Homelab
Introduction
I'm not exactly sure where the term “homelab” came from, but it is often used to describe servers and professional networking gear in a test environment at home. Generally this will be set up as a hobby rather than the staging/development environment for a business.
I don't necessarily consider my setup to be a “homelab” but it's the best word I have found to describe it so far.
The Hardware
- A server running Proxmox
- HP ProCurve Managed Gigabit Switch
- DrayTek VDSL2 Modem/Router
- 2x DrayTek WiFi Access Points
- Raspberry Pis (see Phone Honeypot & SDR)
The server is the core of my “homelab” whereas the Raspberry Pis are generally used for temporary projects.
The Network
VLAN ID | Description | Subnet |
---|---|---|
1 | Management | 192.168.0.1/24 |
2 | Main LAN | 192.168.1.1/24 |
666 | CCTV LAN | 192.168.2.1/24 |
1337 | Secure LAN | 10.0.0.1/24 |
Naturally, my VLAN IDs haven't followed any kind of numbering convention. VLAN 1 simply contains the switch itself and my Graylog VM has an interface which can access it; this allows the switch to push syslog messages to my server. I can also access VLAN 1 by physically plugging into the switch when switch config changes are required.
VLAN 2 is “almost everything”. We haven't needed much separation (yet) so this is all PCs, laptops, phones, Chromecasts, etc.
VLAN 666 is for the CCTV cameras; this has strictly no internet/LAN access because all devices connected here are presumed to be evil; I use very low-end cameras which have multiple confirmed vulnerabilities and appear to have backdoors. My CCTV VM within Proxmox has an interface which can access it so the footage can be recorded. This server can be accessed from VLAN 2 to view the footage.
VLAN 1337 uses pfSense running on Proxmox as its gateway. This VLAN is for things which need to be slightly hardened. Nothing can access devices on this LAN directly and rules can be established to lock things down to the appropriate level.
VLANs 3-5 are configured and ready to use for temporary projects. pfSense is also configured to use VLAN 3 but that interface is disabled; this means giving temporary internet access to VLAN 3 only takes a couple of clicks.
I have an additional cable between the switch and the server which allows all traffic on the switch to be mirrored to the server. I am running various network monitoring tools to ensure everything is working correctly and no malicious traffic is passing by.
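The isolation rules stated above for VLAN 666 and VLAN 1337 can be checked against the mirrored traffic. The following Python script is an added example, not part of the original page or the author's tooling; it assumes the mirrored traffic has already been reduced to (initiator, responder) IP pairs, and the sample flows are constructed.

```python
import ipaddress

# Subnets from the VLAN table on this page (network form of the gateway/prefix).
CCTV = ipaddress.ip_network("192.168.2.0/24")      # VLAN 666
SECURE = ipaddress.ip_network("10.0.0.0/24")       # VLAN 1337
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def check_flow(initiator, responder):
    """Return a violation string for one flow, or None if it fits the policy."""
    src = ipaddress.ip_address(initiator)
    dst = ipaddress.ip_address(responder)
    # Multicast and limited broadcast never leave the VLAN they were sent on.
    if dst.is_multicast or dst == LIMITED_BROADCAST:
        return None
    if (src in CCTV) != (dst in CCTV):
        # CCTV LAN has no internet/LAN access in either direction.
        return "CCTV LAN boundary crossed"
    if dst in SECURE and src not in SECURE:
        # Nothing outside may open a connection to the Secure LAN.
        return "inbound connection to Secure LAN"
    return None


def find_violations(flows):
    """Return (initiator, responder, reason) for every flow that breaks policy."""
    hits = []
    for initiator, responder in flows:
        reason = check_flow(initiator, responder)
        if reason:
            hits.append((initiator, responder, reason))
    return hits


# Constructed sample flows (assumption: not captured from the author's network).
SAMPLE_FLOWS = [
    ("192.168.2.20", "192.168.2.10"),     # camera -> recorder on the CCTV LAN: fine
    ("192.168.2.20", "203.0.113.5"),      # camera reaching the internet: violation
    ("192.168.1.50", "192.168.2.20"),     # Main LAN host reaching a camera: violation
    ("192.168.2.21", "239.255.255.250"),  # camera multicast discovery: stays in VLAN
    ("10.0.0.15", "198.51.100.7"),        # Secure LAN host going out via gateway: fine
    ("192.168.1.50", "10.0.0.15"),        # Main LAN host into Secure LAN: violation
]

if __name__ == "__main__":
    for initiator, responder, reason in find_violations(SAMPLE_FLOWS):
        print(f"{initiator} -> {responder}: {reason}")
```

Any hit from the CCTV rule means either the switch or firewall configuration has drifted or a camera has found a path off its VLAN.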
I am also taking part in the DN42 network; having VLANs makes this easier to play around with at home.