So after a few weeks of running in the previous configuration, I have found that there is a better way for me to set up and run my lab environment and home network. I have also purchased some new hardware which I wanted to make the best use of. Hence the changes.
Firstly, the hardware I have available is as below:
- Mikrotik Hex S 5 x Gigabit +SFP Router
- Mikrotik RB951G Gigabit +Wifi Router
- Mikrotik RB750II 5 Port Router
- Mikrotik RB493 9 Port Gigabit Router
- TP-Link AC12 Dual Band Router +Access Point
- TP-Link 8 Port Gigabit Switch
- Cisco 891F 4xPoE Gigabit + 4xGigabit Router/Managed Switch
- Huawei B618 LTE Router
- Huawei B525 LTE Router
- VoIP Phone
Using the above hardware, I want to have separated guest and home users. I want an isolated LAB environment where I can test hacks and exploits with no chance of them traversing the network, but with it still having isolated internet access.
I also want packet marking so that I can push traffic through whichever route I want, as and when I want. Here is my plan.
WAN portion setup below. 2 x LTEs and fibre routing into ports 1, 3 and 5. Due to the HexS's unique internal switching, this will give the best WAN to LAN performance in my opinion.
The HexS then has 2 LANs set up on the internal side of the firewall.
The Cisco is in full bridged mode and is basically being used as a managed PoE Gigabit switch, with DHCP etc. coming off the HexS. The phone connects to one of the PoE ports.
The home network also operates off port 2 of the Hex S with DHCP enabled. The only change is that I am using the TP-Link Gigabit switch between the HexS and the AC12 router, so if I want to make more use of this subnet then I can do so. This will be for media servers, streaming servers and other such things I will place on the home network.
Below that is the AC12 pushing its own DHCP on its own range. This range is limited to a maximum of 20/20Mbps by the HexS. The AC12 also has per-device limiting in place. In the HexS I basically mark all packets sourced from this subnet as Home Wifi and limit them accordingly.
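As an added example (not the author's own configuration), here is how the two HexS pieces described above would look as RouterOS commands: marking and capping the AC12 wifi range at 20/20Mbps, and keeping the lab subnet away from every other internal subnet while still giving it internet. The ranges 192.168.30.0/24 (AC12) and 192.168.40.0/24 (lab) and the interface-list name WAN are assumptions; ether1, ether3 and ether5 as the WAN ports follow the post.

```routeros
# Added example, not the author's config. Addresses and list names are assumptions.
# Ports 1, 3 and 5 carry the two LTEs and fibre, as described in the post.
/interface list
add name=WAN
/interface list member
add list=WAN interface=ether1
add list=WAN interface=ether3
add list=WAN interface=ether5

# All private space, used to keep the lab away from every other internal subnet.
/ip firewall address-list
add list=local-nets address=10.0.0.0/8
add list=local-nets address=172.16.0.0/12
add list=local-nets address=192.168.0.0/16

# Mark traffic sourced from the AC12 wifi range (assumed 192.168.30.0/24).
# The second rule also marks the return traffic so the queue sees both directions.
/ip firewall mangle
add chain=prerouting src-address=192.168.30.0/24 action=mark-packet \
    new-packet-mark=home-wifi passthrough=no comment="Home Wifi upload"
add chain=prerouting dst-address=192.168.30.0/24 action=mark-packet \
    new-packet-mark=home-wifi passthrough=no comment="Home Wifi download"

# Cap the marked traffic at 20M up / 20M down.
/queue simple
add name=home-wifi-cap target=192.168.30.0/24 packet-marks=home-wifi \
    max-limit=20M/20M comment="AC12 range limit"

# Lab isolation (assumed 192.168.40.0/24): no path to or from any other internal
# subnet, but new connections towards the WAN are allowed.
# Rule order matters: the drops must sit above any general accept.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward src-address=192.168.40.0/24 dst-address-list=local-nets \
    action=drop comment="lab -> internal: blocked"
add chain=forward src-address-list=local-nets dst-address=192.168.40.0/24 \
    action=drop comment="internal -> lab: blocked"
add chain=forward src-address=192.168.40.0/24 out-interface-list=WAN \
    connection-state=new action=accept comment="lab -> internet: allowed"
```

Check it with `/ip firewall filter print stats`, where the two lab drop counters should rise when a lab host tries to reach a home address, and `/queue simple print` to confirm the cap is active.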
Part 3 is the below image:
This shows the breakout from my business network into yet another Mikrotik, the RB493G, which has two isolated subnets / LANs on it. This is where I do all my WAN to LAN testing of different firewalls and such. I am hoping to test a Sophos XG appliance in the lab pretty soon and see what we can push through it, and find out just how good they really are at keeping you safe and secure.
More to come in the next episode.
Cheers for now.