For those of you who know me, you already know my involvement in networking and cybersecurity, as well as my past in ISP and core network building at all levels.
For those that do not know me, well, I am the main network and server engineer at my company as well as the chief cyber security architect.
I spend my days dealing with advanced network issues, routing and switching and, of course, fine tuning and setting up cyber security devices such as firewalls.
I am certified in quite a few brands of cyber security products, but my company specializes more in the Sophos XG firewalls, for which I am certified as both an engineer and an architect.
Now onto the topic of this post, my home network. Being so involved in advanced network design and building has led me to continually build mini labs where I can test concepts and expand my knowledge, but in the end I had to tear them down and build new ones each time.
I started a year ago with a Huawei B315 LTE router as my sole network device. Now I have quite a bit more. My home network comprises two main parts, on premises at home and cloud based. I will talk about both and how they work together.
My core network comprises multiple routers and switches, but I thought it best I start at the top and work my way down into the various subnets. All photographs are of my actual network equipment. And yes, as soon as my daughter's birthday party is finished, I will be investing in a proper rack for all this gear.
My core router is a Mikrotik hEX S. My reason for choosing Mikrotik as my main perimeter device is that I enjoy their simplicity. For some they may seem over complicated, but once you are familiar with Mikrotik RouterOS you will be able to control your network and do so much with it. I can do load balancing and so much more with this as my main routing device. My current setup on this router is as below:
Currently the Ports are assigned as below:
- Eth1 – Connected to Huawei B618 LTE with fixed MTN LTE – WAN
- Eth2 – Connected to Fibre CPE -PPPoE Static IP – WAN
- Eth3 – Connected to ZTE LTE with fixed Telkom LTE – WAN
- Eth4 – Downlink for Cisco Catalyst 2960 24 Port Switch – LAN
- Eth5 – Exchangeable with Fibre – LAN
- SFP1 – Downlink for Mikrotik CRS326 Cloud Router Switch – LAN
As you can see, the poor little router is at its limits in terms of physical connectivity, but it's still idling with very low CPU and RAM usage.
The VLAN and interface setup on this device is below:
As you can see, I separate all my home network portions into different VLANs. VLAN 2 is my home Unifi Wi-Fi network. VLAN 3 is my normal home network for DSTV, streaming etc. VLAN 4 is my voice network, used for SIP phones and the SIP phone wireless network. VLAN 5 is my guest network, and users are connected to this gateway through an additional Sophos XG firewall which is used for content filtering and such on my guest network.
Then last, but not least, is VLAN 6, which is my Cisco lab environment. This is a permanent lab which I use to test various Cisco based ideas etc.
Then on the Eth4 downlink you can see I have more VLANs, which are trunked down to my home Cisco Catalyst 2960 24 port switch. Currently I have 3 VLANs on this environment, but I am still setting this all up.
For now we will head down the SFP fibre link to my Mikrotik CRS326 Cloud Router Switch.
This cloud core device is technically not doing any routing but is being used as a layer 2 and layer 3 switch running in RouterOS mode and not SwitchOS. This gives me more control over the device as a whole.
I then build bridges for each VLAN and add the interfaces that I want on the VLAN to the bridge. This keeps things nice and simple and gives me the utmost control over what goes where. I can also control what can route between the VLANS using some clever routing on the Core Mikrotik Hex S.
I have also created an address list with my devices, which allows me to use Mangle rules to direct my devices differently to everyone else’s and give me direct access to all VLANS from my devices.
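To make the two ideas above concrete, here is an added RouterOS v6 CLI example for the core hEX S. It is not the author's configuration: the VLAN IDs follow the post, but the trunk port (sfp1), the 10.0.&lt;vlan&gt;.0/24 subnets, the PPPoE interface name, the address list names and the admin host addresses are all assumed. It shows the three pieces a practitioner would want to see together: VLAN sub-interfaces with a gateway address each, a forward chain that isolates the VLANs from each other unless the source is on the admin address list, and a mangle routing mark that sends only the admin devices out of a specific WAN.

```routeros
# Added example (not the author's config): RouterOS v6 CLI for a hEX S core router.
# Assumed: trunk towards the CRS326 is sfp1, VLAN IDs 2-6 as in the post,
# subnets 10.0.<vlan>.0/24, fibre PPPoE interface pppoe-out1, admin hosts in 10.0.3.0/24.

# VLAN sub-interfaces on the SFP trunk, one gateway address per VLAN
/interface vlan
add name=vlan2-wifi vlan-id=2 interface=sfp1
add name=vlan3-home vlan-id=3 interface=sfp1
add name=vlan4-voice vlan-id=4 interface=sfp1
add name=vlan5-guest vlan-id=5 interface=sfp1
add name=vlan6-lab vlan-id=6 interface=sfp1
/ip address
add address=10.0.2.1/24 interface=vlan2-wifi
add address=10.0.3.1/24 interface=vlan3-home
add address=10.0.4.1/24 interface=vlan4-voice
add address=10.0.5.1/24 interface=vlan5-guest
add address=10.0.6.1/24 interface=vlan6-lab

# Interface lists let a single rule cover every VLAN or every WAN
/interface list
add name=VLANS
add name=WAN
/interface list member
add list=VLANS interface=vlan2-wifi
add list=VLANS interface=vlan3-home
add list=VLANS interface=vlan4-voice
add list=VLANS interface=vlan5-guest
add list=VLANS interface=vlan6-lab
add list=WAN interface=ether1
add list=WAN interface=pppoe-out1
add list=WAN interface=ether3

# Address lists: assumed admin workstations, and the summary of all local subnets
/ip firewall address-list
add list=admin-devices address=10.0.3.10 comment="workstation (assumed)"
add list=admin-devices address=10.0.3.11 comment="laptop (assumed)"
add list=local-nets address=10.0.0.0/16 comment="all home VLAN subnets"

# Forward chain: VLANs stay isolated from each other unless the source is an admin device.
# Rule order matters: the admin accept must sit above the inter-VLAN drop.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward src-address-list=admin-devices in-interface-list=VLANS action=accept comment="admin hosts reach all VLANs"
add chain=forward in-interface-list=VLANS out-interface-list=VLANS action=drop comment="no inter-VLAN traffic for everyone else"
add chain=forward in-interface-list=VLANS out-interface-list=WAN action=accept comment="every VLAN may reach the internet"
add chain=forward action=drop comment="default deny"

# Mangle: admin devices leave via the fibre link, everyone else follows the main table.
# Traffic to local subnets is excluded so that the mark never diverts intra-LAN flows.
/ip firewall mangle
add chain=prerouting src-address-list=admin-devices dst-address-list=!local-nets action=mark-routing new-routing-mark=via-fibre passthrough=no
/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=via-fibre check-gateway=ping

# Source NAT for whichever WAN a packet finally leaves on
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade
```

Two checks are worth running after pasting something like this: `/ip firewall filter print stats` should show the inter-VLAN drop counter climbing when a guest host tries to reach the home subnet, and `/ip route print where routing-mark=via-fibre` confirms the marked table has its default route. Note that the admin accept rule is keyed on a source address, so it is only as strong as the device's ability to hold that address; a DHCP reservation plus the VLAN the host actually sits on is the usual way to keep the list honest.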
Then from this cloud switch I have allocated ports directly to the Wi-Fi VLAN 2, which allows me to plug the Unifi APs directly into the switch via PoE injectors. This switch does not have PoE. Then there is also a branch off this on VLAN 6 connecting to the Cisco 1900 router which makes up the gateway router for my Cisco lab environment. This then breaks out over the Catalyst 48 port switch seen in this image. This is a separate lab and, although fully routable from outside (as this all resides inside the core Mikrotik router / firewall), I have separate VLAN setups and labs running within this environment, so it does not make up part of my home network.
Then on my voice network, I have a Cisco 891F with 4 x PoE and 4 x non-PoE ports. The PoE ports are connected to my phones and wireless APs for my voice network. The AP is basically a virtual AP running on the red Mikrotik 2011 wireless router seen below.
This 2011 is also pushing out the guest Wi-Fi network and has a physical connection to the Sophos XG firewall seen below. This firewall is connected to breakout on VLAN 5 Guest. The guest Wi-Fi VLAN is bridged to the Sophos on this Mikrotik. Again, no routing is happening on the above Mikrotik.
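The "one bridge per VLAN" layout on the CRS326 described above, as an added RouterOS v6 example that is not the author's configuration. Port numbers, the uplink name sfp-sfpplus1 and the management address are assumptions; the intent is to show how an access port for an AP and the tagged uplink end up in the same layer 2 domain without the switch routing anything.

```routeros
# Added example (not the author's config): CRS326 in RouterOS mode, one bridge per VLAN.
# Assumed: uplink to the hEX S is sfp-sfpplus1; ether1-ether2 carry the Unifi APs
# (through PoE injectors) on VLAN 2; ether24 goes to the Cisco 1900 on VLAN 6.

# Tagged sub-interfaces on the uplink towards the core router
/interface vlan
add name=vlan2-uplink vlan-id=2 interface=sfp-sfpplus1
add name=vlan3-uplink vlan-id=3 interface=sfp-sfpplus1
add name=vlan6-uplink vlan-id=6 interface=sfp-sfpplus1

# One layer 2 bridge per VLAN: the tagged uplink sub-interface plus the untagged access ports
/interface bridge
add name=br-vlan2-wifi protocol-mode=rstp
add name=br-vlan6-lab protocol-mode=rstp
/interface bridge port
add bridge=br-vlan2-wifi interface=vlan2-uplink comment="tagged towards hEX S"
add bridge=br-vlan2-wifi interface=ether1 comment="Unifi AP via PoE injector"
add bridge=br-vlan2-wifi interface=ether2 comment="Unifi AP via PoE injector"
add bridge=br-vlan6-lab interface=vlan6-uplink comment="tagged towards hEX S"
add bridge=br-vlan6-lab interface=ether24 comment="Cisco 1900 lab gateway"

# Management address lives only on the home VLAN; the wifi and lab bridges carry no
# IP address, so the switch itself is not reachable from those segments
/ip address
add address=10.0.3.2/24 interface=vlan3-uplink
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.3.1

# Sanity check: only the management subnet and the default route should appear,
# no routes between VLAN subnets, because all inter-VLAN policy sits on the hEX S
/ip route print
```

One caveat for anyone copying this layout onto a CRS3xx: only one bridge per switch chip is hardware offloaded, so with several bridges the remaining ones are switched by the CPU. For a handful of APs that is fine; for heavier traffic the alternative is a single bridge with `vlan-filtering=yes` and the VLAN membership expressed in `/interface bridge vlan`, which keeps the same segmentation but stays in hardware.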
Below you can see the two LTE devices and some other spare hardware. You can also see the APs I have around the house. These are all connected to a Linux based Unifi controller which is set up on a VM on my Windows 2019 server at Hetzner's data centre.
Below you can see the two Ciscos used in my environment as well as the Sophos XG firewall appliance.
Lastly, about the other 3 VLANs we saw on my core router, VLANs 20, 21 and 22: these are all controlled from this switch.
I plan on building out a complete network environment off this switch, but need to do a serious upgrade on my core router before I do this. I need to look at a 3011 or 4011 for this task, as I believe I will start pushing the limits of this little hEX S router.
I also have a few other lab routers and such which I would like to setup at some point.
Below you can see my home Unifi controller, which I am hosting on my DC server.
Now, although I think this is an article for another day, I have already given a brief rundown of my cloud infrastructure in my previous post: https://www.dionneswart.co.za/2020/02/17/my-personal-cloud-infrastructure/
Just something to note: I do have a full layer 2 VPN between my house and this infrastructure. My hosted Mikrotik also connects me to my wife's mom's Mikrotik at home, which allows me to change their Wi-Fi passwords and help them manage their home network without me leaving the comfort of my home. 🙂
Technology is amazing, isn't it?
Anyway, have a great week everyone.