Home Network V2

OVERVIEW

Migrated from Version 1, where most services were hosted on a single local server, to a more robust network similar to that of a small business. The self-hosted services remained, minus DHCP. Much of this was done to gain experience with more standardized network hardware and to strengthen my security posture at home.

GOALS

  1. Strengthen security posture on home network
  2. Move to small business / enterprise grade hardware
  3. Change server from Fedora to Debian

SPECIFICATIONS

  • TP Link OC200 Network Controller
  • TP Link ER605 V2 Firewall / Router
  • TP Link TL-SG2008P | Jetstream 8 Port PoE Switch
  • TP Link EAP610 Wireless Access Point (connected to Switch)
  • TP Link EAP610 Wireless Access Point (connected through wireless mesh)
  • 2014 Mac Mini with Debian 12.x
  • Ugreen DXP4800 Plus NAS 
  • Nokia Fiber Connection Modem

MILESTONES

As this is my home network, I needed to make changes when family members were not home, and the changes needed to be fairly quick. I powered down the Mac Mini and disconnected everything. It’s worth noting that, prior to swapping out the hardware, the replacement gear had been powered up and set up with a very basic configuration to allow a fairly seamless move from one system to the next.

The latest Debian version, 12.x, and older Mac machines work well together. Since I was redoing the network entirely, I opted to redo the Mac Mini as well. This was fairly straightforward; the largest issue I encountered was that the installer did not see the wireless adapter on the initial install of Debian. I manually loaded the driver for the adapter so I could finalize the basic config on the machine, then connected it to the Jetstream switch.

With the Mac Mini now running Debian, the following Docker Containers were spun up:

  • AdGuard Home for self-hosted secure DNS and network-wide ad blocking
  • Fail2ban to ban source addresses after repeated failed logins or other suspicious activity in the logs
  • Twingate connector for zero trust remote access
  • Wazuh (complete with agents on local machines) for security monitoring
  • Uptime Kuma to monitor certain external services and Docker containers
  • Watchtower to automate container image updates
  • Portainer for container management

With the hardware all in place and the various local services running once again, it was time to configure the network in a more useful manner. The Omada hardware supports multiple SSIDs and VLANs, which were key selling points. I currently run three SSIDs in the home, each on its own VLAN:

  • SSID-A is the general household network, used by my wife and kids. Laptops, desktops and printers are connected to it.
  • SSID-B is my own personal network. It is not reachable from SSID-A, but I can access SSID-A from SSID-B.
  • SSID-C is for IoT devices: TVs, Fire TV / Fire Sticks and Echo Dots, along with Ring devices. It is completely walled off from SSID-A and SSID-B.

Giving each SSID its own VLAN made the entire process very easy.
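The policy above (SSID-B may open connections to SSID-A, SSID-A may not open connections to SSID-B, SSID-C is isolated from both, and every VLAN may reach the Internet) is simple to state, but a one-way rule only works if whatever enforces it tracks connections, so that the replies to a session opened from B are accepted on the way back from A. The Python model below is an added example, not configuration from the original write-up or from Omada; the per-VLAN subnets, the host addresses and the `Flow` / `StatefulFilter` names are assumptions for illustration. It evaluates the same packets with and without connection tracking to show which ones a stateless per-direction ACL would wrongly drop.

```python
"""Model of the three-VLAN policy: B may initiate to A, A may not initiate
to B, C (IoT) is isolated from both, and any VLAN may reach the WAN.
Subnets and hosts below are assumed for illustration only."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed per-VLAN subnets (not taken from the original write-up).
VLANS = {
    "SSID-A": ip_network("192.168.10.0/24"),  # household
    "SSID-B": ip_network("192.168.20.0/24"),  # personal / admin
    "SSID-C": ip_network("192.168.30.0/24"),  # IoT
}
WAN = "WAN"  # any address outside the local VLANs

# Zone pairs that may *initiate* connections. Intra-zone and zone->WAN are
# implied; everything else is denied by default.
PERMITTED_INITIATORS = {("SSID-B", "SSID-A")}


def zone_of(ip: str) -> str:
    """Map an address to its VLAN name, or WAN if it is not local."""
    addr = ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return WAN


def permit_new(src_ip: str, dst_ip: str) -> bool:
    """Is a *new* connection from src to dst allowed by policy?"""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst or dst == WAN:
        return True
    return (src, dst) in PERMITTED_INITIATORS


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # True for the first packet of a new TCP connection


class StatefulFilter:
    """Keeps a table of permitted connections so reply traffic is accepted
    even when that direction would be denied as a new connection."""

    def __init__(self) -> None:
        self._table: set[tuple[str, int, str, int]] = set()

    def decide(self, f: Flow) -> str:
        key = (f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        reverse = (f.dst_ip, f.dst_port, f.src_ip, f.src_port)
        if key in self._table or reverse in self._table:
            return "ESTABLISHED"
        if f.syn and permit_new(f.src_ip, f.dst_ip):
            self._table.add(key)
            return "NEW"
        return "DROP"


def stateless_decide(f: Flow) -> str:
    """What a pure per-packet ACL with no connection tracking would do."""
    return "ACCEPT" if permit_new(f.src_ip, f.dst_ip) else "DROP"


def demo() -> dict[str, str]:
    fw = StatefulFilter()
    results = {}
    # A laptop on SSID-B opens SSH to a desktop on SSID-A ...
    results["B->A new"] = fw.decide(Flow("192.168.20.5", 51000, "192.168.10.8", 22, syn=True))
    # ... and the SYN-ACK comes back from A to B.
    reply = Flow("192.168.10.8", 22, "192.168.20.5", 51000)
    results["A->B reply (stateful)"] = fw.decide(reply)
    results["A->B reply (stateless)"] = stateless_decide(reply)  # wrongly dropped
    # A fresh connection from A to B is not allowed.
    results["A->B new"] = fw.decide(Flow("192.168.10.8", 40000, "192.168.20.5", 22, syn=True))
    # IoT is walled off from both other VLANs but may reach the Internet.
    results["C->A new"] = fw.decide(Flow("192.168.30.2", 40001, "192.168.10.8", 80, syn=True))
    results["C->B new"] = fw.decide(Flow("192.168.30.2", 40002, "192.168.20.5", 80, syn=True))
    results["B->C new"] = fw.decide(Flow("192.168.20.5", 40003, "192.168.30.2", 80, syn=True))
    results["C->WAN new"] = fw.decide(Flow("192.168.30.2", 40004, "93.184.216.34", 443, syn=True))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26s} {verdict}")
```

The interesting row is the A-to-B reply: with connection tracking it is accepted as part of the session B opened, while a stateless ACL that simply denies A-to-B would drop it and silently break every connection from SSID-B into SSID-A. When configuring inter-VLAN rules on any gateway, check whether its LAN-to-LAN ACLs are stateful; if they are not, the deny rule for A-to-B needs an explicit exception for established or reply traffic.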