Hello everyone,
I am currently considering how to set up the network in our house.
In this context, I thought it would be great if some of you could share how you have implemented a high-end network on an individual basis.
I am an IT professional myself, but my focus lies elsewhere. Nevertheless, feel free to get technical—I assume I will understand you.
I am interested in:
- How have you segmented your networks?
- What devices do you use (manufacturer-independent)?
- Which devices (manufacturer-independent) do you group together in which network, and why?
- Which networks do you allow to communicate with each other?
- How have you implemented external access, if desired?
- Do you perhaps have a DMZ?
- In your opinion, what is a “must-have” and what is a “nice-to-have”?
Mycraft wrote:
Ubiquiti recently added the UniFi Dream Machine Pro to their product lineup. It offers many useful features at a very good price. Feel free to stop by... there are some freebies available for it.
Since you are an IT specialist yourself, first define your requirements (specification document). At this point, the choice of devices or the number and communication between the networks is secondary; all of that will follow from your detailed requirements (functional specification).
FloHB123 wrote:
What exactly are your requirements? What do you want to run on your network?
If it’s just for some browsing/streaming plus a printer and NAS, honestly, I don’t see why it should be made so complicated. Although I’m also an IT professional, at home it’s nice when things just work and don’t require much configuration.
dhd82 wrote:
Since you’re an IT professional yourself, first define your requirements (specifications).
At this point, the choice of devices or the number and communication between networks is secondary; all of that depends on your requirements (detailed specifications).
Good point. And at the same time the dilemma. The requirements are not clearly defined yet. So I’m interested in what you have implemented and why—as a source of ideas.
The only thing established so far is that I want to segment the network into the usual suspect areas, and it must be compatible with Magenta TV, specifically IGMPv3 support.
We also have a switch with a 10GB uplink on the upper floor in the utility room. I'm not a fan of Wi-Fi, so we installed cables almost everywhere. I’ve distributed nearly 20 duplex sockets across two floors. On the ground floor utility room and the upper floor storage room, there is a patch panel with a switch in each. The utility room also houses a NAS and various other equipment (FritzBox, Homematic central unit, Raspberry Pi, 3D printer, etc.). This way, everything is centralized in one place, and my wife doesn't have the "ugly devices" visible around the house. The smart home devices will be set up on their own VLAN, since you never know how much those things might snoop around.
Much depends on what you want to achieve, how familiar you are with the subject, and what budget you have in mind.
For me, if you have some knowledge, VLAN separation definitely makes sense. Guests, of course, should not have access to the main network. Insecure devices (various smart home devices with cloud connections, TVs, streaming sticks, etc.) also have no place in the network that contains my "private data."
If you want to prevent certain services from communicating externally, a firewall is important. This ranges from OpenWrt (more like a "router+") through OPNsense or similar open-source solutions, up to Sophos UTM/XG Home. (By now, I would rather use XG instead of UTM with version 18.)
With a firewall, you can cover many scenarios depending on your needs. A transparent web proxy (which is unfortunately becoming increasingly important — with SSL scanning) can help less experienced users avoid downloading malware. A mail proxy can be useful if you want to store your emails directly on a home server. Routing between VLANs is also possible (for example, the camera may only access the CIFS share and synchronize with the firewall for time, or the video server accesses the camera; the streaming stick should only connect externally via HTTP/S, perhaps even only to Netflix servers, IPS, etc.). There is a lot you can do if you want. Whether this is really useful is another question. The more you "secure," the more time you need to invest — also in maintenance and troubleshooting.
Having your own server — with Windows 10 as “server OS,” Server 2019 Essentials, Linux systems, NAS solutions (Synology or QNAP), or open-source NAS systems — and on whatever hardware from Raspberry Pi or small Intel Atom motherboards to real server motherboards with Intel Xeon CPUs or even HP/Dell/... tower servers. Here, the question is also what exactly you want to cover. If you want to run multiple virtual machines, both production and test/hobby/play VMs, you’ll need significantly more power than if you just want a small TV server for recording and watching TV (using DVBViewer/TVHeadend, for example), possibly with OpenHab or ioBroker as well (maybe as a Docker image). Storage capacity is probably another important question.
In terms of Wi-Fi solutions, there are many options. Currently, I would say that Unifi access points or Ubiquiti solutions in general offer the best value for money. For me personally, no other solution would currently be an option. Whether you choose Unifi AC APs or Amplifi again depends on what you might want to do with it in the future or what else you plan to do with the network.
Regarding the network itself — many people who use Unifi also use their switches. One management interface is easier to handle than many separate interfaces that all behave differently. However, some switch models can become quite warm, so the environment around the switch should be appropriate. A manageable switch is necessary anyway due to VLANs. Whether you choose Unifi or a more affordable Netgear, or other manufacturers like HP/Cisco, depends on your budget. It’s also possible to get “old” enterprise switches from work for free or cheap, which can be a good solution. Usually, you don’t really need this in a home environment. PoE support directly from the switch can be very useful if the devices also support PoE (e.g., the access points). This way, you don’t need additional power supplies or adapters between the switch and the patch panel.
If you knew a bit more about how big the budget is or exactly what you plan to do, it would be easier to give advice specific to your case and share opinions.
Maybe a Raspberry Pi with a FritzBox would be enough for you at the beginning, and your setup can develop gradually from there.
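The inter-VLAN policy sketched in the reply above (camera reaches only the CIFS share and the firewall's NTP, the video server on the trusted LAN may pull from the camera, the streaming stick gets HTTP/S to the internet and nothing internal), written out as an nftables ruleset. This is an added example, not from the post; the interface names, VLAN numbering and addresses are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (assumed layout, not from the thread):
#   vlan10 = trusted LAN (NAS and video server), vlan20 = cameras / IoT,
#   vlan30 = TV and streaming sticks, wan = uplink to the router.
flush ruleset

define NAS     = 192.168.10.10
define CAM     = 192.168.20.50
define RFC1918 = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

table inet homefw {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iif lo accept
        # camera VLAN may talk to the firewall only for DHCP, DNS and NTP (time sync)
        iifname "vlan20" udp dport { 67, 53, 123 } accept
        # media VLAN needs DHCP and DNS from the firewall, nothing else
        iifname "vlan30" udp dport { 67, 53 } accept
        iifname "vlan10" accept
        log prefix "fw-input-drop " drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop

        # trusted LAN may reach everything; this also lets the video server pull from the camera
        iifname "vlan10" accept

        # camera: CIFS on the NAS only, no internet, no other internal hosts
        iifname "vlan20" ip saddr $CAM ip daddr $NAS tcp dport 445 accept

        # streaming stick: HTTP/S towards the internet only, never to private ranges
        iifname "vlan30" oifname "wan" ip daddr != $RFC1918 tcp dport { 80, 443 } accept

        # everything not explicitly allowed is logged and dropped (default deny)
        log prefix "fw-fwd-drop " drop
    }

    chain postrouting {
        type nat hook postrouting priority srcnat;
        oifname "wan" masquerade
    }
}
```

Load it with nft -f; the logged drop prefixes are what you grep for when a device stops working after segmentation, which is the maintenance cost the reply warns about.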
T_im_Norden, 24 Jun 2020 18:40:
The more you get involved, the more potential sources of errors there are.