• AlfredoJohn@sh.itjust.works · 3 upvotes · 28 days ago

    Just adding: if you have any resources about how to go about this, I would more than appreciate any nuggets you can share. I have some networking background from college, but it's been about a decade since I used any of it, so any help to point me in the right direction of hardening my network like this would be extremely appreciated. Thanks!

    • youmaynotknow@lemmy.zip · 1 upvote · 1 day ago

      Good morning. First, please let me apologize for basically dropping this all of a sudden. Life happened and I had to be away for quite a while.

      I am very sorry, because by the time I came back and was able to sit down at my computer to go over and find my notes, I had completely forgotten about this.

      Now, this will be very long, as I have it all documented with as much detail as possible to make sure I can reproduce it if anything goes catastrophically wrong.

      Having said that, here goes:

      ## 1. Hardware, Adapters & Physical Backbone
      * **Gateway:** MINISFORUM NAB6 Lite Mini PC, Core i5-12600H (12C/16T, up to 4.5 GHz), 16GB RAM + 500GB SSD (Dual 2.5GbE Intel i226-V)
      * **WAN Aggregator:** MokerLink 2G04210GTM (Managed 2.5G RJ45)
      * **Core Switch #1:** MokerLink POE-2G08110GSM (Managed 2.5G PoE)
      * **Core Switch #2:** MokerLink POE-2G08110GSM (Managed 2.5G PoE)
      * **CCTV/Media Switch:** TP-Link TL-SG1218MPE (Managed 1G PoE)
      * **Transceivers:**
          * **2x 10G SFP+ to RJ45:** Connects Core #1 SFP+ to Core #2 SFP+ (10G Backbone).
          * **2x 1.25G SFP-T:** Used in TP-Link SFP slots for Uplink/Media.
      * **Cabling:** Cat6A Shielded (26AWG) for all backbone, WAN, and high-speed runs.
      
      ---
      
      ## 2. Phase 1: OPNSense Foundation & Cloudflare SSL
      
      ### Installation & CLI Handshake
      1. **Boot:** UEFI Mode, ZFS Partitioning (Auto).
      2. **Assignments:**
          * WAN: `VLAN 99 on igc0` (Fiber)
          * WAN2: `VLAN 98 on igc0` (Starlink)
          * LAN: `VLAN 1 on igc1` (Management)
      3. **Static IP:** Set LAN to `192.168.0.1/24`. Enable DHCP temporarily, disable after IPs are assigned (.100 - .200).
      
      ---
      
      ## 3. WiFi Optimization: Cinder Block "Cellular" Strategy
      
      ### A. Radio Policies (Zero-Overlap Logic)
      * **Transmit Power:**
          * **2.4GHz:** Custom (6 dBm). Active **ONLY** for Matter-IoT and Guest-WiFi.
          * **5GHz:** Custom (20 dBm). Active for **ALL** SSIDs except **for Matter-IoT and Guest-WiFi**. Bumped for cinder-block penetration.
      * **Handoff:** Enable **802.11k/v/r**.
      * **Min RSSI:** **-75 dBm** (forces device to drop weak signals at cinder-block boundaries).
      
      ### B. 5GHz Channel Matrix (80MHz Width)
      | AP Unit | Location | Floor | 5GHz Block | 2.4GHz (IoT Only) |
      | :--- | :--- | :--- | :--- | :--- |
      | **AP 1** | Master Bedroom | 2F | 36 | 1 |
      | **AP 2** | Master Closet | 2F | 52 (DFS) | 6 |
      | **AP 3** | Family Room | 2F | 100 (DFS) | 11 |
      | **AP 4** | Sammy Bedroom | 2F | 116 (DFS) | 1 |
      | **AP 5** | Oliver Bedroom | 2F | 132 (DFS) | 6 |
      | **AP 6** | Dining/Living | 1F | 149 | 11 |
      | **AP 7** | Pantry | 1F | 36 (Reuse) | 6 |
      | **AP 8** | Guest Bedroom | 1F | 52 (Reuse) | 1 |
      | **AP 9** | Outdoor (Front) | Ext | 116 (Reuse) | 11 |
      | **AP 10** | Outdoor (Back) | Ext | 149 (Reuse) | 6 |
      
      ---
      
      ## 4. Physical Port & Cabling Matrix
      
      ### A. WAN Aggregator (MokerLink 2G04210GTM)
      * **Port 1:** Fiber ONT Input (VLAN 99 Access)
      * **Port 2:** Starlink Gen3 Input (VLAN 98 Access)
      * **Port 3:** **MINISForum Port 1 (WAN Trunk)**
      
      ### B. Core Switch #1 (POE-2G08110GSM)
      * **Port 1:** Input from MINISForum Port 2 (Main LAN Trunk)
      * **Port 2-5:** 4x Indoor APs (VLAN 1, 10, 15, 25, 45, 55, 75)
      * **Port 6:** 1x Outdoor AP (VLAN 1, 10, 15, 25, 45, 55, 75)
      * **Port 7:** PS5 (Access VLAN 45)
      * **Port 8:** **TP-Link SFP Slot 1** (Trunk Uplink for 1, 5, 35, 45)
      * **SFP+ Slot:** **Core #2 SFP+ Slot** (**Uses 10G Adapter**)
      
      ### C. Core Switch #2 (POE-2G08110GSM)
      * **SFP+ Slot:** **Core #1 SFP+ Slot** (**Uses 10G Adapter**)
      * **Port 1-4:** 4x Indoor APs (VLAN 1, 10, 15, 25, 45, 55, 75)
      * **Port 5:** 1x Outdoor AP (VLAN 1, 10, 15, 25, 45, 55, 75)
      * **Port 6-7:** Proxmox Servers (Access VLAN 5)
      * **Port 8:** My Main Desktop (Access VLAN 10)
      
      ---
      
      ## 5. Logical Layer: Subnet, Gateway & WAN Master Table
      
      | VLAN | Name | IP CIDR | Gateway | Primary WAN | Wireless SSID | Active Bands |
      | :--- | :--- | :--- | :--- | :--- | :--- | :--- |
      | **99** | WAN 1 | ISP DHCP | 192.168.100.1* | Fiber | N/A | N/A |
      | **98** | WAN 2 | ISP DHCP | 192.168.1.1* | Starlink | N/A | N/A |
      | **1** | Management | 192.168.0.0/24 | 192.168.0.1 | Fiber | N/A | Wired |
      | **5** | DMZ/Servers | 192.168.5.0/24 | 192.168.5.1 | Fiber | N/A | Wired/HASS Tablet|
      | **10** | My Kingdom | 192.168.10.0/24 | 192.168.10.1 | Fiber | **My-Kingdom** | 5GHz/6GHz |
      | **15** | Wife | 192.168.15.0/24 | 192.168.15.1 | Fiber | **Wife-Net** | 5GHz/6GHz |
      | **25** | Kids | 192.168.25.0/24 | 192.168.25.1 | **Starlink** | **The-Lords** | 5GHz/6GHz |
      | **35** | CCTV | 192.168.35.0/24 | 192.168.35.1 | Starlink | N/A | Wired |
      | **45** | Media/Gaming | 192.168.45.0/24 | 192.168.45.1 | Fiber | **Media-Gaming**| 5GHz/6GHz |
      | **55** | Matter IoT | 192.168.55.0/24 | 192.168.55.1 | **Starlink** | **Matter-IoT** | 2.4G |
      | **75** | Guests | 192.168.75.0/24 | 192.168.75.1 | Starlink | **Guest-WiFi** | 2.4G |
      

      As I mentioned, devices and choice of software are very personal. For example, I chose OPNSense over PFSense for very personal reasons. Additionally, my infrastructure is so ‘hardware-bloated’ because the walls are all concrete, so I needed to make sure WiFi is covering as much as possible, which led to a shitload of APs. This caused me to spend quite some time tweaking the power and channels of each AP to make it easier for devices to move from one to the other without losing connectivity.

      Lots of trial and error, but absolutely worth it once deployed.

      The 2.5GB and 10GB ports were chosen just to future-proof the setup. My internet is not even 1Gb, but who knows where we’ll be in 5 years, right?

      All cabling is Cat 6A shielded, and everything with a LAN port is wired with WiFi disabled; this helps with keeping the RF a bit cleaner while ensuring a much more reliable connection for those devices (TVs, PCs, consoles, cameras, etc.).

      The choice of mini-PC for OPNSense is entirely based on the fact that I want to do IPS all the time, and an n95 CPU would choke with the ridiculous amount of devices and hosts in my network.

      I would like to see what you guys have as well. This could be fun.
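A consistency check over the plan above, as an added example (not the poster's own tooling): it encodes the section 5 VLAN table and the section 4 AP trunk lists as constructed data and flags overlapping subnets, gateways outside their subnet, SSID VLANs missing from the AP trunks, and internal subnets that would collide with the upstream WAN gateway addresses.

```python
import ipaddress

# Constructed from the VLAN master table in section 5 (not a config export).
# vid: (name, cidr, gateway, ssid or None)
VLANS = {
    1:  ("Management",   "192.168.0.0/24",  "192.168.0.1",  None),
    5:  ("DMZ/Servers",  "192.168.5.0/24",  "192.168.5.1",  None),
    10: ("My Kingdom",   "192.168.10.0/24", "192.168.10.1", "My-Kingdom"),
    15: ("Wife",         "192.168.15.0/24", "192.168.15.1", "Wife-Net"),
    25: ("Kids",         "192.168.25.0/24", "192.168.25.1", "The-Lords"),
    35: ("CCTV",         "192.168.35.0/24", "192.168.35.1", None),
    45: ("Media/Gaming", "192.168.45.0/24", "192.168.45.1", "Media-Gaming"),
    55: ("Matter IoT",   "192.168.55.0/24", "192.168.55.1", "Matter-IoT"),
    75: ("Guests",       "192.168.75.0/24", "192.168.75.1", "Guest-WiFi"),
}
# Upstream gateways behind the two WAN VLANs (the asterisked entries in section 5).
WAN_GATEWAYS = {"192.168.100.1", "192.168.1.1"}
# VLANs tagged on the AP trunk ports (section 4B / 4C).
AP_TRUNK = {1, 10, 15, 25, 45, 55, 75}

def check_plan(vlans=VLANS, wan_gws=WAN_GATEWAYS, ap_trunk=AP_TRUNK):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    nets = {vid: ipaddress.ip_network(cidr) for vid, (_, cidr, _, _) in vlans.items()}
    for vid, (_, cidr, gw, ssid) in vlans.items():
        # The gateway must live inside the subnet it serves.
        if ipaddress.ip_address(gw) not in nets[vid]:
            findings.append(f"VLAN {vid} gateway {gw} outside {cidr}")
        # Every SSID-backed VLAN has to be tagged on the AP trunks or clients
        # silently land in the port's native VLAN instead of their segment.
        if ssid and vid not in ap_trunk:
            findings.append(f"SSID {ssid} (VLAN {vid}) not tagged on AP trunk")
    ids = sorted(nets)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"VLAN {a} and VLAN {b} subnets overlap")
    # An internal subnet that contains an upstream gateway address breaks
    # routing to that WAN (and hides the modem's admin page).
    for gw in sorted(wan_gws):
        for vid, net in nets.items():
            if ipaddress.ip_address(gw) in net:
                findings.append(f"WAN gateway {gw} collides with VLAN {vid} {net}")
    return findings
```

Re-run `check_plan` after any change to the table; the Starlink gateway at 192.168.1.1 is the easiest one to collide with when a new VLAN is added.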

    • youmaynotknow@lemmy.zip · 1 upvote · 28 days ago

      By all means, man. Full disclosure: what I suggest is because it worked for me, so it’s always wise to research based on anyone’s suggestions and then choose the path that would work best for your intentions. In my case, I have a VLAN for my kids because their access goes away every night at 8pm on weekdays, for example. My wife has her own VLAN because there’s some stuff I have blocked that she wants access to. Then I have a media VLAN for gaming consoles and streaming devices, IoT is separate, CCTV is in its own VLAN, etc. If you scroll up a bit, you’ll find another reply I just added. If you can tell us what you’re looking to achieve, and what infrastructure you currently run, I know some of us will love to suggest options to point you in the right direction.

      On a separate note, I still want someone to tell me if there’s anything else I can do on my ONT modem to harden it even more.