

1664 posts

Uber Geek
+1 received by user: 188

Subscriber

Topic # 199113 4-Aug-2016 22:11

Hey guys,

I am no networking expert but I have a reasonable sized LAN here at home, due to all the home automation gadgets and geekery I have around the place. Currently I have the following setup:

  1. Draytek Vigor 130 VDSL modem (no UFB here yet)
  2. Mikrotik 750GL
  3. 2x Unifi UAPs
  4. 24 port gigabit unmanaged switch
  5. Cisco SPA122 VOIP ATA

All but 1-2 of my 24 ports on the switch are in use. I have 4 IP cameras around the place, 3 of which are WIFI and one is LAN. I also have a juicy server running Proxmox with a dozen OpenVZ containers which run all my services etc. - i.e. Unifi controller, FreeSWITCH VOIP server, Motion server for IPC monitoring, openHAB server, dnsmasq for DHCP, web server with ownCloud etc.

I also have a NAS running FreeNAS on a separate box, an RPi with some big external USB drives running as a simple backup server (via rsync from the NAS), and a UPS.

Now I have been reading a lot on these forums and others about the need for VLANs to isolate at-risk devices on my network and have decided this should be my next project. What I am after from GZ is some advice about how to structure my new network, and some advice about what hardware to buy.

STRUCTURE

After a bit of reading I came up with the following for my VLAN structure:

  1. Management
  2. VOIP
  3. Data (Proxmox, NAS, BackupPi, printer, PCs, laptops, mobile devices)
  4. Security (IP cameras)
  5. Automation (all my Arduinos and RPi nodes etc., home automation devices/bridges etc.)
  6. Media (couple of Kodi clients, 4-5 Squeezebox clients, IP connected AVRs/TVs etc.)
  7. Guest (WIFI only)

First question, is this overkill? I wasn't sure about the Media VLAN - is there anything to be gained by splitting out devices by function in this way? Or should Media be merged with Data?

I would like to lock down VLANs 4 & 5 to have no internet access. Everything home automation based will be controlled/monitored via openHAB, but the question then is, where does openHAB live? On the main Data VLAN, since it needs WLAN access? This is where I get a little unsure - i.e. the best way to protect certain devices/networks, yet still retain access from other devices on different VLANs.

Do I need to worry about the Proxmox server since different containers will live on different VLANs? Is this easy enough to configure or am I completely dreaming with this?! I am not after specific config settings, just an idea of whether the plan _can work_ ;).

HARDWARE

Next question is hardware. I have been looking at the Unifi switch since I could then manage it all via my existing Unifi Controller. They are not cheap, but I am wondering if the ease of setup would be worth it in my case. Or would the EdgeSwitch be a better option? From what I understand these are not managed by the Unifi Controller, but that might not be a bad thing?

Or are these overpriced bits of kit and I should be looking at a cheaper 24 port alternative? I don't need POE but I think it makes sense to get it if I am going to be spending the money. I am sure more and more devices will be coming that are POE, and it would mean my two UAPs could run directly from the switch, removing the need for the in-line power adapters I am currently using (minor benefit).

The alternative I was considering is buying a much cheaper 8 port managed switch which would handle all the VLANs as listed above, and then have a few 8-16 port (plus my existing 24 port) unmanaged switches hanging off the smart switch. So each VLAN would have its own dumb switch for connecting all the individual devices. Or is this just plain stupid?!

Sorry for the very long post, I just wanted to get down as much as I could in the hope someone would look at it and see what I am trying to do and have either already done something similar or have a good idea about the best way to approach it!

Appreciate any/all suggestions!


3621 posts

Uber Geek
+1 received by user: 1343

Subscriber

  Reply # 1604681 4-Aug-2016 22:38
One person supports this post

As geeks we sometimes overthink things when it comes to our home LANs. It's fun to play around with it, but then it just becomes annoying to keep maintaining stuff.

In terms of hardware, the EdgeSwitch is pretty good. I've used a few for wireless deployments and they pretty much just do what you would expect. I don't really see the value in the Unifi switch - just seems like a premium for not much more.

As for the set up you can make it as complex or simple as you wish. Personally, I have the following...
- Trusted - VMware management, NAS, "Web apps" server, openHAB, Kodi clients, known PCs, tablets etc. Has access to all LAN segments.
- Untrusted - Guest devices for people who just want to use internets at my place. Firewalled from all other LAN segments and can only access the net.
- CCTV - Just for CCTV kit. No access to the internet.
- Voice - only have this because it's the business I'm in and sometimes work from home. So have a voice VLAN with priority tagging just for the sake of "doing it properly".

All of this is going into an Allied Telesis layer 2 switch with PoE - AT make awesome stuff but I wouldn't pay their prices....

My router is a Mikrotik, so for the "lab" I just have an isolated interface on the router which I just use for screwing around with.
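For anyone wondering how the segmentation described in the first post (cameras and automation with no internet, openHAB on the Data VLAN still reaching them) and in this reply (trusted segment reaches everything, guest gets the WAN only, CCTV gets nothing) looks on the RB750GL mentioned above, here is an added RouterOS example that is not from either poster. It assumes ether1 is the WAN port towards the Vigor 130, ether2 is an 802.1Q trunk to a managed switch, VLAN ids follow the numbering in the first post, and the 192.168.x.0/24 addresses are made up for illustration.

```routeros
# Added example, not from the thread. Assumes: ether1 = WAN (towards the Vigor 130),
# ether2 = 802.1Q trunk to the managed switch. VLAN ids follow the OP's numbering;
# the 192.168.x.0/24 addresses are constructed for illustration only.

/interface vlan
add name=vlan3-data     vlan-id=3 interface=ether2
add name=vlan4-security vlan-id=4 interface=ether2
add name=vlan5-auto     vlan-id=5 interface=ether2
add name=vlan7-guest    vlan-id=7 interface=ether2

/ip address
add address=192.168.3.1/24 interface=vlan3-data
add address=192.168.4.1/24 interface=vlan4-security
add address=192.168.5.1/24 interface=vlan5-auto
add address=192.168.7.1/24 interface=vlan7-guest

/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade

# Inter-VLAN policy lives in the forward chain: explicit allows, then default deny.
# Rules are evaluated top to bottom, so the established/related accept must come first.
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="replies to flows allowed below, e.g. camera -> Motion/openHAB on the Data VLAN"
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=vlan3-data action=accept comment="Data/trusted VLAN (openHAB, Motion, PCs) may initiate to any VLAN and to the WAN"
add chain=forward in-interface=vlan4-security action=drop comment="cameras: may not initiate anything, so no WAN and no UPnP/phone-home"
add chain=forward in-interface=vlan5-auto action=drop comment="automation nodes: same treatment; openHAB polls them, never the reverse"
add chain=forward in-interface=vlan7-guest out-interface=ether1 action=accept comment="guest WiFi: WAN only"
add chain=forward action=drop comment="default deny for anything not matched above"

# The input chain protects the router itself: manage it only from the Data VLAN.
# If the router (rather than dnsmasq) serves DNS/DHCP for the isolated VLANs, add
# udp/53 and udp/67 accepts for those VLANs before the final drop.
add chain=input connection-state=established,related action=accept
add chain=input in-interface=vlan3-data action=accept comment="router management from the Data VLAN only"
add chain=input action=drop comment="no router access from cameras, automation, guest or WAN"
```

With this in place a camera on VLAN 4 can only answer connections that something on the Data VLAN opened to it; check it from the camera side with a ping to the WAN, which should fail, and from the openHAB/Motion host, which should still reach the camera.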



1664 posts

Uber Geek
+1 received by user: 188

Subscriber

  Reply # 1604683 4-Aug-2016 22:46

Thanks @chevrolux - always interesting to hear how others are doing this. Would you believe that my very first job as a software developer was working for Allied Telesyn here in ChCh writing code for their routers!? I only worked there for 9 months before heading off overseas, and this was back in 1999, so I have zero knowledge of their gear or software now. Hopefully none of my code is running on your router as it was my first gig as a developer!!

Yep, definitely trying to be conscious of overdoing things here, but at the same time I like to _do things right_ - which sounds similar to your philosophy...

The prices between the Unifi Switch and the EdgeSwitch are pretty much the same from what I could tell. It seems the only difference is the management side of things: one has no web interface and must be configured by the Unifi Controller software, the other has its own web interface for stand-alone configuration.

Doesn't sound like I am too far off the mark with my VLAN structure then - I do quite like your simplified approach of trusted/non-trusted though. Would probably still add a VLAN for HA devices, keep reading about light bulbs that expose your network to the world etc.!


3621 posts

Uber Geek
+1 received by user: 1343

Subscriber

  Reply # 1604772 5-Aug-2016 08:52

SumnerBoy:

Would probably still add a VLAN for HA devices, keep reading about light bulbs that expose your network to the world etc.!

Yep, that's why the CCTV kit is in its own VLAN. I have Hikvision gear and at the time I set it up there was the major buzz going around about the NVRs getting turned into Bitcoin miners due to poor network security. Also, all the cameras have UPnP turned on by default and I couldn't be bothered going through each camera and setting it up properly. So went overboard and put them in the isolated VLAN firewalled off from getting to the WAN interface. Remote access is only achieved by VPN.




1664 posts

Uber Geek
+1 received by user: 188

Subscriber

  Reply # 1605672 6-Aug-2016 22:14

Anyone else got any views or opinions on the best option for a 24 port managed switch? Is spending the money on an EdgeSwitch/UnifiSwitch worth it? And is there a reason to go for the Edge v Unifi (considering I already have the Unifi Controller running on my LAN managing my UAPs)?

Cheers!


919 posts

Ultimate Geek
+1 received by user: 224

Subscriber

  Reply # 1605685 6-Aug-2016 22:44

I have one of these running my home network: ZyXEL GS1900. I looked at a PoE managed switch but they were way too pricey for me; buying that Zyxel and a separate PoE switch worked out much cheaper.

I'm also no networking expert (I'm a programmer by trade) but I had zero problems getting it configured. I'm running 5 VLANs on it (LAN, Guests, CCTV, Kids, Lab).

I'm not sure with Proxmox and running different containers on different VLANs (I'm guessing this is LXC?) but when I had a brief play with Proxmox I remember being able to pass through a VLAN specific connection to a KVM virtual machine. For my setup I'm using KVM on Debian in a box with 2 network interfaces, the first one being just a standard connection to the main LAN and the second doing tagged 802.1Q to the switch for the 4 remaining (and less used) VLANs. I then pass through the required VLAN specific interface to each virtual machine as required.

My main reasons for running a VLAN are:

  1. To put my CCTV cameras on a separate network with no internet access, primarily because I don't 100% trust cameras bought off AliExpress (even though they're Hikvision)
  2. Banish my guests to a separate network; I have 2 access points (Asus routers running TomatoUSB that support VLANs)
  3. My eldest is starting to get to an age where she can use the internet and I want to keep it locked down for the moment



1664 posts

Uber Geek
+1 received by user: 188

Subscriber

  Reply # 1605693 6-Aug-2016 22:55

Thanks for that @meesham - that is a much more cost effective option. I had actually come across that switch in some of my earlier searching, so great to hear it is doing the job for you. I have no need for POE at the moment; my UAPs have injectors which I am happy to continue using. So something like this could well be the way to go.

I am really not sure how I will configure Proxmox - I am using OpenVZ containers - but I am sure I will be able to figure it all out (with a little help from Google).

Your reasons very much mirror my own, along with the desire to put all my home automation devices on a separate/isolated network as well.

Thanks again for your feedback.


240 posts

Master Geek
+1 received by user: 18


  Reply # 1605694 6-Aug-2016 22:59

SumnerBoy:

Anyone else got any views or opinions on the best option for a 24 port managed switch? Is spending the money on an EdgeSwitch/UnifiSwitch worth it? And is there a reason to go for the Edge v Unifi (considering I already have the Unifi Controller running on my LAN managing my UAPs)?

Cheers!

I'm looking at access points and a router and I see Computer Lounge has 10% off Ubiquiti network gear this weekend, code: UBIO508.




172 posts

Master Geek
+1 received by user: 53


  Reply # 1605698 6-Aug-2016 23:07
One person supports this post

It's UBI0508 :)


240 posts

Master Geek
+1 received by user: 18


  Reply # 1605699 6-Aug-2016 23:07

SumnerBoy:

Thanks @blanch! Just tried that code on a *Ubiquiti EdgeSwitch Lite Managed 24-Port Gigabit Switch* but the code was invalid. Have you had it working?

I can't tell the difference between O and 0

 

 

 

 


240 posts

Master Geek
+1 received by user: 18


  Reply # 1605700 6-Aug-2016 23:09

Blanch:

SumnerBoy:

Thanks @blanch! Just tried that code on a *Ubiquiti EdgeSwitch Lite Managed 24-Port Gigabit Switch* but the code was invalid. Have you had it working?

I can't tell the difference between O and 0

Was meant to also include this

 

 

 




1664 posts

Uber Geek
+1 received by user: 188

Subscriber

  Reply # 1605706 6-Aug-2016 23:37

The corrected code is being recognised, but no discount is being applied to my order of 1 x Ubiquiti EdgeSwitch Lite. Anyone actually had any success with that code?!


240 posts

Master Geek
+1 received by user: 18


  Reply # 1605708 6-Aug-2016 23:45

SumnerBoy:

The corrected code is being recognised, but no discount is being applied to my order of 1 x Ubiquiti EdgeSwitch Lite. Anyone actually had any success with that code?!

That's not good, I was looking at buying an access point and router (still trying to decide).

Don't know if this helps, but I have been watching a few of this guy's videos on YouTube: https://youtu.be/m_HSjK60Pfc


240 posts

Master Geek
+1 received by user: 18


  Reply # 1605712 6-Aug-2016 23:54

Blanch:

SumnerBoy:

The corrected code is being recognised, but no discount is being applied to my order of 1 x Ubiquiti EdgeSwitch Lite. Anyone actually had any success with that code?!

That's not good, I was looking at buying an access point and router (still trying to decide).

Don't know if this helps, but I have been watching a few of this guy's videos on YouTube: https://youtu.be/m_HSjK60Pfc

Sorry, just read the fine print. Looks like I don't need to rush; the routers I'm looking at are "In-Stock at Supplier":

- All Specials and Coupon Codes apply to In-Stock items only. Does not apply to In-Stock at Supplier, Pre-Order or Special Order items.
- No Bulk Orders, Trade or Rain Checks.
- Coupon Codes cannot be used on Special Orders, Price Matched Items, Gift Vouchers, Combos, Clearance Stock or items already on special.
- Coupon Codes and Reward Points cannot be used at the same time on an order.
- Coupon Codes can only be used once.
- Reward Points will not be earned on Special Orders, Price Matched items, Gift Vouchers, Combos, Clearance Stock or when using a Coupon Code.
- Reward Points cannot be used on Special Orders, Price Matched items or Gift Vouchers or Clearance Stock.

 


 

 

 

 




1664 posts

Uber Geek
+1 received by user: 188

Subscriber

  Reply # 1605714 7-Aug-2016 00:08

Gotcha - my switch is only *In-Stock at Supplier* - bugger!

GoWifi have them for about $415 delivered and have them in stock.

Watched that video - looks like a pretty comprehensive UI with 1000 more options than I will ever need!

Think I might be getting close - $415 is a bit nearer to what I was hoping to spend...

