
The Really Big, Really Stupid Goal


(This post was on my WordPress site, which I didn’t do a lot with; that’s why the date is from before this site was actually live. I also haven’t done this yet, so it makes sense to me to carry it over.)

I am planning a network overhaul. It’s been 4 years and I think I’m due. I’m going to build something that’s so secure I will probably lock myself out of it and will need to infect myself with ransomware to get me a backup of my own stuff.

I’m going to lay it all out here. In theory, as I build out each part, I’ll make a dedicated post about it and link to it from here. But don’t hold me to that, I have the attention span of … what was I talking about. Nevermind.

So the plan is 6 VLANs.

  • Main VLAN (/24) - my daily-use stuff: Home Assistant, NAS, etc.
  • Guest VLAN (/24) - hahaha, like I have guests. But maybe one day.
  • Work VLAN (/24) - there’s no way I’m letting all the ‘security tooling’ that comes on a corp laptop explore my home network.
  • IoT VLAN (/17) - I don’t have that much IoT stuff, but I want to make logical groupings based on device type and location.
  • Space VLAN (/22) - I took Tim Fowler’s class and so now I have delusions of building a VLAN for a Space Hacking Lab.
  • Quarantine VLAN (/24) - Yeah, this is the weird one. You connect here first, and then if you pass the vibe check, you get promoted to whichever VLAN you belong on.

So that means we need RADIUS and NAC (told you I was gonna lock myself out). PacketFence is looking like the leading contender, but I’m fickle, and who knows what I’ll stumble across while searching the internet.

I’ll probably also use something like NetBox and Snipe-IT to pretend I’m keeping track of my configurations.

But wait, it gets dumber. I’m going full Ubiquiti, but not using one of the Dream Machines, so I don’t have a built-in Cloud Key. So that means I either need a computer up and running to host the software, or I need a Cloud Key. But I don’t have a network to run the computer that will host the software on. So before I ouroboros myself with the UniFi version of chicken-and-egg: I think there’s an option where I can set up for ‘someone else’, so I think that means I can get the router up, get the Docker host up, and then install the management software and take ownership of the router without having to nuke from orbit. Everything else on my current network is Ubiquiti; just the router is pfSense on custom hardware. I’ll probably convert the router into Wazuh, or maybe SOARCA, since I will have Space stuff on here too. Maybe.

Now that Tailscale has launched Services, I think I am going to misuse that to replace a reverse proxy.

Once (or, more accurately, IF) I get all that working, then I want a DNS ad-blocking thing. Followed by:

  • Nextcloud to pull in all my mail/calendars/cloud storage, and to cheat on Obsidian syncing.
  • Immich for photo management
  • Mealie for recipe tracking
  • something for groceries that works with Irish grocery sites
  • calibre for my ebook collection
  • Audiobookshelf for that stuff
  • some kind of LLM/AI host
  • n8n for weird automation experiments
  • Plex/Jellyfin/some kind of media streaming thing
  • someplace for Time Machine and Windows backups,
  • and a cartridge in a bare tree. (Sing that last part to the tune of the 12 Days of Christmas; it’s a throwback to a novelty souvenir I got when I was on vacation as a teenager. Maybe someday I’ll figure out how to add photos to this blog thing.)

Of course I’m also going to want SSO, and I’m leaning towards using Tailscale’s tsidp. I’m sure it’s robust, and that I’m smart enough to deploy it. (If I never post on here again, it might be because I wasn’t smart enough… or because I got distracted.) I could do this earlier in the build, but then when I inevitably f’ it up, I won’t have backup authentication, so having it show up this deep in is a design decision and not more evidence of my disorganized thought process. Trying to tie it into the Space VLAN should be incredibly exciting.

Well, you made it this far. Leave a comment or check back to see if I actually document any of my attempts to build this ridiculous network. Assuming I actually have comments enabled. If I don’t, it’s not because I’m afraid of comments, just that I’m too dumb to turn them on. (Remember, this post is from the old WordPress site, but this runs on Hugo, which is static, so I don’t think comments are possible.) Huh, I guess giscus does work; just remember to set showComments to true after you set up giscus. (And actually commit the changes to git before you push the update.)