
Home lab networking advice

Hi All,
 

I’m setting up my first home lab and am looking for advice on best practices and input on my current networking plan. Any inputs are much appreciated!
 

See the attached diagram for an overview of my proposed network setup:
 

I am thinking that I’d like to keep my current router/modem from my ISP. It is doing a good job of providing wifi coverage to the house and many family member devices already use it that I don’t want to have to reconfigure. Particularly, I like the idea that if I break something in my home lab there will still be this ISP device in place to provide internet access to the rest of the family.


In that case, I am thinking of connecting my own router to the ISP router and using that to manage my home lab. Currently I am thinking of using a mini PC (will need to buy a network card for it I guess to get a second ethernet port for WAN and LAN) running OPNSense.
 

I would like to be able to remotely access my homelab devices via a VPN. I would also like to access them from home from my work laptop and phone, and work station PC. The laptop and phone could be connected to the home lab network via a dedicated wifi access point just for those devices (I am thinking of getting a Ruckus R720). I have a wired connection between my work station PC and the ISP router which are in different rooms, and the server gear is in a third room. So I don’t want to run additional ethernet cables between rooms and am hoping to use the current setup. Where possible I would like to use multiple VLANs as an added layer of isolation and security.
 

My understanding is that I can achieve this by putting this second router in the DMZ of my ISP router then using the second router to manage all firewall setup, VPN access, etc.

Does this approach make sense or will I run into fundamental problems? Is double NAT going to be a problem here, and if so are there good ways to overcome this?
 

Any suggestions or alternative approaches would be very helpful, thanks for your time!


Here's my take on this network. Similar approach to yours, but less interconnectivity between different segments of the network, in following with the best practices of POLP and general well-architected models. Note that both the ISP and OPNSense are single points of failure, but without additional hardware it would be impractical to solve that issue. If you plan to authenticate remotely, there should be an AAA Server somewhere in this plan, otherwise any configuration you apply to allow remote access to administrative services and hardware could be easily compromised. Let me know if you have questions!


Bachelor of Science, Cybersecurity & Networking

AWS CCP | AWS CSA | CCNA | CEH Pro


Here's how I'd infiltrate your network as you had it. The fact that you had your phone and laptop positioned as a critical pivot point for threat actors essentially means that the OPNSense is useless, it may as well not be there. The OPNSense works because it is supposed to be the ONLY way in/out of that part of the network. The path that I show in the diagram has only the ISP security and whatever little security the R720 has on it, neither is going to stop a threat actor if they've already determined they can circumnavigate your firewall.


Thanks Binbash for taking the time to go through this so carefully, much appreciated! I am very new to networking and so I probably have a bunch of misconceptions, please double check if what I am saying sounds wrong because it probably is... I am keen to learn though, but want to do so in a safe way given the significant risks involved and am very open to your advice. 

 

13 hours ago, BINBASH said:

Note that both the ISP and OPNSense are single points of failure, but without additional hardware it would be impractical to solve that issue.

 

You note that the ISP router and OPNSense router are single points of failure, but additional hardware may overcome this. Is this worth pursuing, or prohibitively complex/expensive for this application? 

 

 

13 hours ago, BINBASH said:

If you plan to authenticate remotely, there should be an AAA Server somewhere in this plan, otherwise any configuration you apply to allow remote access to administrative services and hardware could be easily compromised. Let me know if you have questions!

Can you elaborate on what you mean by remote authentication? Is this in regards to remote VPN access? I have not considered the details of this yet but am hoping that some software can be run on a home lab machine eg. Wireguard/Tailscale and then combine this with protocols like multi factor authentication for added security. I have not come across the AAA server term before, but will look into this. 

 

11 hours ago, BINBASH said:

Here's how I'd infiltrate your network as you had it.


I was not aware of the pineapple device, but it looks like an interesting threat to be aware of. This vulnerability you have highlighted was certainly something I was not sure about in my plan. I will go back to stating my goals in the hopes we can work out a better approach:

 

1. I use my personal devices (laptop and phone) for personal and work purposes. For personal internet browsing I expect I am at a higher risk of attack (eg. accidental malware download or whatever) and so was thinking to limit my personal usage to when I am on the wifi network provided by the ISP and not have a direct connection to the more secure home lab network whilst doing this. Whenever I want to manage the home lab network, I would then switch to the link via the Lab Wifi which my intention was to be protected by the OPNSense router and secured. 

 

2. Since my ISP router does not allow VLAN setup, I figured I would have to use my dedicated WIFI access point via the lab switch to limit the network access to just devices on the lab Wifi network/VLAN to get this safety. I intended to use rules that allow the Admin VLAN to access the Lab VLAN at this stage. 

 

3. As I said, this part is not clear in my understanding and I think you have already pointed out its flaws eg. such a setup can directly bypass the OPNSense router which I had not realised. 

 

The main difference that I see in your proposed solution is that my personal admin devices no longer connect to the lab devices via wifi. Is the intention instead for them to communicate via wired connections from the managed switch? This poses a logistical challenge in that I mostly use my personal devices (Laptop, phone, and workstation) in the Work Room which only has an ethernet link to the ISP router in the Common Room. Also, neither the laptop nor the phone have an ethernet port so I would need some form of adapter which I'd rather avoid. 

 

Can you explain further how your solution allows me to safely manage my lab devices from my personal devices whilst I'm at home? Or is it the case that even when at home I should be connecting to them via a secure VPN connection (presumably at the cost of latency?)? 

 

Thanks again for your great advice! 


It does not have to be a nuisance to remove the obstacle of SPOF (Single Points of Failure), we can remove this flaw with something as simple as an additional "mini-pc" as you've mentioned, with two links from the 7250 instead of one, one link would provide service as the default gateway and the other would act as a failover using VRRP (Virtual Route Redundancy Protocol) and would take over as the lab network's default gateway should the other machine fail for any reason. I should be clear that this is not a 'need-to-have' rather a 'nice-to-have' feature of your HomeLab. Also, the more I think about implementing VRRP with an ISP router the more I want to bang my head against a wall...so let's put a pin in that one.

 

Jumping to your question about authentication, what I'm referring to is an Authentication-Authorization-Accounting Server (AAA), this refers to either a RADIUS server (Remote Authentication Dial-In User Service) or a TACACS+ server (Terminal Access Controller Access-Control System Plus). I know, a mouthful. 

 

I want to be clear about something; never in a MILLION years would I choose to allow remote (offsite) access into my home network without either one or both of those two technologies protecting that access. I want to make sure you understand the danger you put yourself in by choosing a remote access solution, I have seen, heard and witnessed firsthand the danger, greed and filth of those who would LEAP at an opportunity to break into networks not properly configured, and this danger only grows by the day. I am fortunate, truly, to have found a career in cybersecurity but it has made me painfully aware that my job security is built on the backs of those less fortunate than I. I don't say this to scare you away from your plan, in fact the opposite. I love that the layman is beginning to show interest in the field I'm so deeply passionate about, and you are proof of that. The fact of the matter is that if you do this RIGHT, then you have little to fear, no less than you already do. I urge you to do some deep research and learning about AAA, RADIUS and TACACS+ before implementing remote access. 

I will link some articles here about AAA, Radius and TACACS+.

 

What Is TACACS? Understanding Network Protocols By WireX Systems

 

What Is AAA Security? | Fortinet

 

What Is the RADIUS Protocol? | Fortinet


Moving on to your question about the lab Wi-Fi, my decision to axe the lab Wi-Fi from my version of your network is purely because of those pivot points. Despite being only connected to one network at a time your devices still have network credentials logged and stored away. From my perspective that presents a security issue and a violation of the principle of least privilege (POLP). Admin devices should be contained to areas and networks where they are absolutely necessary, nowhere else. Let's pretend for a moment that I'm a threat actor attempting to break into your lab network. Using a device such as a Wi-Fi pineapple I've successfully gained a reverse shell onto your ISP router. YOU DO NOT WANT ME TO FIND DEVICES WITH CREDENTIALS TO YOUR PRIVILEGED LAB ENVIRONMENT. Any threat actor worth his weight in gold will eat. that. up. It's like a Venn diagram. Your phone and laptop sit in between the two circles and give me a way to jump from one end to the other, regardless of whether you're careful about what you do on which network. In my mind I picture a machine in your lab room (see Admin Devices *VLAN 30 on my revision of the network) that is the sole administrative machine for the whole of the lab network. When accessing the lab remotely, this is the machine you would be accessing initially. From here you could jump to other machines using RDP or SSH.


My mind is spinning with ideas so if you have any other questions, please let me know. Also, take into consideration that I am heavily biased as a Cybersecurity Engineer, my opinions are my own and you of course being free to your own devices (no pun intended) can choose or not choose to do any of these things.

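The "pivot point" argument in the two replies above can be checked mechanically. The following is an added example, not code from the thread or from any diagram in it: it models the original plan (laptop and phone holding credentials for both the ISP Wi-Fi and the lab Wi-Fi) and the revised plan (no lab Wi-Fi, a single admin machine on VLAN 30 behind OPNsense) as small graphs with constructed node names, and asks whether a compromised ISP-side segment can reach the lab servers without ever crossing OPNsense.

```python
# Added example (not from the thread): reachability model of the two home-lab designs.
# Node names are constructed; the thread's diagrams are only described in prose.
from collections import deque


def build_graph(edges):
    """Undirected adjacency lists, insertion-ordered so results are deterministic."""
    graph = {}
    for a, b in edges:
        graph.setdefault(a, [])
        graph.setdefault(b, [])
        if b not in graph[a]:
            graph[a].append(b)
        if a not in graph[b]:
            graph[b].append(a)
    return graph


def path_avoiding(graph, start, target, blocked):
    """Shortest path from start to target that never passes through a blocked node
    (the policy-enforcing chokepoint), or None if every path crosses the chokepoint."""
    if start in blocked or start not in graph:
        return None
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in graph.get(node, []):
            if nxt in blocked or nxt in parent:
                continue
            parent[nxt] = node
            queue.append(nxt)
    return None


# Original plan: laptop and phone keep credentials for both the ISP Wi-Fi and the
# lab Wi-Fi (the R720 hanging off the lab switch), so they belong to both segments.
ORIGINAL_PLAN = [
    ("isp_router", "isp_wifi"), ("isp_router", "opnsense"),
    ("isp_wifi", "laptop"), ("isp_wifi", "phone"),
    ("laptop", "lab_wifi"), ("phone", "lab_wifi"),
    ("lab_wifi", "lab_switch"), ("opnsense", "lab_switch"),
    ("lab_switch", "lab_servers"),
]

# Revised plan: no lab Wi-Fi; personal devices stay on the ISP side and a single
# admin machine (VLAN 30) lives behind OPNsense.
REVISED_PLAN = [
    ("isp_router", "isp_wifi"), ("isp_router", "opnsense"),
    ("isp_wifi", "laptop"), ("isp_wifi", "phone"),
    ("opnsense", "lab_switch"),
    ("lab_switch", "admin_vlan30"), ("lab_switch", "lab_servers"),
]


def firewall_bypass(plan, start="isp_wifi", target="lab_servers"):
    """Return a path from a compromised ISP-side segment into the lab that never
    crosses OPNsense, or None when the firewall is the only way in."""
    return path_avoiding(build_graph(plan), start, target, blocked={"opnsense"})


if __name__ == "__main__":
    print("original plan, firewall bypassed via:", firewall_bypass(ORIGINAL_PLAN))
    print("revised plan, firewall bypassed via: ", firewall_bypass(REVISED_PLAN))
```

In the original plan the only bypass runs through a dual-homed personal device; in the revised plan every path into the lab crosses OPNsense, which is exactly the property the reply asks for.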

Thanks for the detailed and very interesting response! It is really great to get direct feedback from someone with your expertise and experience. I hope together we can find a setup that I am able to implement that meets my goals with peace of mind! 

 

On 5/12/2024 at 4:17 PM, BINBASH said:

 

It does not have to be a nuisance to remove the obstacle of SPOF (Single Points of Failure), we can remove this flaw with something as simple as an additional "mini-pc" as you've mentioned, with two links from the 7250 instead of one, one link would provide service as the default gateway and the other would act as a failover using VRRP (Virtual Route Redundancy Protocol) and would take over as the lab network's default gateway should the other machine fail for any reason. I should be clear that this is not a 'need-to-have' rather a 'nice-to-have' feature of your HomeLab. Also, the more I think about implementing VRRP with an ISP router the more I want to bang my head against a wall...so let's put a pin in that one.

 

 

Yeah, the ISP router is probably a big non-ideal part of this setup.... All things considered though, it does tend to stay online so as you say it may not be the worst single point of failure problem at the moment. 

 

Do you think my motivations for keeping the ISP router are justified, or am I better off trying to remove it entirely? eg. I like the idea that whatever tinkering/breaking I do to my lab network, the ISP router can always give independent network access to other family members. Plus it is doing a good job of providing wifi to the house devices already and I don't want to have to set them all up again and manage them myself. Since nobody else will be doing anything complicated on the network (eg. requiring remote access, port forwarding, etc), it feels okay to me to rely on the ISP device and provided firewall for those devices. I also suspect that the ISP will prefer having their device on the edge of the network, particularly for troubleshooting and for changes to their infrastructure eg. when they roll out fiber to the home in the coming years.  

 

On 5/12/2024 at 4:17 PM, BINBASH said:

I want to be clear about something; never in a MILLION years would I choose to allow remote (offsite) access into my home network without either one or both of those two technologies protecting that access. I want to make sure you understand the danger you put yourself in by choosing a remote access solution, I have seen, heard and witnessed firsthand the danger, greed and filth of those who would LEAP at an opportunity to break into networks not properly configured, and this danger only grows by the day. I am fortunate, truly, to have found a career in cybersecurity but it has made me painfully aware that my job security is built on the backs of those less fortunate than I. I don't say this to scare you away from your plan, in fact the opposite. I love that the layman is beginning to show interest in the field I'm so deeply passionate about, and you are proof of that. The fact of the matter is that if you do this RIGHT, then you have little to fear, no less than you already do. I urge you to do some deep research and learning about AAA, RADIUS and TACACS+ before implementing remote access. 

 

I have a lot of respect for the risks involved in what I am trying to do. Unfortunately I have not studied this area extensively and come from a background of learning what I need to to complete my projects as I only have so much spare time. I am interested to learn and try and implement these setups, but I also worry that their complexity will be too much to manage alongside my other goals. 

 

Do you think there are sufficient guides and resources online for someone like myself to setup a secure and usable system? In the ideal case I would like to learn how they work on a basic level and then implement a robust setup following the instructions of others who know what they are doing and then it is just a matter of simple maintenance and updating on my end. If it becomes a lot more involved than that, I would worry that my limited spare time would be diverted from the projects themselves towards just maintaining this secure but complex network.  

 

 

On 5/12/2024 at 4:17 PM, BINBASH said:

I will link some articles here about AAA, Radius and TACACS+.

 

Thanks for the links explaining AAA, Radius and TACACS+! 

 

Am I correct in my understanding that AAA (eg. Radius or TACACS+) is of most use to systems that have many users with various levels of access requirements (eg. the Authorisation part)? In my case I would just need to Authenticate one user for accessing the network (myself) and would require complete Authorisation to manage all parts of the home lab. I do like the idea of Accounting, though in a practical sense since I'm the only one using it it is perhaps mostly of use for recording my work, rather than protection? 

 

For my case, I am wondering what advantages TACACS+ would provide over the authentication that can be provided eg. with the likes of Wireguard? This can be secured using passkeys and multi factor authentication as far as I can understand, which should be reasonably strong in its own right? 

 

Given that only I will be accessing this network, can I find additional security measures due to this? Eg. can I only allow my own devices to access (eg. based on MAC address) and with other identifying information unique only to myself? 

 

I am now wondering where to start with setting up these tools myself and what hardware is required. For example, I am now considering a more performant option: OPNsense DEC2752 for my OPNSense router/firewall. This should be capable of running IPDS which I am hoping will be a useful added layer of security, once I work out how to implement it. Does that sound reasonable to you? How many other dedicated devices will I need for such a setup? 
 

On 5/12/2024 at 4:17 PM, BINBASH said:

Moving on to your question about the lab Wi-Fi, my decision to axe the lab Wi-Fi from my version of your network is purely because of those pivot points. Despite being only connected to one network at a time your devices still have network credentials logged and stored away. From my perspective that presents a security issue and a violation of the principle of least privilege (POLP). Admin devices should be contained to areas and networks where they are absolutely necessary, nowhere else. Let's pretend for a moment that I'm a threat actor attempting to break into your lab network. Using a device such as a Wi-Fi pineapple I've successfully gained a reverse shell onto your ISP router. YOU DO NOT WANT ME TO FIND DEVICES WITH CREDENTIALS TO YOUR PRIVILEGED LAB ENVIRONMENT. Any threat actor worth his weight in gold will eat. that. up. It's like a Venn diagram. Your phone and laptop sit in between the two circles and give me a way to jump from one end to the other, regardless of whether you're careful about what you do on which network. In my mind I picture a machine in your lab room (see Admin Devices *VLAN 30 on my revision of the network) that is the sole administrative machine for the whole of the lab network. When accessing the lab remotely, this is the machine you would be accessing initially. From here you could jump to other machines using RDP or SSH.

 

Your approach does seem significantly more secure. My only concern is a matter of practical usability. My hope was to use my personal devices (phone, laptop, and workstation) as my direct human access to the homelab devices where I would run projects. It would be very inconvenient for me to have to go to the Server Room whenever I want to check on things, run new projects, or make edits to things. 

 

It seems like a classic balance between security and convenience. Are you aware of scenarios where I could still work from my preferred devices at home? Is it the case that even when I'm at home, I should be connecting via the VPN link in a secure way? This seems a bit crazy given I am actually physically at home and would surely incur some latency? But maybe that is a necessary evil in the name of assured security, which is very important to me?
 

On 5/12/2024 at 4:17 PM, BINBASH said:

My mind is spinning with ideas so if you have any other questions, please let me know. Also, take into consideration that I am heavily biased as a Cybersecurity Engineer, my opinions are my own and you of course being free to your own devices (no pun intended) can choose or not choose to do any of these things.

 

Thanks again for taking the time to help me with this! It is great to benefit from your expertise. It may be a bias, but I think it is a good one as it is very important to be careful with this stuff. In that sense, I am very willing to learn from your experience in this area. 
 

To your first point, the short answer is yes, you can absolutely keep your ISP router. At your current stage I see no need to replace it, doing so would only be more work for you and unless you had a specific piece of hardware that you wanted to replace it with there's no need at this time. It will provide adequate security & connectivity and best of all, NOT upgrading hardware is free! woo-hoo!

 

Your second point; don't let the complexity intimidate you. A lot of these concepts seem daunting at first but are conceptually not too difficult to grasp. Set aside some time every now and then to learn about them and with expert help you can definitely tackle a project like this. You're also correct in assuming that AAA is typically meant for teams larger than one, but the A in AAA that we're interested in is 'Authentication' as you've pointed out, which will tie into your question about practical usability (I'll touch on this further down in my reply). The other two A's 'Authorization / Accounting' are not quite as relevant in your situation. Any AAA/RADIUS implementation would solely focus on the authorization part of the AAA model, as you really have no current need for the rest, unless you like the idea of keeping logs and maybe storing them for posterity.

 

Side note: It slipped my mind that TACACS+ is indeed Cisco proprietary, meaning it is only available on their hardware, so you can focus your learning efforts on RADIUS.

 

If you want to get some hands-on practice with the ground level concepts of AAA or just networking in general, I recommend downloading Cisco Packet Tracer which is free after you make an account with Cisco Networking Academy (also, free). Packet Tracer is a network simulation tool I use very often for everything from brushing up on my CCNA skills to just shootin' the shit with random network devices. Sometimes I even use it to plan ahead for jobs to make sure I know that what I have in mind will work the way I want / need it to. It's a really well-rounded tool.

 

To your comment about allowing access based on MAC addresses; many routers have MAC filtering options so you could choose to go that route. I do like this idea; it adds another slice of security but I'm not familiar with all the configuration options that OPNSense offers so you may find that it's not there when you go to look for it, or maybe it will be, I have honestly no idea.

 

About the OPNSense 2752, I really couldn't have made a better recommendation myself. From a cost~value perspective it's a fantastic choice, I've heard nothing but good things from colleagues who've worked with the 2700 series from OPNSense. With that thing at the border of your lab network, you'll be in good shape. I wouldn't worry about additional hardware. Just hook it up to the 7250 the same way you would've with the mini-pc and you're golden. You can implement your IPSec VPN with the 2752 which greatly simplifies your plan for remote access.


I'll circle back to my point about the 'Authentication' in AAA. The way I would personally implement this with the VPN is as follows: You could allow through MAC filtering or other means, your personal devices to access the lab network (from home) but the traffic MUST FLOW through the OPNsense. While at home there is no need to connect to your VPN, only while working remotely would you need to do so. However, all access, whether remote or at home must first hit the AAA server before you're allowed to do anything to have you authenticated as who you say you are. This way no passwords to lab devices are stored locally.

 

In short:

 

At Home

-------------

OPNSense > AAA > Lab Access

 

Remote

-------------

VPN > OPNSense > AAA > Lab Access

 

If you need to use a password manager on your personal devices to store your AAA password, I highly recommend KeePass 2 by Dominik Reichl.

I think that this way of doing things balances your desire for both security and practicality.

 

I think that covered everything you asked, let me know if I missed something.
 

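The reply above puts a RADIUS server in front of every lab login ("OPNSense > AAA > Lab Access") and tells the OP to focus on RADIUS. As an added example that is not code from the thread, from OPNsense or from FreeRADIUS, the following implements the RFC 2865 Access-Request / Access-Accept exchange between a RADIUS client and server with constructed values: how the User-Password is hidden with the shared secret and Request Authenticator, how the client verifies that an Access-Accept really came from the server it shares a secret with, and why the strength of that shared secret is what the whole scheme rests on.

```python
# Added example (not from the thread, OPNsense or FreeRADIUS): RFC 2865 Access-Request
# and Access-Accept handling with constructed usernames, passwords and secrets.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the Request
    Authenticator. Nothing but the shared secret protects the password here."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * ((-len(password)) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of hide_password: same keystream, chained on the ciphertext blocks."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; the length byte counts its own 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(identifier, secret, username, password, nas_id, authenticator=None):
    """Client -> server. The Request Authenticator must be unpredictable (os.urandom);
    a caller may pass a fixed one only to make tests reproducible."""
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(ATTR_NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet: bytes):
    """Return (code, identifier, authenticator, {type: [values]}); raise on malformed input."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, identifier, packet[4:HEADER_LEN], attrs


def build_response(code, request, secret, attrs=b""):
    """Server -> client. Response Authenticator = MD5(header + RequestAuth + attrs + secret),
    so a reply is bound to the request it answers and to the shared secret."""
    _, identifier, req_auth, _ = parse_packet(request)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def verify_response(response, request, secret) -> bool:
    """Client check before trusting an Access-Accept: the identifier matches the
    outstanding request and the Response Authenticator recomputes with our secret."""
    code, identifier, resp_auth, _ = parse_packet(response)
    _, req_identifier, req_auth, _ = parse_packet(request)
    if identifier != req_identifier or code not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return False
    expected = hashlib.md5(response[:4] + req_auth + response[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)
```

Because both the password hiding and the response check are MD5 keyed only by the shared secret, a short or guessable secret between OPNsense and the RADIUS server undoes the protection; treat that secret like a password of its own.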

18 hours ago, BINBASH said:

To your first point, the short answer is yes, you can absolutely keep your ISP router. At your current stage I see no need to replace it, doing so would only be more work for you and unless you had a specific piece of hardware that you wanted to replace it with there's no need at this time. It will provide adequate security & connectivity and best of all, NOT upgrading hardware is free! woo-hoo!

 

Great to hear, I am a lot more comfortable with having it included! 

 

18 hours ago, BINBASH said:

Your second point; don't let the complexity intimidate you. A lot of these concepts seem daunting at first but are conceptually not too difficult to grasp. Set aside some time every now and then to learn about them and with expert help you can definitely tackle a project like this. You're also correct in assuming that AAA is typically meant for teams larger than one, but the A in AAA that we're interested in is 'Authentication' as you've pointed out, which will tie into your question about practical usability (I'll touch on this further down in my reply). The other two A's 'Authorization / Accounting' are not quite as relevant in your situation. Any AAA/RADIUS implementation would solely focus on the authorization part of the AAA model, as you really have no current need for the rest, unless you like the idea of keeping logs and maybe storing them for posterity.

 

Side note: It slipped my mind that TACACS+ is indeed Cisco proprietary, meaning it is only available on their hardware, so you can focus your learning efforts on RADIUS.


Also good to know! When you say expert help, do you mean consulting with someone such as yourself, or are there good resources online that are sufficient for learning this stuff to the level that I require? 

 

Noted Re: focussing on RADIUS! 

 

18 hours ago, BINBASH said:

If you want to get some hands-on practice with the ground level concepts of AAA or just networking in general, I recommend downloading Cisco Packet Tracer which is free after you make an account with Cisco Networking Academy (also, free). Packet Tracer is a network simulation tool I use very often for everything from brushing up on my CCNA skills to just shootin' the shit with random network devices. Sometimes I even use it to plan ahead for jobs to make sure I know that what I have in mind will work the way I want / need it to. It's a really well-rounded tool.

That sounds very useful, I will download that soon and give it a go! 

 

18 hours ago, BINBASH said:

To your comment about allowing access based on MAC addresses; many routers have MAC filtering options so you could choose to go that route. I do like this idea; it adds another slice of security but I'm not familiar with all the configuration options that OPNSense offers so you may find that it's not there when you go to look for it, or maybe it will be, I have honestly no idea.

I will investigate this! I have a mini PC at home already that I can set OPNSense up on and start playing around with, just on the local network without internet exposure. Will see what I can find.

 

This ties to another question I have actually. In working on my current network which has been used by all sorts of family devices, is there a good way for me to assess the integrity of this network? ie. To check if it has somehow already been compromised/attacked without me currently realising. I would hope not of course, but it would be great to have some peace of mind on this. Particularly as I start setting up more secure systems (it would be disappointing if I go to this effort and such devices would be compromised from the beginning somehow, just because the network itself has already been infiltrated...). 

 

18 hours ago, BINBASH said:

About the OPNSense 2752, I really couldn't have made a better recommendation myself. From a cost~value perspective it's a fantastic choice, I've heard nothing but good things from colleagues who've worked with the 2700 series from OPNSense. With that thing at the border of your lab network, you'll be in good shape. I wouldn't worry about additional hardware. Just hook it up to the 7250 the same way you would've with the mini-pc and you're golden. You can implement your IPSec VPN with the 2752 which greatly simplifies your plan for remote access.

 

Nice, I will proceed with acquisition of this device then! When you say I don't need additional hardware, are you suggesting that even the AAA can be run on this OPNSense device? I see that OPNsense supports freeRADIUS, so perhaps that is a nice all in one solution? Have you used freeRADIUS before and can recommend it?

 

On the topic of hardware, I am still wondering about potential problems from having two routers in this setup (ISP and OPNSense). Does this introduce a double NAT situation, and does this cause practical problems, or for my use case is it a non issue? 

 

18 hours ago, BINBASH said:

I'll circle back to my point about the 'Authentication' in AAA. The way I would personally implement this with the VPN is as follows: You could allow through MAC filtering or other means, your personal devices to access the lab network (from home) but the traffic MUST FLOW through the OPNsense. While at home there is no need to connect to your VPN, only while working remotely would you need to do so. However, all access, whether remote or at home must first hit the AAA server before you're allowed to do anything to have you authenticated as who you say you are. This way no passwords to lab devices are stored locally.

That does sound ideal! I am just wondering from a practical sense then, how do I make the connection from my wireless laptop and phone to the homelab, given that your advice is to remove the wifi access point from the arrangement? Is there some way of bringing this back in without pivot attacks? Or would I still need to somehow link these devices to a wired ethernet link (which is not so practical for my case)? 

 

18 hours ago, BINBASH said:

If you need to use a password manager on your personal devices to store your AAA password, I highly recommend KeePass 2 by Dominik Reichl.

I think that this way of doing things balances your desire for both security and practicality.

Both my laptop and phone are Apple products, so I would hope to continue using the Apple password manager for this setup. The biometric-protected passkey system they use seems quite nice to me. It would be great to make use of that also in this setup! 


On 5/14/2024 at 10:32 AM, techfan84 said:

Also good to know! When you say expert help, do you mean consulting with someone such as yourself, or are there good resources online that are sufficient for learning this stuff to the level that I require?

Either one is good, it depends on how comfortable you personally feel with the subject matter.

 

On 5/14/2024 at 10:32 AM, techfan84 said:

Nice, I will proceed with acquisition of this device then! When you say I don't need additional hardware, are you suggesting that even the AAA can be run on this OPNSense device? I see that OPNsense supports freeRADIUS, so perhaps that is a nice all in one solution? Have you used freeRADIUS before and can recommend it?

You could do it either way, with a dedicated AAA server or with the freeRADIUS that OPNSense has onboard. However, if you had a dedicated AAA server, I'd probably recommend freeRADIUS anyways so maybe just kill two birds with one stone and do it on the OPNSense.

On 5/14/2024 at 10:32 AM, techfan84 said:

On the topic of hardware, I am still wondering about potential problems from having two routers in this setup (ISP and OPNSense). Does this introduce a double NAT situation, and does this cause practical problems, or for my use case is it a non issue? 

You will need to place one of the routers into bridging mode. From a practicality standpoint it would be your ISP router that gets placed in bridging mode, which may require a phone call to your ISP. From a security standpoint I'd have to take a closer look to determine which router being put in bridging mode would be more secure for both networks. I don't work with consumer grade ISP routers very often, thus I can't tell you with much confidence how they behave in bridging mode.


On 5/14/2024 at 10:32 AM, techfan84 said:

That does sound ideal! I am just wondering from a practical sense then, how do I make the connection from my wireless laptop and phone to the homelab, given that your advice is to remove the wifi access point from the arrangement? Is there some way of bringing this back in without pivot attacks? Or would I still need to somehow link these devices to a wired ethernet link (which is not so practical for my case)?

Your personal devices would send traffic to your default gateway (your ISP router) then the router would direct the traffic to the OPNSense. Doing this removes the pivot because now the OPNSense can't be as easily bypassed, it is now directly handling all traffic in/out of the lab. It's not foolproof but it's much better than the other option. 

On 5/14/2024 at 10:32 AM, techfan84 said:

Both my laptop and phone are Apple products, so I would hope to continue using the Apple password manager for this setup. The biometric-protected passkey system they use seems quite nice to me. It would be great to make use of that also in this setup! 

Whatever works best for you!

Bachelor of Science, Cybersecurity & Networking

AWS CCP | AWS CSA | CCNA | CEH Pro


On 5/14/2024 at 10:32 AM, techfan84 said:

This ties to another question I have actually. In working on my current network which has been used by all sorts of family devices, is there a good way for me to assess the integrity of this network? i.e. to check if it has somehow already been compromised/attacked without me currently realising. I would hope not of course, but it would be great to have some peace of mind on this. Particularly as I start setting up more secure systems (it would be disappointing if I go to this effort and such devices would be compromised from the beginning somehow, just because the network itself has already been infiltrated...).

Forgot to address this, the short answer is: you'd have to hire someone in the cyber field such as myself (Cybersecurity Engineer or a Malware Analyst / Security Architect) if you want a 100% accurate answer to that question. There are plenty of tools you can find with a quick Google search but a lot of them are paid services and enterprise packages etc. Not really worth the pound of flesh they'd have you pay, at least not for a one-man-show like yourself. The process of doing what you're asking is a very good practice, so props for thinking along those lines, but it is also very resource intensive and time consuming (and wallet draining); completely up to you if you want to go down that road.


10 hours ago, BINBASH said:

You could do it either way, with a dedicated AAA server or with the freeRADIUS that OPNSense has onboard. However, if you had a dedicated AAA server, I'd probably recommend freeRADIUS anyways so maybe just kill two birds with one stone and do it on the OPNSense.

Combining them into one device sounds good to me. I do like the idea of modularity and allowing dedicated resources for critical things in general. But my impression is that this specific piece of hardware should be very capable and hence I would expect it to be fine to handle this task along with its others. Reducing ongoing power costs from fewer devices is always a nice thing. 


10 hours ago, BINBASH said:

You will need to place one of the routers into bridging mode. From a practicality standpoint it would be your ISP router that gets placed in bridging mode, which may require a phone call to your ISP. From a security standpoint I'd have to take a closer look to determine which router being put in bridging mode would be more secure for both networks. I don't work with consumer grade ISP routers very often, thus I can't tell you with much confidence how they behave in bridging mode.


This is something I have been trying to make sense of for a while. My ISP router does seem to support bridging mode, but in my understanding if I do this then it will lose much of its capabilities, e.g. it would no longer provide wifi access points, manage firewall and network access to my family devices that connect to it, and so on. This defeats one of the core goals of this setup in my eyes. Or am I misinterpreting this?


I have also heard an option to avoid this would be to put my OPNSense router/firewall in the DMZ of the ISP router. What are your thoughts on such an approach? 


Alternatively, this 'double NAT' issue may not be something worth being concerned about anyway in my setup? It is not clear to me exactly what troubles it would cause.


10 hours ago, BINBASH said:

Your personal devices would send traffic to your default gateway (your ISP router) then the router would direct the traffic to the OPNSense. Doing this removes the pivot because now the OPNSense can't be as easily bypassed, it is now directly handling all traffic in/out of the lab. It's not foolproof but it's much better than the other option. 

Gotcha! I had initially felt a bit cautious about sharing a network (the ISP family wifi network) with devices that I cannot guarantee the integrity of, but I can see that this is a lesser concern than the previous pivot setup. My ISP router supports the creation of a guest wifi network. Would there be a security benefit to using this for only my trusted devices, perhaps providing an added layer of isolation? 


10 hours ago, BINBASH said:

Forgot to address this, the short answer is: you'd have to hire someone in the cyber field such as myself (Cybersecurity Engineer or a Malware Analyst / Security Architect) if you want a 100% accurate answer to that question. There are plenty of tools you can find with a quick Google search but a lot of them are paid services and enterprise packages etc. Not really worth the pound of flesh they'd have you pay, at least not for a one-man-show like yourself. The process of doing what you're asking is a very good practice, so props for thinking along those lines, but it is also very resource intensive and time consuming (and wallet draining); completely up to you if you want to go down that road.

I was worried/expecting that might be the answer... tricky stuff! I wonder if there are at least a few especially good value/trusted tools that I can run to check now (and ideally in an automated ongoing way) for signs of intrusion/compromise to the network, without breaking the bank by going after everything? e.g. a tool that can check for more obvious things that I am just not already doing/aware of.


I would hope that the IDPS of the OPNSense is a step towards this, though I still need to learn exactly what this does. I expect this is only one small aspect of the suite of tools that would be ideal to have running.


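The bridging / DMZ / double-NAT question above comes down to how many NAT layers sit between the internet and the lab, and which routers must forward the inbound VPN port. The following added example (not code from the thread or from OPNsense) walks a constructed chain of router WAN addresses and reports that; the router names and addresses are assumptions, and the 203.0.113.0/24 address is documentation space standing in for a real public IP.

```python
import ipaddress

# Address space that tells you something upstream is translating for you:
# RFC 1918 private ranges plus the RFC 6598 carrier-grade NAT range.
_TRANSLATED_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),
]


def is_translated(addr: str) -> bool:
    """True if addr is private or CGNAT space, i.e. a NAT layer sits in front of it."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in _TRANSLATED_RANGES)


def analyse_path(hops):
    """hops: list of (router name, WAN address, does_nat) from the ISP-facing
    router inward to the lab firewall. A router in bridging mode has does_nat=False.

    Returns the total NAT layers in front of the lab, the routers that must each
    forward the inbound VPN port (the ISP router's "DMZ host" setting is one such
    forward), and whether the ISP itself is doing CGNAT, which cannot be forwarded
    through from your side at all."""
    if not hops:
        raise ValueError("need at least one router")
    for (prev_name, _, prev_nat), (name, wan, _) in zip(hops, hops[1:]):
        # If the upstream router translates, the next WAN address must be private.
        if prev_nat and not is_translated(wan):
            raise ValueError(f"{name} has a public WAN but sits behind NAT on {prev_name}")
    isp_cgnat = is_translated(hops[0][1])
    forwards = [name for name, _, does_nat in hops if does_nat]
    return {
        "nat_layers": len(forwards) + (1 if isp_cgnat else 0),
        "port_forwards_needed": forwards,
        "isp_cgnat": isp_cgnat,
    }


if __name__ == "__main__":
    # Constructed scenario from the thread: ISP router kept as-is, OPNsense behind it.
    print(analyse_path([("isp-router", "203.0.113.7", True),
                        ("opnsense", "192.168.1.50", True)]))
```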
