Network layout showoff

[jagdtigger]

Just basic stuff:

• good firewall (pfsense in my case)
• use VLAN's to segregate devices that need it(security cameras, windows machines etc)
• forget vnc and rdp
• use a password manager with 2fa instead of reusing passwords
• ssh set to key auth only
• dont use admin accounts for accessing shares
• enable auto updates (except windows, it mostly does more harm than good)
• isolate publicly exposed services onto their own VLAN, all of them is virtualized and backed up regurarly.
• made sure i have at least 2 copies of important files locally and one remote backup (encrypted client side so the remote location has no idea whats inside my backups)

[charlie_root]

[Ryois]

Recently sorta redid my network. This network has been added on starting around 2017 with my Ubiquiti Edgerouter-X and then going from there...Now in 2020 I'm using this for learning for certifications and career. I'm currently still in high school, so this lab is a nice way to learn enterprise networking and such.

There is usually 55 wired devices according to UniFi, and usually 29 wireless devices.

Network Components 

• "Core Switch" - Ubiquiti Networks UniFi US-48
• "Access Switch" - Cisco Catalyst 2960S-48LPS-L
• "Hallway AP" - Ubiquiti Networks UniFi UAP-AC-Pro
• "Garage AP" - Ubiquiti Networks UniFi UAP-AC-Lite
• "Porch AP" - Ubiquiti Networks UniFi UAP-AC-M
• "Living Room Switch" - Ubiquiti Networks UniFi US-8-60W

VLANs

• 666 - Management VLAN 10.0.0.0/24
• 10 - VMs VLAN 10.0.10.0/24
• 20 - Home VLAN 10.0.20.0/24
• 30 - IoT VLAN 10.0.30.0/24
• 40 - Guest VLAN 10.0.30.0/24
• 69 - ONT VLAN
• 200 - DMZ 172.16.0.0/24

Wireless - UniFi handles wireless, the main SSID "Skynet" is WPA2-Enterprise using Active Directory from my domain controllers on VLAN 20, "Skynet IoT" is normal WPA2-PSK for IoT devices on VLAN 30, "Skynet Guest" is using VLAN 40 with UniFi captive portal.

Router - My pfSense router is virtualized on ESXi-03, it has three virtual interfaces, VLAN 69 WAN twice and one trunked interface for VLANs. DHCP is also handled by pfSense.

Virtualization/Servers - All servers boot from a USB 3.0 flash drive running ESXi 6.7u3

• R620 ESXi-01 - Dual Xeon E5-2560s, 64GB of DDR3 ECC RAM, 3x600GB HDD 10K RPM, 1TB ADATA SX8200 Pro (before the controller swap) 
• ESXi-02 - Old gaming laptop I had, Core i7 6700HQ, 24GB of DDR4 RAM, 1TB HDD 7.2K RPM, 512GB Samsung OEM NVMe
• ESXi-03 - Dell Inspiron, Core i5 4460, 8GB of DDR3 RAM, 1TB 7.2K RPM.

VMs (Oh my god so many, I should consolidate some)

HOST: ESXi-01

• Domain Controller #1  - Windows Server 2019
• vCenter
• DNS1 - Ubuntu Server 20.04 LTS Pi Hole (DNS2 is backed up on a RPi 3 for failover)
• GitLab - Ubuntu Server 20.04 LTS
• Docker - Ubuntu Server 20.04 LTS
• Home Assistant - HassOS
• NGINX Proxy - Ubuntu Server 20.04 LTS
• Observium - Ubuntu Server 20.04 LTS
• Pterodactyl - Ubuntu Server 20.04 LTS
• UniFi Controller - Ubuntu Server 20.04 LTS
• WireGuard - Ubuntu Server 20.04 LTS
• Database Server - Ubuntu Server 20.04 LTS
• NGINX + PHP Web hosting - Ubuntu Server 20.04 LTS
• ShareX Image Hosting - Ubuntu Server 20.04 LTS
• Utility VM - Debian 10 
• School Projects VM - Ubuntu Server 20.04 LTS

HOST: ESXi-02 

• Domain Controller #2 - Windows Server 2019
• Rocketchat - Ubuntu Server 20.04 LTS
• UNMS (UISP Ubiquiti management) - Ubuntu Server 20.04 LTS
• Wiki.JS - Ubuntu Server 20.04 LTS
• Invidious - Ubuntu Server 20.04 LTS

HOST: ESXi-03

• pfSense Router

I only included basic wired networking in the diagram. No wireless devices are shown and there are additional wired devices on the network.

Edited December 8, 2020 by Ryois
Clarified DNS and DHCP

[camieabz]

Simplicity

 

[Sir Asvald]

On 1/28/2021 at 4:49 PM, camieabz said:

Simplicity

 

 

Image not showing up. 

[camieabz]

It's fine here.

[brwainer]

3 hours ago, Sir Asvald said:

Image not showing up. 

Image shows up for me.

[Sir Asvald]

43 minutes ago, camieabz said:

It's fine here.

 

11 minutes ago, brwainer said:

Image shows up for me.

 

Spoiler

 

website cannot be reached for me..

 

[Lurick]

20 minutes ago, Sir Asvald said:

 

 

  Reveal hidden contents

 

website cannot be reached for me..

 

Same here, I get a Strict HTTP (HSTS) issue.

[Wait_____u_____what]

Thought I'd add mine to the mix!

[RicenShine]

Noob: why is there so many DNS? Isn't one enough?

[brwainer]

4 hours ago, RicenShine said:

Noob: why is there so many DNS? Isn't one enough?

The tone/meaning of this question is unclear. Was this a rhetorical question, presented from the perspective of a noob, as an inside joke for people who know the answer? Or is this a serious question that you are asking as a noob?

[RicenShine]

52 minutes ago, brwainer said:

The tone/meaning of this question is unclear. Was this a rhetorical question, presented from the perspective of a noob, as an inside joke for people who know the answer? Or is this a serious question that you are asking as a noob?

Serious question from noob

[brwainer]

1 hour ago, RicenShine said:

Serious question from noob

If you only have one DNS and it goes down, then the computers using it are effectively offline completely. So inside a private network you should always run two DNS servers - and if Active Directory or similar is being used, you want more than one domain server anyway, because like backups “two is one and one is none”.

 

Outside of a private network, or even for some very large companies, a specific DNS IP, like 8.8.8.8 for Google, doesn’t actually go to a single server but rather to dozens or hundreds or thousands of servers across the globe, using a method called Anycast. This is partially for redundancy purposes, but also to decrease latency to the user and to spread out the load and traffic amongst many datacenters. But even then they’ll have a second IP, like 8.8.4.4 for Google, that goes to a completely separate set of servers. If soemthing happens to the nearest server for the primary IP, the network won’t realize this quickly, and will keep sending your traffic to it, so having the second IP going to a different server keeps you the user un-impacted.

 

DNS is profoundly important. When there’s a DNS issue, to most users its the same as their ISP having a complete outage.

[RicenShine]

On 4/6/2021 at 10:17 PM, brwainer said:

If you only have one DNS and it goes down, then the computers using it are effectively offline completely. So inside a private network you should always run two DNS servers - and if Active Directory or similar is being used, you want more than one domain server anyway, because like backups “two is one and one is none”.

 

Outside of a private network, or even for some very large companies, a specific DNS IP, like 8.8.8.8 for Google, doesn’t actually go to a single server but rather to dozens or hundreds or thousands of servers across the globe, using a method called Anycast. This is partially for redundancy purposes, but also to decrease latency to the user and to spread out the load and traffic amongst many datacenters. But even then they’ll have a second IP, like 8.8.4.4 for Google, that goes to a completely separate set of servers. If soemthing happens to the nearest server for the primary IP, the network won’t realize this quickly, and will keep sending your traffic to it, so having the second IP going to a different server keeps you the user un-impacted.

 

DNS is profoundly important. When there’s a DNS issue, to most users its the same as their ISP having a complete outage.

I thought that DNS was something I have to register with cloudflare/google or a known DNS provider needs to be done. Not that I have to host my own DNS.

I actually thought the DNS was for pihole blocker type something, but this was informative thanks!

[brwainer]

7 hours ago, RicenShine said:

I thought that DNS was something I have to register with cloudflare/google or a known DNS provider needs to be done. Not that I have to host my own DNS.

I actually thought the DNS was for pihole blocker type something, but this was informative thanks!

If you want to have your own domain, and point that at some place, then yes you need to have some DNS server somewhere be “authoritative” for your domain, meaning it is the one true source of information. And again, frequently there will be two-four. This can be provided by the company you buy the domain from, or it can be someone else, or you can even host it yourself.

 

The reason to host local DNS for your internal clients to use for lookups is either because you want to have internal/private domain names (servers within a company or a house), you want to filter the DNS responses, or you want the slight privacy improvement and bandwidth reduction of having just one device in your network making the actual DNS lookups on behalf of all the others and caching the results.

[RicenShine]

On 4/11/2021 at 5:05 AM, Grumpy Old Man said:

Almost everything is already except I need two NUC11

 

That cat fight is painful...  >_<

[Chris Hasinski]

Here is mine, just the wired part, wireless is kinda pointless as it is just a list of devices I own.  I could use some recommendations for a good 10Gbit network card   Already got one.

[BananaBoat]

No subscription services for me or my friends & family >_>

[brwainer]

3 hours ago, BananaBoat said:

No subscription services for me or my friends & family >_>

That's a nice service flow diagram, but this thread is more about the physical and internetworking side. Router, switch(es), AP(s), where the ISP and server connect into; is it all 1Gb? Any 10Gb? Using any non-ethernet connection methods (powerline, MoCA)?

[RaddyKewl]

I don't think mine is quite as elaborate as everyone else's. Also don't have any redundancy for if a point fails... though I'm not running anything too mission critical that I can't just run to a store and pickup a new switch.

 

Not pictured are the wireless devices.

The Bedroom access point has a bathroom heater, air purifier and an Amazon Echo Show.

I also have a Macbook, iPhone, iPad, and Windoze laptop which connect to either access point, depending where I'm at in the house.

 

[jec6613]

Here's my current network - end devices not shown because it starts becoming too cluttered and such, but here's a quick rundown of the networking gear:

• Netgear M5300-28GF3 Layer 3 Core

45U 2-Post rack for networking and HA equipment:

• Netgear M4300-28G-PoE connected to patch panel
• Netgear M4100-26G connected to patch panel
• Netgear WC7600v2
• Netgear M4100-D12G connected to the various HA devices in the rack

45U 2-Post rack for AV equipment:

• Netgear M4100-26G for devices in that rack

25U 4-post rack for servers:

• Two stacked Netgear M4300-12X12F for primary server connectivity
• Netgear M4100-26G for OOBM and as a secondary cluster communication switch

Garage:

• Netgear M4100-D12G-PoE for cameras

Access points:

• Two WAC720 for garage and basement
• Three WAC730 for main house coverage

Gateway:

• Cisco RV340

 

[n0x103]

Started expanding my home network during the pandemic and got a little carried away with vlans. need to prune it a bit...

 

 

 

 

[misterpumpy]

ISP: Frontier Fiber 500/500
ONT: Motorola ONT1000GJ2
Router(s): ASUS ZenWifi AX1200 XD4 Mesh Network *I have three, but only two are needed in our current apartment
Switch: TP-Link TL-SG108 unmanaged Gigabit switch

I have both primary computers in the apartment connected to the switch, as well as my NAS, the other mesh node for ethernet backhaul, our Apple TV, and our Philips Hue Bridge. 

Our other devices utilize the wifi from either of the mesh devices depending on where we are in the apartment. 

 

Potential upgrades: In our next apartment we are looking to possible upgrade our system to a multigig infrastructure, so 2.5g wan and lan on routing, switching, etc. Primarily for the home network, as I am pretty sure we will only go up to Gig fiber speeds from the ISP side (we just do not have a functional usecase for more at the moment). 

 

I've been looking into Ubiquiti or TP Link Omada and there's a lot of neat stuff out there, but everything I want to do either costs too much to do exactly as I want with those companies or I don't get exactly what I want for a price I'm willing to pay; alas, I will continue using consumer grade stuff. 

[Sir Asvald]

Updated network:

 

I have 3 domains within my environment:

 

1. Netgear VLAN 21 (IP 10.1.21.0/24) 
2. HP VLAN 22 (IP 10.1.22.0/24)
3. Cisco 3750 - VLANS 172 & 20 (IPs 172.16.0.0/16 10.1.20.0/24)
4. Cisco 2960C-LL is used for outbound traffic
5. Cisco ASA 5506-X Firewall used for my AnyConnect VPN
6. Lenovo PC is the ESXi host 6.5  - VMs I have 4 (2 running on this host and one running on a dedicated ESXi host) DCs for domain, and 3 (1 on the dedicated ESXi Host) for the others. Kemp loadmaster, and Email filter (Proxmox Mail Gateway)
7. Lenovo Tiny is the Exchange Host
8. Dell PE R210 II is the SCCM Host

Not pictured is my HP Microsoft Server Gen8 is my physical DC Running 2019.

 

Any questions please ask away.

 

Spoiler