@andramalech
Created December 27, 2020 05:20

nacho network

This document started out as my notes for building my home network. I was keeping notes because I knew I would have to start over many times and because writing them down helps me remember them.

I thought I would put this online to help others learn.

This document is heavily inspired by https://nguvu.org/pfsense/pfsense-baseline-setup/#Install%20pfSense with a lot of help from nguvu and various folks on reddit.com and https://forum.netgate.com/.

table of contents

  1. nacho network
  2. table of contents
  3. overview
    1. objectives
    2. zones
    3. my devices
    4. my wiring
    5. miscellaneous to do
    6. references
  4. configuration data
  5. set it up
    1. before starting
    2. pfSense
      1. setup wizard
        1. General Information
        2. Time Server Information
        3. Configure WAN Interface
        4. Configure LAN Interface
      2. system settings
        1. System > General Setup
        2. System > Advanced > Admin Access
        3. System > Advanced > Firewall/NAT
        4. System > Advanced > Networking
        5. System > Advanced > Miscellaneous
      3. VLANs, interfaces, and DHCP
      4. NTP
        1. Services > NTP > Settings
      5. DNS
        1. Services > DNS Resolver > General Settings
        2. Services > DNS Resolver > Advanced Settings
      6. firewall
    3. hook everything up
    4. unifi
      1. installation
      2. networks (VLANs)
      3. wifi
      4. trunk port for personal desktop and unifi VM
      5. switch 8 lite port VLAN assignments
    5. other stuff

overview

objectives

  • VLANs to segregate zones/devices/traffic and minimize exposure between zones (see table below)
  • centralized NTP server -- all LAN/VLAN NTP requests should be handled by the pfSense router
  • centralized DNS server backed by CloudFlare DNS -- all LAN/VLAN DNS requests should be handled by the pfSense router

zones

| zone | purpose | to do |
| --- | --- | --- |
| trust | trusted devices: personal computers, phones, Roku, etc.; open internet access; controlled access to other zones (e.g. SSH to servers) | |
| iot | IoT devices; open internet access; no access to other zones or anything else | |
| guest | guest devices; open internet access; no access to other zones or anything else | |
| serve | home server with various Docker containers (Plex, Samba, etc.); controlled/limited internet access; no access to other zones or anything else | |
| dmz | internet exposed Docker containers (web site, Plex, etc.); controlled/limited internet access; no access to other zones or anything else | yes |

my devices

| alias | device | zone | notes | status |
| --- | --- | --- | --- | --- |
| fios | FIOS ONT ethernet port | | | enabled |
| pfs | pfSense box | | em0 = WAN, em1 = LAN | |
| switch 8 lite | Unifi Switch Lite 8 PoE | LAN | | |
| wifi 6 lite | Unifi 6 Lite Access Point | LAN | | |
| personal desktop | personal desktop | trust | wired | |
| unifi | Unifi controller | LAN | running in VM on personal desktop | |
| personal laptop | laptop | trust | wireless | |
| phones | family cell phones | trust | wireless | |
| roku | Roku | trust | wired | |
| st | SmartThings HUB | iot | wired | to do |
| iot | various IoT devices | iot | wireless | to do |
| work desktop | work laptop | guest | wired | |
| work laptop | work laptop | guest | wireless | |
| nuc | Intel NUC | serve | Debian server | |
| www | web site | dmz | Docker container | to do |
| samba | Samba | serve | Docker container | to do |

my wiring

  • fios ethernet -> pfs WAN (em0)
  • pfs LAN (em1) -> switch 8 lite
  • switch 8 lite:
    1. wifi 6 lite
    2. work desktop
    3. personal desktop
    4. nuc
    5. roku
    6. pfs

miscellaneous to do

  • new pfSense server with one 10G for LAN (to avoid switch to router bottleneck) and AES-NI
  • new switch with one 10G for uplink

references

configuration data

https://docs.google.com/spreadsheets/d/1L-rZIr-zx0nmQWmY8F8IweCcH0Wr6OeO1OPCs1ltiVI/edit#gid=0

set it up

before starting

  • make sure WAN on pfs is not connected to internet until the FW rules are added
  • do a factory reset on pfs, switch 8 lite, and wifi 6 lite just to make sure we're starting from scratch
  • default pfSense username and password for pfs:
    • username: admin
    • password: pfsense

pfSense

See https://docs.netgate.com/pfsense/en/latest/install/download-installer-image.html for how to install pfSense.

setup wizard

General Information

| group | setting | sub setting | value |
| --- | --- | --- | --- |
| General Information | Hostname | | pfs |
| General Information | Domain | | local.lan |
| General Information | Primary DNS Server | | 1.1.1.1 |
| General Information | Secondary DNS Server | | 1.0.0.1 |
| General Information | Override DNS | Allow DNS servers to be overridden by DHCP/PPP on WAN | unchecked |

Time Server Information

| group | setting | sub setting | value |
| --- | --- | --- | --- |
| Time Server Information | Time server hostname | | 0.pfsense.pool.ntp.org |
| Time Server Information | Timezone | | America/New_York |

Configure WAN Interface

| group | setting | sub setting | value |
| --- | --- | --- | --- |
| RFC1918 Networks | Block RFC1918 Private Networks | Block private networks from entering via WAN | checked |
| RFC1918 Networks | Block bogon networks | Block non-Internet routed networks from entering via WAN | checked |

Configure LAN Interface

| group | setting | sub setting | value |
| --- | --- | --- | --- |
| Configure LAN Interface | LAN IP Address | | 192.168.1.1 |
| Configure LAN Interface | Subnet Mask | | 24 |

system settings

System > General Setup

| group | setting | sub setting | value |
| --- | --- | --- | --- |
| DNS Server Settings | DNS Server Override | Allow DNS server list to be overridden by DHCP/PPP on WAN | unchecked |
| DNS Server Settings | Disable DNS Forwarder | Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall | unchecked |

System > Advanced > Admin Access

| group | setting | sub setting | value |
| --- | --- | --- | --- |
| webConfigurator | WebGUI redirect | Disable webConfigurator redirect rule | checked |
| webConfigurator | WebGUI Login Autocomplete | Enable webConfigurator login autocomplete | unchecked |
| webConfigurator | Anti-lockout | Disable webConfigurator anti-lockout rule | unchecked |

System > Advanced > Firewall/NAT

| group | setting | sub setting | value |
| --- | --- | --- | --- |
| Firewall Advanced | Firewall Optimization Options | | Conservative |
| Firewall Advanced | Firewall Maximum States | | 1632000 |
| Firewall Advanced | Firewall Maximum Table Entries | | 2000000 |
| Bogon Networks | Update Frequency | | Monthly |

System > Advanced > Networking

| group | setting | sub setting | value |
| --- | --- | --- | --- |
| IPv6 Options | Allow IPv6 | All IPv6 traffic will be blocked by the firewall unless this box is checked | unchecked |

System > Advanced > Miscellaneous

| group | setting | sub setting | value |
| --- | --- | --- | --- |
| Power Savings | PowerD | Enable PowerD | checked |
| Power Savings | AC Power | | Hiadaptive |
| Power Savings | Battery Power | | Hiadaptive |
| Power Savings | Unknown Power | | Hiadaptive |
| Gateway Monitoring | Skip rules when gateway is down | Do not create rules when gateway is down | checked |

VLANs, interfaces, and DHCP

  1. Interfaces > Assignments > VLANs: add VLANs with priority 0 using the VLAN data in configuration data

  2. Interfaces > Assignments > Interface Assignments: add all the available network ports

  3. Interfaces: Go through the OPT# interfaces and configure them:

    | heading | setting | sub setting | value |
    | --- | --- | --- | --- |
    | General Configuration | Enable | Enable interface | checked |
    | General Configuration | Description | | set to associated VLAN description |
    | General Configuration | IPv4 Configuration Type | | Static IPv4 |
    | Static IPv4 Configuration | IPv4 Address | | from configuration data |
    | Reserved Networks | Block private networks and loopback addresses | | unchecked |
    | Reserved Networks | Block bogon networks | | unchecked |

  4. Services > DHCP Server: Go through the VL##_* interfaces and configure them:

    | heading | setting | sub setting | value |
    | --- | --- | --- | --- |
    | General Options | Enable | Enable DHCP server on ... interface | checked |
    | General Options | Range | | from configuration data |

NTP

Services > NTP > Settings

| group | setting | sub setting | value |
| --- | --- | --- | --- |
| NTP Server Configuration | Interface | | LAN, VL10_trust, VL20_iot, VL30_guest, VL40_serve |
| NTP Server Configuration | Time Servers | | 0.pfsense.pool.ntp.org |
| NTP Server Configuration | Time Servers | Is a Pool | checked |
| NTP Server Configuration | NTP Graphs | Enable RRD graphs of NTP statistics (default: disabled). | checked |

DNS

Services > DNS Resolver > General Settings

| group | setting | sub setting | value |
| --- | --- | --- | --- |
| General DNS Resolver Options | Network Interfaces | | LAN, VL10_trust, VL20_iot, VL30_guest, VL40_serve, Localhost |
| General DNS Resolver Options | Outgoing Network Interfaces | | WAN |
| General DNS Resolver Options | System Domain Local Zone Type | | Static |
| General DNS Resolver Options | DHCP Registration | Register DHCP leases in the DNS Resolver | unchecked |
| General DNS Resolver Options | Static DHCP | Register DHCP static mappings in the DNS Resolver | checked |
| General DNS Resolver Options | Custom options | | `local-data: "local.lan. 10800 IN SOA pfs.local.lan. root.local.lan. 1 3600 1200 604800 10800"` |

Services > DNS Resolver > Advanced Settings

| group | setting | sub setting | value |
| --- | --- | --- | --- |
| Advanced Privacy Options | Query Name Minimization | Send minimum amount of QNAME/QTYPE information to upstream servers to enhance privacy | checked |
| Advanced Resolver Options | Prefetch Support | Message cache elements are prefetched before they expire to help keep the cache up to date | checked |
| Advanced Resolver Options | Prefetch DNS Key Support | DNSKEYs are fetched earlier in the validation process when a Delegation signer is encountered | checked |
| Advanced Resolver Options | Harden DNSSEC Data | DNSSEC data is required for trust-anchored zones. | checked |
| Advanced Resolver Options | EDNS Buffer Size | | 4096 |

firewall

  1. Firewall > NAT > Port Forward: use the port forwarding data in configuration data to add the required port forward rules
  2. Firewall > Rules: use the firewall data in configuration data to add the required firewall rules for each interface
    • some FW rules will already be there; these are linked to previous settings and port forward rules
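The rules themselves live in the configuration data spreadsheet, but the zones table fixes what they must achieve for an isolated zone (iot, guest): DNS and NTP only to pfSense, no other private destination, then the internet. The following is an added check of that policy against a candidate ruleset, evaluated with pf's first-match semantics; it is not part of the gist, and the subnets, the rule tuples and the 203.0.113.10 "internet" stand-in are constructed assumptions.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed subnets for the VLAN interfaces named on the page (the real ones are in the spreadsheet).
ZONES = {
    "VL10_trust": ipaddress.ip_network("10.10.0.0/24"),
    "VL20_iot": ipaddress.ip_network("10.20.0.0/24"),
    "VL30_guest": ipaddress.ip_network("10.30.0.0/24"),
    "VL40_serve": ipaddress.ip_network("10.40.0.0/24"),
}

def gateway(iface):
    """pfSense's own address on that VLAN (first usable host), as a /32 destination."""
    return ipaddress.ip_network(f"{ZONES[iface][1]}/32")

def first_match(rules, dst, port):
    """Evaluate like pf: rules are (action, [dst networks], {dst ports} or None),
    first match wins, and anything unmatched hits pfSense's implicit default deny."""
    for action, nets, ports in rules:
        if any(dst in n for n in nets) and (ports is None or port in ports):
            return action
    return "block"

def isolated_zone_rules(iface):
    """Ruleset for an iot/guest style zone: DNS and NTP to pfSense only,
    then block every other private destination, then let the rest out."""
    return [
        ("pass", [gateway(iface)], {53, 123}),
        ("block", RFC1918, None),
        ("pass", [ANY], None),
    ]

def check_isolated(iface, rules):
    """Return the expectations from the zones table that the ruleset violates."""
    gw = gateway(iface)[0]
    internet = ipaddress.ip_address("203.0.113.10")  # documentation range, stands in for the internet
    expected = [
        ("dns to pfSense", gw, 53, "pass"),
        ("ntp to pfSense", gw, 123, "pass"),
        ("https to internet", internet, 443, "pass"),
    ]
    for other, net in ZONES.items():
        if other != iface:
            expected.append((f"ssh to {other}", net[10], 22, "block"))
    return [name for name, dst, port, want in expected if first_match(rules, dst, port) != want]
```

Reordering the three rules so the pass-to-any rule comes first is the classic mistake the check catches: every cross-zone expectation then fails while DNS, NTP and internet still look fine.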

hook everything up

  • now would be a good time to make sure everything except the WAN on pfs is hooked up.
  • mind what devices you plug into what port on switch 8 lite; you'll need to know what is plugged in where when configuring the VLANs in unifi.

unifi

  • we want all of the unifi stuff, including the controller, on the default LAN interface (untagged VLAN)
    • the switch 8 lite and wifi 6 lite will automatically be on the LAN interface (by default)
    • to run the unifi controller in a VM on personal desktop, we have to set the NIC of personal desktop to VL10_trust and the NIC of the VM to untagged
  • some of the settings in the unifi controller are not available in the new UI and you may need to switch to the classic UI

installation

  1. make sure everything is hooked up, especially: pfs, switch 8 lite, wifi 6 lite, and personal desktop
  2. create a Debian VM for unifi in personal desktop
  3. in the hypervisor, set personal desktop to VL10_trust and make sure the unifi VM is untagged
  4. once Debian is installed in the VM, install the unifi controller: https://community.ui.com/questions/UniFi-Installation-Scripts-or-UniFi-Easy-Update-Script-or-UniFi-Lets-Encrypt-or-UniFi-Easy-Encrypt-/ccbc7530-dd61-40a7-82ec-22b17f027776
  5. once the unifi controller is installed, navigate to https://[IP of the VM]:8443 where [IP of the VM] is the IP of your unifi VM
  6. follow the on screen instructions to create an account and set things up
  7. adopt the switch 8 lite and wifi 6 lite
  8. configure your mail server in Settings > Controller

networks (VLANs)

  1. in https://[IP of the VM]:8443 go to Settings > Networks

  2. Create New Network for each of the VLANs:

    | group | property name | property value |
    | --- | --- | --- |
    | Create New Network | Name | name/description from VLANs |
    | Create New Network | Purpose | Corporate |
    | Create New Network | Interface | LAN |
    | Create New Network | VLAN | VLAN Tag/ID from VLANs |
    | Create New Network | Gateway Type | Default |
    | Create New Network | Gateway IP/Subnet | IPv4 Address from VLANs |
    | Create New Network | DHCP Mode | DHCP Server |
    | Create New Network | DHCP Range | DHCP range from VLANs |

wifi

  1. go to Settings > Wireless Networks and create the wireless networks per need
  2. to associate a wireless network with a VLAN, select the appropriate network for the Network option

trunk port for personal desktop and unifi VM

  1. go to Settings > Profiles > Switch Ports

  2. create a new port profile

    | group | property name | property value |
    | --- | --- | --- |
    | Create new switch port profile | Profile Name | [whatever you want] |
    | Create new switch port profile | PoE | Off |
    | Networks/VLANs | Native Network | LAN |
    | Networks/VLANs | Tagged Networks | VL10_trust = checked |

switch 8 lite port VLAN assignments

  1. go to Devices > click on the switch > click on Ports
  2. edit the port personal desktop is connected to and set the Switch Port Profile to the trunk you created in trunk port for personal desktop and unifi VM
  3. after you apply, reboot personal desktop so it gets an IP in VL10_trust
  4. after you reboot, (re)start the unifi VM and navigate to https://[IP of the VM]:8443 where [IP of the VM] is the IP of your unifi VM
  5. navigate back to https://[IP of the VM]:8443 and associate the other ports on switch 8 lite with their associated network/VLAN as needed
    • make sure the wifi 6 lite stays on the default All Switch Port Profile because we control which VLAN each wifi is on at the wireless network level (from wifi above)

other stuff

  1. add email capability to pfSense: System > Advanced > Notifications

    | group | setting | sub setting | value |
    | --- | --- | --- | --- |
    | E-Mail | E-Mail server | | smtp.gmail.com |
    | E-Mail | SMTP Port of E-Mail server | | 465 |
    | E-Mail | Secure SMTP Connection | Enable SMTP over SSL/TLS | checked |
    | E-Mail | Validate SSL/TLS | Validate the SSL/TLS certificate presented by the server | checked |
    | E-Mail | From e-mail address | | gmail email address |
    | E-Mail | Notification E-Mail address | | gmail email address |
    | E-Mail | Notification E-Mail auth username (optional) | | gmail email address |
    | E-Mail | Notification E-Mail auth password | | gmail email password |
    | E-Mail | Notification E-Mail auth mechanism | | PLAIN |