This post will be used to add context on the hardware, services, and firewall rules that I work with, without having to take up space in my normal posts. This configuration doesn't follow any particular best practices, but it works well for my personal use. This type of setup would work well in a corporate office with no Internet-facing services other than a VPN, but it is not something I would design for a PCI or HIPAA network.
Home WIFI:

Home WIFI Network can do almost anything going out to the Internet. The exceptions are:
- External DNS is limited to only what is provided by my home lab.
- Home WIFI Network can only contact the Home Lab via DNS, SSH, HTTP, and HTTPS.

Guest WIFI:

Guest WIFI Network can do almost anything going out to the Internet. The exceptions are:
- External DNS is limited to only my home lab.
- Guest WIFI Network can't connect to the home lab in any other way.

Home Lab:
- The Home Lab is allowed to connect to anything in the Home WIFI, Guest WIFI, and the Internet.
- The Home Lab provides DHCP and DNS to both WIFI environments.
- The Home Lab has no limitations to the Internet at all.
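To make the three-zone policy above concrete, here is an added example (not the author's EdgeRouter configuration) that models it as an ordered, first-match, default-drop ruleset and evaluates sample flows against it. The zone names, the standard ports assumed for DNS, SSH, HTTP and HTTPS, and the sample flows are all constructed for illustration. Besides answering "is this flow allowed?", it includes a shadowing check that flags a rule an earlier rule already covers, which is how the "no external DNS" drop gets silently defeated if a broad outbound accept is placed before it.

```python
"""Model of the three-zone firewall policy described in the post.

Added example, not the author's actual router configuration. Zone names,
the ports assumed for each service, and the sample flows are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Zones from the post: two WiFi networks and the home lab. INTERNET is the
# catch-all for any destination that is not one of the three internal zones.
HOME, GUEST, LAB, INTERNET = "home_wifi", "guest_wifi", "home_lab", "internet"

# Service -> (protocol, destination port). The post names the services but
# not the ports, so the standard ports are assumed here. "tcp_udp" follows
# the EdgeOS convention of a single rule matching both transports.
SERVICES = {
    "dns":   ("tcp_udp", 53),
    "ssh":   ("tcp", 22),
    "http":  ("tcp", 80),
    "https": ("tcp", 443),
}


def proto_covers(broad: Optional[str], narrow: Optional[str]) -> bool:
    """True if every protocol matched by `narrow` is also matched by `broad`."""
    if broad is None:
        return True
    if broad == "tcp_udp":
        return narrow in ("tcp", "udp", "tcp_udp")
    return broad == narrow


@dataclass(frozen=True)
class Rule:
    src: str                      # source zone
    dst: str                      # destination zone
    action: str                   # "accept" or "drop"
    proto: Optional[str] = None   # None matches any protocol
    port: Optional[int] = None    # None matches any destination port
    note: str = ""

    def matches(self, src: str, dst: str, proto: str, port: int) -> bool:
        return (self.src == src and self.dst == dst
                and proto_covers(self.proto, proto)
                and self.port in (None, port))


# First match wins; anything unmatched is dropped. Ordering matters: the
# narrow DNS drops must come before the broad outbound accepts.
POLICY = [
    # Home WiFi -> lab: only the four lab-hosted services
    *[Rule(HOME, LAB, "accept", p, port, svc) for svc, (p, port) in SERVICES.items()],
    # Guest WiFi -> lab: DNS only
    Rule(GUEST, LAB, "accept", "tcp_udp", 53, "dns"),
    # Both WiFi networks: external DNS is limited to the home lab
    Rule(HOME, INTERNET, "drop", "tcp_udp", 53, "external DNS limited to home lab"),
    Rule(GUEST, INTERNET, "drop", "tcp_udp", 53, "external DNS limited to home lab"),
    # ...and then anything else outbound is fine
    Rule(HOME, INTERNET, "accept"),
    Rule(GUEST, INTERNET, "accept"),
    # The lab may reach everything
    Rule(LAB, HOME, "accept"),
    Rule(LAB, GUEST, "accept"),
    Rule(LAB, INTERNET, "accept"),
]


def evaluate(src: str, dst: str, proto: str, port: int, policy=POLICY) -> str:
    """Return the action for a new connection using first-match semantics."""
    for rule in policy:
        if rule.matches(src, dst, proto, port):
            return rule.action
    return "drop"   # implicit default: e.g. guest -> home WiFi is never listed


def shadowed_rules(policy) -> list:
    """Indices of rules fully covered by an earlier rule, so they can never fire.
    A broad accept placed before a narrow drop shows up here."""
    out = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            if (earlier.src == later.src and earlier.dst == later.dst
                    and proto_covers(earlier.proto, later.proto)
                    and earlier.port in (None, later.port)):
                out.append(i)
                break
    return out


if __name__ == "__main__":
    # Constructed sample flows: (src, dst, proto, dst_port)
    flows = [
        (HOME, LAB, "tcp", 22), (GUEST, LAB, "tcp", 22), (GUEST, LAB, "udp", 53),
        (HOME, INTERNET, "udp", 53), (HOME, INTERNET, "tcp", 443),
        (GUEST, HOME, "tcp", 445), (LAB, GUEST, "tcp", 22),
    ]
    for f in flows:
        print(f"{f[0]:>10} -> {f[1]:<9} {f[2]:<4} {f[3]:<5} {evaluate(*f)}")
    print("shadowed rule indices:", shadowed_rules(POLICY))
```

Running the module prints a decision for each constructed flow and an empty shadowed-rule list; reordering the outbound accept above the DNS drop in `POLICY` makes the drop show up as shadowed, which is the check worth running whenever a rule is added to a real ruleset.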
A Ubiquiti EdgeRouter X is managing my firewall rules.
A Ubiquiti Access Point provides WIFI for my Home WIFI and Guest WIFI.
A Netgear 5-port 1 Gb switch (connected to the same network as the homelab).
The hypervisor is a custom build:
- Shuttle SH97R6
- Intel Core i7-4790K Devil's Canyon quad-core 4.0GHz
- Mushkin Enhanced 16GB PC3L-12800 sticks x2
- OCZ Trion 2.5″ 480GB SSD
- Western Digital 4TB 7200rpm
- Seagate 8TB external USB
- Western Digital 8TB external USB
This modest system was built 2 years ago and is running Proxmox as the hypervisor software. This configuration easily runs 7 dedicated VMs, and can handle 3 – 4 more before I start to notice an issue.
VMs and services I run:
DNS: DNS is handled by Pi-hole running on two Debian servers. (These servers are not dedicated to DNS but serve other purposes as well.)
SSH: Almost all of my Linux servers are headless, so SSH is running on all of them. SSH on a non-standard port is the only gateway into my network from the outside world.
DHCP: Debian is running DHCP on all WIFI networks. Within the homelab the dedicated VMs have static IPs. I do have a 50-IP range dedicated to the homelab for PXE, VM templates, etc.
Ansible: CentOS is running as an Ansible server. This is for Linux VM deployment and cookbook testing.
Jenkins (Windows instance): Jenkins is running on Windows for PowerShell scripts and several SSH maintenance tasks. (Not dedicated to this VM.)
Cacti: A dedicated Debian VM is running Cacti to watch bandwidth, VM, and hardware usage.
Active Directory: I have a couple of Windows VMs that are used for Group Policy or Active Directory posts. Both are Windows 2012 R2. They do all DNS queries through the Pi-hole servers.
AWS: This WordPress blog is hosted on a t2.micro instance running MySQL and Apache on CentOS. I didn't use RDS due to cost.
Cloudflare: A free tier of Cloudflare is in front of the site, as well as providing dynamic DNS services as described in this bonus part of the post.
That is a pretty brief overview of my lab. Let me know if you have any questions on how or why I made a design choice. Unless it is about the equipment, in which case the answer is that this project is on a budget.
Thanks for reading,