Home Network Advice?


#1

I’m moving to a new place soon, and I figured it would be a good time to get some experience with more networking stuff.

The area I’ll be in unfortunately only has Comcast as a viable ISP, so I’m stuck with them. But as far as the rest of the setup goes, I’d appreciate some recommendations and best-practices. The diagram below is the very rough schematic of what I have in mind.

Basically, I’d want laptops and phones on wireless for everyday web browsing.
I’d also like to host my own Nextcloud instance to have files available across my network. I’d like to keep this storage isolated within my network, but presumably allow some sort of VPN access so that I could access it while I’m away from home.

So my questions are:

  1. Is this a smart/good arrangement? If not, what should be changed?

  2. What are some free/libre hardware/software recommendations?
    For example, I’ve found Turris Omnia, which looks nice, but would there be any sort of compatibility issues with using it in the US? It doesn’t look like there are even any distributors in the US.

  3. What are some good resources to learn how to properly set up the firewalling and VPN access for the storage?

  4. If I wanted to eventually host my own website, what would be a secure way to do that without exposing the rest of the network to more risk?

Sorry if these are vague and sweeping questions. Any help focusing them would also be appreciated. I’m happy to teach myself, but pointers to good resources can speed up the process!


#2

You might also want a Pi-hole.


#3

Thanks, yeah, forgot about that. Definitely a nice addition.


#4

My 2 cents:

  1. See below.
  2. The best solution is pfSense; a cheaper but good solution is to use OpenWrt.
  3. Your config is not secure, because if someone compromises your server, they are inside your LAN. The best solution is to have the ISP modem linked to the router and nothing else, then set up your router with 2 different VLANs, one for your home network, i.e. 10.0.2.0, and the other one, 10.0.3.0, for your server. Then you should set up a firewall using your router software between the VLANs to deny traffic between them, so if your server gets compromised your LAN is still secure, or it should be. Of course, if they also exploit your router it’s game over, but as a normal user you should not be a target.

#5

Thanks for the input!

When you say server, are you referring to my cloud storage? If so, how could I access the files in my cloud if traffic gets denied between the two VLANs? Do I need to VPN into the cloud’s VLAN or something? Is that possible?


#6

Do you want to access your file only over lan or over internet?


#7

I imagined only accessing my files from my local network (though from devices both wired and wireless), while also being able to VPN into my home network to access them if I’m not at home.


#8

So I suggest you make different VLANs and a firewall as I wrote, with a little difference.

In the firewall zone you should allow the traffic from your LAN to your server, and deny the opposite.
So when your home LAN starts a connection to your server the firewall allows it, but if malicious code or a hacker has breached your server, the firewall blocks all incoming requests from your server to your home LAN.
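The zone policy described in this reply, written out as an added example (it is not part of the thread and not any router’s configuration): the home VLAN 10.0.2.0/24 may open connections to the server VLAN 10.0.3.0/24, packets belonging to those connections are let back through, and anything the server VLAN tries to initiate towards the home VLAN is dropped. The addresses are the ones from the thread; the VLAN interface names in the rendered nftables ruleset are assumptions.

```python
"""
Stateful inter-VLAN policy from the thread, modelled as a tiny forward-chain
evaluator so the "allow LAN -> server, deny the opposite" rule can be tested.
Hypothetical example code; addresses come from the thread, nothing else does.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

LAN = ip_network("10.0.2.0/24")      # home VLAN (from the thread)
SERVER = ip_network("10.0.3.0/24")   # server VLAN (from the thread)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


@dataclass
class ZoneFirewall:
    # Zone pairs that may open NEW connections: only home LAN -> server.
    allow_new: set = field(default_factory=lambda: {("lan", "server")})
    # Connection tracking table: 5-tuples of flows accepted as NEW.
    conntrack: set = field(default_factory=set)

    @staticmethod
    def zone(addr: str) -> str:
        ip = ip_address(addr)
        if ip in LAN:
            return "lan"
        if ip in SERVER:
            return "server"
        return "other"

    def forward(self, pkt: Packet) -> str:
        """Verdict for a packet crossing between VLANs: 'ACCEPT' or 'DROP'."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # ESTABLISHED: part of a flow we already accepted, in either direction.
        if key in self.conntrack or reverse in self.conntrack:
            return "ACCEPT"
        # NEW: only the permitted zone pair may initiate.
        if (self.zone(pkt.src), self.zone(pkt.dst)) in self.allow_new:
            self.conntrack.add(key)
            return "ACCEPT"
        # Default policy of the forward chain.
        return "DROP"


def render_nftables(lan_if: str = "vlan2", server_if: str = "vlan3") -> str:
    """Equivalent nftables forward chain; interface names are assumed."""
    return (
        "table inet filter {\n"
        "  chain forward {\n"
        "    type filter hook forward priority 0; policy drop;\n"
        "    ct state established,related accept\n"
        f'    iifname "{lan_if}" ip saddr {LAN} oifname "{server_if}" '
        f"ip daddr {SERVER} ct state new accept\n"
        "  }\n"
        "}\n"
    )


def run_scenario() -> list:
    """Constructed traffic: a laptop reaches Nextcloud, the server replies,
    then the (assumed compromised) server tries to reach the laptop."""
    fw = ZoneFirewall()
    laptop, cloud = "10.0.2.10", "10.0.3.5"
    return [
        fw.forward(Packet(laptop, cloud, "tcp", 51000, 443)),   # NEW, LAN->server
        fw.forward(Packet(cloud, laptop, "tcp", 443, 51000)),   # reply of that flow
        fw.forward(Packet(cloud, laptop, "tcp", 4444, 445)),    # NEW, server->LAN
        fw.forward(Packet(cloud, laptop, "tcp", 443, 51001)),   # looks like a reply, no flow
    ]


if __name__ == "__main__":
    print(run_scenario())
    print(render_nftables())
```

The last packet in the scenario is the case worth noticing: it is sourced from the server’s port 443 like a legitimate reply, but no LAN-initiated flow matches it, so it is dropped. That is what the connection-tracking state buys over a plain address-based rule.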


#9

Ah, ok, I misunderstood what you initially wrote.

Thanks! That’s very helpful.


#10

Unless you would like to build an x86 box for a router, I would advise using an EdgeRouter from Ubiquiti Networks. The firmware is a VyOS/Vyatta fork with a nice-looking Web UI. It has a Juniper-like configuration system, and is capable of handling a small business environment. It is pretty overkill for a home network, but you don’t really want a consumer-grade router with crappy firmware full of zero-day exploits. For Wi-Fi, you would need another device. You can reuse an old Wi-Fi router as a wireless bridge for your Internet router.

Just don’t use any consumer-grade router, even with DD-WRT or Tomato. It is a pain in the ass to flash a consumer-grade router and get proper security upgrades. Even when everything is okay, DD-WRT or Tomato still lack a version-controlled configuration system, where you could revert to any previous commit on each configuration change. And everything must go through the Web UI to do configuration. The CLI way is poorly documented and you may brick the router if you are not careful.


#11

Thanks for the input. I’ll look into that.

I also forgot to mention I was considering hosting my own email server as well. What is the best/most secure way to do that? Should I set up an additional VLAN for the email server? Not sure how I’d want to firewall it, because I’d presumably want to be able to check email from anywhere.

Or is hosting your own email actually discouraged?


#12

I don’t have any experience setting up an email server, though I have found a tutorial for setting one up on a VPS.

For a home network, I would say two separate VLANs for email administration and Internet traffic, but I would be more concerned about the backup system and high availability, and it is difficult to do it right. Protonmail should be a sufficiently privacy-focused paid email service if you fail to build your email server anyway.


#13

I do not suggest making your own email service, because it is not easy to set up and maintain it in a secure way for non-professional people.

My 2 cents


#14

They could use Mail-in-a-Box, but even then I second this.


#15

It’s okay to build your own email server for learning purposes, but you definitely need a backup plan. The simplest way is to use an existing email service as backup, like Gmail. If you own a domain name, you could add Gmail or whatever provider you like into the MX records, and set your email server as the highest priority. This way you will not lose any email, but the downside is you have to check your webmail provider if your mail server is down. Of course, you could always forward all mail from your webmail provider to your mail server.
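The MX arrangement described in this reply, as an added example (not part of the thread, and the hostnames are placeholders I made up): the self-hosted server gets the lowest preference number, which in DNS means it is tried first, and the hosted provider gets a higher number so it only receives mail when the home server is unreachable. The check function catches the usual mistake of giving the home server the larger number, or giving both the same one.

```python
"""
Backup-MX failover: how a sending MTA orders MX records (RFC 5321 section 5.1)
and which host ends up receiving mail when the home server is down.
Hypothetical example with constructed records; hostnames are placeholders.
"""
import random

# Constructed MX records for a made-up domain. Lower preference = tried first.
MX_RECORDS = [
    (20, "mx.backup-provider.example"),   # hosted provider, fallback only (placeholder)
    (10, "mail.home.example"),            # self-hosted server, primary (placeholder)
]


def delivery_order(records):
    """Hosts in the order a sender tries them: ascending preference,
    equal preferences shuffled so load is spread between them."""
    by_pref = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    order = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        random.shuffle(hosts)
        order.extend(hosts)
    return order


def choose_relay(records, reachable):
    """First host in preference order that currently accepts connections
    (`reachable` stands in for a successful SMTP connect), or None."""
    for host in delivery_order(records):
        if host in reachable:
            return host
    return None


def check_backup_setup(records, primary):
    """Sanity checks for the arrangement from the thread. Returns a list of
    problems; an empty list means the records say what the owner intended."""
    problems = []
    if len(records) < 2:
        problems.append("no backup MX listed")
    prefs = sorted(p for p, _ in records)
    primary_prefs = [p for p, h in records if h == primary]
    if not primary_prefs:
        problems.append("primary server is not listed in the MX records")
    elif primary_prefs[0] != prefs[0]:
        problems.append("primary server does not have the lowest preference number")
    elif prefs.count(prefs[0]) > 1:
        problems.append("primary shares its preference with another host, so mail is split")
    return problems


if __name__ == "__main__":
    print(delivery_order(MX_RECORDS))
    print("home up:  ", choose_relay(MX_RECORDS, {"mail.home.example", "mx.backup-provider.example"}))
    print("home down:", choose_relay(MX_RECORDS, {"mx.backup-provider.example"}))
    print(check_backup_setup(MX_RECORDS, "mail.home.example"))
```

Run it with the home server removed from the reachable set to see delivery fall over to the provider, which is exactly the situation in which the reply says you have to go and check the provider’s webmail.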


#16

Thanks for all the input, everyone. Yeah, I might set up a dummy server just for the experience, but it seems like there are a lot more hoops than I initially realized (as far as having domains easily get blacklisted and also having to coordinate with ISPs), so I’ll probably end up sticking with something like Protonmail.