I’m moving to a new place soon, and I figured it would be a good time to get some experience with more networking stuff.
The area I’ll be in unfortunately only has Comcast as a viable ISP, so I’m stuck with them. But as far as the rest of the setup goes, I’d appreciate some recommendations and best-practices. The diagram below is the very rough schematic of what I have in mind.
Basically, I’d want laptops and phones on wireless for everyday web browsing.
I’d also like to host my own Nextcloud instance to have files available across my network. I’d like to keep this storage isolated within my network, but presumably allow some sort of VPN access so that I could access it while I’m away from home.
So my questions are:
Is this a smart/good arrangement? If not, what should be changed?
What are some free/libre hardware/software recommendations?
For example, I’ve found Turris Omnia, which looks nice, but would there be any sort of compatibility issues with using it in the US? It doesn’t look like there are even any distributors in the US
What are some good resources to learn how to properly set up the firewalling and VPN access for the storage?
If I wanted to eventually host my own website, what would be a secure way to do that without exposing the rest of the network to more risk?
Sorry if these are vague and sweeping questions. Any help focusing them would also be appreciated. I’m happy to teach myself, but pointers to good resources can speed up the process!
best solution is pfsense, cheaper but good solution is to ise openwrt
your config is not secure because if someone compromise your server is inside your lan, best solution is to have isp modem linked to router nothing else, than setup your router with 2 different vlan one for your home network ie 10.0.2.0 the other one 10.0.3.0 for your server, than you should setup a firewall using your router softwer between the vlans to deny traffic between them, so if your server get compromised your lan is still secure or it should be, ofcourse if they exploit also your router it’s gameover but as normal user you shoud not be a target
When you say server, are you referring to my cloud storage? If so, how could I access the files in my cloud if traffic gets denied between the two VLANs? Do I need to VPN into the cloud’s VLAN or something? Is that possible?
I imagined only accessing my files from my local network (though from devices both wired and wireless), while also being able to VPN into my home network to access them if I’m not at home.
So i suggest you to make different vlans and firewall as i wrote with little difference
On firewall zone you should allow the traffic from your lan to your server, and deny the opposite.
So when from your homelan start a connection to your server the firewall allow it, but if a malicious code or hacker breached on your server the firewall block all incoming request from your server to your homelan
Unless you would like to build a x86 box for router, I would advise using EdgeRouter from Ubiquiti Networks. The firmware is a VyOS/Vyatta fork with nice looking Web UI. It has Juniper like configuration system, and capable of small business environment. It is pretty overkill for a home network, but you don’t really want a customer grade router with crappy firmware full of zero day exploit. For Wifi, you would need a another device for wifi. You can reuse an old wifi router as a wifi bridge for your internet router.
Just don’t use any consumer grade router, even with DD-WRT or Tomato. It is pain in the ass to flash a consumer grade router and have proper security upgrade. Even with everything is okay, DD-WRT or Tomato still lacks version controlled configuration system, where you could revert to any previous commit on each configuration change. And everything must go through the Web UI do configuration. The cli way is poorly documented and you may brick the router if you are not careful.
I also forgot to mention I was considering hosting my own email server as well. What is the best/most secure way to do that? Should I set up an additional VLAN for the email server? Not sure how I’d want to firewall it, because I’d presumably want to be able to check email from anywhere.
Or is hosting your own email actually discouraged?
I don’t have any experience on setup a email server, though I have found a tutorial to setup on a VPS.
For a home network, I would say two separate VLAN for email administration and Internet traffic, but I would be more concern about the backup system and high availability, and it is difficult to do it right. Protonmail should be sufficient privacy focus paid email service if you can fail to build your email server anyway.
It’s okay to build your own email server for learning purpose, but you definitely need a backup plan. The simplest way is to use existing email service as backup like Gmail. If you own a domain name, you could add Gmail or whatever provider you like into MX records, and set your email server as highest priority. This way you will not lose any email, but the down side is you have to check your webmail provider if your mail server is down. Of course, you could always forward all mail from your webmail provider to your mail server.
Thanks for all the input everyone. Yeah, I might set up a dummy server just for the experience, but it seems like there’s a lot more hoops than I initially realized (as far as having domains easily get blacklisted and also having to coordinate with ISPs), so I’ll probably end up sticking up something like Protonmail.
Haven’t recieved my new Purism Librem 15 yet but I have what may be a dumb question. I have no internet in my apartment. It was so slow where I live that I just went back to using my Android dumb phone for a hotspot. I’ve been doing that for years. That way when I go somewhere I don’t need to count on anyone elses WIFI.
In any case, will I have a problem with the Librem hooking up to the hotspot on my phone? I use a VPN service on the phone and my present Dell laptop. Keep in mind. I’ve never used Linux before and when I read this forum my eyes roll back in my head when reading “computer nerd speak”. I find my self looking up various terminoly online just so I can try to understand what I’m reading.
No insult intended at my term “computer nerd”. knowing what I know in this day and age I wish I was one.
If your phone is broadcasting a Wifi network, then the Librem should be able to connect to it. I haven’t received my Librem laptop yet, but running Fedora on a Dell laptop allows me to connect to my phone’s hotspot without any issues, though I haven’t tried through a VPN
