HomeLab

EDIT: I found the following tutorial after posting this (and then finding some sites not resolving properly): https://labzilla.io/blog/force-dns-pihole .... this tutorial better describes the 3 NAT rules that are implemented and detail how they operate. I have seen that these rules operate better than how I have things configured.

Previously, I have setup multiple AdGuard Home instances on my personal network and have all VLAN's pointing to those instances. This works well, like 99% of the time. However, there are times where kids or others have devices (Amazon tablets, Roku TV's, etc) that have external DNS resolvers (like google dns) as a fallback in case there are issues with the local DNS. Now... I literally want to avoid this. Part of this is due to restricting children's access on the Internet, some is due to making sure that everything gets logged. When these devices are permitted to bypass local DNS resolvers, it opens up the Internet for wide consumption, such as being able to access YouTube without restriction.

Here is my method of forcefully redirecting all DNS requests to AGH on OPNsense.

Now, I understand from others, that I have a complicated setup and I have only continued to complicate this network, all in the name of network security and segregation since there are some services that I expose publicly.

First, since I have two AGH instances and then two Windows Server Active Directory servers as primary DNS, I setup an Alias for those instances:

Firewall > Aliases

Create a new Alias, providing a name that relates to AGH... I chose "AdGuard_LAN_DNS_Servers" ... it specifically identifies that it is AdGuard related, but also specifies that it is for LAN.

• Type: Hosts
• Categories: enter something if you want... I chose "DNS"
• Content: Enter each individual IP, pressing Enter after each.

Save.

Go to Firewall > NAT > Port Forward, create a new rule. (we'll refer to this as Rule 1 as a reference for this post)

Enter the following:

• Interface: LAN
• TCP/IP Version: IPv4
• Protocol: TCP/UDP
• Destination/Invert: Checked
• Destination: LAN net
• Destination port range: DNS
• Redirect target IP: AdGuard_LAN_DNS_Servers (use alias name from above)
• Redirect target port: DNS Pool Options: Round Robin or Random. I chose Round Robin with Sticky Address
• Category: DNS (not necessary though)
• Description: enter something if you want
• NAT Reflection: Use system default
• Filter Rule Association: create system rule

Save. Apply changes.

At this point, the rule should cause redirection to occur. You can test this. For instance, on Linux, when the above rule is disabled, if you run the command host yahoo.com 8.8.8.8, this will force an NSLookup using the name server 8.8.8.8 (google's DNS) and will return valid values. However, once you enable the rule and apply the configuration changes, if you attempt the same command again, it should fail.

I have applied the same rules for every single VLAN that I have setup and every VLAN is now unable to access external DNS.

The only remaining permission that I needed to have added is to permit my AdGuardHome instances to effectively "bypass" the restrictions that OPNsense has now put in.

Firewall > Rules > LAN:

Create rule (we'll refer to this as rule 2)

• Protocol: TCP/UDP
• Source: AD_DNS_Servers
• Destination: any
• Gateway: WAN

This permits my AD DNS Servers to access the internet, without going through the port forwards.

Create another rule: (we'll refer to this as rule 3)

• Protocol: TCP/UDP
• Source: AdGuardHome_LAN_DNS_Servers
• Destination: AD_DNS_Servers
• Port: DNS

Save; This gives permission for AGH instances to access my local primary DNS servers that are "upstream" of AGH.

Finally, We need to make sure that our Firewall rule ordering is in order, to make sure to permit access without causing blockers.

I have rules configured in the following order on Firewall > Rules > LAN:

2, 3, 1

This permits all DNS Servers to access WAN. Then Permits AGH to access AD DNS Servers port 53. Finally, the port forward that reflects all DNS requests to AGH.

If you have questions, please feel free to ask below!

You just end up creating an desolate community full of noise, since the op will never see the replies.

It hurts lemmy users who don't realize this and wonder why there's no engagement.

For example: https://lemmy.ml/comment/17284093

Blindly copying posts from reddit is not the way to grow a healthy lemmy community.

I’m looking into switching from 1gig Ethernet in the network to at least 2.5gig for my core switch. I’d love to be able to do intervlan routing with a layer 3 switch but am unsure whether it’s worth my time and effort.

Should I instead just setup my OPNsense with LAGG of 3-4x 1gig ports and just continue routing VLAN traffic with it?

I know it’s not optimal, but I’m also looking to do things relatively within budget. I don’t want to spend $500+ on a 2.5/10gig layer 3 switch… especially but if that’s my options I’ll consider it.

Edit: I made my decision. I found the Brocade ICX6610-48P. It ticks almost all the boxes that I’m looking for.

• more than 4x 10gbps SFP+
• layer 3
• has plenty of expansion for both SFP+ ports and for Ethernet ports.

I know that it doesn’t have 2.5/5g speeds natively, but I’m understanding that if I set the SFP ports to 10G but have transceivers that are capable of negotiating 2.5 or 5g speeds. Then it still works. Currently, I’ll continue using 1G speeds on my mini pcs, but my NAS and my proxmox node that hosts OPNsense will be 10G, even though I won’t necessarily need it since I’ll be switching to Layer 3 routing on the switch and not OPNsense. Eventually, I’ll play around with some 2.5/5g USB dongles for the mini pcs since they aren’t compatible with any additional modules for Ethernet. I think it will eventually completely replace my SG2428P since it doubles the amount of ports and has POE. Now it’s just the uphill battle to learn a new system and integrate it with my network and cause multiple outages at the same time 😂

I’ve got a few upgrades that I’m looking to do to my homelab and am looking for some suggestions on what to approach first.

I’ve currently got the following mini pcs:

• 2x HP ProDesk 400 G4 i5-8500t, 32gb ddr4)
• 2x HP EliteDesk 800 G3 (i5-7500t, 32gb DDR4)

I’m looking to upgrade these units to 64gb ddr4 as I recently discovered that HP claims only 32gb supported but found there are people running 64gb in these. So that’s what I’d like to move to as well.

Additionally, I don’t use the WiFi cards in these, I run everything hardwired. I have seen some folks changing to a 2.5gb Ethernet adapter that uses the WiFi slot since the flexio port doesn’t support Ethernet in these generations. What adapters are supported?

Over the last year, I have been trying to work through getting VLAN's setup and operational in my Homelab... so that I can not only experiment, but also to start segregating services from PC's and putting things like IOT devices and Guest devices on their own VLANs.

I come to you today, with a working solution for my own homelab. This post is mainly just to discuss the current state of my homelab, but also look for suggestions on how you would make any changes to my layout.

Current Hardware:

1x TP-Link Omada TL-SG2428P (my core switch)

3x TP-Link Omada TL-SG2210P (leaf switches on different floors)

2x HP EliteDesk 800 G4 (i5-8500T 6C6T, 32GB DDR4) aka Hyper2, Hyper3

2x HP ProDesk 800 G4 (i5-7500T 4C4T, 32GB DDR4) aka Hyper5, Hyper6

Whitebox server (i7-4790k, 32GB DDR3) aka Hyper4

TrueNAS whitebox (AMD FX-6350 6C6T, 32GB DDR3 ECC) aka TrueNAS

VLAN's:

50 Infrastructure

51 KVM's

52 VPN's 

53 Jumpboxes

60 Trusted

70 IOT-Secure (No internet access)

71 IOT-Insecure (Internet Access)

99 Guest

1 LAN (default)

All servers are running Proxmox as my hypervisor. Proxmox nodes are NOT configured with VLAN and currently only reside on LAN. Haven't made the move to put those on VLAN ... when one of them hosts the system that controls traffic to those VLAN's... so thinking just leaving them on LAN and limiting access.

VM's & Containers:

Hyper2:

Ubuntu VM (Frigate) VLAN 50

Ubuntu VM (RDT-client) VLAN 50

Hyper3:

Ubuntu desktop VM (crashplan) VLAN 50

Ubuntu VM (Immich, Immich Power Tools, Remmina, Tautulli, Vikunja, Mealie, Paperless-NGX, Linkwarden) VLAN 50

Hyper4:

AdGuardHome LXC VLANs 1, 50, 60, 70, 71, 99,

WireGuard LXC VLAN 50

Windows Server 2022 vm VLAN 1, 50

OPNsense VM (DHCP)

Ubuntu VM (*arr stack, Adguard-Sync, Uptime Kuma, Gitea, Minecraft Bedrock) VLAN 50

Ubuntu VM (NGINX) VLAN 50

Ubuntu VM (OpenVPN) VLAN 50

Hyper5:

MQTT LXC (for home assistant) VLAN 50

Ubuntu VM (Home Assistant focused: MariaDB, Zigbee2MQTT, RTL-433; Nextcloud [app, redis, mariadb]) VLAN 50

Ubuntu VM (Prowlarr, NZBGet, QBittorrent, flaresolverr) VLAN 50

Home Assistant OS VM (HAOS) VLAN 50

Ubuntu VM (Wazuh) VLAN 50

Hyper6:

AdGuardHome LXC VLANs 1, 50, 60, 70, 71, 99,

WireGuard LXC VLAN 50

Windows Server 2022 (AD, DNS) VLAN 1, 50

Ubuntu VM (Omada controller) VLAN 1, 50

Ubuntu VM (nothing running yet) VLAN 50

Ubuntu VM (Plex, ErsatzTV, Maintainerr x2, Immich Machine Learning) VLAN 50

Ubuntu VM (OpenVPN) VLAN 50

This all works pretty well currently. I've been doing some more research and finding that folks have done things a bit different with their server VLAN's... and just trying to get opinions on what would be better. I recognize that currently, my reverse proxy is in the Infra VLAN, which would be fine... but it's the same RP that is used for public access... which has me thinking that it should go in the DMZ OR I should setup a second RP (but introduces an issue with keeping TLS Certs in sync ...

Tear my setup apart... let me have it. What suggestions do you have? What am I doing wrong? What am I doing right (if anything)?