It’s been a long time since I posted anything here; I was busy with work and other personal matters, but that gave me time to think about what I want to do with this site (more on that later). On the personal projects shelf I was mostly busy setting up my new LAN. Here is a quick overview of it and of how I did it.
First things first: what is a LAN, and why push it to 10Gb/s?
For those who don’t know: a LAN (Local Area Network) is the local part of a network; for IPv4 it is normally addressed from the private ranges (RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
Local means that what happens on this network stays on this network. For your computer to talk to the Internet it goes through a router, most likely using NAT (Network Address Translation): your computer asks the router to send a request to a server on the Internet, the router rewrites the source address and sends it, and when the server replies the router forwards the response back to your computer. When your computer contacts a server on the LAN, on the other hand, it talks to it directly, without the router.
In France your router will most likely be the Internet box provided by your ISP. But if you’re reading this, you probably know all of this already.
Most of the time you will have somewhere between 1Gb/s and 2.5Gb/s of bandwidth on your LAN, meaning you can transfer data at those speeds from one computer to another.
Recently I described how I recycled an old computer into a hypervisor using Proxmox. A bit later I bought a NAS and put both to work together, storing disk images on the NAS and handling backups there as well. The issue is that file transfers between the two eat a lot of bandwidth. I also knew I wanted to rework my LAN for better security, setting up VLANs and such.
Here is where I went a bit crazy and decided to push my LAN into the future with a 10Gb/s setup that lets me do all of that and more. Most of my network is now 10Gb/s capable, which gives fast transfers between servers, and with the 4x10Gb/s aggregated link to the router I have enough capacity to go to the router and back into another VLAN without fighting over bandwidth, and no bottleneck towards the Internet. One caveat: link aggregation hashes each flow onto a single member link, so one transfer still tops out at 10Gb/s; the 40Gb/s aggregate only helps when several flows run in parallel.
Let me explain my network:
It might look a bit complicated. I use VLANs, a technology (IEEE 802.1Q) that lets several LANs run on the same physical infrastructure. In this diagram you can see that I use 7 VLANs; the red links are the 10Gb/s links.
- Infrastructure VLAN: holds all the infrastructure-level hardware: router, switches, WiFi access points, etc. They can be administered only from this VLAN; a jump VM gives SSH access into it, and that VM is itself reachable only from computers in the Trusted VLAN. Although it is drawn in red, the link between the router and the link aggregator is a 4x10Gb/s aggregated link, because all traffic between VLANs has to go through the router, which acts as the firewall.
- Server VLAN: contains servers and the like; most are virtual machines hosted either on the Proxmox server or on the NAS, which runs VirtualBox. I also plan a Kubernetes cluster on Raspberry Pis (more on this later, again). Note that none of these are reachable from the Internet: any port forwarding will go to a Kemp load balancer in a dedicated VLAN, which also acts as a Web Application Firewall (more on this later). Servers are reachable from the Trusted VLAN. This part is not set up yet.
- Utility VLAN: the useful devices, such as printers, 3D printers, and more building stuff someday. Reachable from the Server and Trusted VLANs without restriction, and from the Corporate VLAN only via a print server that keeps track of the number of pages printed per computer.
- Trusted VLAN: the main LAN, where all trusted end-user devices live (which obviously excludes any Android/Apple devices). For now the WiFi for this network uses WPA2 with a pre-shared key, but I plan to move authentication to a RADIUS server (another topic for the future).
- Corporate VLAN: I work from home and so does my wife. It’s not that I distrust the security of our corporate devices, or my home security, but this network is isolated: devices can only talk to the Internet, not to each other; in fact they are not even aware of each other.
- IoT VLAN: it is well known that IoT devices are a security concern (read: not secured), and on top of that our privacy depends on the goodwill of an external company. As such they are untrusted entry points, and I don’t want any of them to see what happens in my home. I put our phones in this set too. I plan to set up a new Media VLAN and move the phones, the TV and anything I would allow to share data with each other into it, but I need to investigate how to do this without compromising security.
- Guest VLAN: I basically trust no external device; if I can’t audit it, it isn’t trusted, and it would be quite inconvenient to have friends set up certificates to connect to the WiFi. So I have this network, with a bandwidth limit, restricted access, client isolation, and authentication using time-limited tokens.
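To make the policy above concrete, here is an added example (mine, not the post’s own configuration or that of any router it mentions) that expresses the inter-VLAN allow list as data, answers “would the router forward this flow?” with a default deny, and renders the same list as an nftables forward chain. The VLAN IDs, subnets, interface names and the jump-host and print-server addresses are hypothetical; the post gives no addressing plan. It also generalizes slightly: rules can be pinned to a single host and TCP port, which is what the jump VM and the print server need.

```python
"""Inter-VLAN policy as data: default deny, explicit allows, stateful replies.

Added example, not the post's configuration. Every VLAN ID, subnet, interface
name and host address below is a hypothetical assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# zone name -> (router interface, subnet). Hypothetical values.
ZONES = {
    "infra":     ("vlan10", "10.0.10.0/24"),
    "servers":   ("vlan20", "10.0.20.0/24"),
    "utility":   ("vlan30", "10.0.30.0/24"),
    "trusted":   ("vlan40", "10.0.40.0/24"),
    "corporate": ("vlan50", "10.0.50.0/24"),
    "iot":       ("vlan60", "10.0.60.0/24"),
    "guest":     ("vlan70", "10.0.70.0/24"),
}
WAN_IF = "wan0"
JUMP_HOST = "10.0.10.2"     # hypothetical: SSH jump VM sitting in the infra VLAN
PRINT_SERVER = "10.0.20.6"  # hypothetical: accounting print server in the server VLAN


@dataclass(frozen=True)
class Rule:
    """One explicit allow; anything not matched by a rule is dropped."""
    src: str                        # source zone
    dst: str                        # destination zone, or "wan"
    src_host: Optional[str] = None  # restrict to a single source address
    dst_host: Optional[str] = None  # restrict to a single destination address
    dport: Optional[int] = None     # restrict to a single TCP port


RULES = [
    # Every zone may reach the Internet; nothing from the Internet is allowed in
    # (the post forwards no ports straight to the servers).
    *[Rule(z, "wan") for z in ZONES],
    # Trusted is the main LAN: it reaches servers and utility devices freely ...
    Rule("trusted", "servers"),
    Rule("trusted", "utility"),
    # ... but enters the infrastructure VLAN only through the jump VM, over SSH.
    Rule("trusted", "infra", dst_host=JUMP_HOST, dport=22),
    # Servers (including the print server) may drive the utility devices.
    Rule("servers", "utility"),
    # Corporate laptops print only via the accounting print server (IPP).
    Rule("corporate", "servers", dst_host=PRINT_SERVER, dport=631),
    # iot and guest: Internet only, so no rule towards any internal zone.
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the VLAN subnets is 'wan'."""
    addr = ipaddress.ip_address(ip)
    for name, (_, cidr) in ZONES.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return "wan"


def allowed(src_ip: str, dst_ip: str, dport: int) -> bool:
    """Would the router forward the first packet of this TCP flow?

    Same-zone traffic is switched and never reaches the router, so the
    per-device isolation inside Corporate and Guest must be done on the
    switch/AP (client isolation), not in this ruleset.
    """
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst and src != "wan":
        return True
    for r in RULES:
        if (r.src, r.dst) != (src, dst):
            continue
        if r.src_host and r.src_host != src_ip:
            continue
        if r.dst_host and r.dst_host != dst_ip:
            continue
        if r.dport and r.dport != dport:
            continue
        return True
    return False  # default deny


def nft_ruleset() -> str:
    """Render RULES as an nftables forward chain with a drop policy."""
    lines = [
        "table inet filter {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",  # replies to allowed flows
        "    ct state invalid drop",
    ]
    for r in RULES:
        iif = ZONES[r.src][0]
        oif = WAN_IF if r.dst == "wan" else ZONES[r.dst][0]
        parts = [f'    iifname "{iif}" oifname "{oif}"']
        if r.src_host:
            parts.append(f"ip saddr {r.src_host}")
        if r.dst_host:
            parts.append(f"ip daddr {r.dst_host}")
        if r.dport:
            parts.append(f"tcp dport {r.dport}")
        parts.append("accept")
        lines.append(" ".join(parts))
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(nft_ruleset())
    # Constructed sample flow: an IoT camera poking at a trusted PC is dropped.
    print(allowed("10.0.60.10", "10.0.40.10", 445))
```

The point of keeping the policy as a list of explicit allows is that every path between two VLANs is written down and reviewable, and the generated chain’s `policy drop` makes anything you forgot fail closed rather than open. The guest bandwidth limit and the per-client isolation the post wants are deliberately not modelled here: rate limiting belongs to QoS on the router or switch, and isolation between devices in the same VLAN has to be enforced on the switch or access point, since that traffic never crosses the firewall.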
Isn’t this a bit too much for a home?
I won’t argue about the server part: that’s my lab, I play with it, and obviously not everyone needs it. But isolating your corporate and IoT devices is nothing to joke about.
First, IoT devices are notoriously insecure; here is a nice article from Trend Micro on the topic. Even if you’re a nobody in the field, that doesn’t mean you have no hack value. For me, any insecure IoT device is an entry point for ransomware, worms, etc.
There is also the privacy issue: letting IoT devices onto your network lets the vendor see when you get home (phone connecting to WiFi), how much time you spend on your PC or your gaming console, the kind of habit data that gets used for targeted marketing when you’re lucky. I know this sounds paranoid, but is it really? If you have the skills and means to protect the little privacy you have left, isn’t it worth it?
I’m obviously not an expert in the field, but I know enough that if I can take back a small amount of privacy with something as simple as setting up a VLAN, I’ll do it.
It might seem overkill to also isolate home-office devices. But we have all heard of people losing their jobs over something posted on social networks. Is it that far-fetched for a company to install an extra layer of security that scans your local network? With home office it makes sense, and if I were asked whether it would be a relevant step for corporate security, I’d say yes.
It makes sense to check that the network your employees use is not compromised. From that extra step, how far are we from the petty boss who hates you asking for a deeper look? As I said, my wife and I work for different companies; is it so unbelievable that my LAN could be used for industrial espionage? Who would be held responsible for that kind of data theft? It’s not like big companies are paragons of virtue.
Again, that’s not a big risk for now; I don’t know of any precedent, but I can imagine it happening, and it takes only one VLAN to avoid it. Well worth the effort for me.
Conclusion, and future
I would say: if you have the basic knowledge to split your network into VLANs, do it.
I have a few more posts to write on how to technically set up VLANs; I’ll go over it on my current router and switch and try to give an abstract overview here. So more on this topic later, and I think networking will make up most of the posts for a few months.
I’m also thinking of reviving my old Twitch channel for a regular talk show (I hate that name) on IT topics. I’m thinking of a three-part show: a review of new stuff, a free-topic explanation (about 30 minutes on a specific topic, made understandable to anyone), and a coding/hacking tutorial.
There are already many YouTube channels on these topics in English, and a few Twitch channels too, but very few in French, and I’d like to be part of it. This still needs refinement and deeper thought.
I’ll try to get back to a more regular posting schedule, so let’s try this.