
Eagle's Home Brew Domain Development Build & Upgrade


unsafesteagle (Member, joined Oct 16, 2014, Allagash, Maine)

OK guys, here goes,

I'll use this thread as a build log for my home network improvements!

Key Points Moving Forward:

  1. Non-Vendor Specific
  2. Following the OSI 7 Layer Model
  3. DMZ Segment
  4. Private Space NAT Gateway Bastion Host Segment
  5. Open Source Operating Systems and Applications
  6. Performance vs Price
  7. Custom, Expansion and Upgrade Builds.
From the bottom up, I'm preparing to work on layer 6 of the OSI structure.

I have some work remaining in layer 5 and below in my current setup. In layer 6 I'm excited to get VPN, proxy, VoIP and presentation templates implemented.
The tasks I'm most recently looking to achieve are segmenting my DMZ and NAT gateway at the physical level and also completing a working split DNS structure.

With new architectures about to be released and decreased pricing of current-generation electronics, I've decided to upgrade my ATX and micro-ATX boards to the higher chipsets for the CPUs installed.
This also gives me a chance to correct some misconfigured performance concerns within the network. It also involves a lot of OS reinstallation and workarounds.

It'll be fun for me to document, share and learn from the experience here in the forum.
:cheers:
 
My network build has 3 micro-ATX systems and 2 ATX systems.
None of the memory kits are above 3200 MHz, and none of the builds are PCIe 4.

CPUs installed are:
DMZ: Ryzen 5 5600G, Ryzen 3 3200G, Intel i3 10300
NAT private space: Intel i5 7600K, Intel i7 10700F
 
Gotcha. As mentioned earlier, these PCs are a 'network', so lower speeds would work the same/won't be a bottleneck. I wouldn't sweat that detail... and save some cash in the process. :)

I'm not a networking guy, but this seems overly complicated: five PCs for networking? I can't wait to see how this is set up and shakes out.

EDIT: What's the relevance of the PCIe 4.0 comment in all of this?
 
PCIe 4.0 is relevant for 10 Gb/s file transfers and a couple of years of future-proofing.

From a security perspective, advancing a firewall is a very large project. The firewall functions mostly at layer 4 of the OSI model. This requires learning and configuring services on both sides of layer 4.
Going not much further than that, an open source OS such as Debian is only left to fully developing the 7-layer OSI model. And it is overly complicated.

I don't know who or what kind of genius can make an AIO solution simple and small. I bet they'll be rich though.
 
So, excuse my ignorance here. The five PCs you mention, these are simply connected to your network like any other, correct? You are not using five different PCs to set up/configure this network... because that's what I got from your post(s), and it's just not clear (at least to me) what's going on. :)

Thanks in advance for your patience and for explaining things more clearly and concisely with only relevant details. :)

PS - Happy to clean this thread up... removing the irrelevant memory tangent... just LMK. Thread's a bit confusing at this point.
 
2 of the PCs are set up with pfSense (open source OS) as routers and firewalls.
2 of the PCs are set up with Debian Linux as web servers, for more customization with advanced services that pfSense does not need to run.
1 of the PCs is set up with TrueNAS (open source OS), providing network attached storage.

Also, there are Raspberry Pi clusters for backups, DNS and low-wattage redundancy.
 
As a person who runs a Windows domain at home with layer 3 equipment, I have a couple of questions.

Do you have a network diagram of what's going on here? For those of us confused as to what's going on.

The dual pfSense machines have my interest piqued, as I run multiple networks off of one machine.

What software are you running for the homebrew setup?

What's the end goal of this project?

What does homebrewing use 5 machines for?
 
Hey Wagex,

In a lot of ways it's just a personal build/project. Daily use, as I'm the only user: office tasks, business tasks, printing/scanning, online banking, web browsing, video streaming, music streaming and social media. Occasionally I play PC games on Steam and mess around with rendering movie discs. Online classes.

I'll explain in more detail going forward; here's some basic flow:

ISP Modem -> NAT Disabled Bridged -> pfSense Firewall Public Space Transparent Bridge "DMZ" -> PoE 1 Gb/s Switch & SFP+ 10 Gb/s Switch <-> Debian Webserver <-> Raspberry Pi Cluster <-> pfSense Firewall NAT Private Space Gateway -> Edge Endpoint Services

I'm running BIND9 DNS, including hosting my publicly registered domain. I'd like to get fully connected into the ARIN registry.

A "DMZ" effectively is public IP space only, and only accessible from other public IP space. It should be physically segmented also.
Mixing public IP space and private IP space is simpler, a looser security strategy, and has challenges with authoritative DNS servers and also publicly accessible DNS resolvers.
 
Maybe I'm just not smart enough about networking, but couldn't the segmenting be done in one pfSense machine using multiple network adapters? Physically separating them seems kind of moot if they are connected via the network to each other; the only thing actually separating them is rules in pfSense, whether you're using one or multiple pfSense machines.

Also curious as to why you're using BIND9 for DNS instead of Unbound in pfSense? pfSense also has a BIND add-on, so you don't have to run it on an external machine. Not saying it's bad practice or anything, but any reason why one would want to run it on a network machine instead of the router? The only reason I ask is that routers don't get shut down or rebooted often, so there's no chance of breaking everything when the machine handling DNS goes down.

In your DMZ, do the machines have public IPs assigned individually, or are you just using subdomains for them, e.g. server1.wagex.com and so on?

Here's the flow I was thinking of that would simplify it a bit, just my 1 cent though. lol

------------------------------------------opt1 DMZ > public facing machines
router (nat disabled) > pfsense (bind) |
------------------------------------------opt2 Local lan > private machines

Just set rules so opt1 can't see opt2 in pfSense (and vice versa), bind the domain to the DMZ in pfSense, configure the DMZ (opt1) network to have full access to WAN and no access to opt2, and configure the local network to ignore the DMZ but connect to the internet.

Maybe I'm underthinking this setup, lol. But it would take fewer machines running to keep it going and simplify the configuration a lot.

I've been running a domain at my house for a few years, so I more or less understand what you're talking about, just not sure as to configuration, as my network is obviously different.
 
I do not believe the full setup can be done without BIND9, or that the setup can be done with a single pfSense router. The flow you're thinking of is how my network is currently segmented.
In my network the NAT mechanism is somehow still breaking split DNS from fully working. I'm banking that with the second pfSense router I'll easily get working split DNS.

A Windows domain controller automates most of that as far as I know, but when it comes to email, authentication and directory services there's a need for advanced domain zone records.

Unbound DNS suggests remote DNS forwarding or remote DNS record hosting. Perhaps renting an advanced remote DNS service would make a single pfSense box more feasible.

My ISP assigns to my modem a routable public subnet with 11 usable public IP addresses. I manually assign them as needed. Ideally, achieving dynamic DNS would be fabulous.

I haven't needed to delegate subdomains yet. Debian, and most all machines I believe, require a domain name and fully qualified host name.
The domain is more of a zone, and is also the same with authentication as a realm. The domain essentially has no address because it's meant to summarize many addresses.
The host is just a prefix added to the domain. So a sub-domain could easily be confused with a fully qualified host name.
 
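The split DNS the post above is trying to get working is usually done in BIND9 with two views of the same zone: an internal view matched by the private client networks and an external view matched by everyone else. The block below is an added example, not code from the thread or from pfSense/BIND; it emulates BIND's view selection, checks that the external view never answers with a private address, checks that every externally published name also exists internally (so inside clients don't get NXDOMAIN), and renders the corresponding named.conf views fragment. The zone name example.test, the 203.0.113.0/24 "public" addresses (RFC 5737 documentation range standing in for the poster's 11-address block), the 10.0.0.0/24 and 192.168.1.0/24 internal networks, the zone file paths and the recursion settings are all constructed assumptions.

```python
"""Split-horizon DNS: view selection, leak check and named.conf rendering.

Added example, not from the thread. All addresses, names and paths below are
constructed placeholders.
"""
import ipaddress

# Client networks that should receive the internal view (assumed).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/24"),
                 ipaddress.ip_network("192.168.1.0/24")]

# Address space that must never appear in an answer served to the outside.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # CGNAT, RFC 6598
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 ULA, link-local, loopback
)]

# Minimal zone data, "owner type rdata" per line (constructed sample records).
# The nas record in the external zone is a deliberate mistake for the check to find.
EXTERNAL_ZONE = """\
www.example.test.  A     203.0.113.10
mail.example.test. A     203.0.113.11
nas.example.test.  A     192.168.1.20
"""
INTERNAL_ZONE = """\
www.example.test.  A     203.0.113.10
mail.example.test. A     10.0.0.11
nas.example.test.  A     192.168.1.20
"""


def parse_zone(text):
    """Parse the three-column sample format into {owner: [(type, rdata), ...]}."""
    zone = {}
    for line in text.splitlines():
        line = line.split(";")[0].strip()      # drop comments and blank lines
        if not line:
            continue
        owner, rtype, rdata = line.split(None, 2)
        zone.setdefault(owner.lower(), []).append((rtype.upper(), rdata))
    return zone


def select_view(client_ip):
    """Emulate BIND's match-clients: the first view whose ACL matches wins."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    return "external"                          # match-clients { any; }


def find_leaks(zone):
    """Owners whose A/AAAA rdata is non-routable; none may be in the external view."""
    leaks = []
    for owner, records in zone.items():
        for rtype, rdata in records:
            if rtype in ("A", "AAAA"):
                addr = ipaddress.ip_address(rdata)
                if any(addr in net for net in NON_ROUTABLE):
                    leaks.append(owner)
                    break
    return sorted(leaks)


def missing_internal(external, internal):
    """Names answered externally but absent internally: inside clients would get NXDOMAIN."""
    return sorted(set(external) - set(internal))


def resolve(name, client_ip, zones):
    """Answer an A query the way the view selected for this client would."""
    zone = zones[select_view(client_ip)]
    return [rdata for rtype, rdata in zone.get(name.lower(), []) if rtype == "A"]


def render_named_conf(zone_name):
    """named.conf views fragment; the internal view must precede the catch-all."""
    acl = " ".join(f"{net};" for net in INTERNAL_NETS)
    return (
        f'view "internal" {{\n'
        f'    match-clients {{ {acl} }};\n'
        f'    recursion yes;\n'
        f'    zone "{zone_name}" {{ type master; file "internal/db.{zone_name}"; }};\n'
        f'}};\n'
        f'view "external" {{\n'
        f'    match-clients {{ any; }};\n'
        f'    recursion no;\n'
        f'    zone "{zone_name}" {{ type master; file "external/db.{zone_name}"; }};\n'
        f'}};\n'
    )


if __name__ == "__main__":
    zones = {"external": parse_zone(EXTERNAL_ZONE), "internal": parse_zone(INTERNAL_ZONE)}
    print("external-view leaks:", find_leaks(zones["external"]))
    print("names missing from internal view:", missing_internal(zones["external"], zones["internal"]))
    for client in ("10.0.0.5", "198.51.100.7"):
        print(client, select_view(client), resolve("mail.example.test.", client, zones))
    print(render_named_conf("example.test"))
```

Two points matter in practice. BIND evaluates views in the order written, so the internal view with the narrow match-clients ACL has to come before the external view that matches any; reversed, every client gets the external answers and split DNS silently does nothing. And the leak check is worth running before each reload of the external zone: an RFC 1918 address published in the external view is both a broken answer for outside clients and a free map of the private network for anyone who queries it.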
> I do not believe the full setup can be done without BIND9, or that the setup can be done with a single pfSense router. The flow you're thinking of is how my network is currently segmented.
> In my network the NAT mechanism is somehow still breaking split DNS from fully working. I'm banking that with the second pfSense router I'll easily get working split DNS.

You can add BIND9 into pfSense. You can set up multiple domains, multiple networks and multiple network segments all on a single pfSense router ;) pretty crazy stuff you can do with it. I run 1 domain, but it's limited to my network. I share networks with my cousin down the street, and we each have our own pfSense machine, though we could have done it with one. We have separate IPs and internet connections but have full access to each other's networks. Pretty neat; we did it so we could share files back and forth without taking forever with our slow upload speeds. We use an antenna pointed between the houses.

> A Windows domain controller automates most of that as far as I know, but when it comes to email, authentication and directory services there's a need for advanced domain zone records.

I run a Windows domain controller; works great.

> Unbound DNS suggests remote DNS forwarding or remote DNS record hosting. Perhaps renting an advanced remote DNS service would make a single pfSense box more feasible.

That's the reason I asked if you knew about the BIND9 add-on for pfSense. You don't gotta use Unbound in pfSense; you can install BIND9 on there.

> My ISP assigns to my modem a routable public subnet with 11 usable public IP addresses. I manually assign them as needed. Ideally, achieving dynamic DNS would be fabulous.
>
> I haven't needed to delegate subdomains yet. Debian, and most all machines I believe, require a domain name and fully qualified host name.
> The domain is more of a zone, and is also the same with authentication as a realm. The domain essentially has no address because it's meant to summarize many addresses.
> The host is just a prefix added to the domain. So a sub-domain could easily be confused with a fully qualified host name.

Yeah, I make that mistake often, and my cloud host reminds me every time I make the wrong distinction lol.

Makes sense now, thanks for the clarification. Good luck with your network I'll be staying tuned!
 
Hi Wagex,
That sounds like a great way to both learn and enjoy networking with the neighbors.

I didn't have much luck with the BIND9 package installed on pfSense; the system seemed sluggish and buggy.
Also, I've put a large effort into learning IPv6, specifically Hurricane Electric's free tunnel broker service. I gotta say the learning curve is difficult compared to IPv4.

Of which 12 hours of my life are lost as I tried to get IPv6 ICMPv6 working behind a Mikrotik SFP+ switch with 7.1.x firmware. :rain::screwy:
 
IPv6 is a good way to create issues in your network, lol, just a heads up. I turn IPv6 off on everything I can. It ends up messing up all kinds of stuff.
 
After 3 or 4 OS reinstallations I was able to get the Raspberry Pi 4 accessed remotely. Problems with screen flickering on the mini HDMI port were a pain in the ***.
The other problem was creating a custom gateway on the secondary NAT device to connect the 2 routers.

Here are some pics as-is; I can't do a lot of teardown for cosmetic wire management with my leg broken. Soon though.
 
Attachments: 20220622_041859.jpg, 20220622_041949.jpg
Opened up the Ryzen 5600G rig, added a PCIe 3.0 boot drive and reinstalled pfSense!
Here's an internal snapshot!

20220622_061653-2.jpg


I had exported a configuration from the original OS. The problem encountered was that pfSense 2.6.0 did not include a NIC driver for the Realtek onboard copper adapter.
The expansion cards are 1 Gb and 10 Gb fiber. I could have used one of the new SFP copper adapters, I guess. Left over in a box was this gem. I was able to convert copper to 1 Gb fiber from the modem and install the driver.


(y)
The Windows 11 Ryzen rig in the signature: the OS is about 285 GB in size.
Added in this secondary 500 GB PCIe 4.0 storage device (ADATA).
Imaging the C: drive to the backup completed in 10 minutes or less.


20220622_093507-1.jpg
 