
Setting Up my UniFi Dream Machine for my Homelab

The UniFi Dream Machine might not be the ultimate firewall for your homelab. pfSense might be more hands-on, and running a Palo Alto or Cisco firewall more enterprise-like. But the Dream Machine does have all the features I require, good support and a pretty interface.

The Home Datacenter Company also considered all their options, and in the end the CIO/CTO/CEO and wife decided UniFi will do the job.

I started off by following the deployment guide to get my Dream Machine up and running. With my Dream Machine and two UniFi switches set up, it was time to create the networks.

I started off by creating only the necessary networks.

Management / Default – Used as Management VLAN for Switches and Network Devices
  • Subnet: 10.11.12.0/24
  • Gateway: 10.11.12.10
  • DHCP Scope: 10.11.12.15 – 10.11.12.35
THDC-Infra
  • Subnet: 10.70.10.1/24
  • Gateway: 10.70.1.1
  • DHCP Scope: 10.70.10.200 – 10.70.10.254
THDC-AD
  • Subnet: 10.70.11.1/24
  • Gateway: 10.70.11.1
  • DHCP Scope: 10.70.10.20 – 10.70.10.254
THDC-vSphere
  • Subnet: 10.70.12.1/24
  • Gateway: 10.70.12.11
  • DHCP Scope: 10.70.12.200 – 10.70.12.254
THDC-vMotion
  • Subnet: 10.70.14.1/24
  • Gateway: 10.70.14.1
  • DHCP Scope: 10.70.14.200 – 10.70.14.254
THDC-iSCSI-Routed
  • Subnet: 10.70.15.1/24
  • Gateway: 10.70.15.1
  • DHCP Scope: 10.70.15.200 – 10.70.15.254
THDC-vRealize
  • Subnet: 10.70.13.1/24
  • Gateway: 10.70.13.1
  • DHCP Scope: 10.70.13.200 – 10.70.13.254
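As an added example (not part of the original post), a small Python check over the VLAN plan above: it parses each network, confirms the gateway and the DHCP scope sit inside the stated subnet and do not collide, and reports any subnets that overlap. The values are the ones listed above; the script itself is an assumption of how one might validate a plan before entering it in the controller.

```python
import ipaddress

# VLAN plan as listed in the post (constructed from the bullet list above):
# (name, subnet, gateway, DHCP scope start, DHCP scope end)
PLAN = [
    ("Management / Default", "10.11.12.0/24", "10.11.12.10", "10.11.12.15", "10.11.12.35"),
    ("THDC-Infra", "10.70.10.1/24", "10.70.1.1", "10.70.10.200", "10.70.10.254"),
    ("THDC-AD", "10.70.11.1/24", "10.70.11.1", "10.70.10.20", "10.70.10.254"),
    ("THDC-vSphere", "10.70.12.1/24", "10.70.12.11", "10.70.12.200", "10.70.12.254"),
    ("THDC-vMotion", "10.70.14.1/24", "10.70.14.1", "10.70.14.200", "10.70.14.254"),
    ("THDC-iSCSI-Routed", "10.70.15.1/24", "10.70.15.1", "10.70.15.200", "10.70.15.254"),
    ("THDC-vRealize", "10.70.13.1/24", "10.70.13.1", "10.70.13.200", "10.70.13.254"),
]


def check_plan(plan):
    """Return a list of (network name, problem) tuples; an empty list means the plan is consistent."""
    problems = []
    seen = []
    for name, subnet, gw, dhcp_lo, dhcp_hi in plan:
        # strict=False accepts host-style notation such as 10.70.10.1/24
        net = ipaddress.ip_network(subnet, strict=False)
        gateway = ipaddress.ip_address(gw)
        lo, hi = ipaddress.ip_address(dhcp_lo), ipaddress.ip_address(dhcp_hi)
        if gateway not in net:
            problems.append((name, f"gateway {gateway} not in {net}"))
        if lo not in net or hi not in net:
            problems.append((name, f"DHCP scope {lo}-{hi} not in {net}"))
        elif lo > hi:
            problems.append((name, f"DHCP scope start {lo} is after end {hi}"))
        elif lo <= gateway <= hi:
            problems.append((name, f"gateway {gateway} sits inside the DHCP scope"))
        # Two VLANs sharing address space would break routing between them.
        for other_name, other in seen:
            if net.overlaps(other):
                problems.append((name, f"overlaps {other_name} ({other})"))
        seen.append((name, net))
    return problems


if __name__ == "__main__":
    for name, problem in check_plan(PLAN):
        print(f"{name}: {problem}")
```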

Security

The next part was to set up the default security for my lab. At this time I did not set up any DMZs and also no firewall rules between subnets. It would be a good idea to do the inter-subnet firewall rules at this stage, so you do not need to go back and retrofit them later. Another lesson learned on my side, as I did not do it.

I used the UniFi Dream Machine default sensitivity setting on High for my lab. This still allows for nearly maximum speed on my ISP connection.

I also deployed some internal honeypots to find any dodgy stuff I deploy in my lab.

We are now ready to start deploying hosts and services. I will need to come back to the network config to change the DHCP settings on all VLANs to hand out my own DNS servers, but as we do not have them yet I left it out for now.

In Part 2 we will look at setting up my Synology NAS to supply storage and NTP services.


Homelab – Physical Design

The design of my new home network was guided by the requirement for Internet stability and segregation between the HomeLab and the home network as far as possible.

Home Networking Design

I decided to have my internet come into the firewall for the home lab. This was to ensure that when I do decide to expose services to the internet, the attack surface of my home would be reduced due to the second firewall between my lab and home network. Part of the risk I still have would be man-in-the-middle attacks originating in my HomeLab. To mitigate this I would run all my home network traffic through a VPN service with the connection established on my internal firewall. An added benefit is that all lab services are on the Internet side of my internal firewall and I do not need to VPN into my lab.

The second firewall is a Dream Router sitting downstream from the Dream Machine in my lab.

My home network has WiFi from the Dream Router covering half of the house, and the other half is covered by a UniFi Nano HD. Every room has a network point cabled from the central switch, which resides in the same closet as the Dream Router; from there I use the small UniFi mini switches to my devices. I prefer to use cabled over WiFi where possible.

Storage

My NAS is used as a backup location for our PCs as well as a media server using Plex. I also use my NAS as an intermediary between the cloud storage we use (Dropbox/Google Drive/OneDrive) and long-term backup in AWS Glacier. We have our most important data in each respective cloud as well as on my NAS locally. A subset of really important data (family photos etc.) is being backed up to AWS Glacier.

DNS

DNS for my home is provided by two Raspberry Pis running Pi-hole. Both run in Docker with domain forwarding set up for my lab domain, which lets me resolve hostnames in my lab from my home network. The DNS servers are handed out by DHCP from the UniFi Dream Machine, and all traffic on port 53 is blocked in my network except to my own DNS servers.

I run a small four-node K3s cluster on a set of Raspberry Pis on my internal network. Not sure what to do with them yet, as I tend to break them every time I touch them.

HomeLab Networking Design

From my Dream Machine in the lab I use one physical port for my downstream Dream Router and my home. Two ports from the Dream Machine are used as uplinks to my two 8-port UniFi switches, and the last port is the uplink to my Cisco SG300 used for out-of-band networking.

There is an ISL between the two UniFi switches with an RSTP value lower than the uplink to the Dream Machine. This was done as the switch in the Dream Machine does not seem to support jumbo frames.

Each host and my NAS are patched to each UniFi switch. Additionally, the three workload nodes have two NICs patched to the Cisco out-of-band switch, which is used for vSAN traffic.

All cabling is done using flat Cat6 cables and at this time is still a real mess.

Future Plans for my Homelab Networking Design

I have a 10GbE upgrade planned as budget opens up and time is allocated. I will be replacing the Cisco SG300 with a set of 4-port MikroTik 10Gb SFP+ switches, which will have their own ISL and uplinks to the two UniFi switches. My vSAN and vMotion traffic will run over the 10Gb network and I will keep my VMs on the 1Gb.

Conclusion

Ensuring that my home network has no dependencies on my Homelab upped the WAF (Wife Acceptance Factor) a lot. I currently only need to schedule a maintenance window if I need to update the firmware or software on the UniFi kit. The Dream Machine does have a small network drop when modifying or creating VLANs, but on the wired connection this is only a single ping. For WiFi, however, this causes a disconnect. Because the downstream Dream Router is wired there is nearly no impact. I bravely tested this during one of my wife's video calls, and the fact that I am writing this now is proof that it works.

Next up we will look at how it all pieces together.


Homelab – Bill of Material

I will split the bill of material between what is used for my house and what is used for my lab. These two are related, but I tried keeping them separate as far as possible. I also reused as much of the hardware I already own and for which the resale value is really low.

My home was already wired with CAT6a to every room from the central patch cabinet, and also has cable internet connections in every room which can be patched from the central patch cabinet, but only to one room.

Home Hardware

On the home side I standardized on Ubiquiti hardware.

  • Router/Firewall – Ubiquiti UniFi Dream Router (EA)
  • Core Switch – Ubiquiti UniFi Switch 8P POE 60w
  • Lounge – Ubiquiti UniFi Switch Mini 5
  • Office – Ubiquiti UniFi Switch 8P
  • Wifi Extension – Ubiquiti UniFi AP Nano HD
  • Raspberry Pi Cluster – Ubiquiti UniFi Switch Mini 5
  • Primary DNS – Raspberry Pi 3b
  • Secondary DNS – Raspberry Pi 4 2GB
  • Storage – Synology DS915+

Lab Hardware

For my lab the hardware is a bit more mixed, and my intention is to keep it mixed up a bit with the future 10GbE upgrade. I kept my out-of-band networking intentionally off of Ubiquiti hardware due to their frequent update cycles and lower stability in my case compared to other brands. To buy my Homelab all new today would cost around $8000.

  • Router/Firewall – Ubiquiti UniFi Dream Machine
  • Primary Switch – Ubiquiti UniFi Switch 8P
  • Secondary Switch – Ubiquiti UniFi Switch 8P
  • Out of Band Switch – Cisco SG300-10
  • Storage – Synology DS415+ with
    • 4 x Western Digital Red 4TB HDD
  • Management Cluster:
    • 1 x SuperMicro E300-8D with
      • 2 x 32GB Corsair Vengeance LPX
      • 1 x Western Digital SN550 1TB NVMe SSD
  • Workload Cluster:
    • 3 x SuperMicro E301-9D-8CN4 each with
      • 4 x 32GB Corsair Vengeance LPX
      • 1 x Western Digital Red SN700 500GB NVMe SSD
      • 2 x Samsung 870 QVO 2TB SATA III SSD

Shortcomings

I currently do not have any power redundancy or backup power. In general the power here is extremely stable, except when I short it out with the toaster or switch off the wrong smart plug. Part of the redesign was due to the constant need to rebuild my vCenter or appliances due to storage corruption.

The SuperMicro E301-9D is not on the VMware HCL. This was chosen due to the higher core count available on the EPYC CPUs over the E300-8D's Intel CPUs. The components that usually cause issues, like network and storage, are server class and not consumer, so my hope would be for a longer support life on them.

Another thing to think about is that the SuperMicro server does come with expansion options, but the mounting brackets are not included in the initial purchase.

In the next part I will go through my physical and logical designs.
