Feedback on home network design? (split tunneling?)

Discussion in 'Networking, Telephony & Internet' started by T1tan, May 4, 2019.

  1. T1tan

    Hi there

    So I'm not really that knowledgeable when it comes to networking. I currently have a reasonably simple network at home consisting of two IP ranges (if that's the right way to describe it):

    IP Range 1:
    Bridged Modem > Router 1 (on 192.168.1.*) > general

    IP Range 2:
    Router 1 > Router 2 (Asus RT-AC68U on 192.168.2.*) on ExpressVPN OpenVPN connection > Anything I want behind the VPN.

    Currently:
    [image: diagram of the current topology]

    I'm looking to add a 3rd IP range for CCTV, but I want to give it internet access for the remote app, and I'm contemplating how to block it off (would forcing it onto a VPN do this or would I just use a firewall? Or is both a good idea?).

    I'm thinking it's time to re-evaluate what I'm doing now. I have the following assumptions:
    • I will be buying Google Wifi (or whatever works well and easily)
    • I will be buying an NVR (Hikvision NVR is likely)
      • I assume the NVR acts as a DHCP-enabled router on its own IP range.
    • I am looking to update my Asus RT-AC68U to Merlin and maybe incorporate split routing.
    My bright idea:
    [image: diagram of the proposed topology]

    I think this might be the simplest design... I'm all ears for any input.

    I have some additional spare routers that I can use if need be (an ASUS DSL-AC68U, Netgear D7800). I'm also not afraid of a DIY router PC but I really don't know if I can be bothered anymore. It's been a few years since I looked at iptables or any form of routing smarts and I'm starting to become energy conscious. I'm happy to purchase a new router(s) if it makes life and management easier.

    Feedback is appreciated :)

    Cheers!

    Nik.
     
    Last edited: May 4, 2019
  2. s4mmy

    To be honest the above looks like a bit of a mess.
    If you were to re-do your network what would your budget be?

    Also...
    How many PoE devices?
    How many Non-PoE devices?
    How many Wireless devices?
    Area to cover with Wireless?
    Do you have existing Cat cabling?
     
  3. waltermitty

    Fucking hell

    Two words
    VLANs and VRF
     
  4. elvis

    Why? What's the design rationale here? Do you need to keep these systems separate and prevent them from seeing one another? What's the harm in a single subnet to grossly simplify your setup?
     
  5. T1tan (OP)

    The second router currently exists purely for the VPN of TV & streaming service devices. It was a quick and easy solution. I've wanted to clean it all up for a while.

    After a day of research, I just bought a pfSense USFF PC w/ 5 ports. The reasons for this are numerous:
    - per-device VPN tunneling with horsepower to go (no more separate IP range)
    - I think my AC68U is struggling to do wifi, VPN encryption and routing at the same time
    - this causes frustration, especially to the wife
    - I think its reliability was in question before I was using it to do anything like acting as a VPN client
    - can control who can see what (I don't want CCTV on the same network as the home network)
    - will use pfSense to monitor for ongoing dropouts of NBN
    - it does all the stuff I've wanted to do but never got around to, like ad blocking, VPN hosting, etc.

    As for the questions:
    - will be 7 PoE cameras + NVR
    - coverage of a ~400 m² house including extensions TBA, two levels. 320 m² at the moment.
    - I'm planning on getting a few cables laid on the main level. 3 to the TV area, the rest around the house. Contemplating buying a reel of 300 m and saturating my ceiling cavity. My house is a 1970s build, double brick, chasing isn't something I'm fond of right now. I'm looking to drop cables into closet space and having the sparky come by and finish off with a properly done outlet and accompanying 240 V. My study is roughly in the middle of the house.
     
  6. waltermitty

    What pfSense box did you buy? An official one? Make sure it's got AES-NI.
     
  7. T1tan (OP)

    Last edited: May 6, 2019
  8. money_killer

    I got a Linksys 1900ACS (ExpressVPN firmware), don't need 2 routers. You can select what device is protected and what is not. Maybe something like that is the go to simplify it.
     
  9. Symon

    Good move going the pfSense route. While you are running cabling in the roof, pick a good spot and put up a decent wifi AP. I used a Ubiquiti UniFi AC Pro and haven't looked back.

    Why aren't you putting your private network through the VPN, but your IoT stuff is? I've gone the other way around: the private network is via the VPN, and the IoT stuff bypasses the VPN for Netflix and Stan. The NVR sits on the private network, but we have taken the HDMI output from that to our TVs via Cat5 extenders.
     
  10. callan

    Not once have I ever seen running multiple IP subnets on the one network segment ever work out. The theory is sound but the practice sucks: anything broadcasty screws things over, and since so much these days uses broadcasts, from DHCP to DLNA, without a carefully set up VLAN switch you'll come unstuck. So you might as well keep to one subnet and use VLANs to achieve what you want. VLANs will also sort out your camera issues: VLAN-capable switches can be had for a poofteenth of what they used to, so there's no excuse not to go that route.

    Chromecasts of any flavour won't work without an active internet connection, and there is no way to set them up without a DHCP IP allocation. Bear that in mind.

    Callan
     
  11. T1tan (OP)

    OK,
    Thanks for the advice people!
    • I got pfSense working with aliases (grouping) of hosts, and those groups are set up for VPN split routing. This is the important bit. The concept is operational.
    • I converted my Netgear router to an AP for now. All good.
    • Removed the Asus router from the network. All good, I thought...
    • Interestingly, when my streaming devices are connected to the Netgear router which is now set up as an AP, Netflix runs like a complete dog on multiple streaming devices. Not on my phone though.
      • Initially I thought it was my split routing setup, and scratched my head for a while.
      • Before messing with the pfSense setup, I decided to try the Asus DSL-AC68U router again (which doesn't run as an AP ffs; the router version does but not the DSL router, need to investigate alternative firmware).
    • If I run it via the Asus router, again on the separate IP range, it runs OK.
    • This time though the Asus is running in the split-route device pool and not doing the VPN encryption work. Works well. Obviously not ideal though with the second IP range (forced onto me)...
    ...So it's still a messy topology but the wife is happy with the streaming, and I can see pfSense concepts are working, and pfSense is doing the heavy lifting well, just not in the configuration I want. But I like that if I want to add a device to sit behind a VPN, no worries, add it to the list.

    So I've decided on the following:
    • On top of pfSense, I am now going to go the Ubiquiti router & PoE UniFi AP-PRO-v2 route, effectively redoing my home network from a week ago.
    • pfSense will do all routing,
    • Ubiquiti will just be a uniform way of doing the wireless.
    • Cameras will still be Hikvision etc. I'm not paying for Ubiquiti ones.
    I will be laying cable from the study to wireless AP locations, but also laying cable so that every permanent device (streaming boxes, TVs etc.) is wired back to the study; wired is always ideal.
     
    Last edited: May 14, 2019
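Editor's added illustration, not from the thread and not pfSense's own generated ruleset: a hand-written pf ruleset in the shape of what the OP describes in the post above and in post 5 (an alias of streaming hosts policy-routed into the OpenVPN client, everyone else out the WAN, and a CCTV VLAN that cannot reach the LAN but can still get out for the remote app). Interface names, the VLAN ID, the 192.168.3.0/24 CCTV subnet, the tunnel peer address and the host addresses in the table are all assumptions. pfSense builds its own rules from the GUI (Firewall > Aliases, a LAN rule with the VPN gateway set, Firewall > NAT > Outbound), so read this as a reference for what those GUI settings have to amount to, not as something to paste into a pfSense box.

```pf
# Added example of per-host VPN split routing plus CCTV isolation. All names assumed.
wan    = "em0"         # WAN, facing the bridged NBN modem
lan    = "em1"         # 192.168.1.0/24, the general home network
cctv   = "em1.30"      # VLAN 30 on the LAN port: NVR + cameras (assumed subnet below)
vpn    = "ovpnc1"      # OpenVPN client to the VPN provider
vpn_gw = "10.8.0.1"    # tunnel peer; pfSense tracks this dynamically, hard-coded here

lan_net  = "192.168.1.0/24"
cctv_net = "192.168.3.0/24"

# The "alias" of devices that must exit via the VPN (streaming boxes, TVs).
# Constructed addresses for the example.
table <vpn_hosts> const { 192.168.1.50, 192.168.1.51, 192.168.1.52 }
# All private space, used to keep LAN-to-LAN traffic out of the tunnel.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
scrub in all

# Outbound NAT. Packets pushed into the tunnel must be NATed to the tunnel
# address or the provider drops them (pfSense: Outbound NAT in hybrid/manual mode).
nat on $vpn from $lan_net to any -> ($vpn)
nat on $wan from { $lan_net, $cctv_net } to any -> ($wan)

# Default deny, logged.
block log all

# --- LAN ---------------------------------------------------------------------
# VPN hosts: non-private destinations are policy-routed into the tunnel and
# tagged. The tag survives outbound NAT; the original source address does not,
# which is why the kill switch below matches on the tag and not on <vpn_hosts>.
pass in quick on $lan route-to ($vpn $vpn_gw) inet proto { tcp udp icmp } \
    from <vpn_hosts> to ! <rfc1918> tag VPN_ONLY keep state
# Everyone else on the LAN follows the normal routing table (out the WAN).
pass in quick on $lan from $lan_net to any keep state

# --- CCTV VLAN ---------------------------------------------------------------
# Cameras/NVR may talk to the firewall itself for DNS...
pass in quick on $cctv proto { tcp udp } from $cctv_net to ($cctv) port 53 keep state
# ...but may never initiate into the LAN or any other private range...
block in log quick on $cctv from $cctv_net to <rfc1918>
# ...while the NVR may still reach the internet so the phone app's relay works.
pass in quick on $cctv from $cctv_net to any keep state
# LAN -> NVR (web UI, RTSP) is already allowed by the LAN rule above; the
# replies ride the state entry, so no rule is needed in this direction.

# --- Kill switch ---------------------------------------------------------------
# If the tunnel is down, VPN-only traffic must not fall back to the WAN.
block out log quick on $wan tagged VPN_ONLY

pass out quick on $wan keep state
pass out quick on $vpn keep state
```

Two caveats worth checking on the real box. First, the `to ! <rfc1918>` exemption means a VPN host's DNS queries to the firewall's own LAN address are resolved by pfSense and leave via whatever path pfSense uses for its resolver, normally the WAN, so either hand those hosts the VPN provider's resolver via DHCP or route the firewall's own resolver queries through the tunnel. Second, a `route-to` rule referencing an interface that does not exist fails to load, so the OpenVPN client has to be up (or pfSense's gateway-down handling left at its default) before the ruleset applies.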
  12. Bradzac

    If you're going Ubiquiti, I wouldn't bother with pfSense. Get a USG, Cloud Key, switch and APs and you're set. The USG can plug direct into your NTD, and if you're with Telstra and have the modem with 4G backup you can set it as failover on WAN2. The less shit in front of the Ubiquiti gear the better it works.

    The APs can broadcast multiple SSIDs so you can set up a dedicated IoT network on its own VLAN to keep it isolated from the rest of your home network.

    Hikvision NVR does run its own DNS for the cameras. I've just been through all this myself so happy to have a chat about it if you want.
     
    Last edited: May 14, 2019
