Welcome to the Home Network Guy forum!

Recent posts

#51
Proposed Network Designs / Re: First wired network - some...
Last post by Home Network Guy - October 01, 2021, 06:47:12 AM
Sounds like you have a good situation for being able to easily cool the room. I don't think you'll regret adding ventilation, especially if you start adding devices which run a little hotter. Heat builds up easily in an enclosed room.

If you're running Cat6 for the cameras, you might as well run it for everything. It's not super expensive and you can run at 10Gbit speeds up to 55m (~180ft). The cameras and PoE would run fine on Cat5e (and everything else), but why not future-proof a little bit and use a better quality cable (then you won't have to redo anything later).

Also, if you are running through walls (and between floors, which doesn't apply to you as a 1-story house), you should get riser-rated cable since it doesn't spread fire as easily throughout your home. It will be called CMR in the description if not spelled out.
#52
Proposed Network Designs / Re: First wired network - some...
Last post by SAOS_Boss - September 30, 2021, 10:51:07 PM
Thank you for the quick response and sage advice!

Luckily my planned network closet shares a wall with the AC return intake, so the intake duct runs directly through part of the closet. I am thinking I can just install a vent in the duct that is inside the closet in this situation.

I am planning to run solid core Cat5e cables underneath the house... this should be sufficient in your experience, correct? If I end up setting up PoE cameras I will be sure to run Cat6 for those though.
#53
Proposed Network Designs / Re: First wired network - some...
Last post by Home Network Guy - September 28, 2021, 10:18:43 AM
Below are some of my thoughts after building out my own home network over time:

1) It depends on how much it costs. I personally love having my modem, router, switches, and servers all in a centralized location where it is out of sight. Not only that, it makes connecting everything together easier. If you decide later to move your ISP connection to a different location (if you rearrange your living room or remodel, etc.), it is more of a hassle than if it's in a centralized location where it will likely never need to be moved again. If you want a quicker, cheaper solution that you may be able to accomplish yourself, running an Ethernet cable from the ISP or privately owned modem/router to your centralized location will work as long as you don't exceed 100 meters (~328 feet).

2) If your network closet is completely enclosed, you most likely need some sort of ventilation, especially if you are going to have servers in the closet. If it's just a network switch, you may not need it. PoE switches run hotter, but if you don't have a heavy load on it, it might not get too hot. Some people install a fan in the top and bottom of their door to draw in cold air and blow out hot air. Others blow hot air into the next room. Since I am working to finish the basement in my house, I was able to build a 4.5 ft. x 6 ft. server room. I was fortunate in that I have a return air trunk that runs parallel to one of the walls, so I only needed to run a few feet of ductwork. I installed an AC Infinity 6" inline duct fan which has a temperature control so it runs when it gets too warm. I am able to keep the overall temperature at 73-74 degrees or below without running the fan at its maximum power (I only run it at 40% since that seems to be enough without generating too much fan noise). I have 2 servers, 3 switches, 1 router, 1 modem, an NVR, and a Raspberry Pi and it stays that cool with the fan/ventilation. I also put a passthrough vent down low on the wall near the door to allow more air to be drawn in. It looks clean and it works great. Since it's in my basement, it naturally stays cooler so that helps. In the winter, it will definitely stay plenty cool since it's on the corner of the house (I have a walkout basement).

One thing you will want to avoid is to blow the hot air outside your house. I've heard of others doing it, but when I researched it, some have said it's harder on your HVAC because it creates negative pressure. Also even though it's warm air, it is still conditioned air (still may be cooler than the outside air in the summer and in the winter, you don't want to blow the warm air outside of your home). Therefore, blowing the warm air into your return air vent works well.

3) I had to redirect some of my Ethernet/coax cable from the closet under the stairwell in the basement to the server closet I built, and I used PVC pipe inside the walls. I could barely fit all of them in the size I chose, but I didn't want to use too wide a pipe and weaken the studs. I chose the maximum size for the maximum recommended hole you can cut into studs. I only needed to run it through a couple of studs since it was close to the corner of a wall. Then I ran more PVC conduit (gray plastic electrical conduit) above the ceiling in the server closet to my HVAC room so I could run the wires from the closet under the stairs, across the HVAC room and into the server closet. I used two 2" conduits, and I nearly filled both of them! I wish I had run 3" conduit, but I was able to do what I needed done with 2". I don't plan on adding too much more since I tried to plan ahead and ran a bunch of drops in my basement (20 drops -- 4 at 5 different locations). The 2 floors upstairs have 16 drops in comparison (that is what I had the builder run -- I wish I had a few more run, but I didn't want it to cost too much).

4) If you don't have the ISP connection to your house relocated, I know that a lot of people on Reddit show off their "lack racks" that are made out of Ikea furniture or custom built out of wood. With the price of lumber these days, it's probably cheaper to buy a low end server rack. For home use, cheap racks work great (or if you can find a solid used one that a business is throwing out). Being in the living room, I understand you would want it hidden. You would want to make sure it has some ventilation since routers can get pretty hot depending on what you are using.

One thing I didn't see you mention: since you are planning to run cables and use PoE switches, you may want to consider using wireless access point(s) that are powered via PoE. Since you have a small 1-floor house, you may be able to get away with one centrally located access point. If your closet will be near the center, you won't have to run a cable very far. You could just put the access point in your closet, but it could be better if it was mounted to the ceiling near the center of your house. If your house is more rectangular, you may need 1 AP on each side of the house (or if you want to extend coverage to your yard without getting outdoor APs, but range may still be limited).
#54
Troubleshooting / Re: [OPNsense] Need help reach...
Last post by Home Network Guy - September 28, 2021, 09:45:18 AM
The main difference between associated and unassociated rules is that when you make changes to the NAT port forward rule, it will be reflected in the associated rule. The unassociated rules won't get updated. You have to delete them to recreate them. I don't think there is a bug with how that works since it was intentionally designed that way for different purposes. I'm not quite sure when you would want an unassociated rule unless maybe you are worried someone will change the NAT port forward rule. However, if you did make changes and didn't realize you had an unassociated rule, it might make troubleshooting the rules more difficult.

Are your 2 private networks connected to the same OPNsense box or is one network on the ISP router and the other is on the OPNsense router? If they are on 2 separate routers, you should be able to create NAT port forward rules similar to if the WAN was connected directly to the Internet. This of course requires you uncheck blocking of private networks/bogons on the WAN interface (although I'm not sure if unchecking bogons is critical unless you are planning to use those specially reserved IP address ranges in your internal networks).
#55
Proposed Network Designs / First wired network - some con...
Last post by SAOS_Boss - September 27, 2021, 10:26:12 PM
Hello All,

I am looking to create my first wired home network. I have a few initial concerns first that I hope some of you might know something about.

First I want to lay out the basics of my situation:

- Small one-story home, plan to mount small network rack + patch panel in centrally-located closet
- ISP connection is Fiber-to-the-Home (FTTH)
- Plan is to run cables from central closet, under the house through the crawlspace, and then up to each room

Potential Future Plans:

- Install security network DMZ (PoE cameras, PoE switch, and NVR)
- Install Network Attached Storage (perhaps also DMZ)
- Install Firewall/VPN connectivity

Some basic questions/concerns:

1) My ISP connection was run to the Living Room (before I purchased the home). Does it make sense to pay to move the connection to my future network closet? The alternative, I guess, would be to just run a cable between the network closet and the current router location.

2) Will I need to provide ventilation/cooling to my network closet? I am not sure whether I will be purchasing equipment that needs cooling/fans. I do want some advanced features (port security, etc.).

3) What is the best way to create a conduit (for cabling) between network closet and crawl space? PVC pipe? I don't want insects to find a way into house through the conduit.

4) Building on question 1: I don't like having my router in the Living Room. Does anyone know of any furniture (side tables, etc.) that also functions as a network rack?

Any help or guidance is appreciated.

Thanks,
#56
Troubleshooting / Re: [OPNsense] Need help reach...
Last post by C18uj8Ms - September 27, 2021, 03:58:48 PM
Hello,
A bit of a necrobump but I have kind of a similar problem.
What helped me resolve part of the issue was looking at Log Files -> Live View which will show you which rules are firing.

I think that there might be a bug in the OPNsense NAT -> Port Forward -> Add -> Filter rule association selection.

I have tried Add unassociated filter rule/Add associated filter rule and neither of them work. The only thing that works for me to do a port forward between 2 private networks is to use the Pass option.

On another note when creating an unassociated filter rule, I would expect that I would be able to edit this rule but I can't which makes me suspicious that there might be a bug there.

And finally, one of the reasons why I couldn't forward between private networks is because there was a rule by default to deny from private to private which you can deselect.
#57
Troubleshooting / Re: Purpose of VLANs in OPNSen...
Last post by Home Network Guy - September 10, 2021, 09:17:15 AM
VLANs are a way to logically divide up your network into separate smaller networks. It is useful when you want to put restrictions between devices on both networks. So you can keep your employees or guests in your house on a separate network so they can't access more critical parts of the network. VLANs can be used to improve security, but by themselves they don't improve security. You have to have the proper firewall rules in place. VLANs + firewall rules provide you with improved security.

VLANs are not required, but they are commonly used because they save money (physical rack space, hardware costs, electricity, etc.). You can accomplish the same thing without VLANs, but you would need to have a separate network switch for each separate network. That is how they separated networks before VLAN technology existed. They would use separate routers/switches to create physically separate networks.

VLANs allow you to be more efficient with your hardware. You only need 1 switch (but you can have more if you need more ports, or if you want some PoE ports you can save money and buy a switch with fewer ports). You can create several networks using one router and one network switch. It will appear as though they are separate physical networks, but they in fact are not on physically separate hardware. Another benefit of VLANs is you don't have to physically have every device that's on the same network plugged into the same switch. This can cause problems if you have switches in different locations in your office or home since you have to make sure the device is plugged into the proper switch. If you want to switch networks, you have to physically move the Ethernet cable. With VLANs, you can simply change which network a device belongs to by changing it on the switch itself without needing to move any cables. So you can reconfigure your network very easily with VLANs since there is increased flexibility.

If you have multiple interfaces, you could plug a small unmanaged switch (which is cheaper) in each port and have separate networks without VLANs or you could use 1 (or more) interfaces with 1 bigger network switch (depending on how many devices you want to connect) that supports VLANs and you can create 1 or more VLANs to start separating your traffic. VLANs add a little more configuration in OPNsense but it's not a lot different than setting up the physical interfaces. You just have an extra step of creating your VLAN tag(s) and then you assign the VLANs to a physical LAN interface. You will have extra configuration for your network switch. You create the same VLANs in your network switch (making sure that the port that connects to the router from your switch is set to TRUNK or allows all VLAN tags to pass through -- different switches have slightly different terminology but the concept is the same).

It sounds like your firewall is allowing all connections for all of your interfaces. If you want your traffic to be isolated, you will need to add rules to block traffic between the interfaces while still allowing traffic to the Internet (unless you want an offline network which is handy for security cameras for instance if you worry about being exposed to the Internet).
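Two points in this thread are easy to see in code: this reply's point that VLANs only separate traffic once per-interface firewall rules block it (otherwise OPT1 and OPT2 talk freely, as the question describes), and the earlier port-forward reply's note (#54) that the WAN "block private networks" rule has to be unchecked before a forward between two private networks can pass. The following is an added example, not code from the forum or from OPNsense: the 802.1Q frame layout and IPv4 header offsets are real, but the rule evaluator is a simplified model of first-match ("quick") rules with an implicit default deny, and the VLAN-to-interface mapping, addresses and rule sets are constructed for illustration.

```python
"""Toy model of per-interface, first-match firewall rules applied to constructed
802.1Q-tagged IPv4 frames. Added example; not OPNsense code."""
import ipaddress
import struct
from dataclasses import dataclass, field

ANY = [ipaddress.ip_network("0.0.0.0/0")]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical VLAN tag -> interface assignment (the "create VLAN tag, assign it to
# a parent interface" step in the router). Constructed for this example.
VID_TO_IFACE = {10: "OPT1", 20: "OPT2"}


def build_frame(vid: int, src: str, dst: str) -> bytes:
    """Construct a minimal 802.1Q-tagged frame with a bare IPv4 header (sample data:
    MACs zeroed, no payload). TPID 0x8100 marks the tag; the low 12 bits of the TCI are the VID."""
    eth = bytes(12) + struct.pack("!H", 0x8100)           # dst MAC, src MAC, TPID
    tag = struct.pack("!HH", vid & 0x0FFF, 0x0800)       # TCI (PCP/DEI = 0) + inner EtherType IPv4
    ip_hdr = (bytes([0x45, 0x00, 0x00, 0x14]) + bytes(8)  # ver/IHL, TOS, total length 20, rest zeroed
              + ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed)
    return eth + tag + ip_hdr


def parse_frame(frame: bytes):
    """Return (vlan_id, src_ip, dst_ip); raise ValueError for untagged or non-IPv4 frames."""
    _, _, tpid = struct.unpack("!6s6sH", frame[:14])
    if tpid != 0x8100:
        raise ValueError("frame carries no 802.1Q tag")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    if ethertype != 0x0800:
        raise ValueError("inner payload is not IPv4")
    ip = frame[18:38]
    return tci & 0x0FFF, ipaddress.ip_address(ip[12:16]), ipaddress.ip_address(ip[16:20])


@dataclass
class Rule:
    iface: str                                   # ingress interface the rule is attached to
    action: str                                  # "pass" or "block"
    src: list = field(default_factory=lambda: ANY)
    dst: list = field(default_factory=lambda: ANY)


def evaluate(rules, iface: str, src: str, dst: str) -> str:
    """First rule on the ingress interface that matches src and dst decides;
    no match falls through to the implicit default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.iface == iface and any(s in n for n in rule.src) and any(d in n for n in rule.dst):
            return rule.action
    return "block"


def evaluate_frame(rules, frame: bytes) -> str:
    """Map the frame's VID to an interface, then evaluate the rules on that interface."""
    vid, src, dst = parse_frame(frame)
    return evaluate(rules, VID_TO_IFACE.get(vid, f"vlan{vid}"), str(src), str(dst))


# A plain "pass anything" rule on each VLAN interface: inter-VLAN traffic leaks through.
OPEN_RULES = [Rule("OPT1", "pass"), Rule("OPT2", "pass")]

# Isolated: block private destinations first, then pass the rest (Internet-bound traffic).
ISOLATED_RULES = [
    Rule("OPT1", "block", dst=RFC1918), Rule("OPT1", "pass"),
    Rule("OPT2", "block", dst=RFC1918), Rule("OPT2", "pass"),
]


def wan_rules(block_private_networks: bool):
    """Pass rule for a port forward to a constructed internal host, optionally preceded
    by the WAN 'block private networks' rule that drops RFC1918 sources before it."""
    rules = [Rule("WAN", "block", src=RFC1918)] if block_private_networks else []
    rules.append(Rule("WAN", "pass", dst=[ipaddress.ip_network("192.168.2.10/32")]))
    return rules


if __name__ == "__main__":
    leak = build_frame(10, "192.168.2.100", "192.168.3.100")
    print("open rules,  OPT1 -> OPT2     :", evaluate_frame(OPEN_RULES, leak))
    print("isolated,    OPT1 -> OPT2     :", evaluate_frame(ISOLATED_RULES, leak))
    print("isolated,    OPT1 -> Internet :", evaluate_frame(ISOLATED_RULES, build_frame(10, "192.168.2.100", "1.1.1.1")))
    print("WAN forward, private blocked  :", evaluate(wan_rules(True), "WAN", "192.168.1.50", "192.168.2.10"))
    print("WAN forward, private allowed  :", evaluate(wan_rules(False), "WAN", "192.168.1.50", "192.168.2.10"))
```

The order of the rules is the whole point: because the first match wins, the block-to-RFC1918 rule must sit above the pass rule, and on WAN the built-in private-networks block sits above any port-forward rule, which is why a forward from the ISP router's private LAN only passes once that block is unchecked.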
#58
Troubleshooting / Purpose of VLANs in OPNSense
Last post by ejayb9 - September 09, 2021, 03:51:19 PM
What's the purpose of the VLANs in OPNSense? I'm trying to figure out under which circumstances a VLAN is required, and also under which circumstances it is plain useful. Or if it just complicates a configuration.

Only thing I can come up with is if it is an unmanaged switch then a VLAN would be needed. I'm using a 4 port Protectli and each port (WAN, LAN, OPT1, OPT2) can be configured to an interface (em1, em2, etc...) so, I don't see the reason to add a VLAN on top of that.

But I do notice that machines in OPT1 can talk with machines on OPT2, even though they are on different IPs. For example, if OPT1 is 192.168.2.100-125 and OPT2 is 192.168.3.100-125, they can ping/telnet/whatever to each other unless I put in a block rule for each interface. I'm not sure if a VLAN would stop that from happening; I haven't had much luck configuring VLANs on a Protectli.

Thoughts? Should VLANs be used always, or for specific situations, or only when absolutely necessary?
#59
Tech Discussions / Re: Firewall rules - OPNsense ...
Last post by ejayb9 - September 09, 2021, 03:25:40 PM
Thanks! I'll give this a try.
#60
Proposed Network Designs / Re: Learning Networking by Muc...
Last post by codeangler - September 07, 2021, 05:05:12 PM
Thanks for the input. I'll read some more of your pieces on an OPNsense router.

I completed an experiment just before the weekend and prior to your reply and set my Buffalo AirStation to a different subnet, and now when I'm on it, I can print. But I lost wifi admin access, so I need to sort that out by plugging in directly.