---
sidebar_position: 2
title: Network
---
The gate to my HomeLab is a UniFi Cloud Gateway Ultra. It is connected to a 1 Gbps fiber optic link from my ISP and manages 3 static WAN IP addresses.

## Hardware

```mermaid
---
config:
  look: handDrawn
  theme: forest
---
flowchart TB
    gateway(UniFi Cloud Gateway Ultra)
    poe(UniFi Switch Light 8 PoE)
    wifi1((UniFi U6+))
    wifi2((UniFi U6+))
    ISP <--> gateway
    gateway <--> lan1[LAN]
    gateway <--> poe
    poe <--> lan2[LAN]
    poe <-->|PoE| wifi1
    poe <-->|PoE| wifi2
```
## WAN

### Port forwarding

```mermaid
---
config:
  look: handDrawn
  theme: neutral
---
flowchart LR
    W8[WAN IP *8]
    W9[WAN IP *9]
    W0[WAN IP *0]
    montgomery("`Synology NAS
    _DSM Web UI, Hyper Backup Vault, Drive Server_`")
    plex(Plex external access)
    ingress50("`ingress-50
    _Zoraxy_`")
    ingress1("`ingress-1
    _Zoraxy_`")
    WAN1 --> W8
    WAN1 --> W9
    WAN1 --> W0
    W8 --> montgomery
    W8 --> plex
    W8 --> qbt(qBittorrent)
    W9 --> gitssh(Gitea SSH)
    W9 --> ingress50 --> pub(Public services)
    W0 --> ingress1 --> per(Personal services)
```
### Firewall rules

These rules apply in addition to the default rules.

| Name | Action | Source Zone | Destination Zone |
|---|---|---|---|
| Allow UniFi remote access | Allow | External | Gateway |
## Local network

### VLANs

| Name | Subnet | Description | Isolate network |
|---|---|---|---|
| Default | 192.168.1.0/24 | Default local network for laptops, family phones and tablets | No |
| Pub | 192.168.50.0/24 | An isolated VLAN for public services | No |
| Guest | 192.168.5.0/24 | An isolated VLAN for guest WiFi access | No |
| IoT | 192.168.6.0/24 | An isolated VLAN for connected home appliances | No |

- Device Isolation is disabled for all networks
### Firewall zones

| Name | Built-in | Networks / Interfaces |
|---|---|---|
| Internal | ✅ | Default |
| External | ✅ | Primary (WAN1), Secondary (WAN2) |
| Gateway | ✅ | - |
| VPN | ✅ | Hearthstone, VPS |
| Hotspot | ✅ | Guest |
| DMZ | ✅ | - |
| VLAN 50 | ❌ | Pub |
| VLAN 6 | ❌ | IoT |
### Zone access rules

Additional firewall rules allowing or blocking zone-to-zone or subnet-to-subnet communication.

| Source Zone | Destination Zone | Source | Destination | Action | Description |
|---|---|---|---|---|---|
| Internal | VLAN 50 | All | All | Allow with return | Allow all traffic from the Default network to Pub |
| Internal | VLAN 6 | All | All | Allow with return | Allow all traffic from the Default network to IoT |
| VPN | Internal | VPS subnet | All | Allow only return | Allow return traffic from the VPS subnet to Default |
| VPN | Internal | VPS subnet | All | Block | Block VPS VPN clients from accessing the Default network |
| VPN | Hotspot | VPS subnet | All | Block | Block VPS VPN clients from accessing the Guest network |
| VPN | DMZ | VPS subnet | All | Block | Block VPS VPN clients from accessing the DMZ zone |
| VPN | VLAN 50 | All | Hearthstone | Allow all | Allow Hearthstone VPN clients access to the Pub network |
| VPN | VLAN 6 (IoT) | All | Hearthstone | Allow all | Block Hearthstone VPN clients' access to the IoT network |
| VLAN 50 | VLAN 50 | All | All | Allow all | Allow Pub network clients to access each other |
## VPN

There are two WireGuard servers configured:

- Hearthstone. Subnet 192.168.3.0/24. For external access to all local networks.
- VPS. Subnet 192.168.4.0/24. For accessing VPS servers as local network devices.
## DNS Server

I use my gateway as a local DNS server with additional records for internal services, allowing them to be accessed using domain names like `beszel.int.example.com`, but only from the LAN or VPN. Almost all internal domains point to ingress1 (the Zoraxy reverse proxy), which also handles SSL termination.
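A split-horizon check for this setup, written here as an added example rather than anything from the page: every internal name must resolve to ingress1 through the gateway and must not resolve at all through a public resolver. It assumes a resolver is any callable returning the set of A records (empty set for a non-existent name), a placeholder address for ingress1, and a constructed second name `grafana.int.example.com`.

```python
"""Split-horizon check for the gateway's internal DNS records (added example, not from the page).
Assumptions not taken from the page: a resolver is any callable name -> set of A-record
strings (empty set when the name does not exist), ingress1 lives at the placeholder
address INGRESS1, and grafana.int.example.com is a constructed second internal name."""
from typing import Callable, Iterable

Resolver = Callable[[str], set]

INGRESS1 = "192.168.1.250"  # placeholder: ingress1's LAN address is not on the page
INTERNAL_NAMES = ["beszel.int.example.com", "grafana.int.example.com"]


def check_split_horizon(names: Iterable[str], internal: Resolver, public: Resolver,
                        ingress: str = INGRESS1) -> list:
    """Return (name, problem) pairs; an empty list means the split horizon holds."""
    findings = []
    for name in names:
        inside, outside = internal(name), public(name)
        if not inside:
            findings.append((name, "no internal record on the gateway"))
        elif inside != {ingress}:
            findings.append((name, f"internal answer {sorted(inside)} is not ingress1"))
        if outside:  # a public resolver must know nothing about *.int.example.com
            findings.append((name, f"leaks to public DNS as {sorted(outside)}"))
    return findings


def dnspython_resolver(server: str) -> Resolver:
    """Real resolver pinned to one server: the gateway for the inside view, a public one outside."""
    import dns.resolver  # needs dnspython; the offline demo below does not use it

    r = dns.resolver.Resolver(configure=False)
    r.nameservers = [server]

    def resolve(name: str) -> set:
        try:
            return {rr.to_text() for rr in r.resolve(name, "A")}
        except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
            return set()
    return resolve


# Constructed sample answers standing in for the gateway and for a public resolver.
GATEWAY_VIEW = {n: {INGRESS1} for n in INTERNAL_NAMES}
PUBLIC_VIEW = {"grafana.int.example.com": {"203.0.113.7"}}  # constructed leak


def demo_findings() -> list:
    return check_split_horizon(INTERNAL_NAMES, lambda n: GATEWAY_VIEW.get(n, set()),
                               lambda n: PUBLIC_VIEW.get(n, set()))
```

Against a live setup, pass `dnspython_resolver("<gateway LAN IP>")` and `dnspython_resolver("<public resolver IP>")` in place of the two lambdas.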