Critique my Home Network Setup

pipati (n00b, joined May 16, 2013, 23 messages)
Hi all,

I plan a new setup for my network at home. I intend to set up a DMZ and a LAN physically separated via different NICs on a pfSense firewall/router.

Please see my drawing.

A key component in my setup is an ESXi server on which I plan to have virtual machines connected to the DMZ segment or the LAN segment. No VMs will be connected to both segments.

What is the recommended setup on the ESXi networking to achieve this?
Can I create two virtual switches and attach them to separate NICs on the host as indicated on my drawing? Is there anything else I need to do on my host?

I expect some traffic from the ESXi Server LAN segment to my NAS, and both servers have a free NIC. Can I do something clever to allow the two servers to communicate via these two NICs directly? (See dark blue squares in drawing) Please advise.

All comments and critique of the setup are appreciated. I know I could have done a simpler setup with fewer NICs and VLANs, but wanted a physical split.

Thanks in advance for your feedback :)
 
Looks like a good setup.

What you have proposed to do for your DMZ regarding virtual switches is exactly the same procedure for how you can achieve a link between your VMs and your NAS. Create a new vSwitch with the free NIC in your ESXi host as a component of that switch. Call it "NAS LAN" or some such. Then connect your NAS and the ESXi host together, and assign RFC1918 IPs to each device. Then to allow the VMs to communicate on that LAN, just create a new network adapter for that VM and assign it to the NAS LAN.
 
Thank you for your feedback. Why did I not think of that solution for the additional vSwitch :eek:

I updated my drawing ...

Now, I only need some downtime accepted in my home to set things up :)
 
Looks like a good setup.

What you have proposed to do for your DMZ regarding virtual switches is exactly the same procedure for how you can achieve a link between your VMs and your NAS. Create a new vSwitch with the free NIC in your ESXi host as a component of that switch. Call it "NAS LAN" or some such. Then connect your NAS and the ESXi host together, and assign RFC1918 IPs to each device. Then to allow the VMs to communicate on that LAN, just create a new network adapter for that VM and assign it to the NAS LAN.

Why would you want to have the VMs access the NAS over this isolated, non-routable "NAS LAN"? How would you handle segmented DNS? Host files? Good luck. A potential solution would be to utilize this "NAS LAN" for NFS or iSCSI traffic on your VM Datastores. This would be totally transparent to the guest VMs, and only have to be configured on the hypervisor itself. Otherwise, adding an additional "NAS LAN" is unnecessary and wasteful of physical and logical resources.

Something "cleverer" would be to leverage both extra physical interfaces for link aggregation or failover on your ESXi server and NAS device.

Also, connect your ESXi host and pfSense router directly to the LAN switch. No need to have extraneous traffic pass through the E4200.
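The layout discussed in the original question (one vSwitch per physical NIC for DMZ and LAN), the first reply (a third vSwitch on the spare NIC for the NAS link) and the reply above (use that link for NFS/iSCSI datastore traffic via the hypervisor rather than giving guests adapters on it) can be expressed as a handful of esxcli commands. The script below is an added example, not from the thread or from VMware documentation; the uplink names (vmnic1, vmnic2), the vSwitch and port group names, the 192.168.50.0/24 addresses and the NFS export path are assumptions, and it assumes the default vSwitch0 with the management vmkernel (vmk0) already sits on vmnic0, which becomes the LAN side. By default it only prints the plan; set APPLY=1 in the ESXi shell to execute it.

```shell
#!/bin/sh
# Added example (assumed names/addresses): three-way segmentation on an ESXi host.
#   vSwitch0  (vmnic0, pre-existing): management vmk0 + "LAN VMs" port group
#   vSwitchDMZ (vmnic1): "DMZ VMs" port group only, no vmkernel interface
#   vSwitchNAS (vmnic2): "NAS LAN" port group + vmk1 for NFS datastore traffic
# Guests on the DMZ and LAN never get an adapter on "NAS LAN", so the NAS link
# is invisible to them and no DNS/hosts-file juggling is needed.

APPLY="${APPLY:-0}"

# run: print the command and execute it only when APPLY=1 (dry run otherwise).
run() {
    printf '%s\n' "$*"
    if [ "$APPLY" = "1" ]; then
        "$@"
    fi
}

# Create a standard vSwitch bound to exactly one physical NIC.
add_vswitch() {
    vswitch="$1"; uplink="$2"
    run esxcli network vswitch standard add --vswitch-name="$vswitch"
    run esxcli network vswitch standard uplink add --vswitch-name="$vswitch" --uplink-name="$uplink"
}

# Add a port group to a vSwitch (VM adapters attach to port groups, not switches).
add_portgroup() {
    vswitch="$1"; portgroup="$2"
    run esxcli network vswitch standard portgroup add --vswitch-name="$vswitch" --portgroup-name="$portgroup"
}

# Give the hypervisor a vmkernel interface on a port group with a static RFC1918 address.
add_vmkernel() {
    vmk="$1"; portgroup="$2"; ip="$3"; mask="$4"
    run esxcli network ip interface add --interface-name="$vmk" --portgroup-name="$portgroup"
    run esxcli network ip interface ipv4 set --interface-name="$vmk" --type=static --ipv4="$ip" --netmask="$mask"
}

# Full layout. vSwitch0/vmnic0 is left as the only place a management vmkernel lives,
# so the host is reachable from the LAN segment but not from the DMZ segment.
segmented_layout() {
    add_portgroup vSwitch0 "LAN VMs"
    add_vswitch vSwitchDMZ vmnic1
    add_portgroup vSwitchDMZ "DMZ VMs"
    add_vswitch vSwitchNAS vmnic2
    add_portgroup vSwitchNAS "NAS LAN"
    add_vmkernel vmk1 "NAS LAN" 192.168.50.10 255.255.255.0
    # Mount the NAS export as a datastore over the dedicated link (assumed NAS IP and share).
    run esxcli storage nfs add --host=192.168.50.20 --share=/volume1/datastore --volume-name=nas-ds
}

segmented_layout
```

After applying, `esxcli network vswitch standard list` should show each vSwitch with a single uplink and `esxcli network ip interface list` should show vmk0 only on vSwitch0 and vmk1 only on vSwitchNAS; a vmkernel interface appearing on vSwitchDMZ would mean the host itself is exposed to the DMZ, which is the thing to avoid.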
 
Similar to above, you are making it more complex than needed. Use the router, a managed switch, and an access point with dual band, and use VLANs to segment the traffic on the network. I don't think there is a need that I know of in putting the ESXi host in the DMZ though.
 
Hi,

Thank you for the feedback.

I do not own a managed switch, which is why I did not plan for a VLAN setup.
My LAN switch is unmanaged.

I do see the point of reducing traffic through the e4200. Swapping the LAN switch and the e4200 in the setup is perhaps more efficient.

(The e4200 is my dual band access point for 4 laptops, 2 pads and 4 smartphones, and I also stream media wirelessly to 3 media players in the house, which is why it ended up being the central component.)

The ESXi host will be managed via the LAN link, not the DMZ link.
My plan was to place some VMs in the DMZ. Is that not possible without exposing the host?!

I am undecided on the two free nics on the NAS and the ESXi host. Reason for not using them as redundant connections nor link aggregation is due to lack of free nics on the switch/e4200. I do not have any VMs on the NAS via iSCSI or NFS at the time being, so I am still open for suggestions for how to utilise these nics :)
 
You can put dd-wrt on the e4200 and that will give you many features such as VLANs, and it's free.
 
Thanks, I will consider dd-wrt. I have used it before on a WRT54GL.
My impression from my research some time ago, is that dd-wrt had issues on E4200 (I have V1 of e4200).
Have these problems been solved?
 
The support is based on the router that you plan on using. What build was it, because the latest build is 10020, or version 24. I use the wndr4500 and it's finally a work in progress.
 
Hi all,

I will probably go for my original design as neither my LAN switch nor my e4200 supports link aggregation.

The ESXi host is managed on the LAN interface, so it is not exposed in the DMZ as per my research.

The separate vSwitch between the NAS and the ESXi host can easily be removed if I find it cumbersome to manage.

Two simplifications do seem to be available:

1. Installing dd-wrt on the e4200 enabling me to simplify my setup with use of VLANs. I have decided not to go that way, as I want to do my configuration on the pfSense box, and I like the physical separation.

2. Replacing my LAN switch with an 8-port switch supporting link aggregation to enable use of two nics for the LAN interface on the ESXi host and the same on the NAS.
This implies removing the e4200 from the setup, replacing it with an AP connected to a port on the LAN switch. This is probably my next upgrade. I could sell the e4200 as I have a good AP available; good suggestions for such a switch are much appreciated.

Thanks again for your responses.
 