Network design for home lab environment (DMZ, clients, etc)

idea (Gawd) · Joined Jan 24, 2005 · Messages: 615
Hey everyone,

I have a pretty vanilla setup here. I don't think it's anything unusual. I am looking for "best practices" when dealing with clients, servers, virtual guests, DMZ, etc. Does anyone have any examples (hopefully network diagrams) of how a home lab network should be set up? I am not that experienced with networking so please explain it like I am 5 years old. ;) Thanks!

I have available to me:
  • Cablemodem w/ single port
  • WRT54G Router w/ Tomato
  • Netgear 48-port Managed Switch
  • ESXi+Solaris All-in-One with 2 NICs, could add more if necessary
  • 20 virtual guests (5 of them provide services to internet)

I don't mind virtualizing some of my network services, but not all. At the very least I need a physically separate VPN server.

In my previous life my ESXi host with 2 NICs was configured as such:
inet--nic1(inet vswitch)--wan port on virtual m0n0wall router
wan--nic2-(wan vswitch)--lan port on virtual m0n0wall router--switch--lan--lan PCs and the like.
(dmz-vswitch with no physical nic)--dmz port on m0n0wall router--dmz resources

I would never implement the above in production, however it was secure by design without considerations for exploits.

And there is no telling you how to do this like a 5 year old; it is in your best interest to learn how this all works on your own before jumping in head first.

My setup is basic and may not be ideal or according to best practices, but I hope it helps.

In vSphere I have port groups (virtual switches) for Management, NFS, VM Network 1 and 2, WAN, and test network. Each port group can be given one or more physical NICs, or you can use the same NIC for more than one port group, it's really up to you and how you want to set it up. When I first started I only had one Intel NIC and everything went through it, including the WAN, which was coming from the cable modem plugged into my switch on a separate VLAN. Very ghetto set up and something you would never want to do for production, but it worked. Later I added a quad port 1Gb card so I could dedicate physical ports to virtual port groups, like WAN or NFS. The cable modem is connected directly to the WAN port group and NFS has a dedicated 1Gb link. If this were production I would dedicate physical connections to management (also vMotion/FT in a cluster) and use another quad nic for redundancy but for home use I don't really care.

It really helps if you use a software router because they are quite versatile and feature packed, and can be given as many interfaces as you need. I use a virtual pfSense router/firewall with 5 vNICs: 1 for WAN, 2 for VM Network 1 and 2, 1 for DMZ, and 1 for the test network. It makes it very simple when you can just create another virtual switch and give its members gateway access by adding a vNIC to the virtual router and dropping it in the same port group. I also have an Astaro VM router/firewall that runs the test network that I use for testing routing protocols and other things. Every port group has a separate VLAN, and my Wi-Fi AP/dumb switch is on a separate VLAN as well. Each VM has a vNIC in a VM network or the test network, or a combination as needed. VMs that need DMZ access have a vNIC in the DMZ port group.

Use your imagination and set it up any way you want, you can always change or start over.