Replumbing the home & home-office network

pjm1 (Paul)
This should ultimately have benefit for my photography storage, so it has some relevance to TP :)

I'm keen to get the views of any network admins / sys architects etc. Or just people who've been here and done this sort of thing before.

Requirements
A. Have a "home" subnet which allows access to internet and home resources: 1x NAS, 4x FireTVs, 2x NowTVs, Sky, Bluray/smart tvs etc., secured wifi for iPad, tablets, phones including guests/friends who visit and "want a connection". Obviously this subnet needs to be protected from (and connected to) the internet with a modem with firewall, NAT, routing etc. This modem/router will also provide DHCP across this subnet.
B. Have an "office" subnet which allows unidirectional access out to the home network (NAS) as well as internet and then a secured network with a separate wifi (with ACL) containing a desktop PC, a couple of laptops and a networked printer/copier thing. This subnet will be protected from the first subnet with another router (which will also provide the second, secured wifi network).
C. Managed/smart switch (48 port) to manage hardwired connections into each subnet across the house and the connections which allow the routers to talk to one another. The office router allows for load balancing across two WAN connections, so I'm thinking I could potentially double up and get 2Gb/s should I need it between the subnets (although ultimately limited by the Gb connections to any single device).

I'm slowly upgrading my network kit from some basic equipment (basically home user stuff) and I now have:

1 Netgear ProSafe GS748T 48-port gigabit smart switch - this together with a 48p patch panel is what everything will plug into
1 TP-Link TL-ER604W SafeStream WiFi Wireless N Gigabit Broadband VPN Router for the office subnet. It provides DHCP on that second network as well as locked-down wifi access to the same and additional firewalling between my two networks
1 basic wired TP-link 1 port adsl2+ modem for access back to the internet and firewalling
3 access points which are all fully-functioning modems/routers/wifi etc. but which have been repurposed just as access points. The plan will be just to use one of these as an AP for the whole house unless I can get some sort of repeating/expanding thing going on?

Physical layout
The network map isn't quite accurate as I sketched it out when I was previously planning on getting a 24port switch and a non-wifi second router for the office subnet 2 (now changed for the ER604W) but aside from that it's fairly accurate, I think:
[network map image: cxKg4oL.png]

At the BT master socket I have the adsl modem plugged in, which then runs a long cat6 from its (100Mb) LAN port cable up to my loft. This is where the switch will be located. Next to the loft hatch is where the second "office" router and wifi point will sit (on the ceiling) with four ethernet and power cables running back up to the loft. One bunch of cables then run from the loft down into my study/office - these all connect into the switch but specifically subnet 2 "office". Another bunch of cables then run outside the house down to various rooms (living room, AV room/photo studio, kitchen, kids' playroom) which will connect into the subnet 1 "home". The NAS will be moved to the loft and also connect to subnet 1 "home" (into the switch, obviously).

So, everything in subnet 2 "office" is nice and fast and secure - subject to the end device having Gb ethernet, the infrastructure is all capable of that speed. The question I have is relating to subnet 1 - because DHCP is being managed by the slow 100Mb router/modem, does all traffic for subnet 1 have to flow back to that device? Or is the smart switch smart enough simply to know that when a connection request to the NAS is made from another port, it simply sets up a route directly to the NAS's port, thereby keeping all traffic at Gb speeds?

I'm kind of hoping and assuming so - otherwise if all subnet 1 traffic has to flow back to the subnet 1 router, it's going to be a big bottleneck even if it were a Gb port (which it isn't). Obviously Gb isn't required for access to the internet since that's the bottleneck at that stage, which is why I haven't bothered to upgrade my ADSL modem to one with a Gb LAN port.

My hope/assumption in terms of a request from my desktop PC for access to the NAS would be:

PC (Gb) subnet 2 -> patch -> GS748T switch (Gb) -> ER604W router (Gb) -> subnet 1 -> GS748T switch (Gb) -> patch -> NAS (Gb) subnet 1

Access between office PCs would be even simpler assuming the switch manages connections directly within subnets:

PC 1 (Gb) subnet 2 -> patch -> GS748T switch (Gb) -> patch -> PC 2 (Gb) subnet 2

Am I missing something or - quite possibly - overcomplicating things? Cheers
 
You're correct that intra-subnet 1 traffic won't all be passed through the router, but will go direct. However, that's a property not of the fanciness of your switch, but of the Netmask setting on each computer (one of the things now handled by DHCP). That lets the source computer know when it's trying to talk to a local destination computer, in which case it addresses the data packet direct and the switch will do the rest, or if it's trying to talk to a non-local destination computer, in which case it will direct its data packet to the defined Default Gateway (another setting handled by DHCP, and which will be the router) and rely on that passing it on correctly to the wider world. Incorrect subnet and netmask combinations are one of the settings that will break our desired setup.
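The netmask decision described in this reply, together with the two traffic paths sketched in the opening post (office PC to NAS via the ER604W, office PC to office PC straight across the switch), as an added worked example that is not part of the thread. The addresses are constructed: the thread gives none, so subnet 1 "home" is assumed to be 192.168.1.0/24 with the ADSL router at .1, and subnet 2 "office" 192.168.2.0/24 with the ER604W LAN side at .1. The last function shows the breakage the reply warns about: a host with the wrong netmask treats an off-link destination as local and never hands it to its gateway.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Host:
    """A LAN host as DHCP configured it: address, netmask and default gateway."""
    name: str
    ip: str
    netmask: str
    gateway: str

    @property
    def network(self) -> ipaddress.IPv4Network:
        # strict=False derives the on-link prefix from a host address plus mask.
        return ipaddress.ip_network(f"{self.ip}/{self.netmask}", strict=False)

    def is_on_link(self, dst: str) -> bool:
        """The netmask decision: does the destination fall inside my own prefix?"""
        return ipaddress.ip_address(dst) in self.network

    def next_hop(self, dst: str) -> str:
        """On-link: address the frame to the destination itself (the switch does the rest).
        Off-link: hand the packet to the default gateway."""
        return dst if self.is_on_link(dst) else self.gateway


# Constructed example addressing (assumed, the thread gives no real addresses):
#   subnet 1 "home"   = 192.168.1.0/24, gateway 192.168.1.1 (ADSL modem/router)
#   subnet 2 "office" = 192.168.2.0/24, gateway 192.168.2.1 (ER604W LAN side)
PC1 = Host("PC 1 (office)", "192.168.2.10", "255.255.255.0", "192.168.2.1")
PC2 = Host("PC 2 (office)", "192.168.2.11", "255.255.255.0", "192.168.2.1")
NAS = Host("NAS (home)", "192.168.1.20", "255.255.255.0", "192.168.1.1")


def trace(src: Host, dst: Host) -> list:
    """List the devices a packet from src to dst passes through, as the sender decides it."""
    hop = src.next_hop(dst.ip)
    if hop == dst.ip:
        # Intra-subnet: the switch forwards on MAC address, no router involved.
        return [src.name, "switch", dst.name]
    # Inter-subnet: the gateway router carries it across, then the switch again.
    return [src.name, "switch", f"router {hop}", "switch", dst.name]


def misconfigured_next_hop() -> str:
    """An office PC handed a /16 mask believes the home NAS is on-link, so it addresses
    the NAS directly instead of its gateway and the packet goes nowhere."""
    bad_pc = Host("PC (wrong mask)", "192.168.2.10", "255.255.0.0", "192.168.2.1")
    return bad_pc.next_hop(NAS.ip)


if __name__ == "__main__":
    print(" -> ".join(trace(PC1, PC2)))   # office to office: stays on the switch
    print(" -> ".join(trace(PC1, NAS)))   # office to home: via the ER604W
    print("wrong-mask PC sends direct to", misconfigured_next_hop())
```

The same test is worth running against a real host (`ip route get <nas-ip>` on Linux, `route print` on Windows) after DHCP hands out leases: the printed next hop should be the destination itself for same-subnet targets and the gateway for everything else.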
 
You're correct that intra-subnet 1 traffic won't all be passed through the router, but will go direct. However, that's a property not of the fanciness of your switch, but of the Netmask setting on each computer (one of the things now handled by DHCP). That lets the source computer know when it's trying to talk to a local destination computer, in which case it addresses the data packet direct and the switch will do the rest, or if it's trying to talk to a non-local destination computer, in which case it will direct its data packet to the defined Default Gateway (another setting handled by DHCP, and which will be the router) and rely on that passing it on correctly to the wider world. Incorrect subnet and netmask combinations are one of the settings that will break our desired setup.

Cool, thanks for that Paul. I was pretty confident that switches must do something in terms of directing the traffic using MAC addresses or somesuch, but then I had a panic that everything would end up being bottlenecked at the router. Which would be stupid, when I think about it, of course.

I suspect the smart switch is far less smart than the marketing team are wanting to portray and it's basically just a big switch with a web interface. The one I've gone for doesn't have any routing capabilities (save perhaps for simple static routes) so I'm reliant on the routers to move traffic across the two subnets and then obviously outside into the big bad world.

This diagram is probably more helpful in explaining what I'm setting out to achieve:

[network diagram image: KHGWlve.png]
 
That'll work (think of the 48 port switch as 2 separate 24 port switches), but it seems a bit over complex.

A better way would be to use a router and access points that support VLAN tagging. That way you can have both wireless networks everywhere in the house. Access points that support PoE are even better; you'd need a PoE switch, but no power cables to run, just CAT5.

If you are planning to run CAT5 outside, make sure that you use the properly rated exterior cable.

I should probably point out that this sort of thing is my day job.
 
The other question I'd ask is why do you need this AT ALL?

You are only connecting 1 PC, 1 Laptop and 1 Printer to your 'office' network, so why do you need to keep them separate? Just having the 1 network with everything connected to the switch would surely suffice?
 
Question, do you really need to make it that overly complicated for what sounds like it should be a fairly simple home/small office lan?

Possibly not! I'm good at overcomplicating things.

In summary, I have totally unsafe connections (from the internet), potentially unsafe connections (from guest wifi, tablet, phone and android set top tv boxes) and finally theoretically safer connections from my work PCs. I don't want any "smart/hackable" device being able to access anything more secure - so basically just two layers of firewall.

What's the best way of achieving that?
 
The other question I'd ask is why do you need this AT ALL?

You are only connecting 1 PC, 1 Laptop and 1 Printer to your 'office' network, so why do you need to keep them separate? Just having the 1 network with everything connected to the switch would surely suffice?

I don't want to keep them separate from each other, just the "rest of the world" which is basically everything else in my house and the big bad world outside.

I'm struggling to see how I can achieve the two layers of separation without two separate networks (or at least VLANs)?

Edited to add:

Sorry, just to be slightly clearer on the physical reasons for thinking this setup might be necessary: I do take my work laptop down to the AV room which also serves as a makeshift photo studio, either because I'm working while watching a film ( :) ) or I might be doing some tethered shooting... In either case I want to be able to plug back into a LAN socket in that room which runs back to the master switch and connects me to subnet 2 (office).

But I agree in principle that I'm making life difficult for myself for relatively small marginal gain, perhaps...
 
That'll work (think of the 48 port switch as 2 separate 24 port switches), but it seems a bit over complex.

A better way would be to use a router and access points that support VLAN tagging. That way you can have both wireless networks everywhere in the house. Access points that support PoE are even better; you'd need a PoE switch, but no power cables to run, just CAT5.

If you are planning to run CAT5 outside, make sure that you use the properly rated exterior cable.

I should probably point out that this sort of thing is my day job.

Hi Andy

Well, the install/upgrade has gone well so far. I haven't done any particularly long cable runs, but the "kit" has been permanently relocated to the loft space (boarded, insulated/soundproofed and with power - basically perfect as a server room!) and holes drilled etc. to get the ethernet to where it needs to be. Making solid core cables is a rubbish job - I hope you don't have to do it too often! I think I'm going to buy a batchload of short run patch cables but the saving on the long runs will be worth the pain...

PoE could have been an option, but I've been lucky to get power in from the floor above the ceiling where I've needed it so far. The smart switch is a bit of a beast - louder than I expected but hidden away in the loft it's not bothering anyone except nPower. The fileserver will be a whole other ball game though - I reckon that'll take a few days to get up and running.

Speed improvement getting everything onto Gb ethernet has been noticeable (Lightroom archive images are now fast again and backup should be similarly improved). However, the prospect of making up 5x 25m runs solid core cables for the basement AV is starting to look less appealing. I hate crimping. I might deploy a cheeky little Gb switch down there and just cable up two runs (one for each subnet). I then have 2x 20m runs for the living room on the middle floor...

Getting there though and the network design hasn't led to any disasters so far.
 
Well, the install/upgrade has gone well so far. I haven't done any particularly long cable runs, but the "kit" has been permanently relocated to the loft space (boarded, insulated/soundproofed and with power - basically perfect as a server room!) and holes drilled etc. to get the ethernet to where it needs to be. Making solid core cables is a rubbish job - I hope you don't have to do it too often! I think I'm going to buy a batchload of short run patch cables but the saving on the long runs will be worth the pain...

I avoid crimping wherever possible, especially solid core cable. Instead I use RJ45 sockets, patch panels and pre-made patch leads. Much easier to punch down than to crimp. :)
 
I avoid crimping wherever possible, especially solid core cable. Instead I use RJ45 sockets, patch panels and pre-made patch leads. Much easier to punch down than to crimp. :)
Agreed, crimping on solid cable isn't the easiest or most reliable. I've made some leads that way and they've lasted, but it's fiddly; a patch panel and punchdown connections are easier and more robust.
 
It was more an interim solution until that patch panel arrived... next week I'll be building the rest of the cables and plumbing everything into the back of the patch panel and wallboxes in each room. Far easier!! (And I've bought patch cables in the two colours required for the two subnets)...
 
If you are paranoid enough to separate your home and business networks, surely the adsl modem/router should be replaced with a firewall that has a leg in each network?
Is the NAS storing business data? If so, the same thing applies.

Is the router in the business network actually routing or is it doing double NAT? A firewall with a leg in each network would eliminate the double NAT/routing.

I do something similar ... using VLANs to segregate the home network from the guest wi-fi. Firewall does DHCP for the guest wi-fi network.

Excuse the shabby chic drawing ;)
[network drawing image: xps4OW1.jpg]
 
Thanks for that afasoas. Does VLAN tagging actually separate access between networks? Is there any way of hopping from one subnet to another? My thinking on routing between them is that I can permit some access between them should I want to and have the router's firewall protect against inbound access to the business subnet from the home subnet. Your solution may well accomplish that though.

It's overkill for sure, but I'd rather that than find I've been attacked and could easily have done something about it.

Server arrived yesterday and is up and running. Quite a noisy beast, but plenty of expansion capability with only 5 of the 25 drive bays occupied and space for another 80GB of RAM :eek:

Sort of migrated from a sensible "let's get some newer infrastructure" into a full on fiddling project now :)
 
Does VLAN tagging actually separate access between networks? Is there any way of hopping from one subnet to another? My thinking on routing between them is that I can permit some access between them should I want to and have the router's firewall protect against inbound access to the business subnet from the home subnet. Your solution may well accomplish that though.
VLAN tagging logically separates data packets, so there's no easy way to hop from one to another. The firewall should allow you to set up routing between VLANs.
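Why tagged frames on one VLAN cannot reach hosts on another without going through the router, as an added model that is not from the thread or from any vendor's firmware. It simulates a learning switch whose MAC table is keyed by (VLAN, MAC) and whose ports are configured as access (one VLAN) or trunk (several), which is the mechanism behind "logically separates data packets". VLAN IDs 10 (home) and 20 (office), the port names and the MAC strings are all constructed; the model ignores native-VLAN and spanning-tree details.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """An Ethernet frame carrying an 802.1Q tag (VID); MACs kept as strings for readability."""
    src_mac: str
    dst_mac: str
    vlan: int


class VlanSwitch:
    """Learning switch with a per-VLAN MAC table: one physical box, separate broadcast domains."""

    def __init__(self) -> None:
        self.port_vlans = {}   # port -> set of VLAN IDs the port carries
        self.mac_table = {}    # (vlan, mac) -> port where that MAC was last seen

    def configure(self, port: str, *vlans: int) -> None:
        """One VLAN makes an access port; several make a trunk (e.g. the uplink to the router)."""
        self.port_vlans[port] = set(vlans)

    def forward(self, ingress: str, frame: Frame) -> list:
        """Return the egress port(s) for a frame, or [] if the switch drops it."""
        if frame.vlan not in self.port_vlans.get(ingress, set()):
            return []   # ingress filtering: tag not permitted on this port
        # Learn the source address inside its own VLAN only.
        self.mac_table[(frame.vlan, frame.src_mac)] = ingress
        known = self.mac_table.get((frame.vlan, frame.dst_mac))
        if known is not None:
            return [] if known == ingress else [known]
        # Unknown destination: flood, but only out of ports that carry this VLAN.
        return sorted(p for p, vlans in self.port_vlans.items()
                      if frame.vlan in vlans and p != ingress)


HOME, OFFICE = 10, 20   # constructed VLAN IDs for subnet 1 and subnet 2


def build_switch() -> VlanSwitch:
    sw = VlanSwitch()
    sw.configure("g1", HOME)            # home PC
    sw.configure("g2", HOME)            # NAS
    sw.configure("g3", OFFICE)          # office PC
    sw.configure("g4", HOME, OFFICE)    # trunk to the router/firewall
    # The NAS has already been heard on the home VLAN, so (10, "nas") -> g2 is learned.
    sw.forward("g2", Frame("nas", "homepc", HOME))
    return sw


def office_frame_to_nas(sw: VlanSwitch) -> list:
    """Office PC addresses the NAS by MAC on VLAN 20: the (20, "nas") lookup misses, so the
    frame floods only within VLAN 20, i.e. to the router trunk g4 and never to g2."""
    return sw.forward("g3", Frame("officepc", "nas", OFFICE))


def foreign_tag_on_access_port(sw: VlanSwitch) -> list:
    """A frame tagged VLAN 10 arriving on the VLAN 20 access port fails ingress filtering."""
    return sw.forward("g3", Frame("officepc", "nas", HOME))


if __name__ == "__main__":
    sw = build_switch()
    print("office -> nas on VLAN 20 goes out:", office_frame_to_nas(sw))
    print("VLAN 10 tag on the office access port goes out:", foreign_tag_on_access_port(sw))
```

The point for the home/office split is the only route from g3 to g2 is through whatever sits on g4, so the firewall rules on that router are the whole of the inter-subnet policy; on a real switch the equivalent check is that every office-facing port has exactly one untagged VLAN and no tagged ones.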
 
I do something similar ... using VLANs to segregate the home network from the guest wi-fi. Firewall does DHCP for the guest wi-fi network.
Is your firewall in the drawing I didn't quote also acting as a multi-WAN PPPoE router and load balancing (or providing failover) across the two WAN interfaces? Or are you having one VLAN's worth of traffic heading out over the fibre interface and one over the ADSL?

At some point I'll be getting a second WAN connection (same subnets routed to both) and learning how to set up pfSense to load balance, but need some stuff to calm down a bit at work before I start playing with my home IT infrastructure!
 
VLAN tagging logically separates data packets, so there's no easy way to hop from one to another. The firewall should allow you to set up routing between VLANs.

Thanks Andy. Sounds like it ought to be sufficient segregation then. However, it would have required a similar sort of rejigging of routers to have achieved anyway. My onion/parent-child approach to the subnets seems to be working so far, although I've yet to span the two subnets with my server (not even sure I really need) and I currently have both NICs plugged into the office subnet.

I have been "enjoying" setting up DHCP, DNS and AD on the server though. It should make the whole remote working and consolidated backup regime far easier than my previous method of adhoc cloud-based file storage. Having two PCs (one laptop, one desktop) with shared applications and shared files but quite different working styles (one fixed, one roaming) wasn't ideal. Hopefully with the right AD/user setup it'll now be more efficient. Wondering how best to work that into Lightroom for catalogue and image storage...
 
Is your firewall in the drawing I didn't quote also acting as a multi-WAN PPPoE router and load balancing (or providing failover) across the two WAN interfaces? Or are you having one VLAN's worth of traffic heading out over the fibre interface and one over the ADSL?

At some point I'll be getting a second WAN connection (same subnets routed to both) and learning how to set up pfSense to load balance, but need some stuff to calm down a bit at work before I start playing with my home IT infrastructure!

Sort of. It's a pfSense Firewall with multiple gateways in failover. The aDSL and Fibre gateways are in a group with the Fibre as tier 1 and aDSL as tier 2. That means Fibre is prioritised but when a connectivity problem arises, the aDSL kicks in.

Load balancing multiple WAN connections would be tricky - and as Fibre is 100Mb/s relative to the aDSL's 7Mb/s, pretty pointless.
 
Thanks Andy. Sounds like it ought to be sufficient segregation then. However, it would have required a similar sort of rejigging of routers to have achieved anyway. My onion/parent-child approach to the subnets seems to be working so far, although I've yet to span the two subnets with my server (not even sure I really need) and I currently have both NICs plugged into the office subnet.

I have been "enjoying" setting up DHCP, DNS and AD on the server though. It should make the whole remote working and consolidated backup regime far easier than my previous method of adhoc cloud-based file storage. Having two PCs (one laptop, one desktop) with shared applications and shared files but quite different working styles (one fixed, one roaming) wasn't ideal. Hopefully with the right AD/user setup it'll now be more efficient. Wondering how best to work that into Lightroom for catalogue and image storage...

Is the server replacing the NAS? Or not, in which case it's presumably just taking care of DHCP/DNS/AD on the business VLAN only?
Running Active Directory in a home setup is more than a bit dedicated!
 
Is the server replacing the NAS? Or not, in which case it's presumably just taking care of DHCP/DNS/AD on the business VLAN only?
Running Active Directory in a home setup is more than a bit dedicated!

Yes it is - and the server is now doing AD/DNS/DHCP on that subnet. The router between subnet 1 and 2 is running a VPN server which allows me to dial into subnet 2 from the internet (using some funky routing/forwarding) so I also now have a subnet 12 for VPN clients. But that allows me to log in to the domain from the outside world and access files etc. Groovy! Subnet 1 (home) is simple with its router doing DHCP for its network. I also think I cracked getting round double-NATing by setting up a static route in subnet 1's router onto subnet 2, so hopefully that means things are slightly more efficient/better practice.

Of course, I could just do this simply with Google Drive, but where would be the fun in that, eh?

I've lost count of how many times I've installed WS2k8 and now WS12r2 through me messing up something, forgetting to turn on Server Backup :oops: :$ and the like. But that means I'm getting better at it... (downside of having an older server is I need to install WS2k8 using the HP Easy Start system and then install WS12r2 over the top as it's all too old for WS12 to be natively supported by HP).

Not sure what my next toy in the server roles/features list will be... certification and IIS to enable Work Folders perhaps? IIS scares me as it feels as if I'm going to be exposing my stuff to the outside world!
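What the static route in the home router changes, as an added example that is not the thread's own configuration. It models the home router's forwarding table with longest-prefix-match lookup and traces where a reply from the NAS to an office PC ends up with and without a route for the office subnet. The addressing is assumed: home 192.168.1.0/24, office 192.168.2.0/24, and the ER604W's WAN leg at 192.168.1.2 on the home subnet; "isp-gateway" is a placeholder for the ADSL provider's next hop.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str            # e.g. "192.168.2.0/24"
    via: Optional[str]     # next-hop address, or None for a directly connected network
    iface: str


class Router:
    """Forwarding table with longest-prefix-match lookup, as any IP router does it."""

    def __init__(self, name: str, routes: List[Route]) -> None:
        self.name = name
        self.routes = routes

    def lookup(self, dst: str) -> Route:
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in ipaddress.ip_network(r.prefix)]
        # Longest prefix wins: a /24 static route beats the 0.0.0.0/0 default.
        return max(matches, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)

    def next_hop(self, dst: str) -> str:
        route = self.lookup(dst)
        return dst if route.via is None else route.via


# Constructed addressing (assumed; the thread gives none).
HOME_NET, OFFICE_NET = "192.168.1.0/24", "192.168.2.0/24"
ER604W_WAN = "192.168.1.2"          # office router's WAN leg sits on the home subnet
OFFICE_PC = "192.168.2.10"


def home_router(with_static_route: bool) -> Router:
    routes = [
        Route(HOME_NET, None, "lan"),
        Route("0.0.0.0/0", "isp-gateway", "adsl"),     # default route to the internet
    ]
    if with_static_route:
        # The fix described in the post: send office-subnet traffic to the ER604W.
        routes.append(Route(OFFICE_NET, ER604W_WAN, "lan"))
    return Router("home-router", routes)


def reply_path_to_office(with_static_route: bool) -> List[str]:
    """Trace the NAS's reply to an office PC. The NAS sends it to its default gateway
    (off-link), and the home router's table decides from there."""
    r1 = home_router(with_static_route)
    hop = r1.next_hop(OFFICE_PC)
    if hop == ER604W_WAN:
        return ["NAS", r1.name, "office-router", "office PC"]
    # Without the route the reply heads for the ISP, which will not carry private addresses,
    # so the office router would have to NAT office traffic to 192.168.1.2 to get replies back.
    return ["NAS", r1.name, hop, "LOST"]


if __name__ == "__main__":
    print("without static route:", " -> ".join(reply_path_to_office(False)))
    print("with static route:   ", " -> ".join(reply_path_to_office(True)))
```

Dropping the NAT on the office router does not weaken the separation: the ER604W's firewall still decides which connections from subnet 1 are allowed into subnet 2, and the log entries now show real office addresses rather than one translated address.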
 