Files
docs/content/articles/2025-04-02-Network.md
Michael Housh a53e808aec
feat: Updates to network article.
2025-04-08 13:36:39 -04:00


---
date: 2025-4-02
updated: 2025-4-08
author: "Michael Housh"
tags: network, infrastructure
primaryTag: infrastructure
---
# Networking
All of the networking setup is done through [unifi](https://unifi.ui.com). The
network is segmented into several different networks to isolate communication.
> Note: If you are unable to connect to the unifi management console linked
> above or if the internet is down, you can connect directly with the management
> console at `http://192.168.1.1`.
## Backup
The network management console gets backed up automatically each week (Sundays
@2:30am); however, you can manually back up the server by going to
`Settings -> Control Plane -> Backups`. This is also where you can restore from
a backup if needed.
## Networks
A brief overview of the networks that are set up, their uses, and why they are
needed.
| Network | VLAN ID | Subnet | Usable IPs |
| ---------- | ------- | ---------------- | ---------- |
| Default | 1 | 192.168.1.0/24 | 249 |
| Main | 10 | 192.168.10.0/24 | 205 |
| Phones | 20 | 192.168.20.0/28 | 13 |
| IoT | 30 | 192.168.30.0/24 | 249 |
| housh.dev | 50 | 192.168.50.0/28 | 12 |
| Guest | 60 | 192.168.60.0/26 | 61 |
| Management | 254 | 192.168.254.0/24 | 249 |
### Default Network
The default network cannot be deleted; it is the built-in default network on the
unifi networking gear. It is also generally the network a new device will land on
if it is plugged into an ethernet port / switch. For this reason this network is
isolated from communicating with other networks.
New devices that end up on this network should be configured / moved to the
appropriate network by a network administrator.
### Management Network
This network is for unifi equipment (wireless access points, switches, etc.).
It is isolated from other networks to reduce the attack surface if someone
gained access to the network.
### Main Network
This is where the majority of "trusted" devices, such as computers and mobile
phones, should be placed. This is also the network used when people join the
non-guest WiFi.
This network can communicate with almost all other networks, so only trusted
devices should be allowed on it.
### housh.dev Network
This is the network where the majority of servers are placed. It is primarily
set up to allow "responses" but not to initiate communication with other
networks. This helps reduce the risk if one of the servers gets compromised: an
attacker should not easily be able to move from that server to another network.
### Phones Network
This is the network where all the VoIP phones are. It is considered "untrusted"
and should not be able to communicate with any other network.
It is considered "untrusted" merely because there is no reason for anything on
this network to reach anything else; it should only handle phone traffic.
### IoT Network
This is the network where IoT (internet of things) devices are placed. It is
considered an "untrusted" network, and communication with other networks is
minimized to what is actually needed for the devices to work. This network is
not able to communicate with the internet: because these devices are made by so
many different companies with unknown intentions, keeping all of their
communication internal to our networks adds an extra layer of security.
The exception to what is placed on the IoT network is "apple" specific devices,
such as home-pods and apple-tv, because these devices have trouble operating
properly on the IoT network (for example airdrop and screen casting), which may
be resolved in the future.
### Guest Network
This is the network where guests are placed. It is considered "untrusted" and
should only be able to access the internet. Devices on this network are also not
able to communicate with other devices attached to the guest network.
## Wifi Networks
The following wifi networks are set up and broadcast via the access points. All
networks require a password to use. Ask Michael for passwords if you need them.
| Wifi SSID | Network |
| ------------------------ | ----------------------- |
| Center of Monroe | Main |
| Jarvis | IoT |
| Center of Monroe - Guest | Guest |
| Housh Home Energy | Main (VPN traffic only) |
## Firewall
The unifi management console is what handles firewall rules for the networks. It
is accessed via `Settings -> Security -> Firewall` on the management console.
![firewall](/static/img/firewall.png)
This is where rules are set to allow or deny traffic between the networks or to
the internet.
> Note: Be aware that making changes here may break things / render networks or
> services unusable. It is recommended to make a backup prior to making changes.
> One of the biggest things to _not_ do is block traffic from `Main -> Gateway`;
> most everything else is recoverable.
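The segmentation policy spelled out in the Networks section and the "never block `Main -> Gateway`" rule from the note above, as an added example (not code from the article or from unifi). It encodes the VLANs and subnets from the table as written, classifies any IP into one of those networks, and answers whether a host may *initiate* a flow to another; replies are implied, which is how the housh.dev network can respond without initiating. The exact set of networks Main may reach, the treatment of IoT-to-internal traffic, and the sample IPs and rule names are assumptions made for the demonstration.

```python
import ipaddress

# Networks exactly as in the article's table: name -> (VLAN ID, subnet).
NETWORKS = {
    "Default":    (1,   ipaddress.ip_network("192.168.1.0/24")),
    "Main":       (10,  ipaddress.ip_network("192.168.10.0/24")),
    "Phones":     (20,  ipaddress.ip_network("192.168.20.0/28")),
    "IoT":        (30,  ipaddress.ip_network("192.168.30.0/24")),
    "housh.dev":  (50,  ipaddress.ip_network("192.168.50.0/28")),
    "Guest":      (60,  ipaddress.ip_network("192.168.60.0/26")),
    "Management": (254, ipaddress.ip_network("192.168.254.0/24")),
}
INTERNET = "Internet"   # pseudo-network for any globally routable address
UNKNOWN = "Unknown"     # private address outside every listed subnet: deny by default

# Which networks a flow INITIATOR may reach. Replies to an allowed flow are implied
# (stateful firewall), which is exactly how housh.dev can "respond" without being
# able to initiate. Sets marked "assumption" are not spelled out in the article.
ALLOWED_INITIATIONS = {
    "Default":    set(),                                   # isolated until an admin moves the device
    "Management": set(),                                   # unifi gear only, isolated
    "Main":       {"housh.dev", "IoT", "Guest", INTERNET}, # "almost all other networks" (assumption: exact set)
    "housh.dev":  set(),                                   # responds only, never initiates
    "Phones":     set(),                                   # phone traffic only
    "IoT":        set(),                                   # no internet; internal access minimized (assumption: none modelled)
    "Guest":      {INTERNET},                              # internet only
}
CLIENT_ISOLATED = {"Guest"}   # devices on these networks cannot reach each other


def classify(ip: str) -> str:
    """Map an IP address to the article's network name, INTERNET, or UNKNOWN."""
    addr = ipaddress.ip_address(ip)
    for name, (_vlan, subnet) in NETWORKS.items():
        if addr in subnet:
            return name
    return INTERNET if addr.is_global else UNKNOWN


def is_allowed(src_ip: str, dst_ip: str) -> bool:
    """True if a host at src_ip may initiate a flow to dst_ip under the modelled policy."""
    src, dst = classify(src_ip), classify(dst_ip)
    if src in (INTERNET, UNKNOWN):
        return False                       # inbound from outside / unmodelled ranges: deny
    if src == dst:
        return src not in CLIENT_ISOLATED  # intra-VLAN traffic, except on isolated networks
    return dst in ALLOWED_INITIATIONS[src]


def validate_rules(rules: list) -> list:
    """Guardrail for the firewall note: flag any rule that would block Main -> Gateway."""
    problems = []
    for rule in rules:
        if rule["action"] == "deny" and rule["src"] == "Main" and rule["dst"] == "Gateway":
            problems.append(f"rule {rule['name']!r} blocks Main -> Gateway and would lock you out")
    return problems


if __name__ == "__main__":
    # Constructed sample flows, one per policy statement in the article.
    flows = [
        ("192.168.10.25", "192.168.50.6"),   # Main -> housh.dev server: allowed
        ("192.168.50.6", "192.168.10.25"),   # housh.dev -> Main: denied (cannot initiate)
        ("192.168.30.40", "8.8.8.8"),        # IoT -> internet: denied
        ("192.168.60.5", "192.168.60.6"),    # Guest -> Guest: denied (client isolation)
        ("192.168.60.5", "1.1.1.1"),         # Guest -> internet: allowed
        ("8.8.8.8", "192.168.254.10"),       # internet -> Management: denied
    ]
    for src, dst in flows:
        print(f"{src:>15} ({classify(src)}) -> {dst:<15} ({classify(dst)}): "
              f"{'allow' if is_allowed(src, dst) else 'deny'}")
    # A constructed rule set that violates the note's one hard rule.
    proposed = [{"name": "oops", "action": "deny", "src": "Main", "dst": "Gateway"}]
    print(validate_rules(proposed))
```

Running the flow table before touching the console is a cheap way to check that a planned rule change still matches the intent written down here; anything the model denies that you expect to work is a sign the prose and the firewall have drifted apart.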
## DNS
DNS is what translates domain names to IP addresses (e.g.
`po.housh.dev -> 192.168.50.6`). This is managed by the unifi management console
and is accessed via `Settings -> Routing -> DNS`.
We primarily use wildcard records, which leaves routing each name to the correct
service up to the servers themselves.
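How a wildcard record behaves, as an added example that is not part of the article or of unifi. The zone below is constructed: the article only shows `po.housh.dev -> 192.168.50.6` and says wildcards are used, so the apex record, the explicit `unifi.housh.dev` override and the `SERVICE_ROUTES` backends are assumptions for the demonstration. The resolver follows the wildcard rules from RFC 4592 (an exact record beats the wildcard, and a name under an existing non-wildcard name does not fall back to the wildcard), and `route` stands in for the server-side step that picks the service from the requested hostname.

```python
from typing import Optional

# Constructed zone, not the site's real records (see lead-in).
ZONE = {
    "housh.dev":       "192.168.50.6",   # apex record (assumption)
    "*.housh.dev":     "192.168.50.6",   # wildcard: any service name lands on the same server
    "unifi.housh.dev": "192.168.1.1",    # explicit record wins over the wildcard (assumption)
}

# What the server at 192.168.50.6 does once the request arrives: choose the
# service from the requested hostname. Backends are constructed placeholders.
SERVICE_ROUTES = {
    "po.housh.dev":  "backend://po:8080",
    "git.housh.dev": "backend://git:3000",
}


def _exists(name: str, zone: dict) -> bool:
    """RFC 4592: a name exists if it is an owner name or an ancestor of one
    (an 'empty non-terminal'); 'housh.dev' exists because '*.housh.dev' does."""
    return any(owner == name or owner.endswith("." + name) for owner in zone)


def resolve(qname: str, zone: dict = ZONE) -> Optional[str]:
    """Resolve qname against zone with wildcard semantics. None means NXDOMAIN."""
    name = qname.rstrip(".").lower()
    if name in zone:                        # an exact record always beats the wildcard
        return zone[name]
    labels = name.split(".")
    # Walk up to the closest encloser (longest existing ancestor). A wildcard
    # applies only if it sits directly under that encloser, which is why
    # 'x.unifi.housh.dev' does NOT fall back to '*.housh.dev'.
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if _exists(ancestor, zone):
            return zone.get("*." + ancestor)
    return None


def route(host_header: str) -> str:
    """Service selection on the wildcard target; unknown hosts get a default."""
    return SERVICE_ROUTES.get(host_header.rstrip(".").lower(), "backend://default-404")


if __name__ == "__main__":
    for q in ["po.housh.dev", "git.housh.dev.", "a.b.housh.dev", "unifi.housh.dev",
              "x.unifi.housh.dev", "example.org"]:
        ip = resolve(q)
        service = route(q) if ip == "192.168.50.6" else ""
        print(f"{q:<20} -> {ip or 'NXDOMAIN':<13} {service}")
```

The practical consequence of the wildcard is that every name under the domain resolves, including ones no service answers for, so the server behind it must reject unknown hostnames itself rather than relying on DNS to do so.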