How to overengineer your home network

A guide to overengineering your home network using UniFi equipments, Pi-hole, WireGuard and a lot of time

Published

Time to read

4 min read

Author

Resources

Implementation

Objectives

  • Secure networks for all devices : 0-trust networks by default
  • Fast and reliable internet connection : Up to 10Gbe for servers and mesh wifi for the rest
  • Privacy first : Block ads and trackers for all devices with Pi-Hole (since the Ad-blocker from Unifi is not that great)
  • Remote access to my home network : Using WireGuard VPN
  • Monitoring : Keep an eye on the network with Grafana and Prometheus
  • Backup : Backup all my data with a self-hosted solution

Network description

3 VLANs:
  • 1 : ****Master [10.42.0.0/24] : is used for servers and myself
  • 10 : IoT [10.42.10.0/24] : 0 trust network for all IoT devices (i.e. lamps, sonos, tv, …)
  • 255 : Guest [10.42.255.0/24] : 0 trust network for any friends coming over
3 SSIDs:
  • Go Go Gadget Internet → Master VLAN
  • Go Go Gadget Internet - IoT → IoT VLAN
  • Go Go Gadget Internet - Guest → Guest VLAN
1 AP for the moment broadcasting the 3 VLANs Main devices:
  • TinkyWinky : Workstation with UnraidOS used for storage and compute (Linux VMs and dockers).
    • Specs:
      • Threadripper 1920X
      • 2x 2080 Ti
      • 24TB HDD for storage
      • 3TB NVme for VMs
      • 512GB SSD for cache
      • 10GB RJ45
    • Dockers:
      • Plex for movies and tv shows streamed to TV
      • Bitwarden for password management
      • Caddy for reverse proxy and SSL
LAN firewall rules:
  1. ✅ Allow master to all VLANs
  2. ✅ Allow TV to access Plex on TinkyWinky
  3. ✅ Allow established and related connections (allow other VLANs to communicated if initiated by master VLAN)
  4. ✅ Allow IoT VLAN to access Home Assistant on TinkyWinky
  5. ❌ Drop invalid state
  6. ❌ Block all traffic matching RFC1918 (all local IPv4 addresses)

Dockers

Pi-Hole

Pi-Hole is directly on the the UDM Pro using systemd to create a debian container. I followed the guide from unifi-utilities for UnifiOS 3.x+.

All dockers on tinkywinky

  • Caddy : Reverse proxy and SSL and is the only one exposed to the internet and lan, the others are only accessible from an internal docker network from Caddy.
  • Bitwarden : Password manager accessible through Caddy.
  • Nextcloud : Cloud storage accessible through Caddy.
  • n8n : Automation tool accessible through Caddy.

External access

WireGuard

The plan is to use wireguard to access my home network from anywhere. The only problem right now is that Unifi doesn't support IPv6 for the easy wireguard setup so I'll have to tweak the configuration a bit to make it work.

Limitations

  • IPv6 :
    • First, my ISP only provides IPv6 subnet and no public IPv4 address so for the moment, I can't access my setup from an IPv4 only network, but it could be solved with either another proxy or a VPN on a VPS, or simply using Cloudflare Tunnels but I'm not sure I want all my traffic to be visible by Cloudflare.
    • Unifi doesn't seem to acknowledge the existence of IPv6 for some services (Wireguard, ...), which is a bit annoying.

Future improvements

  • External access : If I want to open some of the instances to the internet, I'll probably switch to Traefik with Authelia for authentication and give access to only trusted users.
1
graph TD
2
    provider[ISP]
3
    modem[Modem]
4


5
    device_tinkywinky[TinkyWinky]
6


7
    switch_livingroom[Living Room Switch]
8


9
    device_tv[Tv]
10
    device_sonos[Sonos]
11
    device_nanoleaf[Nanoleaf]
12
    device_hue[HUE]
13
    device_tuya[Tuya]
14


15
    ap_sonic0[Sonic #0]
16


17
    ssid_gogomaster[Go Go Gadget Internet]
18
    ssid_gogoiot[Go Go Gadget Internet - IoT]
19
    ssid_gogoguest[Go Go Gadget Internet - Guest]
20


21


22
    subgraph "ISP"
23
        provider --> modem
24
    end
25


26
    subgraph "UDM Pro"
27
        port_wan1[WAN1]
28
        port_lan1[LAN1]
29
        port_lan3[LAN3]
30
        port_lan5[LAN5]
31


32
        port_lan3
33
    end
34


35
    subgraph "IoT VLAN"
36
        ssid_gogoiot
37


38
        switch_livingroom
39


40
        device_tuya
41
        device_nanoleaf
42
        device_hue
43
        device_sonos
44
        device_tv
45
    end
46


47
    modem --> port_wan1
48


49
    port_lan1 --> ap_sonic0
50
    ap_sonic0 --> ssid_gogomaster
51
    ap_sonic0 --> ssid_gogoiot
52
    ap_sonic0 --> ssid_gogoguest
53


54
    port_lan3 --> switch_livingroom
55
    switch_livingroom --> device_tv
56
    switch_livingroom --> device_sonos
57


58
    port_lan5 --> device_tinkywinky
59


60
    ssid_gogoiot --> device_tuya
61
    ssid_gogoiot --> device_nanoleaf
62
    ssid_gogoiot --> device_hue
63


64
    style provider fill:#f9f,stroke:#333,stroke-width:4px
65
    style modem fill:#bbf,stroke:#333,stroke-width:2px
66
    style device_tinkywinky fill:#ff9,stroke:#333,stroke-width:2px
67
    style switch_livingroom fill:#9f9,stroke:#333,stroke-width:2px
68
    style device_tv fill:#f99,stroke:#333,stroke-width:2px
69
    style device_sonos fill:#99f,stroke:#333,stroke-width:2px
70
    style device_nanoleaf fill:#9ff,stroke:#333,stroke-width:2px
71
    style device_hue fill:#f9f,stroke:#333,stroke-width:2px
72
    style device_tuya fill:#ff9,stroke:#333,stroke-width:2px
73
    style ap_sonic0 fill:#9f9,stroke:#333,stroke-width:2px
74
    style ssid_gogomaster fill:#f99,stroke:#333,stroke-width:2px
75
    style ssid_gogoiot fill:#99f,stroke:#333,stroke-width:2px
76
    style ssid_gogoguest fill:#9ff,stroke:#333,stroke-width:2px