
My unnecessarily convoluted home setup that takes too much space - ftfy.


Everything has a purpose, unlike many "home labs" where people are just tinkering. There's nothing in here that would require fussy maintenance. It seems pretty reasonable to me given the functionality.


In my experience, the main issue with setups like that is IoT/convenience devices being subtly broken because of all the firewalling. Then you suddenly find yourself trying to figure out why you can't just AirPrint from your iPad or why your guest's iPhone sees a HomePod, tries to activate AirPlay, but it just silently fails. Really fun to debug, especially when you need that document printed right now or when you have a party going.


But what's the alternative? Unsafe home network where one rogue device can act as a tunnel for bad actors (bots more often tbh)?


The alternative is roughly what Google called BeyondCorp — not trusting your network and doing explicit auth everywhere it matters, maybe with a sprinkle of Tailscale to simplify auth and encryption.

If you're worried about your network being saturated for DDoS by a random IoT device, I suspect you'll notice it even without explicit monitoring.

Besides, risks need to be weighed by their probabilities. It's a small chance of name-brand IoT devices "going rogue" vs the certainty of random things not working when they should, and I don't think this tradeoff leans towards VLANs for most people.


If you buy devices from trustworthy brands and replace them when they stop getting security updates, it should be fine, right? After all, aren't 99% of home networks 'unsafe' according to your definition?


>After all, aren't 99% of home networks 'unsafe' according to your definition?

Prevalence of home IP addresses in DDoS attacks and in proxy pools does suggest so ¯\_(ツ)_/¯


It doesn't follow. There are a lot of homes, so even if 1% of all home networks had "rogue" devices in them they'd dominate DDoS attacks. Besides, it's not HomePods or Withings smart scales or Hue bridges doing that as far as I'm aware, it's mostly cheap, unsupported, no-name crap, so you can reduce your risks substantially by not buying questionable products.


There are plenty of CVEs in brand-name things across the IoT spectrum.

Vetting devices you introduce to the network is of course solid advice, but a little bit of paranoia never hurts in tech.


How many of those get exploited on firewalled networks before they're remotely patched though?

My whole point above is that it does actively hurt, with devices randomly misbehaving at exactly the wrong times. It's not enough to set up everything once because devices get updated and change ports, domains, and protocols. It also makes everything more brittle, requiring multiple inter-VLAN proxies to be running at all times for seemingly unrelated devices to work. That SD card in your raspi died? You decided to update Docker on it and ran into problems? No Sonos for anyone in the house until it's fixed.

There's a real cost to that paranoia; it's just another case of the security/convenience tradeoff.
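The two comments above (AirPrint/AirPlay silently failing across VLANs, and devices changing ports after updates) describe a debugging problem that a firewall block log can answer directly. The script below is an added example, not code from this thread or from any firewall product: it parses constructed block-log lines (format, subnets and addresses are assumptions) and reports, per IoT device, which well-known convenience services the segmentation is dropping, plus any unknown ports that may be a device that changed protocol after an update.

```python
# Added example: summarise which IoT-to-LAN flows a VLAN firewall is dropping,
# so "why won't AirPrint work" becomes a lookup rather than a debugging session.
# Log format, subnets and addresses are constructed for illustration.
import ipaddress
from collections import defaultdict

IOT_VLAN = ipaddress.ip_network("192.168.30.0/24")  # assumed IoT segment
LAN = ipaddress.ip_network("192.168.10.0/24")       # assumed trusted segment

# Ports that common home "convenience" protocols rely on.
SERVICES = {
    ("udp", 5353): "mDNS (Bonjour discovery)",
    ("tcp", 631): "IPP (AirPrint)",
    ("tcp", 7000): "AirPlay control",
    ("tcp", 1400): "Sonos control",
}

# Constructed block-log lines: action src dst proto dport
SAMPLE_LOG = """\
block 192.168.30.21 224.0.0.251 udp 5353
block 192.168.30.21 192.168.10.5 tcp 7000
block 192.168.30.40 192.168.10.5 tcp 631
pass 192.168.30.40 192.168.10.5 tcp 443
block 192.168.30.21 224.0.0.251 udp 5353
block 192.168.30.55 192.168.10.8 tcp 8443
"""

def parse_line(line):
    action, src, dst, proto, dport = line.split()
    return action, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(dport)

def blocked_iot_services(log_text):
    """Return {iot_src_ip: {service_name: drop_count}} for dropped flows that
    originate in the IoT VLAN and target the trusted LAN or a multicast group."""
    report = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        action, src, dst, proto, dport = parse_line(line)
        if action != "block" or src not in IOT_VLAN:
            continue
        if not (dst in LAN or dst.is_multicast):
            continue  # drops towards the internet are not the problem here
        name = SERVICES.get((proto, dport), f"unknown {proto}/{dport}")
        report[str(src)][name] += 1
    return {src: dict(services) for src, services in report.items()}

if __name__ == "__main__":
    for device, services in blocked_iot_services(SAMPLE_LOG).items():
        print(device)
        for name, count in services.items():
            print(f"  {name}: {count} dropped")
```

An "unknown" entry for a device that used to work is the signal that a firmware update moved it to a new port, which is the situation the comment above describes.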


Let's agree to disagree, I think in the end it comes down to priorities and pain threshold for having to tinker with stuff.


If they think this network is convoluted they should see mine!


My home cactus garden has an unnecessary number of cacti in it, as compared to the average home. I also expend unnecessary calories when hiking to places I don't need to go.

(edit: admittedly the five or six times I've set up a home network more complicated than just connecting to a router I've ended up regretting it after a few months)


Sometimes I even just walk in a big circle and end up where I started! What a waste of time!

Building my home network though is teaching me IPv6.


Agreed, but it's neat.

Every time I try setting my home network up like that (smart firewall, traffic graphs, etc), I just end up going back to a $30 router/AP.


Had a similarly convoluted network for some years... over time you realize it's just pointless to waste time maintaining and troubleshooting said setup.

Today it's ISP router + separate AP (better coverage). Chinese hackers aren't attacking my network, and if they did, cool, have at it. Basic firewall + NAT + AV covers 99% of use cases, even in a business, with the right configuration. Turns out I don't miss pfSense either.

Makes sense for keeping skills up to date, though, and as a hobby, I can see how one can get into it. Reddit's r/homelab has some crazy builds to check out.


I essentially have a foot in both camps... I like having the control and autonomy of open-source networking hardware but I don't have enough spare time to make it a full-on hobby. Right now my "happy spot" is:

1. An OPNsense firewall between my cable modem and the rest of the network running on a low-power PC Engines APU2. The web-based UI is funky but workable, full SSH access to the box for digging into the internals when needed, online upgrades are a cinch.

2. An 8-port gigabit unmanaged switch that everything hangs off of.

3. A Netgear WAX218 business-grade access point for wifi, running the stock firmware. Web UI is decent and doesn't require any cloud-based management bullshit. For around $100, it works much better than it has any right to, given the prices of mid-range APs and wifi routers these days.

4. A small fleet of Raspberry Pis for miscellaneous tasks.

If I get more into IoT, it shouldn't be much of a hassle to add VLANs and maybe another switch.


That sounds like a good "happy spot" and doesn't veer into hobby territory IMO. More like an interest.

In retrospect, I lied a bit about not missing pfSense (or OPNsense in your case) because truthfully I miss the monitoring, packages, configuration and expandability options. At the same time, I also don't miss them, because 0 headaches and actually better latency is still a plus. Just need to log in to that god awful ATT interface to open up a port, but these are 1st world problems... there's always VPNs and cloud VPS to fix that.


Unless you're really into managing a small fleet of devices for basic functionality I'd highly recommend replacing them with a single Intel NUC or similar. I did the same after one too many SD card failures and was very happy with the results - you get a significantly more powerful server for a power footprint about the same as all the horribly inefficient USB power adapters running a bunch of Pis.


I'd sub the ISP router for a £120 Topton box with VyOS on it, just because it can handle smart queues at line rate. It's really nice when you have exactly the same low ping and jitter regardless of other load on the network, with bandwidth splitting equally, and ISP routers just can't do that in my experience. It just works and requires zero fiddling.


TBH, haven't gone into anything deeper than ping and jitter benchmarks, so not terribly in depth or long-term besides occasional tests out of curiosity.

ATT fiber 300 up/down provides 4 ms consistent ping to Google's closest datacenter, sometimes at 3 ms, which is of course nuts. Might as well be in my apartment block. Perfectly happy with the provided unit, although it's an older one.

Tangential, but have used VyOS some years ago to create a makeshift 10G switch using commodity hardware and an old PC. Routed and switched amazingly fast - the demise was related to what I could guess were broadcast storms.

I'm with you in spirit however. Want and will probably need to switch back to a more customizable router.


I have something relatively similar, a bunch of old datacenter equipment (cheapest way to get 10+ GB!) and some MikroTik, and then I have hardcoded DHCP leases for my IoT shit, and extensive blocking at the firewall for those devices/MAC addresses.

Good enough for me.


Do you not have any hobbies? I find this to maybe not be practical, but that’s not the point of it.


Are Fritz!Boxes available in the US? They're built by AVM (a German brand) and are pretty neat if you want something that's secure, supported for a long time and easy to configure. Add some of their wireless repeaters for coverage via mesh networking and you'll have a guest wifi available everywhere and all is well.


I had one of these boxes and found it to be beyond infuriating

I would set up something simple like port-forwarding to a static IP and test that it worked

then I'd come back a few days later to use it and found the router had helpfully changed the IP to another one

and this happened with several different features (IPv6, DHCP, etc)

I replaced it with a much cheaper MikroTik box and that's worked flawlessly ever since

I would not recommend the Fritzbox to my worst enemy


If you select a host in the network overview, there is an option "Always assign this network device the same IPv4 address". If you tick that the address never changes. Also in modern Fritz!Boxes port forwarding is associated with a particular host, so I think it also works without the static assignment enabled?

Anyway, I have logged on to my headless GPU machines remotely through port forwarding for years and never had an issue.


In the US when a device is "on the fritz" it is failing intermittently, and the classical solution is to smack it firmly until it works. I suppose a Fritzbox might be perpetually on the fritz.


Same, I have used Fritz!Boxes for years, they are reliable, get updates and are quite configurable. The labs version even has WireGuard support now (they had IPsec before).


Sure, you can use the ISP modem and a laptop on wifi.

But that sucks ass.

Wouldn't you rather have real monitors/screens, a solid wired connection to a network and a real keyboard and mouse? Yea it takes space and time but it's way better.


> Wouldn't you rather have real monitors/screens, a solid wired connection to a network and a real keyboard and mouse? Yea it takes space and time but it's way better.

I do for most things, but better is personal.

Saying that OP's setup is overly convoluted or better is entirely missing the point -- it's what they want to do for enjoyment. Personal taste doesn't need to be justified.


Direct hit to the heart *cries in BGP and big enterprise switches*
