Day 3 involved some network planning. I currently run pfSense+ as my router of choice on a dedicated 1U SuperMicro server. I'm planning some shifts to my VLAN / subnetting setup and at the same time considering moving over to a Unifi Dream Machine SE.

The rest of my network hardware is Unifi so that would give the single pane of glass. They have recently added a lot of new features including Wireguard support, some limited ad blocking, and better overall experience on the dashboard. I previously used a USG-3 but moved over to pfSense for the broader functionality.

The downside would be that I would lose the use of my HAProxy module at the router level. It allows me to reverse proxy pretty much everything on my network and do SSL termination. This has been especially handy as its always online no matter the state of my various docker hosts, or my newly created kubernetes cluster. Though, this could be replaced with the same functionality I've been working on with the Nginx Ingress proxying from Day 2. Or moved to a Raspberry Pi 4 that I have had in my rack for a few months with no real usage yet.

I would also lose the ability to natively do split horizon DNS from that one machine. I could always run CoreDNS or a PiHole cluster, but its just another thing to take into consideration.

On the subnetting front, I currently have 8 VLANs with another I'm planning out for K8s workloads:

• MANAGEMENT (UNTAGGED) - Where core network devices live so its easier to access if I lock myself out via my LAN vlan
• LAN - Where all of our personal devices live (Phones, Laptops, Tablet)
• GUEST - A segmented network for guest devices. This SSID is usually turned off unless we are expecting guests.
• VPN - A segmented network for remoting in via Wireguard. This has many of the same capabilities as LAN but segmented so its apparent where the traffic is coming from
• IOT - Where all of the internet of things devices live including Thermostats, Amazon Echo Dots, Fire TVs, etc. This is segmented from all of RFC1989 and can only access the internet and some select IPs and ports for things like Plex locally
• NOT - Where everything that can be cut off from the internet but still needs WiFi lives. This includes smart switches, smart plugs, smart relays, etc.
• CCTV - This is where all of the cameras live. This is cutoff from the internet and most of the internal networks. The only thing that can access this network directly is the NVR which has 2 NICs, one on the 10 gigabit server network and the other on the 1 gigabit CCTV network to receive the camera traffic.
• HOMELAB - This is a dumping ground for a bunch of VMs and various services I tinker with on the homelab side. This is currently a /16 which I'd like to pair down into a /23 as I split out the containers into Kubernetes on it's own VLAN
• KUBERNETES - This is a work in progress VLAN which is reserved for K8s VMs, MetalLB, Containers, etc.

I'm going through each of these subnets and planning their sizing better than when I knew less. Many are /22 with some /16 sprinkled in that I would like to get down to a /23 maximum.