My home lab is quite a modest setup. Currently, it consists of Lilo, a HP Microserver Gen8 running a Celeron G1610T and 16GB RAM, and Stitch, a HP Z440 Workstation running a Xeon E5-1650v with 40GB RAM. Both are running vSphere 6, with Lilo hosting various Linux servers, and Stitch hosting Windows servers (currently a DC and Exchange 2016).
Because my lab growth has been rather organic, the networking side has always been fairly simple:
My ISP-provided router acts as a guest wifi hotspot, while a cheap D-Link router flashed with DD-WRT handles everything else. Family wifi, laptops, TV, servers and virtual machines all run on the same subnet, with no additional security.
The biggest problem I have with this setup right now is that it’s just…messy. Everything is dumped into a single pool of IPs and handed one to get on with. As my network grows, this means I’m having to scan my network to find an available IP, and on more than one occasion I’ve deployed a new host only to find a conflict further down the line when I’ve powered up a seldom-used server.
I’ve deployed phpIPAM to help me keep track of my IP allocations, but that doesn’t really deal with the mess. At some point, you’ve just got to bite the bullet and spend the time to migrate to a new scheme. Since my lab uses Windows Server evaluation licenses with a 180 day lifespan, and they’re coming up to their last 60 days, now is as good a time as any to look at it.
This is my proposed scheme:
I’m going to install some kind of virtualised firewall onto each host. I’ve already selected pfSense for Lilo. I’m still in two minds as to whether I’ll do the same on Stitch, or try something different – it’s always fun to compare different products, but consistency means you have one less thing to think about when you’re making changes. I can then create a dedicated subnet on each host, and move all other VMs into that subnet, so all traffic is being routed through a firewall. I’ve dedicated an entire /16 to each host in case I want to create more than one subnet in the future. I currently only intend to use a /24 for each, but it’s always good to plan ahead.
When all VMs have been moved into a dedicated subnet, I’m going to purchase additional hardware to allow me to move the physical servers onto their own network. I’m still unsure as to whether that will be a pfSense hardware firewall, a Cisco L3 router, or a J1900-based system. I like the J1900 approach because I can potentially squeeze vSphere onto it to get more use out of it. That’s really more for future potential than any immediate need though.
The only thing I don’t really like is that all VM guest traffic is being routed through the Host network. That will probably be a phase two project, since it will involve adding an extra NIC to Stitch and updating the firewalls to use the Client LAN as the WAN side rather than the Host LAN.
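To sanity-check an addressing plan like the one above (one /16 per host, /24s carved from it, nothing overlapping the existing flat LAN, and an audit of which VMs are still sitting on the old subnet), here is an added example in Python using the standard `ipaddress` module. It is not part of the original post; the address ranges and VM entries are constructed placeholders, not the lab's real ones.

```python
import ipaddress

# Constructed placeholder ranges; the post does not give the real ones.
EXISTING_FLAT_LAN = ipaddress.ip_network("192.168.1.0/24")
HOST_BLOCKS = {
    "Lilo": ipaddress.ip_network("10.10.0.0/16"),
    "Stitch": ipaddress.ip_network("10.20.0.0/16"),
}


def check_plan(flat_lan, host_blocks):
    """Return a list of problems: a host block overlapping the existing flat LAN,
    or two host blocks overlapping each other. An empty list means the plan is clean."""
    problems = []
    blocks = list(host_blocks.items())
    for name, block in blocks:
        if block.overlaps(flat_lan):
            problems.append(f"{name} block {block} overlaps existing LAN {flat_lan}")
    for i, (n1, b1) in enumerate(blocks):
        for n2, b2 in blocks[i + 1:]:
            if b1.overlaps(b2):
                problems.append(f"{n1} {b1} overlaps {n2} {b2}")
    return problems


def next_free_subnet(block, in_use, prefix=24):
    """Carve the first /prefix subnet out of a host's block that does not overlap
    any subnet already in use there. Returns None when the block is exhausted."""
    for candidate in block.subnets(new_prefix=prefix):
        if not any(candidate.overlaps(used) for used in in_use):
            return candidate
    return None


def unmigrated_vms(vm_addresses, host_blocks):
    """Given {vm_name: (host, ip)}, return the VMs whose address is not yet inside
    their host's planned block, i.e. the ones still living on the flat LAN."""
    return sorted(
        vm for vm, (host, ip) in vm_addresses.items()
        if ipaddress.ip_address(ip) not in host_blocks[host]
    )


if __name__ == "__main__":
    # Constructed sample inventory: one VM migrated, one still on the old LAN.
    inventory = {"dc01": ("Stitch", "192.168.1.10"), "web01": ("Lilo", "10.10.0.20")}
    print("plan problems:", check_plan(EXISTING_FLAT_LAN, HOST_BLOCKS))
    print("next Lilo /24:", next_free_subnet(HOST_BLOCKS["Lilo"], [ipaddress.ip_network("10.10.0.0/24")]))
    print("still on flat LAN:", unmigrated_vms(inventory, HOST_BLOCKS))
```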