Good morning. First, please let me apologize for basically dropping this all of a sudden. Life happened and I had to be away for quite a while.
I am very sorry, because by the time I came back and was able to sit down at my computer to go over my notes, I had completely forgotten about this.
Now, this will be very long, as I have it all documented with as much detail as possible to make sure I can reproduce it if anything goes catastrophically wrong.
Having said that, here goes:
## 1. Hardware, Adapters & Physical Backbone

* **Gateway:** MINISFORUM NAB6 Lite Mini PC, Core i5-12600H (12C/16T, up to 4.5 GHz), 16GB RAM + 500GB SSD (Dual 2.5GbE Intel i226-V)
* **WAN Aggregator:** MokerLink 2G04210GTM (Managed 2.5G RJ45)
* **Core Switch #1:** MokerLink POE-2G08110GSM (Managed 2.5G PoE)
* **Core Switch #2:** MokerLink POE-2G08110GSM (Managed 2.5G PoE)
* **CCTV/Media Switch:** TP-Link TL-SG1218MPE (Managed 1G PoE)
* **Transceivers:**
  * **2x 10G SFP+ to RJ45:** Connects Core #1 SFP+ to Core #2 SFP+ (10G Backbone).
  * **2x 1.25G SFP-T:** Used in TP-Link SFP slots for Uplink/Media.
* **Cabling:** Cat6A Shielded (26AWG) for all backbone, WAN, and high-speed runs.

---

## 2. Phase 1: OPNsense Foundation & Cloudflare SSL

### Installation & CLI Handshake

1. **Boot:** UEFI Mode, ZFS Partitioning (Auto).
2. **Assignments:**
   * WAN: `VLAN 99 on igc0` (Fiber)
   * WAN2: `VLAN 98 on igc0` (Starlink)
   * LAN: `VLAN 1 on igc1` (Management)
3. **Static IP:** Set LAN to `192.168.0.1/24`. Enable DHCP temporarily; disable it once the devices have their IPs assigned (.100 - .200).

---

## 3. WiFi Optimization: Cinder Block "Cellular" Strategy

### A. Radio Policies (Zero-Overlap Logic)

* **Transmit Power:**
  * **2.4GHz:** Custom (6 dBm). Active **ONLY** for Matter-IoT and Guest-WiFi.
  * **5GHz:** Custom (20 dBm). Active for **ALL** SSIDs except **Matter-IoT and Guest-WiFi**. Bumped for cinder-block penetration.
* **Handoff:** Enable **802.11k/v/r**.
* **Min RSSI:** **-75 dBm** (forces devices to drop weak signals at cinder-block boundaries).

### B. 5GHz Channel Matrix (80MHz Width)

| AP Unit | Location | Floor | 5GHz Block | 2.4GHz (IoT Only) |
| :--- | :--- | :--- | :--- | :--- |
| **AP 1** | Master Bedroom | 2F | 36 | 1 |
| **AP 2** | Master Closet | 2F | 52 (DFS) | 6 |
| **AP 3** | Family Room | 2F | 100 (DFS) | 11 |
| **AP 4** | Sammy Bedroom | 2F | 116 (DFS) | 1 |
| **AP 5** | Oliver Bedroom | 2F | 132 (DFS) | 6 |
| **AP 6** | Dining/Living | 1F | 149 | 11 |
| **AP 7** | Pantry | 1F | 36 (Reuse) | 6 |
| **AP 8** | Guest Bedroom | 1F | 52 (Reuse) | 1 |
| **AP 9** | Outdoor (Front) | Ext | 116 (Reuse) | 11 |
| **AP 10** | Outdoor (Back) | Ext | 149 (Reuse) | 6 |

---

## 4. Physical Port & Cabling Matrix

### A. WAN Aggregator (MokerLink 2G04210GTM)

* **Port 1:** Fiber ONT Input (VLAN 99 Access)
* **Port 2:** Starlink Gen3 Input (VLAN 98 Access)
* **Port 3:** **MINISFORUM Port 1 (WAN Trunk)**

### B. Core Switch #1 (POE-2G08110GSM)

* **Port 1:** Input from MINISFORUM Port 2 (Main LAN Trunk)
* **Ports 2-5:** 4x Indoor APs (VLAN 1, 10, 15, 25, 45, 55, 75)
* **Port 6:** 1x Outdoor AP (VLAN 1, 10, 15, 25, 45, 55, 75)
* **Port 7:** PS5 (Access VLAN 45)
* **Port 8:** **TP-Link SFP Slot 1** (Trunk Uplink for 1, 5, 35, 45)
* **SFP+ Slot:** **Core #2 SFP+ Slot** (**Uses 10G Adapter**)

### C. Core Switch #2 (POE-2G08110GSM)

* **SFP+ Slot:** **Core #1 SFP+ Slot** (**Uses 10G Adapter**)
* **Ports 1-4:** 4x Indoor APs (VLAN 1, 10, 15, 25, 45, 55, 75)
* **Port 5:** 1x Outdoor AP (VLAN 1, 10, 15, 25, 45, 55, 75)
* **Ports 6-7:** Proxmox Servers (Access VLAN 5)
* **Port 8:** My Main Desktop (Access VLAN 10)

---

## 5. Logical Layer: Subnet, Gateway & WAN Master Table

| VLAN | Name | IP CIDR | Gateway | Primary WAN | Wireless SSID | Active Bands |
| :--- | :--- | :--- | :--- | :--- | :--- | :--- |
| **99** | WAN 1 | ISP DHCP | 192.168.100.1* | Fiber | N/A | N/A |
| **98** | WAN 2 | ISP DHCP | 192.168.1.1* | Starlink | N/A | N/A |
| **1** | Management | 192.168.0.0/24 | 192.168.0.1 | Fiber | N/A | Wired |
| **5** | DMZ/Servers | 192.168.5.0/24 | 192.168.5.1 | Fiber | N/A | Wired/HASS Tablet |
| **10** | My Kingdom | 192.168.10.0/24 | 192.168.10.1 | Fiber | **My-Kingdom** | 5GHz/6GHz |
| **15** | Wife | 192.168.15.0/24 | 192.168.15.1 | Fiber | **Wife-Net** | 5GHz/6GHz |
| **25** | Kids | 192.168.25.0/24 | 192.168.25.1 | **Starlink** | **The-Lords** | 5GHz/6GHz |
| **35** | CCTV | 192.168.35.0/24 | 192.168.35.1 | Starlink | N/A | Wired |
| **45** | Media/Gaming | 192.168.45.0/24 | 192.168.45.1 | Fiber | **Media-Gaming** | 5GHz/6GHz |
| **55** | Matter IoT | 192.168.55.0/24 | 192.168.55.1 | **Starlink** | **Matter-IoT** | 2.4G |
| **75** | Guests | 192.168.75.0/24 | 192.168.75.1 | Starlink | **Guest-WiFi** | 2.4G |

As I mentioned, devices and choice of software are very personal. For example, I chose OPNsense over pfSense for very personal reasons. Additionally, my infrastructure is so 'hardware-bloated' because the walls are all concrete, so I needed to make sure WiFi is covering as much as possible, which led to a shitload of APs. This caused me to spend quite some time tweaking the power and channels of each AP to make it easier for devices to move from one to the other without losing connectivity.
Lots of trial and error, but absolutely worth it once deployed.
The 2.5GbE and 10GbE ports were chosen just to future-proof the setup. My internet is not even 1Gb, but who knows where we'll be in 5 years, right?
All cabling is Cat 6A shielded, and everything with a LAN port is wired, with WiFi disabled. This helps keep the RF a bit cleaner while ensuring a much more reliable connection for those devices (TVs, PCs, consoles, cameras, etc.).
The choice of mini-PC for OPNsense is entirely based on the fact that I want to do IPS all the time, and an N95 CPU would choke with the ridiculous amount of devices and hosts in my network.
I would like to see what you guys have as well. This could be fun.
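One thing worth doing with a plan like the one in Sections 4 and 5 is to check it mechanically before touching the switches: subnets that do not overlap, gateways that sit inside their own subnet, trunk ports that carry only the VLANs the downstream device actually needs (the AP trunks should carry the SSID VLANs plus AP management and nothing else, so the wired-only CCTV and server VLANs never reach the radios), and a LAN subnet that does not collide with the upstream router's own network behind each WAN. The script below is an added example of mine, not part of the original post; the dictionaries are transcribed from the Section 4 and 5 tables, and the `/24` masks on the ONT and Starlink side (the post only gives the gateway addresses 192.168.100.1 and 192.168.1.1) are my assumption.

```python
"""Audit a VLAN/trunk plan of the kind laid out in Sections 4 and 5.

Added example; the data below is transcribed from the post's tables and
anything marked ASSUMPTION is mine, not the author's.
"""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# VLAN id -> (name, subnet, gateway, SSID or None when wired-only)   [Section 5]
VLANS: Dict[int, Tuple[str, str, str, Optional[str]]] = {
    1:  ("Management",   "192.168.0.0/24",  "192.168.0.1",  None),
    5:  ("DMZ/Servers",  "192.168.5.0/24",  "192.168.5.1",  None),
    10: ("My Kingdom",   "192.168.10.0/24", "192.168.10.1", "My-Kingdom"),
    15: ("Wife",         "192.168.15.0/24", "192.168.15.1", "Wife-Net"),
    25: ("Kids",         "192.168.25.0/24", "192.168.25.1", "The-Lords"),
    35: ("CCTV",         "192.168.35.0/24", "192.168.35.1", None),
    45: ("Media/Gaming", "192.168.45.0/24", "192.168.45.1", "Media-Gaming"),
    55: ("Matter IoT",   "192.168.55.0/24", "192.168.55.1", "Matter-IoT"),
    75: ("Guests",       "192.168.75.0/24", "192.168.75.1", "Guest-WiFi"),
}

# Trunk ports -> VLANs tagged on them   [Section 4]
TRUNKS: Dict[str, Set[int]] = {
    "core1 ports 2-6 (APs)":         {1, 10, 15, 25, 45, 55, 75},
    "core1 port 8 (TP-Link uplink)": {1, 5, 35, 45},
    "core2 ports 1-5 (APs)":         {1, 10, 15, 25, 45, 55, 75},
}
AP_TRUNKS: Set[str] = {"core1 ports 2-6 (APs)", "core2 ports 1-5 (APs)"}
AP_MGMT_VLAN = 1   # APs are managed from VLAN 1, so it belongs on AP trunks

# Access ports -> untagged VLAN   [Section 4]
ACCESS: Dict[str, int] = {
    "core1 port 7 (PS5)":        45,
    "core2 ports 6-7 (Proxmox)": 5,
    "core2 port 8 (Desktop)":    10,
}

# LAN-side network of the upstream device behind each WAN.  The post gives only
# the gateway addresses; the /24 mask is an ASSUMPTION for this example.
WAN_SIDE_NETS: Dict[str, str] = {"Fiber ONT": "192.168.100.0/24", "Starlink": "192.168.1.0/24"}

# Temporary LAN DHCP pool from Phase 1, step 3
DHCP_POOL: Tuple[str, str] = ("192.168.0.100", "192.168.0.200")


def audit_plan(vlans=VLANS, trunks=TRUNKS, ap_trunks=AP_TRUNKS, access=ACCESS,
               wan_side_nets=WAN_SIDE_NETS, dhcp_pool=DHCP_POOL,
               ap_mgmt_vlan=AP_MGMT_VLAN, lan_vlan=1) -> List[str]:
    """Return a list of findings; an empty list means the plan is consistent."""
    findings: List[str] = []
    nets: Dict[int, ipaddress.IPv4Network] = {}
    for vid, (name, subnet, gw, _ssid) in vlans.items():
        net = ipaddress.ip_network(subnet, strict=True)
        if ipaddress.ip_address(gw) not in net:
            findings.append(f"VLAN {vid} ({name}): gateway {gw} is outside {subnet}")
        nets[vid] = net

    # Overlapping subnets break routing and make firewall rules ambiguous.
    ids = sorted(nets)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"VLAN {a} and VLAN {b} overlap: {nets[a]} / {nets[b]}")

    # A LAN subnet that matches the upstream router's own network can blackhole
    # traffic to that router (and to anything that shares the prefix).
    for wan, wnet in wan_side_nets.items():
        wn = ipaddress.ip_network(wnet)
        for vid, net in nets.items():
            if net.overlaps(wn):
                findings.append(f"VLAN {vid} {net} overlaps the {wan} side network {wn}")

    # Every VLAN that appears on a switch port must exist in the L3 plan.
    for port, vset in trunks.items():
        for vid in sorted(vset - set(vlans)):
            findings.append(f"{port}: trunks VLAN {vid}, which has no subnet/gateway")
    for port, vid in access.items():
        if vid not in vlans:
            findings.append(f"{port}: access VLAN {vid} has no subnet/gateway")

    # Least privilege on the AP trunks: every SSID VLAN must be present, and
    # nothing else except AP management (wired-only VLANs stay off the radios).
    wireless = {vid for vid, (_n, _s, _g, ssid) in vlans.items() if ssid}
    for port in sorted(ap_trunks):
        carried = trunks[port]
        for vid in sorted(wireless - carried):
            findings.append(f"{port}: SSID VLAN {vid} is not trunked to the APs")
        for vid in sorted(carried - wireless - {ap_mgmt_vlan}):
            findings.append(f"{port}: wired-only VLAN {vid} is needlessly trunked to the APs")

    # The temporary DHCP pool must sit inside the LAN subnet and exclude the gateway.
    lan_net = nets[lan_vlan]
    lo, hi = (ipaddress.ip_address(x) for x in dhcp_pool)
    gw = ipaddress.ip_address(vlans[lan_vlan][2])
    if not (lo in lan_net and hi in lan_net and lo <= hi):
        findings.append(f"DHCP pool {lo}-{hi} is not inside LAN {lan_net}")
    elif lo <= gw <= hi:
        findings.append(f"DHCP pool {lo}-{hi} includes the gateway {gw}")
    return findings


if __name__ == "__main__":
    for line in audit_plan() or ["plan is consistent"]:
        print(line)
```

Running it against the tables as posted produces no findings. The useful part is running it again after an edit: tagging VLAN 35 onto the AP trunks, or changing the management subnet to 192.168.1.0/24 (the Starlink router's own network), is reported before it reaches a switch.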