Upgrading Home Network to a Small Business Level

A few months ago I decided to upgrade my home network from an average-consumer setup to a Soho business level. I had been using an ASUS RT-AC68U as my router/switch/wireless-AP for a long time. Although the setup is simple, reliable, and the fact that ASUS-Merlin firmware is more powerful than most of factory default WRT systems, I feel the itch to tinker with prosumer or even business grade network gears. This is for me to learn network knowledge and also to provide a solid network setup for feature homelab projects.

In short, I would like my new setup to have the following capabilities:

  • VLANs: segregating the core network from work computer and IoT devices
  • Ability to assign VLANs to wireless SSIDs
  • PoE: running Wireless AP and IP cameras with a single Ethernet cable
  • (optionally) L3 switching (inter-vlan routing), reducing the traffic for the router
  • Wireguard VPN server (on router or LAN host)

After spending hours and hours on the web (SNBforums and /r/homelab) and listening to podcasts, I finally pulled the trigger on the following gears:

  • (used) Cisco SG300-10MPP: a 10-port Layer 3 gigabit switch with PoE+
  • (used) Cisco WAP371: wireless AP with integrated controller
  • Celeron J4105 processor mini PC with dual gigabit NICs: x86 router build

Networking gears
(New network gears, lots of cables and two Reolink security cameras!)

I was also seriously considering Cisco Catalyst line of switches, which run proper IOS. However, the PoE version all have noisy fans which prevents them from going into my apartment. Used Cisco gears on eBay are mostly cheap, especially those that are going out of support. I managed to spend around $200 USD on the switch and just $60 CAD on the WAP (locally from Kijiji). The x86 mini PC (barebone version without RAM/SSD) from AliExpress only costs $150 USD. I put some spare parts in and it's ready to roll.

Cisco SG300-10MPP switch

It's an awesome little switch for its size and quietness (fanless). It performs as expected, as long as settings are correct. I primarily followed this post How to setup a Guest network on an Cisco SG300-28 layer 3 switch to set up:

  • Layer 3 mode (requires factory reset)
  • VLANs and port membership
  • IPv4 static routes
  • DHCP server
  • Access control list (ACL)

After about 2 months of use, here are some complaints I have about the SG300 switch:

  • The web GUI is slow and confusing at times
  • CLI is slightly different than proper IOS (based on what I heard; I didn't use)
  • The ACL is cumbersome to use: the ACEs (Access Control Entries) of an ACL can only be edited when the ACL is not attached to any VLAN. This is extremely inconvenient as if I want to keep IoT VLAN from accessing other VLANs at all times, I have to shutdown or disconnect all IoT devices within the VLAN before I can safely edit its ACL
  • Updated ACL won't take effect unless I reboot the switch. Auh!

The biggest caveat, however, is the lack of ports. I almost immediately regretted that I purchased the 10-port version after I received it. Maybe in the future, as my homelab grows, I can use it as a dedicated PoE switch and uplink it to a 48-port main switch. Hmm, one always has to plan for expansion.

WAP371

This wireless access point is actually very awesome. It's only 802.11ac, but it has a built-in controller for features like seamless roaming (with 2 or more APs) and Captive Portal (guest login page), among other things. When used solo, as in my case, I don't necessarily benefit from the controller, but it enables feature expansion possibilities. I will have to buy the same exact AP for the mesh to work, but they are getting cheaper and abundant as support ends in a year.

Setting up Cisco WAP371 access point is relatively easy. A few things to watch out for:

  • The SSID name only supports dot "." and any other characters are not supported. I tried to save the name with dath "-" and it failed silently, which is confusing for a newbie like me.
  • By default, at least one 5Ghz and one 2.4Ghz SSID have to stay up. If I want to disable the last 2.4G SSID, I will have to turn off the 2.4G radio completely
  • A bit of rant: when I try to save a mis-configured configuration, it won't save but it also won't give me any error message. I have to RTFM to figure out why. Ouch.

ACL

Writing ACL is something new for me. This is the key of VLAN segregation, by default there is no ACL (no segregation at all). I watched CCNA courses and read a lot from Cisco forum to come up with my own ACLs. This post describes a great way to write ACLs:

  • Permit (allow) whatever you need to other internal subnets
  • Deny everything else to other internal subnets
  • Permit everything else (i.e., Internet)

For my Guest VLAN (most locked-down VLAN, strictly Internet access only), here is the ACE:

permit udp 10.1.9.0 0.0.0.255 host 10.1.9.254 range 67 68 # DHCP service
permit tcp 10.1.9.0 0.0.0.255 host 10.1.1.1 eq 53 # DNS service
permit udp 10.1.9.0 0.0.0.255 host 10.1.1.1 eq 53 # DNS service

deny   ip  10.1.9.0 0.0.0.255 10.1.0.0 0.0.255.255 # summarizing subnets

permit ip  any any

If I wanted to permit Guest devices to access a service on the LAN, I would add an Permit entry to specify target IP(s) and port(s). However, modifying ACL on Cisco SG300 is not without caveats, as described previously.

Things in the feature

The next step for me to explore pfSense or OPNsense to harness the power of x86 hardware as the firewall. I will have to decide where I want to manage the ACLs (either on the switch or centralized on the firewall, albeit losing inter-VLAN routing). Big rabbit holes lying ahead, feeling excited!