It’s 2022-02-08T21:45:17+11:00 here. Already, approximately 10% of the year has rushed past. I’ve spent the last 6 weeks travelling overseas, keeping a close eye on my servers from over 10,000 km away.
What are my plans this year?
One thing for sure is that you’re never going to get it right, not even after multiple attempts. After operating this iteration of the network for about a year now, there are things I want to change. I’m quite happy with the organisation and security rules I have in place, but I think it’s the implementation that I want to fiddle with.
I want to make much stronger use of VLANs on my network, not just for testing and for properly isolating sandboxes. I want to strictly control what my traffic can actually reach. My current method is just not good enough and I think I can do better.
Link Aggregation Groups
Each server in the rack has roughly 4 gigabit Ethernet interfaces. Currently, each interface is configured independently of the others in Proxmox. I want to make use of IEEE 802.3ad (LACP) and combine these interfaces into one logical interface between the server and the top-of-rack switch.
By doing this, I can improve the link’s resilience to failure, as well as increase maximum traffic throughput.
I would also like to combine the LAGs with VLANs. I’ve got this funky idea (I’m sure it’s implemented elsewhere). One server has 4 physical interfaces; I’m going to tie them together into 1 logical interface and send that to a switch with 24 physical interfaces. Four physical switch interfaces are taken up by the link, so I’m left with 20 other physical switch interfaces. I have just turned a 4-port server into a 20-port server, with high availability and high throughput!
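As an added example (not from the original post), the shell function below emits the Proxmox VE /etc/network/interfaces stanzas that bond four NICs with IEEE 802.3ad and put a VLAN-aware bridge on top, with the host’s management address on a tagged VLAN rather than the trunk’s native VLAN. NIC names, VLAN ID, addresses and the gateway are constructed placeholders.

```shell
#!/bin/sh
# Generate ifupdown2 config for a Proxmox host: LACP bond + VLAN-aware bridge.
# Arguments: bond bridge mgmt_vlan address gateway member_nic...
# (all values in the usage line below are constructed examples)
gen_bond_config() {
  bond="$1"; bridge="$2"; mgmt_vlan="$3"; addr="$4"; gw="$5"; shift 5
  slaves="$*"
  # Member NICs carry no address of their own; the bond owns them.
  for s in $slaves; do
    printf 'iface %s inet manual\n\n' "$s"
  done
  printf 'auto %s\niface %s inet manual\n' "$bond" "$bond"
  printf '\tbond-slaves %s\n' "$slaves"
  printf '\tbond-miimon 100\n'
  # 802.3ad needs a matching LACP channel group on the switch ports;
  # layer3+4 hashing lets one VM's flows spread over several member links.
  printf '\tbond-mode 802.3ad\n'
  printf '\tbond-xmit-hash-policy layer3+4\n\n'
  # One trunked, VLAN-aware bridge: each VM NIC gets its tag in Proxmox,
  # so no bridge-per-VLAN is needed. The bridge itself has no address,
  # which keeps the host off the trunk's untagged (native) VLAN.
  printf 'auto %s\niface %s inet manual\n' "$bridge" "$bridge"
  printf '\tbridge-ports %s\n\tbridge-stp off\n\tbridge-fd 0\n' "$bond"
  printf '\tbridge-vlan-aware yes\n\tbridge-vids 2-4094\n\n'
  # Host management lives on its own tagged VLAN interface on the bridge.
  printf 'auto %s.%s\niface %s.%s inet static\n' "$bridge" "$mgmt_vlan" "$bridge" "$mgmt_vlan"
  printf '\taddress %s\n\tgateway %s\n' "$addr" "$gw"
}

# Example (constructed values): four onboard NICs, management on VLAN 10.
gen_bond_config bond0 vmbr0 10 10.0.10.2/24 10.0.10.1 eno1 eno2 eno3 eno4
```

Append the output to /etc/network/interfaces and apply it with `ifreload -a`; `cat /proc/net/bonding/bond0` then shows whether the switch has actually negotiated LACP with each member.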
VPN Tunnelled Networks
This has been on the books for quite some time. I haven’t gotten around to it but I think with the developments of using VLANs, this might just be super feasible.
At times, I want to get to U.S. Netflix, but I can’t do this on my Apple TV because there isn’t any great way of running a VPN client on it. So I had a thought: what if I create an additional WiFi network that sits on a different VLAN, where all traffic is tunnelled through a VPN service to the U.S.?
Why should I stop at the U.S.? Why not do the U.K. too?
Let’s say my WiFi SSID is “RNET”; I’ll create the additional networks “RNET – VPN-US” and “RNET – VPN-UK” too. When devices connect to one of these networks, no additional configuration is required: their internet traffic will be routed through the corresponding VPN tunnel.
I realise this entire project exists to satisfy just one requirement, watching U.S. Netflix, but I think the project itself makes it worth it.
Mail Server
Operating my own mail server, just for use within the network, is something I’ve been interested in looking into. One of the applications I’ve been interested in using is iRedMail, a handy-dandy open source mail server. It uses RoundCube as a web-mail client to present your emails, and it looks modern and tidy. Both receive frequent updates and quite a bit of community attention.
I’m not exactly sure of the specifics of how it’s going to be set up quite yet.
One of the biggest motives for setting this up for myself is better personal privacy online. Services that sell your data tend to include your email address to uniquely identify you. If enough data is collected, a service can link two different data stores and associate the data with you by inference. To counter this I could create a separate email address for each service I subscribe to. Doing this would also help identify which email addresses have been leaked to spammers.
Internet Facing Name Server
Not that I really need it, other than it being pretty cool, but I would like to drop my reliance on GoDaddy’s domaincontrol.com name servers, point the domains’ NS records to my own servers instead, and manage my records more locally.
I think the only issue I could run into is Dynamic DNS support: I’m not sure if pfSense’s DynDNS package can manage updating the IP address of the NS records. Perhaps the whole thing is a bad idea, but I think it’s worthy of an investigation.
Site-to-Site VPN – RNET Expansion
One project that I am particularly excited about is expanding RNET across two sites. I’m looking at using OpenVPN tunnels to achieve this, as they are well supported in pfSense.
I’ve already got the networks and domains organised; I just need to install the hardware. Keen to get it done and write it up.
Each site will have its own local DNS, DHCP and other high-speed services, but other applications can be shared across locations. Off-site backups are also a big bonus!
Server Startup and Shutdown Procedures
Too many times have I suffered a tripped circuit breaker. I don’t yet have a UPS (these things, they cost money). I’ve found that trying to restart everything in the right order is a bit tedious, and if some VM starts too early it freaks out because some other server it depends on isn’t responding yet.
I plan on putting together detailed documentation on how to shut down/restart, and how to start the servers back up without wasting too much time.
I think I might print this one off and leave it in the rack for future me…