Got a growing Home Lab and haven't isolated it from your Home Network? Sounds like you could benefit from segmenting it onto its own stub network. A stub network is a network with only one path out, whose gateway uses a default route to send traffic to the outside network.
Figure: Run-of-the-mill example of a stub network.
Figure: Unsegmented Home Network.
Option one: install a second router daisy chained to the ISP's provided router and place the second router in the DMZ. But who really wants to run a second router for their home network?
Option two: place your second network segment behind a NAT (Network Address Translation) gateway, which results in NAT behind NAT, or double NAT. This presents a greater problem.
The Problem with NAT
NAT as most people know it today takes a packet from a private IP address, and the gateway strips the source IP and port number and replaces them with a shared public source address and a random, unique TCP or UDP port number. The gateway keeps track of these and reverses the process when traffic returns, using the port number to match it back up with the original IP and original port number. This implementation is what saved IPv4 at the dawn of the public Internet when host counts were exploding. It allows one (public address) to many (private addresses). It even adds a security side effect: it makes it all but impossible to initiate a traffic flow to a host inside the NAT gateway without assistance.
This will affect a home lab placed behind such a NAT gateway. Hosts on the home network will not be able to initiate communications with hosts in the lab network. Want to RDP or VNC into a server from your laptop while you sit in a recliner or on the patio? Have a Kodi box access a file? SSH into a terminal/console server? It's not going to happen while you are connected to the home gateway's WiFi with this type of NAT.
History to the rescue.
NAT's original purpose was to allow hosts on dissimilar networks to communicate. Private IPv4 addresses can't communicate across the public network by design. So NAT was first developed to only strip off the source (private) IP address and replace it with another (public) IP address. This is called "1 to 1", reservation, or static NAT. Today this is mostly used for public-facing servers. If you exchange "private" with "home lab" and "public" with "home network", the protocol will still work AND still prevent the dreaded broadcast traffic from using up valuable network bandwidth and time.
Who really wants a third router? Or even a second router on their network, using electricity and taking up space? Routers are just purpose-built computers. I'm not passing massive amounts of traffic between the networks; most of the lab stays turned off when not in use. The only system that runs 24/7 in my lab is a low-power Windows Server system. Windows Server (unlike Windows Desktop) is jam packed with features and abilities.
Network people would say "ew" at the very thought of using a Windows box as a router, but I like a good challenge and the idea of not paying to power one or two extra routers.
Figure: One becomes Two.
Here is how I did it:
Step 1 - Get everything other than the server ready.
Build the networks physically. Each person's home and lab networks will be unique when it comes to topology and type of connection media; just make sure your two segments aren't directly connected and both have Layer 2 connections to the server.
During this step you should start some documentation: write down a list of Lab Network hosts, and pair each one with an IP from the block of addresses excluded from the Home Network (these pairs become the NAT reservations later).
The picture above is the logical topology to be built. It needs two complete IPv4 networks, each with its own gateway address. Here is an example of the network addressing:
"Home Network" - 192.168.1.0 255.255.255.0 (/24) gateway 192.168.1.1
"Lab Network" - 172.16.0.0 255.255.255.0 (/24) gateway 172.16.0.1
Your home network is probably already in working order, and "if it ain't broke, don't fix it". All you need to do is exclude a block of addresses from your Home Network's DHCP server pool, to be used for translation. For example, on a /24 network cut the Home Network router's DHCP pool down to .2 through .191 so that .192 through .254 will not be assigned to hosts. This will likely provide more than enough host addresses for your home and lab.
Next, address your Lab Network's hosts.
Give the interface on your server/gateway connected to the Lab Network the first usable address; it will be the "Default Gateway" of all the hosts. Again, not all hosts are the same.
Configure addresses for the rest of the hosts, with either:
1) Manually configured static IP addresses. This can be long and tedious if you have many hosts or change them often.
2) A DHCP server. Windows Server has a DHCP service that can be installed, although that is beyond the scope of this guide. A little extra work to set up, but it can make life easier to manage your network's addresses centrally.
Document which hosts have been assigned which address; you will need this when creating the NAT reservations later.
Step 2 - Configure the Server's Interfaces.
Addressing the server's interface connected to the Home Network is the more complicated part: you will need to assign multiple Home Network addresses to that interface, because the gateway needs to hold every IP address that will be translated.
1) Assign an IP address to the interface manually, and give it a gateway and DNS server.
2) Click the Advanced button.
3) Click the Add button and add each of the IP addresses you determined you needed.
4) Enter the IP address and subnet mask one at a time.
Step 3 - Routing and Remote Access Server
Install the Remote Access (routing) Role on your Windows Server with Server Manager. There are plenty of good guides and videos on how to install features if you are unfamiliar with this process. Make sure that Routing and NAT are installed.
Once installed open the "Routing and Remote Access" Console (found in the start menu), right click on your local server and click "Configure and Enable Routing and Remote Access".
Select "Custom Configuration" and click next.
Select NAT and LAN Routing. click next and finish the wizard.
Step 4 - Configuring NAT
First, add the "Private Interface".
In the Routing and Remote Access Server (RRAS) management console expand your server > IPv4 > NAT. Right click NAT and select New Interface.
Choose the Network Interface connected to the Lab Network.
Leave it as "Private" and click ok.
Add another New Interface for the interface connected to your Home Network and set it to "Public" and check the box to enable NAT.
Click on the "Address Pool" tab and then the "Add" button. A window will pop up where you provide the Start Address, Mask, and End Address. Note that you can add all you want here, but unless the interface actually has an IP address configured, traffic will not be routed to it.
With the menu still open, click on "Reservations" and in the new window click "Add".
Another window will pop up to manually enter the Public and Private addresses for one reservation. Make sure the "Allow incoming sessions" option is checked. Repeat for all hosts on the Lab Network; the documentation suggested earlier will be real handy for this.
After everything is added, click OK to close the menus. NAT should be set up.
Step 5 - Static Routing
The gateway is now effectively a router, but it still needs a route. A static "default" route is needed for the Lab Network gateway to know the way out.
In the RRAS management console click on your server name, IPv4, and Static Routes. Right click and select "New Static Route".
A new window will open. Select the interface on your Home Network, and enter a Destination of 0.0.0.0, a Network Mask of 0.0.0.0, and for the Gateway the address of your Home Network's router. Leave the Metric at its default value. Click OK to add the route.
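Steps 2 through 5 above as one unattended script, added here as an example and not part of the original post. It assumes the two NICs have been renamed "Home" and "Lab" (with Rename-NetAdapter), the example addressing from Step 1, and a constructed two-host reservation table; the netsh routing commands are the command-line form of the RRAS console settings and must run in an elevated PowerShell on the server.

```powershell
# Added example (not the post's own code). Elevated PowerShell on the Windows Server.
# Assumed NIC names and addressing; edit $Map to match your Step 1 documentation.
$HomeIf = 'Home'
$LabIf  = 'Lab'
$HomeGw = '192.168.1.1'        # Home Network router (next hop for the default route)
# Constructed reservation table: Lab host -> excluded Home Network address ("1 to 1").
$Map = @{ '172.16.0.10' = '192.168.1.193'; '172.16.0.11' = '192.168.1.194' }

# Step 2: interfaces. Lab side = first usable address, no gateway (it IS the gateway).
Set-NetIPInterface -InterfaceAlias $LabIf -AddressFamily IPv4 -Dhcp Disabled
New-NetIPAddress  -InterfaceAlias $LabIf -IPAddress '172.16.0.1' -PrefixLength 24
# Home side = primary address with gateway/DNS, plus every address to be translated.
Set-NetIPInterface -InterfaceAlias $HomeIf -AddressFamily IPv4 -Dhcp Disabled
New-NetIPAddress  -InterfaceAlias $HomeIf -IPAddress '192.168.1.192' -PrefixLength 24 -DefaultGateway $HomeGw
Set-DnsClientServerAddress -InterfaceAlias $HomeIf -ServerAddresses $HomeGw
foreach ($pub in $Map.Values) {
    New-NetIPAddress -InterfaceAlias $HomeIf -IPAddress $pub -PrefixLength 24
}

# Step 3: Remote Access role, LAN routing only (no VPN).
Install-WindowsFeature RemoteAccess, Routing -IncludeManagementTools
Install-RemoteAccess -VpnType RoutingOnly

# Step 4: NAT. Lab = private, Home = public with NAT, then the address pool
# (the block excluded from the home DHCP scope) and one reservation per lab host.
netsh routing ip nat install
netsh routing ip nat add interface "name=$LabIf"  mode=private
netsh routing ip nat add interface "name=$HomeIf" mode=full
netsh routing ip nat add addressrange "name=$HomeIf" start=192.168.1.192 end=192.168.1.254 mask=255.255.255.0
foreach ($priv in $Map.Keys) {
    # inboundsessions=enable is the console's "Allow incoming sessions" checkbox.
    netsh routing ip nat add addressmapping "name=$HomeIf" "public=$($Map[$priv])" "private=$priv" inboundsessions=enable
}

# Step 5: default route out via the Home Network router, persisted in RRAS.
netsh routing ip add persistentroute dest=0.0.0.0 mask=0.0.0.0 "name=$HomeIf" "nhop=$HomeGw"

# Quick check: reservations listed, forwarding enabled on both NICs.
netsh routing ip nat show interface "$HomeIf"
Get-NetIPInterface -InterfaceAlias $LabIf, $HomeIf -AddressFamily IPv4 | Select-Object InterfaceAlias, Forwarding
```

From a Home Network machine, reach a lab host only by its mapped address (e.g. 192.168.1.193), never by 172.16.0.10, which matches the final note below.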
Step 6 - Test your new gateway.
Ping from a "Lab Network" host to IPs on your "Home Network", and remote into one of your Lab Network's hosts from the Home Network. If something doesn't work, double check your addressing and NAT reservations in case there was an error.
Final note
Hosts on the Home Network will not be able to connect to the IP addresses held by hosts on the Lab Network directly; instead use the corresponding NAT reservation's "public" address.
Have fun - Steadman