My Home Network

Cable Modem
I receive Internet service from a local ISP, with connectivity established via a coaxial cable. The cable modem is directly connected to an Untangle firewall. To ensure that the firewall manages all IP address assignments within my home network, rather than the cable modem, I have configured the modem in bridge mode. This setup allows the firewall to function as the primary DHCP server and handle all internal network traffic. The modem simply facilitates the Internet connection by passing traffic through to the firewall without performing NAT or routing.
Untangle Firewall
All network traffic in my home is routed through the Untangle Firewall, which serves as the primary security and traffic management solution. It provides an intuitive and feature-rich dashboard that allows for real-time monitoring, traffic analysis, and policy enforcement. Additionally, the firewall offers advanced security features such as intrusion prevention, web filtering, VPN support, and bandwidth management.

Why did I choose Untangle back in 2021?
- https://www.youtube.com/watch?app=desktop&v=G8Kw7E1tuc8&t
- https://www.youtube.com/watch?v=WYhOgQ8JyYI
Update: Arista Networks acquired Untangle in February 2022. Unfortunately, Arista decided to end the NG Firewall home subscription.
Internal Ethernet Network
The Untangle firewall is connected to a TP-Link 16-port Gigabit Ethernet switch via an Ethernet cable, forming the backbone of the wired network. This switch facilitates high-speed, reliable connectivity for multiple wired devices, including:
- HP LaserJet Printer (M479fdw)
- Synology NAS (4-bay DS918+)
- Personal Laptop
- Personal Desktop PC
- UM890 Pro mini-PC
By centralizing wired connections through the switch, the network ensures efficient data transfer, reduced latency, and improved network stability for all connected devices. All devices connected to the Ethernet switch obtain their IP addresses and network configurations from the DHCP server running on the Untangle Firewall.
All devices within the internal network are behind a NAT gateway and are assigned private IP addresses. These private IP addresses are not routable on the public internet and require NAT to communicate with external networks.
Internal Wireless Network
The Untangle Firewall is also connected to a wireless mesh network, ensuring seamless Wi-Fi coverage throughout the home. This setup provides consistent, high-speed connectivity for all wireless devices, including mobile phones, tablets, the living room TV, and the robot vacuum cleaner. Additionally, I have installed a Raspberry Pi in my older son’s room, configured as a mini-computer for activities such as watching YouTube videos and browsing the web.
HP Printer
All household members have access to the HP printer and can send documents for printing from any device within the home network. Additionally, the printer is configured for remote access, allowing family members to print documents even when they are outside the home. This remote accessibility is achieved through secure cloud printing services, ensuring secure and reliable document transmission.
The embedded web server (EWS) on the printer is up and running. By entering the IP address of the printer in a web browser, I can access its configuration interface, allowing me to:
- manage printer settings
- monitor cartridge levels
- view network status
- perform maintenance tasks
This web-based management interface provides a convenient way to configure and troubleshoot the printer remotely.

Synology NAS
I use a Synology NAS (DS918+) as my primary storage solution for files and documents. It features four drive bays with a total storage capacity of 16TB, configured in Synology Hybrid RAID (SHR) for improved redundancy and flexibility. To enhance performance, particularly for running virtual machines, I have upgraded the NAS's RAM to 16GB.
For data protection, I utilize Snapshot Replication, which captures a snapshot of all data every 30 minutes, ensuring rapid recovery in case of accidental deletion or corruption. Additionally, I have set up an automatic daily backup to an external USB drive at 4 AM, providing an extra layer of redundancy.
The NAS folders are mounted via SMB on Windows devices, allowing seamless access to stored files. While read/write speeds are not as fast as an SSD directly connected to a PC, having a robust, redundant, and backed-up storage solution is a priority for me. I have experienced data loss in the past, and I cannot afford to go through that again.
One of my favorite applications on the NAS is Plex Media Server, which centralizes all my purchased movies and TV shows in one location. This setup allows me to stream content within the home to our family TV, smartphones, tablets, projector, and other devices, ensuring convenient access to our media library.
I also enjoy using the "Universal Search" capability on my Synology NAS, as it allows me to quickly and efficiently search across all my files. This powerful tool can index and retrieve results almost instantly, even from within document contents, including PDFs, Word files, and other text-based formats. This feature significantly enhances productivity by enabling fast access to important files without the need to manually browse through folders.
Pi-Hole
I have installed Pi-hole on a Raspberry Pi 4 to serve as a network-wide ad blocker and tracker blocker. Pi-hole functions as a DNS sinkhole, intercepting and filtering unwanted ads and trackers for all devices on my private network.
To integrate Pi-hole into my network, I have configured the DHCP server on the Untangle Firewall to distribute the IP address of the Pi-hole as the primary DNS server. As a result, all DNS queries from connected devices pass through Pi-hole, where they are either resolved or blocked based on the defined filtering policies. With this setup, all network traffic originating from TVs, smartphones, laptops, desktops, and other connected devices benefits from an ad-free experience.
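The DHCP-assigned resolver is only a default, so a device with a hard-coded resolver never asks the Pi-hole. The following added example (not part of the original page) scans flow records for LAN clients that send DNS or DNS-over-TLS traffic anywhere other than the Pi-hole. The CSV flow format, the 192.168.1.0/24 subnet and the Pi-hole address 192.168.1.53 are assumptions made for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumptions (not from the original page): the addresses and the CSV flow
# format are constructed; adapt the parsing to your firewall's export.
PIHOLE = ipaddress.ip_address("192.168.1.53")
LAN = ipaddress.ip_network("192.168.1.0/24")
DNS_PORTS = {53: "DNS", 853: "DoT"}  # DoH on 443 cannot be spotted by port alone

# Constructed sample flow records.
SAMPLE_FLOWS = """\
time,src,dst,proto,dport
2025-01-05T10:00:01,192.168.1.20,192.168.1.53,udp,53
2025-01-05T10:00:02,192.168.1.53,9.9.9.9,udp,53
2025-01-05T10:00:03,192.168.1.31,8.8.8.8,udp,53
2025-01-05T10:00:04,192.168.1.31,8.8.8.8,udp,53
2025-01-05T10:00:05,192.168.1.44,1.1.1.1,tcp,853
2025-01-05T10:00:06,192.168.1.20,203.0.113.10,tcp,443
2025-01-05T10:00:07,192.168.1.44,192.168.1.53,udp,53
"""

def find_dns_bypass(flow_csv, pihole=PIHOLE, lan=LAN):
    """Return {client: {(resolver, kind): count}} for LAN clients that sent
    DNS or DoT traffic to any destination other than the Pi-hole."""
    bypass = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(flow_csv)):
        port = int(row["dport"])
        if port not in DNS_PORTS:
            continue
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        if src not in lan or src == pihole:
            continue  # the Pi-hole's own upstream lookups are expected
        if dst != pihole:
            bypass[str(src)][(str(dst), DNS_PORTS[port])] += 1
    return {client: dict(hits) for client, hits in bypass.items()}

if __name__ == "__main__":
    for client, hits in sorted(find_dns_bypass(SAMPLE_FLOWS).items()):
        for (resolver, kind), count in sorted(hits.items()):
            print(f"{client} -> {resolver} ({kind}) x{count}")
```

Clients that show up here can be handled with a firewall rule that only allows outbound port 53 and 853 from the Pi-hole itself.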
Personal Desktop PC
I have built my personal desktop PC specifically for CPU-intensive tasks, ensuring high performance and efficiency. It is powered by an Intel Core i9 processor with 18 cores and 36 threads, paired with 128GB of DDR4 RAM, providing good multitasking capabilities.
For GPU-intensive workloads, the system is equipped with an NVIDIA GeForce RTX 3080. This makes the PC ideal for high-performance gaming, cryptocurrency mining, ML/AI training, and running 7B-8B LLM models. The powerful GPU, combined with the robust CPU and memory configuration, ensures seamless performance across demanding applications.

I can play a variety of games directly on my desktop PC or stream them to the large OLED TV in the living room using "Steam Link" or "NVIDIA GeForce Experience" (GameStream). The high-speed, low-latency internal wireless network ensures smooth, lag-free gameplay and seamless video streaming, providing an immersive gaming experience across multiple devices.
VPN Client
Using a VPN service is an essential part of our network security and privacy strategy. All our mobile phones, tablets, laptops, and desktop PC are equipped with a VPN client to ensure secure, encrypted internet access. My preferred VPN client is ExpressVPN, known for its high-speed performance, strong encryption, and reliable global server network. Additionally, I have the flexibility to change the VPN server location, enabling access to region-specific services as needed.
For network-wide VPN coverage, I can configure the VPN connection directly on the Untangle Firewall. This setup allows internal network traffic to be tunneled through a VPN server. The Untangle Firewall supports the following VPN technologies:
VPN Type | Speed | Security | Ease of Setup | NAT-Friendly | Best For |
---|---|---|---|---|---|
WireGuard | Very fast | Strong (modern) | Easy | Excellent | Remote access, mobile, performance |
OpenVPN | Moderate | Strong (flexible) | Moderate | Excellent | Mixed-client environments |
IPsec | Moderate | Strong (complex) | Complex | Not great | Site-to-site, enterprise networks |
Tunnel VPN | Varies | Varies | Varies | Varies | Site-to-site (depends on protocol) |
Tunnel VPN in Untangle supports multiple third-party VPN service providers such as:
- ExpressVPN
- NordVPN
- PrivateInternetAccess
- NGFirewall
The Rules tab within Tunnel VPN is where I can define granular traffic policies. It allows me to selectively route traffic based on criteria like source/destination IPs, ports, interfaces, protocols, or tags. This enables precise control over which devices or services use the VPN tunnel, making it ideal for scenarios like policy-based routing, split tunneling, or multi-site connectivity.

UM890 Pro Mini-PC
One of the most capable nodes in my home network is the UM890 Pro, a high-performance mini PC that punches far above its size class. It is equipped with a 64 GB DDR5 RAM setup and a fast 1 TB PCIe 4.0 NVMe SSD, all powered by the AMD Ryzen 9 8945HS processor — an 8-core, 16-thread chip based on the Zen 4 architecture with integrated Radeon 780M graphics.

I've installed Proxmox VE (Virtual Environment) on this mini PC, transforming it into a powerful virtualization host for all my VM workloads. Whether it's Linux servers, Docker-based apps, or GNS3 labs, this mini PC handles everything with ease. The high memory capacity and PCIe Gen4 storage ensure fast VM provisioning and responsive I/O performance, even under load.
Proxmox VE is an open-source Type 1 hypervisor that combines KVM (Kernel-based Virtual Machine) for full virtualization and LXC (Linux Containers) for lightweight container workloads. As a bare-metal hypervisor, it installs directly on hardware without needing a host operating system, delivering near-native performance and low overhead.

Proxmox VE features an intuitive web-based UI, integrated backup/restore, software-defined networking, and native clustering support. Its seamless management of VMs, containers, storage, and networking makes it ideal for both home labs and enterprise deployments. With its flexibility, strong community support, and enterprise-grade features, Proxmox VE stands out as one of the best virtualization platforms available today.
Raspberry Pi Cluster
The Raspberry Pi cluster is the most interesting part of my home lab. It is a compact computing setup in which multiple Raspberry Pi boards work together as a single system, providing a low-cost, energy-efficient alternative to traditional servers. It is ideal for:
- running a personal website, blog, or web services such as REST APIs
- turning the cluster into a high-availability Network-Attached Storage (NAS) system
- gaining hands-on experience with distributed computing, automation, and system administration
- running parallel computing experiments with MPI (Message Passing Interface)
- running Kubernetes or Docker Swarm
- hosting self-contained cloud services
- managing IoT devices
- experimenting with AI (including very small LLMs)
- experimenting with blockchain technology
My cluster consists of five Raspberry Pi 5 nodes, each equipped with 16 GB of RAM and 512 GB of storage. A PoE+ switch is used to efficiently provide both power and network connectivity to all nodes via a single Ethernet cable per device. This eliminates the need for separate power adapters. Each node runs Ubuntu 24.04 LTS Server. One of the Raspberry Pi 5 nodes is responsible for cluster management.
Local Raspberry Pi Storage
The Raspberry Pi 5 offers several local storage options, each with distinct characteristics:
Storage Option | Interface | Max Speed (Theoretical) | Boot Support | Additional Hardware Required |
---|---|---|---|---|
MicroSD Card | SD Card Slot | Up to 104 MB/s | Yes | No |
USB SSD | USB 3.0 Port | Up to 625 MB/s | Yes | No |
NVMe SSD | PCIe 2.0 Interface | Up to 500 MB/s | Yes | Yes (M.2 HAT+ or adapter) |
MicroSD cards serve as the primary storage medium for Raspberry Pi devices, housing the operating system and user data. The theoretical speed of 104 MB/s refers to the maximum data transfer rate achievable under the SDR104 mode of the UHS-I (Ultra High Speed) standard for SD cards. The Raspberry Pi 5 supports the SDR104 mode. However, real-world data transfer speed is lower. For instance, I am using a "SanDisk Extreme PRO" MicroSD card.
Write speed is around 69 MB/s:
```
$ dd if=/dev/zero of=~/testfile bs=1M count=1024 conv=fdatasync
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB, 1.0 GiB) copied, 15.5667 s, 69.0 MB/s
```
Read speed is around 90 MB/s:
```
$ dd if=~/testfile of=/dev/null bs=1M count=1024 iflag=direct
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB, 1.0 GiB) copied, 12.0358 s, 89.2 MB/s
```
Note that the `iflag=direct` option enables direct I/O, so the data is read from the card rather than from the page cache.
While MicroSD cards are cost-effective and readily available, their longevity can be limited under intensive read/write operations. For projects involving substantial data logging or database management, alternative storage solutions like USB or NVMe SSDs may offer improved durability and performance.
USB SSDs provide a significant performance boost over MicroSD cards and are straightforward to implement via the USB 3.0 ports. However, they may not reach the full potential speed due to USB overhead.
NVMe SSDs offer the highest performance but require additional hardware, such as an "M.2 HAT+" or adapter, to connect to the Raspberry Pi 5's PCIe interface. This setup is ideal for applications demanding high-speed storage and reliability.
UPS
Many of the critical components of my home network are connected to an APC Network UPS (3000VA). This uninterruptible power supply (UPS) provides protection against power surges, voltage fluctuations, and outages, ensuring continued operation and preventing potential data loss or hardware damage.
With its high-capacity 3000VA rating, the UPS is capable of sustaining power for essential devices—including the Untangle Firewall, network switches, NAS, and other key infrastructure—for several hours during an outage. This setup ensures network stability and uptime, allowing for a controlled shutdown if necessary, rather than abrupt power loss.
I deployed the Network UPS Tools (NUT) server on one of my Raspberry Pi nodes to interface with the UPS and retrieve real-time status and monitoring data.
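An added example (not the author's code) of turning the status data that NUT's `upsc` client prints into a shutdown decision, including the case where no usable status is returned. The sample values and the thresholds of 30 % charge and 300 s of runtime are assumptions.

```python
# Constructed sample of `upsc` output; values are illustrative, not measured.
SAMPLE_UPSC = """\
battery.charge: 38
battery.runtime: 540
input.voltage: 0.0
ups.load: 21
ups.status: OB DISCHRG
"""

def parse_upsc(text):
    """Parse the 'name: value' lines printed by upsc into a dict."""
    data = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            data[name.strip()] = value.strip()
    return data

def _number(data, key):
    """Return a variable as float, or None if it is absent or not numeric."""
    try:
        return float(data[key])
    except (KeyError, ValueError):
        return None

def assess(data, min_charge=30.0, min_runtime_s=300.0):
    """Map UPS variables to 'online', 'on_battery', 'shutdown' or 'unknown'."""
    flags = set(data.get("ups.status", "").split())
    if "OB" not in flags:
        # A missing status (e.g. stale data) must not be read as healthy.
        return "online" if "OL" in flags else "unknown"
    charge = _number(data, "battery.charge")    # percent
    runtime = _number(data, "battery.runtime")  # seconds
    low = ("LB" in flags
           or (charge is not None and charge < min_charge)
           or (runtime is not None and runtime < min_runtime_s))
    return "shutdown" if low else "on_battery"

if __name__ == "__main__":
    print(assess(parse_upsc(SAMPLE_UPSC)))
```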
