Tag Archives: Network

Wireguard VPN


Our Unifi system can support several different VPN configurations. We used the VPN server built into our Unifi Dream Machine SE and configured it to use Wireguard clients on our iPhones, iPads, macOS laptops, and Windows laptops.

The following video explains the various VPN options and how to configure them.


5 Types of VPNs on Unifi and How To Configure Them

We use DDNS to ensure that our domains point to our router when our ISPs change our IP address. After the clients are installed, they are updated to point at our network’s current IP.

Iperf3

Iperf3 is a common tool for network performance testing. We run an Iperf3 server in a Docker container. You can find information on how to set up and use Iperf3 here.

Pihole with a Cloudflare Tunnel

PiHole in Docker

We are running three PiHole installations, which enable load balancing and high availability for our DNS services. We also use a Cloudflare encrypted tunnel to protect information in external DNS queries via the Internet.

Our PiHole instances are deployed on a combination of Docker host VMs in our Proxmox Cluster and a stand-alone Raspberry Pi Docker host.

Deploy PiHole with a Cloudflare Tunnel

Our software service stack for our dockerPiHole installs Pi includes the following applications:

Our combined stack was created using  information in the following video:


Deploy PiHole with Cloudflare Tunnel in Docker

Ubuntu Port 53 Fix

Unubtu VMs include a DNS caching server on port 53, which prevents Pihole from being deployed. To fix this, run the commands at this link on the host Ubuntu VM before installing the Pihole and Cloudflare Tunnel containers.

Scheduled Block List Updates

We must update our piHole block list by doing a Gravity pull. We do this daily via a cron job. This can be configured on the RPi host using the following commands –

# Edit the user crontab
sudo crontab -u <user-id> -e

# The following to the user crontab
min hr * * * su ubuntu -c /usr/bin/docker exec pihole pihole -g | /usr/bin/mailx -s"RPi Docker - Gravity Pull" [email protected]

Cloudflare DDNS

We use Cloudflare to host our domains and the associated external DNS records. Cloudflare provides excellent security and scaling features and is free for our use cases.

We do not have a static IP address from either of our ISPs. This, coupled with the potential of a failover from our primary to our secondary ISP, requires us to use DDNS to keep the IPs for our domains up to date in Cloudflare’s DNS.

We run a docker container for each domain that periodically checks to see if our external IP address has changed and updates our DNS records in Cloudflare.  The repository for this container can be found here.

Deploying the DDNS update container is done via a simple docker compose yml –

version: '2'
services:
  cloudflare-ddns:
    image: oznu/cloudflare-ddns:latest
    restart: unless-stopped
    container_name: your-container-name
    environment:
        - API_KEY=YOUR-CF-API-KEY
        - ZONE=yourdomain.com
        - PROXIED=true
        # Runs every 5 minutes
        - CRON=*/5 * * * *

You’ll need a separate container for each DNS Zone you host on Cloudflare.

Docker Networking

Docker can create its own internal networks. There are multiple options here, so this aspect of Docker can be confusing.

Docker Networking Types

The following video explains the Docker networking options and provides their creation and use examples.


Docker Networking Explained

Raspberry Pi – Docker and PiHole

PiHole in Docker

We have set up a Raspberry Pi 5 system to run a third PiHole DNS server in our network. This ensures that DNS services are available even if our other servers are down.

To make this PiHole easy to manage, we configured our Raspberry Pi to run Docker. This enables us to manage the PiHole installation on the Pi from the Portainer instance that is used to manage our Docker Swarm Cluster.

We are also running the Traefik reverse proxy. Traefik is used to provide an SSL certificate for our PiHole.

Raspberry Pi Hardware

Raspberry Pi Docker Host
Raspberry Pi Docker Host

Our docker host consists of a PoE-powered Raspberry Pi 5 system. The hardware components used include:

OS Installation

We are running the 64-bit Lite version (no GUI desktop) of Raspberry Pi OS. The configuration steps on the initial boot include:

  • Setting the keyboard layout to English (US)
  • Setting a unique user name
  • Setting a strong password

After the system is booted, we used sudo raspi-config to set the following additional options:

  • Updated raspi-config to the latest version
  • Set the system’s hostname
  • Enable ssh
  • Set the Timezone
  • Configure predictable network names
  • Expand the filesystem to use all of the space on our flash card

Next, we did a sudo apt update && sudo apt dist-upgrade to update our system and rebooted.

Finally, we created and ran a script to install our SSH keys on the system, and we verified that SSH access was working. With this done, we ran our ansible configuration script to install the standard set of tools and utilities that we use on our Linux systems.

Mail Forwarding

We will need to forward emails from containers and scripts on the system. To do this, we set up email forwarding using the procedure here.

Docker/Docker Compose Installation

Installing Docker and the Docker Compose plugin involves a series of command line steps on the RPi. To automate this process, we created a script that runs on our Ubunutu Admin server. The steps required for these installations are covered in the following video:


Steps to install Docker and Docker Compose on a Raspberry Pi

Some important adjustments to the steps in the video included:

The installation can be verified at the end with the following commands:

# docker --version
# docker compose version
# docker run hello-world

Portainer Agent

We installed the Portainer Edge agent using the following command, which is run on the RPi:

# docker run -d \
  -p 9001:9001 \
  --name portainer_agent \
  --restart=always \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /var/lib/docker/volumes:/var/lib/docker/volumes \
  portainer/agent:2.19.5

The final step is to connect the Edge Agent to our Portainer.

Traefik Reverse Proxy and PiHole with Cloudflare Tunnel

Our software service stack for our Raspberry Pi includes the following applications:

These applications are installed via custom scripts, and Docker Compose using a single stack. Our combined stack was created using a combination of the information in the following videos:


Deploy PiHole with Cloudflare Tunnel in Docker


Deploying Traefik in Docker

Scheduled Block List Updates

We must update our piHole block list by doing a Gravity pull. We do this daily via a cron job. This can be configured on the RPi host using the following commands –

# Edit the user crontab
sudo crontab -u <user-id> -e

# The following to the user crontab
min hr * * * su ubuntu -c /usr/bin/docker exec pihole pihole -g | /usr/bin/mailx -s"RPi Docker - Gravity Pull" [email protected]

Cloudflare DDNS

We host our domains externally on Cloudflare. We use Docker containers to keep our external IP address up to date in Cloudflare’s DNS system. You can learn about how to set this up here.

Watchtower

We are running the Watchtower container to keep our containers on our RPi Docker host up to date. You can learn more about Watchtower and how to install it here.

Backups

We back up our Raspberry Pi Docker host using Synology ActiveBackup for business running on one of our Synology NAS drives.

Home Network

Gen 2 Home Network Rack
Gen 2 Home Network Rack – Switches

We use UniFi equipment throughout. We chose the UniFi platform for our second-generation home network primarily for its single-plane glass management and configuration capabilities.

Network Structure

Network Architectur
Network Structure

The image above shows our network’s structure. Our Network is a two-tiered structure with a core based upon high-speed 25 GbE capable aggregation switches and optically connected edge switches. We have installed multiple OM4 fiber multi-mode fiber links from the core to each room in our house. The speed of these links ranges from 1 Gbps to 25 Gbps, with most connections running as dual-fiber LACP LAG links.

Access Layer

At the top layer, redundant Internet connections provide Internet Access and ensure that we remain connected to the outside world.

Firewall, Routing, and Management Layer

Unifi Dream Machine Pro SE
UniFi Dream Machine Pro SE

Our network’s firewall and routing layer implement security and routing functions using a UniFi UDM Pro router and firewall.

Home Network Dashboard
Home Network Dashboard

The UDM also provides a single-pane-of-glass management interface. All configuration functions are performed via the GUI provided by the UDM.

Core Aggregation Layer

UniFi High-Capacity Aggregation Switch

The core layer uses a pair of high-capacity Aggregation Switches to provide optical access links to all of the switches in our network’s edge layer. We also include a high-speed 10 GbE wired ethernet switch at this layer. All of our storage devices and servers are connected directly to the core layer of our network to maximize performance and minimize latency.

Edge Connectivity Layer

Example UniFi High-Speed Edge Switch

The edge layer uses various switches connected to the core layer, combining 25 GbE, 10 GbE, and 1 GbE optical links. Many of these links are built using pairs of optical links in an LACP/LAG configuration.

Unifi Firewall:Router, Core, and Edge Switch In Our Network
UniFi Firewall/Router, Core, and Edge Switches In Our Network

Our edge switches are deployed throughout our home. We use a variety of edge switches in our network, depending on each room’s connectivity needs.

Wi-Fi Access and Telephony

Unifi WiFi APs and Telephones
UniFi WiFi APs and Telephones

This layer connects all our devices, including WiFi Access Points and our Telephones.

Synology NAS

We cover some details of configuring our Synology NAS devices running DSM7.2 here.

Multiple VLANs and Bonds

All of our Synology NAS devices use pairs of ethernet connections configured as 802.3ad LACP bonded interfaces. This approach improves reliability and enhances interface capacity when multiple sessions are active on the same device. DSM supports LACP-bonded interfaces on a single VLAN. This can be easily configured with the DSM GUI.

A Few of our NAS dives benefit from multiple interfaces on separate VLANs. This avoids situations where high-volume IP traffic needs to be routed between VLANs for applications such as playing media and surveillance camera recording. Setting this up requires one to access and configure DSM’s underpinning Linux environment via SSH. The procedure for setting this up is explained here and here.

Welcome To Our Home Lab

Home Network Dashboard
Home Network Dashboard

This site is dedicated to documenting the setup, features, and operation of our Home Lab. Our Home Lab consists of several different components and systems, including:

  • A high-performance home network
  • A storage system that utilizes multiple NAS devices
  • An enterprise-grade server
  • Applications, services, and websites

Home Network

Gen 2 Home Network Rack
Gen 2 Home Network Core Rack

Our Home Network is a two-tiered structure with a core based upon high-speed 25 GbE capable aggregation switches and optically connected edge switches. We use UniFi equipment throughout. We have installed multiple OM4 fiber multi-mode fiber links from the core to each room in our house. The speed of these links ranges from 1 Gbps to 25 Gbps, with most connections running as dual-fiber LACP LAG links.

Telephone System

To be added

Surveillance System

To be added

Storage System

To be added

Enterprise Server

To be added

Backups

Daily backups for all VMs and LXC containers are configured as follows.

Applications, Services, and Websites

We are hosting several websites, including:

Set-up information for our self-hosted sites may be found here.