
Background: Novice to Network Admin

From when I first started using computers as a kid I treated all things related to networking as a black box. I had a rudimentary understanding of IP addresses but had no real idea how data got from my computer to a server other than "my computer is sending data to that address". It is similar to how most of us don't really know how the US Post Office works. We have a vague notion that we drop a letter in a mailbox to be picked up and then "my letter gets delivered to the address on the envelope." In reality how mail gets picked up, sorted, tracked, bundled, routed, and delivered is much more involved than we ever think about. Up until about three years ago my knowledge hadn't progressed very much past knowing that network packets existed and that, for a computer to get on the Internet, it had to have an IP address, a subnet mask (not that I knew what that was other than that 255.255.255.0 would likely work), and a router address.

As primarily a macOS user I never delved into networking. I'd plug my router (always an Apple AirPort) into the modem and go with mostly the defaults. I used Linux for years but strictly as a server for web apps I programmed and never ventured very far off that path.

That all started to change in 2018 when I decided to build a server (really just a fast PC at the time) to play around with. It also coincided with me starting a new job that put me adjacent to some networking topics that started to pique my interest. Pretty soon I was self-hosting several applications accessible from the Internet and wanted to take the plunge into setting up a DMZ to try and keep my local network safe. Looking into how best to cordon off my applications I saw that putting public applications on a different subnet, and often a VLAN, is the best practice. But my AirPort didn't support that, so I went searching for a router/firewall that would work better. The general consensus at the time seemed to be to use a Unifi Security Gateway or run pfSense on an old PC. Not having a PC, I first tried virtualizing my router and running it as a virtual machine. For a newbie this was more complicated than necessary and, if not done correctly, risked exposing my internal network to the Internet. I liked pfSense but I quickly found out the downside of running your gateway to the Internet on your server: when your server has a problem you likely won't have the Internet to fix it.

So I bought a mini PC (Protectli Vault), started running pfSense on there, and was happy for a year. I continued to self-host more applications and eventually got to self-hosting DNS with Pi-hole. Pretty soon I ran into my old problem: when the server is down there is no DNS, and so the Internet pretty much stops working. I briefly considered buying a Raspberry Pi, which would have been a great solution, but I decided to treat the mini PC as my "network infrastructure server" and, instead of just running pfSense on there, I'd use Proxmox VE and virtualize both pfSense and Pi-hole the same way I had been virtualizing Pi-hole on my main server.

This worked great except I eventually noticed that my maximum download speed was lower than it had been when only pfSense was running on the mini PC. After a bunch of testing and attempted workarounds I realized I wanted a new plan. So once again I bought a mini PC that was pretty much just a more powerful version of the one I already had. I was disappointed to see that my upgrade helped but wasn't enough to overcome the overhead that came along with pfSense being virtualized. Plus I was starting to push into things that pfSense didn't support yet, like using Wireguard.

The next step was to investigate whether a Linux based firewall would perform better while virtualized. The answer turns out to be no, since both pfSense and Linux implement virtio network drivers and the real problem seems to just be the result of the additional layers a packet has to travel up through, from NIC to hypervisor to guest, and then back down those same layers to exit.

Then it dawned on me that I could get around those layers of virtualization by using the same containerization I had been using for my virtualized servers. I prefer to run my guest machines as LXC (Linux Container) guests instead of virtual machines. An LXC guest uses the same Linux kernel as the host operating system, so there are no additional layers of virtualization to deal with.

When I was looking at Linux based firewalls I came across VyOS which is based on Debian Linux and allowed me to peek behind the curtain of the types of tools you use for a Linux firewall. The seed of an idea had been planted that would use all the knowledge I gained over the last 3 years tinkering with my home network, Linux, Proxmox, Wireguard, and virtualization.

I could run an LXC guest with Debian that would have zero virtualization overhead and provide all the functionality I needed. Best of all, I'd be able to customize the firewall/router because it is just a Linux machine.

So I made a list of features I had been using on pfSense and VyOS to see what I'd have to implement.

  • Firewall protection of my local network from the Internet
  • VLAN separation for added isolation from outward facing services I am hosting
  • DHCP to provide each subnet with IPv4 address assignment and local DNS resolution
  • Recursive DNS for added security, privacy and removing reliance on external entities
  • IPv6 stack support (DHCPv6, Router Advertisements (NDP), Prefix Delegation)
  • Wireguard support