Home network

My home network hardware could hardly be more trivial: just a single TRENDnet 1Gbps 5-port dumb (unmanaged) switch. I have so few devices that it still has spare ports.

Once or twice per year I turn on a WiFi (802.11g) bridge for friends and their mobile devices, filled up with proprietary, insecure, backdoored software. That bridge is connected directly to the 1Gbps switch.

Additionally, I sometimes turn on and connect a Powerline adapter, which gives 60Mbps of throughput over the electrical wiring to another room, where I can work from one of the laptops.

Because the switch's whole broadcast domain can contain potentially malicious connected devices, I want to separate them from the traffic passing between my servers and my working computer. That is why I create IP-in-IP tunnels between my secured systems. Unfortunately, many resources on the Internet are still available only over the legacy IP protocol, so it is carried inside those tunnels as well, but solely to reach those legacy resources.

Each IP-in-IP tunnel carries both IPv6 and IPv4 traffic. I would like to run those tunnels over link-local addresses, but strongSwan does not allow me to do that. That is why each tunnel uses addresses from the fc00::/7 unique local range.

Each tunnel is secured with ESP (IPsec) in transport mode. strongSwan handles IKEv2, using Curve25519 and AES-GCM, and the kernel's native ESP implementation (AES-GCM) processes the packets. Why AES-GCM? Because my current FreeBSD kernel does not support ChaCha20-Poly1305.

Sometimes I want to connect to my home network from somewhere outside it. IPsec hardly works behind NAT, which is inevitable on legacy IP networks. That is why I use WireGuard for remote access. When I access my internal home network, I am interested only in IPv6 access.

All secured tunnels are in a dedicated subnet. My desktop and servers actively use native NFSv4.1, which is accessible only from that subnet; the firewall prohibits any other kind of access to them. So anyone holding an IP address from the secured subnet is automatically trusted, without any additional authorization layer, because the only way onto the secured subnet is by passing IPsec or WireGuard authentication.

As my portable desktop can be connected to the home network either through the IPsec or through the WireGuard tunnel, I want it to be reachable at the same IP address regardless of the connection in use. That is why I use dynamic routing. OSPF cannot be used over the WireGuard link, because WireGuard does not pass multicast traffic. BIRD and BGP are used instead to propagate the route over those links using link-local addresses.
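As an added example of the arrangement described above (not the author's own configuration), here is a BIRD 2 configuration for the home router side that learns the desktop's host route over whichever tunnel is currently up, and hands the desktop only the secured subnet in return. All values are assumptions: AS 65000 for the router, AS 65001 for the desktop, tunnel interfaces gif0 (the IPsec-protected IP-in-IP link) and wg0 (WireGuard), link-local address fe80::2 assigned to the desktop on both, and fd00:0:0:10::/64 as the secured subnet on the router's em0; the desktop would run a mirror-image configuration announcing its own /128.

```bird
# Added example, not the author's configuration. BIRD 2 on the home router.
# Assumed values: router AS 65000, desktop AS 65001, tunnel interfaces
# gif0 (IPsec-protected IP-in-IP) and wg0 (WireGuard), desktop link-local
# address fe80::2 on both, secured subnet fd00:0:0:10::/64 on em0.
router id 10.255.0.1;   # assumed; any unique 32-bit identifier works

protocol device { }

# The secured subnet is directly connected on em0; its route is the only
# thing the desktop needs to learn from the router.
protocol direct {
  ipv6;
  interface "em0";
}

# Install the desktop's /128, learned over whichever tunnel is up, into
# the kernel routing table. Nothing else from BIRD touches the kernel.
protocol kernel {
  ipv6 { export where source = RTS_BGP; };
}

# Shared session settings. BGP is plain unicast TCP between link-local
# addresses, so unlike OSPF it needs no multicast and runs over WireGuard.
template bgp tunnel_peer {
  local as 65000;
  hold time 9;          # short timer: tunnel loss is noticed within seconds
  ipv6 {
    # Accept only host routes inside the secured subnet from the desktop;
    # anything else (a default route, a foreign prefix) is dropped.
    import where net ~ [ fd00:0:0:10::/64{128,128} ];
    export where source = RTS_DEVICE;
  };
}

# One session per tunnel. With a link-local neighbor the interface must
# be named explicitly, which also pins each session to its own tunnel.
protocol bgp desktop_via_ipsec from tunnel_peer {
  interface "gif0";
  neighbor fe80::2 as 65001;
  preference 110;       # prefer the IPsec path if both tunnels are up
}

protocol bgp desktop_via_wg from tunnel_peer {
  interface "wg0";
  neighbor fe80::2 as 65001;
  preference 100;
}
```

The import filter is the security-relevant line: a peer that has passed tunnel authentication can still only inject host routes inside the secured subnet, never a default route or a prefix that would redirect other traffic.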