Home network and lab

I used to have a simple home network: a cable modem in transparent mode, an Asus router with UPnP turned off, and everything on a single flat class C IPv4 address space. Everything but the printers got its address via DHCP; the printers were statically configured on the printer itself. This was mainly because my job kept me away from home; if something broke while I was out on the road, there’d be hell to pay from my spouse, who needs net access to do his job.

Now that I’m a NEET (Not in Employment, Education, or Training) and home all the time, I’ve started making some improvements: network segmentation (so I have somewhere to play without endangering the main network), better firewalling, Pi-hole, a local CA (to get rid of the annoying, but important, self-signed TLS warnings), and a DNS/DHCP server.

The CA, DNS/DHCP, Pi-hole, and a small internal web server (poor neglected thing) all run in containers on a single first-gen Ryzen box. I followed the processes laid out in the very handy Ars Technica articles that Lee Hutchinson wrote:
DNS: Doing DNS and DHCP for your LAN the old way
DHCP: Finally upgrading from isc-dhcp-server to isc-kea
CA: Banish OEM self-signed certs

The hardest part was doing all of this in containers. Getting the container networking set up was a major pain, especially getting the bridging to work the way I needed it (so much fun was had; there are so many ways of doing things, and finding an example that worked for my situation was a joy).

I’ve recently added a web server (the one you’re using now to read this). It’s on its own network, firewalled from everything but the outside interface, allowing in only what’s needed for the web, WordPress, and box maintenance. And, of course, any usernames and passwords are completely different from the main network’s. A security pro I ain’t, but I had to deal with enough stuff in my former job that I’ve learned not to be completely braindead about the common dos and don’ts of cybersecurity.
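As an added illustration (not the author’s actual ruleset), here is how the segmentation described above could be expressed in nftables on a Linux router: the web segment is reachable from outside only on the web ports, the main LAN can reach it for maintenance, and the web segment can never initiate anything into the main LAN. Interface names, subnets, the web server address and the assumption that “box maintenance” means SSH from the LAN are all my assumptions.

```nft
# Added example, not the author's configuration. Assumed layout:
#   wan0 - outside interface
#   lan0 - main LAN, 192.168.1.0/24
#   web0 - isolated web server segment, 192.168.50.0/24
#   web server at 192.168.50.10; maintenance assumed to be SSH from the LAN
define WAN = wan0
define LAN = lan0
define WEB = web0
define WEB_SRV = 192.168.50.10

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # Only the main LAN may talk to the router itself
        iifname $LAN accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Outside world reaches only HTTP/HTTPS on the web server
        iifname $WAN oifname $WEB ip daddr $WEB_SRV tcp dport { 80, 443 } accept

        # Main LAN may view the site and manage the box over SSH
        iifname $LAN oifname $WEB ip daddr $WEB_SRV tcp dport { 22, 80, 443 } accept

        # Main LAN may go out to the internet
        iifname $LAN oifname $WAN accept

        # Web segment may go out (updates, WordPress plugins) but never into the LAN;
        # the explicit drop documents the intent, the default policy enforces it
        iifname $WEB oifname $LAN drop
        iifname $WEB oifname $WAN accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Forward inbound web traffic to the web server
        iifname $WAN tcp dport { 80, 443 } dnat to $WEB_SRV
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname $WAN masquerade
    }
}
```

Load it with `nft -f` and confirm the forward chain with `nft list chain inet filter forward`; any rule you expect to match should show a rising packet counter if you add `counter` to it.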

<More to come>