My Router Setup: A Deep Dive into My Homelab Network

Nov 8, 2025

Welcome to a closer look at my home network architecture. This post will walk you through my current setup, explaining the “why” behind my choices and diving into the configurations that make it all tick.

My Network Architecture

+-------------------------+
|        INTERNET         |
+-------------------------+
        |
        | (FTTH Fiber)
        |
+-------------------------+
|   FREEBOX (Bridge Mode) |
|   (IPv4 DHCP, IPv6 Rtr) |
+-------------------------+
        | eth1 (WAN - 2.5G)
        |
(VRRP Priority 200)           |
+-------------------------------------------------+
| ROUTER 1 (R1 - VyOS) - Primary                  |
|-------------------------------------------------|
| Interfaces:                                     |
| - eth0: 192.168.10.99/24 (Management)           |
| - eth1: DHCP (WAN - 2.5G, to Freebox)           |
| - eth4: 192.168.10.253/24, IPv6 (LAN - 10G)     |
| - eth4.4: 10.50.255.253/16, IPv6 (APP VLAN)     |
| - eth4.8: 10.25.0.253/16, IPv6 (DMZ VLAN)       |
| VRRP Track: eth1 (WAN)                          |
| VRRP Health Check: Ping 1.1.1.1 (via eth1)      |
| Static Route: 192.168.5.0/24 via R2             |
| Netbird Client                                  |
+-------------------------------------------------+
    | eth4 (LAN - 10G Trunk)
    |
    | (VRRP Virtual IPs: .254 for each VLAN)
    |
+-------------------------------------------------------------+
|                        MAIN SWITCH                        |
|                        (VLAN Trunk)                         |
+-------------------------------------------------------------+
|        |        |          (Clients/Servers in respective VLANs)
|        |        |
+----------V----------+ +----V-----+ +-----V-----+
| VLAN 10 (Management)| | VLAN 4   | | VLAN 8    |
| 192.168.10.0/24     | | (APP)    | | (DMZ)     |
|                     | | 10.50.0.0/16| | 10.25.0.0/16|
+---------------------+ +----------+ +-----------+
^             ^            ^
| eth0 (LAN)  | eth0.4     | eth0.8
|             |            |
+-------------------------------------------------+
| ROUTER 2 (R2 - VyOS) - Secondary / 4G Backup    |
|-------------------------------------------------|
| Interfaces:                                     |
| - eth0: 192.168.10.252/24 (LAN/Management)      |
| - eth0.4: 10.50.255.252/16 (APP VLAN)           |
| - eth0.8: 10.25.0.252/16 (DMZ VLAN)             |
| - eth1: 192.168.5.253/24 (WAN - to 4G Router)   |
| VRRP Priority 90 (Lower than R1)                |
| VRRP Track: eth1 (4G WAN)                       |
| Netbird Client (for OOB)                        |
+-------------------------------------------------+
^ eth1 (WAN)
|
+-------------------------+
|   4G ROUTER (Backup)    | ~.~.~.~.~. (4G Mobile Network)
|   192.168.5.1/24        |
+-------------------------+

-------------------------------------------------------------------
Key:
FTTH: Fiber To The Home
Rtr: Router
VRRP Virtual IPs (Gateways for each VLAN):
- VLAN 10: 192.168.10.254
- VLAN 4:  10.50.255.254
- VLAN 8:  10.25.0.254
Netbird: Mesh VPN for Out-of-Band (OOB) remote access
-------------------------------------------------------------------

My internet journey begins with a Fiber-to-the-Home (FTTH) connection provided by my ISP, Free. My Freebox (the ISP’s router) is configured in bridge mode. This means it hands off my public IPv4 address directly to my primary router while still handling standard IPv6 routing.

Next in line is my primary router (R1). It connects to the Freebox via a 2.5 Gigabit Ethernet (2.5GbE) interface. For my internal network, it boasts a 10GbE interface for the LAN. I’ve also included a second 10GbE interface, anticipating a future where my ISP might upgrade to a 10 Gbps fiber connection.

For added resilience, I have a 4G backup router which is connected to my secondary router (R2). The main purpose of this dual-router setup is to ensure Out-of-Band (OOB) access to my infrastructure. This way, even if my primary fiber connection becomes unavailable, I can still remotely access and manage my network.

VyOS

All my routers run on VyOS. In my opinion, it’s one of the best distributions for embracing GitOps and robust version control for router configurations. While it’s an extremely powerful and feature-rich distribution – perhaps even overkill for a typical homelab – I deeply appreciate its capabilities and the flexibility it offers.

Router Configuration Deep Dive

It’s worth noting that the configurations for R1 and R2 are largely identical, with only minor differences such as IP addresses specific to their roles.

Installing VyOS

Installing VyOS is quite straightforward. I’ve covered it previously in my 3rd-year project. If you’re interested, you can find more details here: 3rd year project documentation (in French).

It’s important to mention that my VyOS configurations are saved via exports to Git, rather than through traditional command-line scripts. This approach significantly enhances declarativity and allows for much better version control and automation.

Network Interface Configuration

On Router 1 (R1), eth1 is my 2.5GbE WAN interface connected to the Freebox. eth4 is my 10GbE LAN interface, connected to my switch’s trunk port. eth0 serves as my management interface, providing an emergency access point if the eth4 configuration goes awry.

Here’s how my VyOS interface configuration looks. Public IPs and MAC addresses have obviously been masked for privacy:

interfaces {
    ethernet eth0 {
        address 192.168.10.99/24
        hw-id xx:xx:xx:xx:xx:xx
    }
    ethernet eth1 {
        address dhcp
        description WAN
        hw-id xx:xx:xx:xx:xx:xx
        ipv6 {
            address {
                autoconf
            }
        }
    }
    ethernet eth4 {
        address 2a01:xxx:xxx:xxxx::2/64
        address 192.168.10.253/24
        description LAN
        hw-id xx:xx:xx:xx:xx:xx
        offload {
            gro
            gso
            sg
            tso
        }
        vif 4 {
            address 2a01:xxx:xxx:xxxx::2/64
            address 10.50.255.253/16
            description APP
        }
        vif 8 {
            address 2a01:xxx:xxx:xxxx::2/64
            address 10.25.0.253/16
            description DMZ
        }
    }
    loopback lo {
    }
}

NAT

For those unfamiliar with networking, NAT (Network Address Translation) is a technology designed to translate IP addresses between different network zones. It’s a widely used mechanism on the internet, distinguishing between private local networks and public IP addresses.

Honestly, in my opinion, NAT is a major workaround. We should ideally be prioritizing IPv6 today. Unfortunately, many applications still don’t fully support IPv6 or handle it poorly. However, a full transition to IPv6 would vastly simplify network administration.

Here’s how it’s configured in VyOS:

nat {
# The portforwarding part
    destination {
        rule 200 {
            description "Port forward HTTP"
            destination {
                address XX.XX.XX.XX
                port 80
            }
            inbound-interface {
                group WAN
            }
            protocol tcp
            translation {
                address 10.25.0.50
                port 80
            }
        }
        rule 201 {
            description "Port forward HTTPS"
            destination {
                port 443
            }
            inbound-interface {
                group WAN
            }
            protocol tcp
            translation {
                address 10.25.0.50
                port 443
            }
        }
        rule 202 {
            description "Forward video game"
            destination {
                address XX.XX.XX.XX
                port 27100-27199
            }
            inbound-interface {
                group WAN
            }
            protocol tcp
            translation {
                address 10.50.0.15
                port 27100-27199
            }
        }
    }
# And this is the NAT section to provide internet access to my networks
    source {
        rule 100 {
            source {
                address 192.168.10.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 101 {
            source {
                address 10.50.0.0/16
            }
            translation {
                address masquerade
            }
        }
        rule 102 {
            source {
                address 10.25.0.0/16
            }
            translation {
                address masquerade
            }
        }
    }
}

IPv6 Route

For IPv6, I configured my default route to point to my Freebox.

VyOS Configuration:

protocols {
    static {
        route6 ::/0 {
            next-hop 2a01:e0a:13c:17f0::1 {
            }
        }
    }
}

Router Advertisement (RA)

For IPv6 clients on my network, I also need to configure Router Advertisement (RA). This provides essential network information, such as the default route, router address, and DNS servers.

VyOS configuration:

router-advert {
       interface eth4 {
           default-preference high
           name-server 2a01:xxx:xxx:xxxx:xxxx:xxxx:xxxx:xxxx
           other-config-flag
           prefix 2a01:xxx:xxx:xxxx::/64 {
           }
       }
       interface eth4.4 {
           default-preference high
           name-server 2a01:xxx:xxx:xxxx:xxxx:xxxx:xxxx:xxxx
           other-config-flag
           prefix 2a01:xxx:xxx:xxxx::/64 {
           }
       }
       interface eth4.8 {
           default-preference high
           name-server 2a01:xxx:xxx:xxxx:xxxx:xxxx:xxxx:xxxx
           other-config-flag
           prefix 2a01:xxx:xxx:xxxx::/64 {
           }
       }
   }

IPv4 Routes

Here are my IPv4 routes. I have a default route based on the information provided by my Freebox. Additionally, I have a static route to access the local network of my 4G router. This route is primarily for administering the 4G router from R1.

protocols {
    static {
        route 0.0.0.0/0 {
            dhcp-interface eth1
        }
        route 192.168.5.0/24 {
            description "4G ROUTER"
            # R2
            next-hop 192.168.10.252 {
            }
        }
    }
}

System Updates

While it’s possible to create custom VyOS builds and specify custom update files, for my setup, I’m using the official repositories.

update-check {
    url https://raw.githubusercontent.com/vyos/vyos-nightly-build/refs/heads/current/version.json
}

To perform an update, you’d use this command:

add system image latest

This command will reinstall VyOS with the latest update, while also creating a GRUB entry that allows you to roll back to the previous installation if needed. This provides a safe way to manage updates.

Securing access

By default, console access is protected by a password. For remote access, I only allow SSH, and for enhanced security, I’ve disabled password authentication in favor of SSH keys.

login {
       operator-group default {
           command-policy {
               allow "*"
           }
       }
       user matthieu {
           authentication {
               encrypted-password ****************
               plaintext-password ****************
               public-keys rider128 {
                   key ****************
                   type ssh-ed25519
               }
           }
       }
   }
   
ssh {
    disable-password-authentication
    port 22
}

Netbird Configuration

Netbird is crucial for my remote access needs. It’s the tool that allows me to securely access my network from anywhere, including via the backup 4G connection if my primary router is offline.

VyOS offers the capability to run containers using Podman. This is how I’ve set up the Netbird client:

container {
    name netbird {
        # Permissions for masquerading and container routes
        allow-host-networks
        capability net-admin
        capability net-raw
        environment NB_MANAGEMENT_URL {
            value https://matthieudaniel-thomas.fr
        }
        # Key to be generated on Netbird
        environment NB_SETUP_KEY {
            value xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxx
        }
        # Netbird Docker image
        image ghcr.io/netbirdio/netbird:0.60.3
        volume NB_PATH {
            destination /etc/netbird
            source /config/containers/netbird
        }
    }
}
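
Because these configurations are exported to Git, and the login and container stanzas above carry credentials, a scan before each commit is a useful guard. The following is an added example, not part of the original setup: `scan_vyos_secrets` is a hypothetical helper, and treating values made only of `*`, `x` and `-` as already masked is an assumption based on how this post redacts them.

```shell
#!/bin/sh
# Added example (not from the original post): list secret-bearing lines in a
# VyOS configuration export before it is committed to Git.
# Reads the configuration on stdin, prints "line: key" for each finding and
# returns 1 if anything was found, 0 otherwise.
scan_vyos_secrets() {
    awk '
        BEGIN { found = 0 }

        # Credential leaves from the login stanza shown in the post.
        $1 == "encrypted-password" || $1 == "plaintext-password" { hit($1, $2) }

        # Container environment variables: remember the name, then check the
        # value only when the name looks like a credential (e.g. NB_SETUP_KEY).
        $1 == "environment" && $NF == "{" { env = $2; next }
        env != "" && $1 == "value" {
            if (env ~ /(KEY|TOKEN|SECRET|PASSWORD)/) hit("environment " env, $2)
        }
        $1 == "}" { env = "" }

        function hit(name, val) {
            # Assumption: empty values and values made only of mask
            # characters are already redacted and are not reported.
            if (val == "\"\"" || val ~ /^[*xX-]+$/) return
            printf "%d: %s\n", NR, name
            found = 1
        }

        END { exit found }
    '
}
```

Called from a Git pre-commit hook as `scan_vyos_secrets < config.boot || exit 1` (the file name is an assumption), it blocks the commit until the reported lines are masked.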

VRRP

Now, let’s configure VRRP for high availability and failover between my 4G and Fiber connections.

To manage the failover, I’m relying on a health check: if the router can successfully ping Cloudflare (1.1.1.1), then everything is working correctly, and no failover is triggered. However, if Cloudflare doesn’t respond, a failover is initiated. In the future, I might add a rule to ping both Google and Cloudflare, so that the health check itself no longer depends on a single target.

Here’s the configuration for Router 1 (R1):

vrrp {
    group VLAN1 {
        address 192.168.10.254/24 {
            interface eth4
        }
        interface eth4
        preempt-delay 60
        priority 200
        track {
            interface eth1
        }
        vrid 1
    }
    group VLAN4 {
        address 10.50.255.254 {
            interface eth4.4
        }
        interface eth4.4
        preempt-delay 60
        priority 200
        track {
            interface eth4.4
        }
        vrid 4
    }
    group VLAN8 {
        address 10.25.0.254/16 {
        }
        interface eth4.8
        preempt-delay 60
        priority 200
        track {
            interface eth4.8
        }
        vrid 8
    }
    sync-group MAIN {
        health-check {
            interval 3
            ping 1.1.1.1
        }
        member VLAN1
        member VLAN4
        member VLAN8
    }
}

And here’s the configuration for Router 2 (R2):

vrrp {
    group VLAN1 {
        address 192.168.10.254/24 {
            interface eth0
        }
        interface eth0
        preempt-delay 60
        priority 90
        track {
            interface eth1
        }
        vrid 1
    }
    group VLAN4 {
        address 10.50.255.254 {
            interface eth0.4
        }
        interface eth0.4
        preempt-delay 60
        priority 90
        track {
            interface eth0.4
        }
        vrid 4
    }
    group VLAN8 {
        address 10.25.0.254/16 {
        }
        interface eth0.8
        preempt-delay 60
        priority 90
        track {
            interface eth0.8
        }
        vrid 8
    }
}

In both configurations, you can see a VRRP group for each VLAN, facilitating failover at a granular level. On the primary router (R1), there’s a sync-group with a health check configured to verify internet connectivity. This current setup ensures there’s no downtime for users on my local network, and crucially, maintains access for those attempting to reach my network remotely.
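
One way to remove the single-target dependency of the health check is to replace the `ping` option with the `script` option of the VyOS health check and probe several hosts. This is an added example, not part of the original configuration: the script name `wan-health.sh`, its location under `/config/scripts/` and the second target 8.8.8.8 are assumptions, while 1.1.1.1 and eth1 come from the setup above.

```shell
#!/bin/sh
# Added example, not from the original post: VRRP health check that probes
# several targets so that one unreachable host does not trigger a failover.
# 1.1.1.1 and eth1 come from the post; 8.8.8.8 is an assumed second target.
TARGETS="${TARGETS:-1.1.1.1 8.8.8.8}"
WAN_IF="${WAN_IF:-eth1}"
MIN_OK="${MIN_OK:-1}"      # how many targets must answer to count as healthy

# Send one echo request out of the WAN interface, waiting at most 1 second.
probe() {
    ping -c 1 -W 1 -I "$WAN_IF" "$1" >/dev/null 2>&1
}

# Return 0 when at least MIN_OK targets answer, 1 otherwise.
# PROBE may name a replacement probe function (used for offline testing).
wan_healthy() {
    ok=0
    for target in $TARGETS; do
        if "${PROBE:-probe}" "$target"; then
            ok=$((ok + 1))
        fi
    done
    [ "$ok" -ge "$MIN_OK" ]
}

# Run the check only when installed under its own name (hypothetical path
# /config/scripts/wan-health.sh); sourcing the file only defines the functions.
case "${0##*/}" in
    wan-health.sh) wan_healthy; exit $? ;;
esac
```

A non-zero exit status marks the check as failed, so with the default `MIN_OK=1` a failover only starts when every target is unreachable through the WAN interface.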

Conclusion

This infrastructure was built for my homelab. By learning powerful tools like VyOS, VRRP, IPv6, Netbird, and more, I believe I have constructed a robust and resilient core infrastructure.

But this rig is more than just a functional setup. It’s designed with the ambition to be continuously updated (e.g., adding monitoring to it) and to allow for deeper dives into advanced networking protocols. I’m particularly excited to use this rig to experiment with many technologies like BGP, or for testing out the dn42 environment.