Pete's Log: Home automation and home networking
Entry #1876, (Coding, Hacking, & CS stuff)(posted when I was 42 years old.)
This was originally going to be titled Laundry Room Data Center Part 2, but I've since gone off the deep end.
In part all this is motivated because a couple months ago somebody threw a tire over our back fence. And we wish we could've seen who it was, because seriously, who throws tires over fences? But really, I think I've been doing this as my personal quarantine therapy.
Why does the title Laundry Room Data Center no longer apply? Well, here is how things have extended to the garage:
So here's what I'm going to cover:
- Where we're at now
- How we got here
- Future plans
- More tedious details
Where we're at now
In addition to the NAS and raspberry pi cluster from before, I've added:
- A pfSense-based firewall from Netgate (thanks Brian for the recommendation)
- A 16-port managed switch in the laundry room with 8 PoE ports
- An 8-port managed switch on my desk (no PoE)
- An 8-port managed switch in the garage (all PoE)
- A Wireless Access Point in the laundry room with multi-SSID support
- A Wireless Access Point in the garage (no multi-SSID)
- A Gigabit ethernet link between the laundry room and the garage (thanks Branden and Brian)
- Another raspberry pi (I know)
- An outdoor PoE camera attached to the garage pointing at the tire throwing location
- A bunch of ZWave devices
I've set up four VLANs across my network: management, IoT, datacenter, and clients. IoT is only allowed to talk to datacenter. Not much else in the way of firewall rules between subnets yet.
Our ISP-provided router is still active (see "more tedious details"), so we have:
Incoming fiber -> ONT (optical network terminator) -> ISP router -> pfSense -> laundry room switch -> everything else
The only exception to "everything else" above is that I'm currently using the WIFI on the ISP router as our guest network, so it's completely outside the local network, which is kinda nice.
Everything seems to be working great.
How we got here
So as mentioned in my previous entry, I got two raspberry pis and installed Home Assistant on one of them and Nagios Enterprise Monitoring Server on the other. Well, I batted .500 on how much I liked those things. HA has become my obsession and NEMS got ditched. While our ISP-provided router has for the most part been decent and allowed me to do everything I had wanted until this point (such as forward ports internally), the one thing that it very much refused to do was to allow any configuration of DNS. And I wanted to configure DNS. In particular, I wanted to have a DNS entry for Home Assistant that resolved to my external IP outside my network, but resolved to the rpi running HA from withing my network. And there just didn't seem to be any good way to do so with the ISP-router without manually configuring DNS on every client.
So after a chat with Brian, I decided it was time for my own network equipment. So I bought a pfSense firewall, an 8-port switch, and a wireless access point. And I set those things up, and everything was pretty OK. But just OK.
The first thing to get upgraded was the wireless access point. While I had configured my IoT and Datacenter and Clients VLANs on the switch, the access point had both clients and IoT devices on them, with no easy way to separate them without per-device rules.
So I continued down the rabbit hole of network equipment retail therapy. I bought an Access Point that supports multiple SSIDs and where each SSID can be assigned a different VLAN. So now I have an IoT-SSID which correlates to the IoT VLAN and a regular client SSID which correlates to the client VLAN. And this pleased me.
And yet...
We haven't addressed the tire-throwing yet. Since our garage is detached and about 50 feet from the house, I wasn't really getting great WIFI out to where I'd want to mount a camera to monitor tire-tossers. So my next obsession began.
There are two conduits running from the house to the garage. One carries power to a sub-panel out there. The other has two telephone cables. The one cable had been cut on both sides. The other cable was being used to connect the garage door button in the kitchen to the garage door opener in the garage. Both cables consisted of three twisted pairs. My original idea was to try to use these old cables to pull new cat6 cable through the conduit. I ran the idea past Branden and Brian. Branden suggested I try reusing one of the cables and Brian pointed me to existence of cat6 junction boxes. While reusing just the one unused cable may have worked for 100Mbit speed, my twisted brain decided obviously the answer was to use one of the free pairs on the cable carrying the garage door wire and combine it with the other cable to get to four pairs.
Since the cables had been previously cut quite close to the wall on either side, and since the cables were also old and brittle, it was fiddly business. I'm surprised it worked at all, but it did so on my first try. Here's the house-side junction box without the cover:
The garage side looks similar. With that working, I found myself in need of more networking equipment retail therapy. I decided I wanted a PoE camera for the garage, so I needed a PoE switch for out there.
Also I was already running out of ports on the 8-port switch I bought for the laundry room (firewall + garage + esgerbeastie + Philips Hue + NAS + Access Point + Pis). And the new Access Point in the laundry room supported PoE, plus the Pis could all be outfitted with PoE, so I could save a lot of power cords with PoE. So I convinced myself my desk could use the 8-port switch and went and bought two more switches. I also repurposed the original laundry room access point in the garage, although I'm still debating how exactly I want to configure it.
And if nothing else, it did work, both technically and from a retail therapy point of view. I am pleased and entertained by the setup, and I like to think that 20-something year old Pete would be excited by all this gear.
The NAS has been configured with the following:
- A Wiki I'm using to document all this
- Git for versioning configuration files
- My IP cameras (two so far) save recordings to the NAS when they detect motion (no tire tossers so far though)
I spent a little time trying to get some variant of Kubernetes running on the pi cluster, but in the interest of keeping my Home Assistant up and running, have opted to just use the HA image on one pi. Another pi is running an nginx reverse proxy that currently just redirects incoming Let's Encrypt verification requests to the correct device (the pfSense, the NAS, and HA all support Let's Encrypt certs, which is nice).
Anyway, here's the tire as viewed from the outdoor IP camera attached to our garage:
Future plans
There's always more to do... and this entry is already way longer than I thought it would be... but here are a few things
- More cameras
- More home automation
- More separation of my subnets
- Get IPv6 working (although I think I need to ditch the ISP router for that)
More tedious details
Ideally, I'd love to remove the ISP router from the picture. Bandwidth and latency have all been absolutely fine, so it's nothing urgent, but I don't think I can make IPv6 work as intended with the current configuration. Plus it's the principle of having an extra unnecessary hop that would just be nice to remove.
The problem from everything I've read is that the authentication certificate is baked into the firmware of the router. So the ONT is looking for this router when it comes online. There appear to be two ways people are getting around this:
- Anytime the ONT boots up, connect it to the ISP router for auth, then connect it to your own router once its authenticated. Repeat anytime the link goes down. Not something I feel like doing.
- Connect the ISP-router to your own router and your own router to the ONT. Configure rules on your own router that redirect the ONT's auth traffic to the ISP router, and handle any other traffic normally. I've found potential rules for how to make this work with pfSense, but it sounds tedious and also potentially time-consuming. The current setup works and while I'd like to at least give this a try some day, it'll have to be a day where I have lots of time, nothing I'd rather work on, and no issue with the network being down for a while.