I created my own home ‘office’ LAB network for $50

Genki Ganko
7 min read · May 25, 2024


This is not clickbait. I literally got the second-hand network equipment in this article through Yahoo! Auction for around $50 (7,500 YEN) in total. Yes, that cheap! I've always wanted to set up my own devices at my own expense and try to break the equipment without worrying about my company's costs.

I live an hour away from Tokyo (Chiba prefecture), so I was able to get these devices at reasonably cheap prices through Yahoo! Auction. For those who are wondering, it is like eBay. Unfortunately, it is available only in Japan. Now, enough chitchat; I'll go over how I managed to factory reset and configure my basic office LAB network.
For this project, I used a Cisco Catalyst 3560 Series 24-port switch, a FortiGate 200D firewall, and 2 Fortinet AP822i V2 access points. Unfortunately, the APs I purchased were defective, so I was not able to completely test and configure them by the end.

Network Switch setup

1. Connect to the switch console

I used my Kali Linux-based laptop for this project since it is the only spare laptop I have at the moment. I connected the USB console cable from the switch console port to my laptop's USB port. Since I connected from a Linux machine, finding the console connection works differently. Normally, when you PuTTY into a device from a Windows machine, you can easily find the COM port in Device Manager. On this Linux machine, I had to go to /dev and find the USB serial device instead. In my case (see the picture) the device was ttyUSB0. So I opened a PuTTY session, clicked Serial, and typed the absolute path of that device (/dev/ttyUSB0), because, as you may already know, everything on Linux is a file.

Now that I’ve got my connection to the switch, time to reset the configuration.

2. Reset and delete old VLAN configuration

My Catalyst 3560 switch had already been reset, but just to be sure, I reset it myself anyway. You will need to power down the switch and power it back on while holding the Mode button pressed. You will eventually arrive at the switch: prompt. Note that I am deleting the VLAN configuration (vlan.dat) as well, since it is not automatically deleted when you do a normal factory reset on a used network switch.

flash_init
delete flash:config.text
delete flash:vlan.dat
boot

I got the screen below from my switch after the hard reset, so the reset should be done.

Image 2

3. Basic switch configuration

I created some passwords for login first as a general security measure, and enabled the VTY lines for a few connections as a baseline. The passwords I created below are just temporary (maybe).

enable
conf t
enable password cisco
enable secret cisco-secret
line vty 0 4
login
password cisco

Next I set the VTP (VLAN Trunking Protocol) mode to transparent. I won't go into the details of everything, so I will let your curiosity roll. Then I created the VLANs I am planning to use. I only planned on creating 2 VLANs: VLAN 10 for the management/dev VLAN and VLAN 100 for the USERNET/DHCP server.

vtp mode transparent
vtp domain homelab
vlan 10
vlan 100

Next, I created the DHCP server for the supposed 'users' network. I also excluded the gateway/DNS address 192.168.100.254 from the pool so that it is never leased to a client automatically, which would cause an address conflict on the network.

ip dhcp pool NAME
network 192.168.100.0 255.255.255.0
default-router 192.168.100.254
dns-server 192.168.100.254
lease 1
domain-name google.com
exit

ip dhcp excluded-address 192.168.100.254
end

At this point, I assigned the switchports to their respective VLANs. I enabled STP BPDU Guard and PortFast on these ports to avoid a loop if you introduce another switch to the network. Note that this may only apply to older switches.

int range fa0/1-12
switchport mode access
switchport access vlan 100
switchport nonegotiate
shut
no shut
exit

int range fa0/13-24
switchport trunk encapsulation dot1q
switchport mode trunk
switchport access vlan 10
switchport nonegotiate
switchport protected

spanning-tree bpduguard enable
spanning-tree portfast trunk

Now I have assigned management IP addresses to these VLANs. That is it for my basic switch configuration for now. I saved the configuration using 'wr' as a shortcut to save all the changes made. You can also do 'copy running-config startup-config', which gives the same result.

conf t
int vlan 10
ip address 10.10.10.1 255.255.255.0
exit
int vlan 100
ip address 192.168.100.1 255.255.255.0
exit
wr
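As an added example (my own code, not from the original post), here is a small Python audit of the switch configuration built in steps 3 and 4. The config text is constructed from the commands above (with the IOS keyword default-router for the pool gateway) and is not a real running-config dump; the checks encode the weak spots a reviewer would flag: the reversible 'enable password', Telnet left open on the VTY lines, and addresses the switch itself uses that sit inside the DHCP pool without being excluded.

```python
import ipaddress

# Constructed from the commands in this post; 'default-router' is the IOS keyword.
SWITCH_CONFIG = """\
enable password cisco
enable secret cisco-secret
line vty 0 4
 password cisco
 login
ip dhcp excluded-address 192.168.100.254
ip dhcp pool NAME
 network 192.168.100.0 255.255.255.0
 default-router 192.168.100.254
interface Vlan100
 ip address 192.168.100.1 255.255.255.0
"""

def sections(config):
    """Split an IOS config into (header, [indented child lines]) stanzas."""
    out = []
    for line in config.splitlines():
        if line.startswith(" "):
            out[-1][1].append(line.strip())
        elif line.strip():
            out.append((line.strip(), []))
    return out

def audit(config):
    findings, excluded, svi_ips, pools = [], set(), [], []
    for header, body in sections(config):
        if header.startswith("enable password"):
            findings.append("enable password is plaintext/type 7; keep only 'enable secret'")
        elif header.startswith("line vty"):
            if not any(b.startswith("transport input ssh") for b in body):
                findings.append(f"{header}: Telnet allowed; add 'transport input ssh'")
        elif header.startswith("ip dhcp excluded-address"):
            excluded.add(header.split()[3])  # single-address form only
        elif header.startswith("ip dhcp pool"):
            pools.append((header.split()[3], body))
        elif header.startswith("interface Vlan"):
            svi_ips += [b.split()[2] for b in body if b.startswith("ip address ")]
    for name, body in pools:
        net = next((b.split()[1:3] for b in body if b.startswith("network ")), None)
        gw = next((b.split()[1] for b in body if b.startswith("default-router ")), None)
        pool = ipaddress.ip_network("/".join(net), strict=False) if net else None
        # Switch/gateway addresses inside the pool must be excluded or a client may be leased them.
        for addr in [gw, *svi_ips]:
            if addr and pool and ipaddress.ip_address(addr) in pool and addr not in excluded:
                findings.append(f"pool {name}: {addr} lies in {pool} but is not excluded")
    return findings
```

Running audit(SWITCH_CONFIG) reports three findings; the VLAN 100 SVI address 192.168.100.1 is the one the config above leaves unexcluded.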

4. Basic firewall configuration

Now that I have the switch config in place, I need to power up my firewall and console into it. This firewall had already been reset, so I did not have to reset it again. To connect to the FortiGate firewall, I had to change my laptop's IP address to the '192.168.1.X' subnet, since the default web interface IP of a FortiGate after a factory reset is '192.168.1.99'. I changed it with the 'nmtui' utility since that is much easier for me.

Image 3
Image 4
Image 5

After changing my IP address to 192.168.1.2, I was able to access the FortiGate firewall's web interface at 192.168.1.99.

Image 6

I navigated to System -> Settings to change the hostname first, so the device is easy to identify on the network; I changed it to HOMEFGFW01. If you are doing this, make sure to check your Timezone and NTP server settings, as these are extremely important. Other settings, like the HTTP/S port numbers, I left at their defaults.

Image 7

After this, I went ahead and configured the interfaces. As you can see below, there is the default IP address on the MGMT interface, and there is also an automatic IP assigned to the WAN1 interface. The reason is that I plugged my ISP device into the WAN1 port of this firewall, which gives it an internet connection. Note that not all ISP devices will hand out an address to any device right away, so be sure to check with your local provider.

Image 8

I changed the MGMT IP to an address in the MGMT VLAN network that I created on the Cisco switch earlier (VLAN 10, 10.10.10.0/24). You can also add Trusted Host IP/mask entries if you prefer to restrict where admin logins can come from. I changed the administrative access settings to only HTTPS for web access, PING for testing purposes, and SSH for testing and remote connection.

Image 9

At this point, I added all the remaining physical ports to the LAN role of this interface.

Image 10

Next, I created the outbound static route via the gateway of this firewall, which is 192.168.1.254 at this point. This ensures that you can reach the internet from your network. I then created a policy from System -> Policy&Objects -> IPv4 Policy and named it ALL-ALL.

Image 11
Image 12

Now, from here, I was able to create, edit, clone, and rename this policy, or any new ones, into whatever policies I need. From my current ALL-ALL policy, right-click it, click Copy, and then Paste Above or Below. This is how you decide which policy overrules another: as you may already know, policies and ACLs follow the top-to-bottom rule, so the first matching policy wins.

Image 13

I created the HTTP/HTTPS policy next, with the Incoming Interface set to the LAN network, the Outgoing Interface set, and Source/Destination set to ALL and ALL. I then created one for DNS.
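To make the top-to-bottom rule from the previous section concrete, here is an added example (my own code, not part of the original post) that evaluates a small policy table first-match style using the three policies described above. The interface names lan/wan1 and the field layout are simplifying assumptions, not FortiOS data structures.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    src_intf: str        # incoming interface
    dst_intf: str        # outgoing interface
    services: frozenset  # service names, or {"ALL"}

    def matches(self, src_intf, dst_intf, service):
        return (self.src_intf in ("any", src_intf) and self.dst_intf in ("any", dst_intf)
                and ("ALL" in self.services or service in self.services))

    def covers(self, other):
        """True if every flow `other` would match is already matched by this policy."""
        return (self.src_intf in ("any", other.src_intf) and self.dst_intf in ("any", other.dst_intf)
                and ("ALL" in self.services or other.services <= self.services))

def first_match(policies, src_intf, dst_intf, service):
    """Name of the first policy, top to bottom, that matches; otherwise the implicit deny."""
    for p in policies:
        if p.matches(src_intf, dst_intf, service):
            return p.name
    return "implicit-deny"

def shadowed(policies):
    """Policies that can never fire because an earlier policy already covers all their flows."""
    return [p.name for i, p in enumerate(policies) if any(q.covers(p) for q in policies[:i])]

# The three policies from the post; interface names are assumptions.
ALL_ALL = Policy("ALL-ALL", "lan", "wan1", frozenset({"ALL"}))
WEB = Policy("HTTP-HTTPS", "lan", "wan1", frozenset({"HTTP", "HTTPS"}))
DNS = Policy("DNS", "lan", "wan1", frozenset({"DNS"}))
ALL_ALL_ON_TOP = [ALL_ALL, WEB, DNS]      # pasted "Above": the specific policies never fire
ALL_ALL_AT_BOTTOM = [WEB, DNS, ALL_ALL]   # pasted "Below": specific policies are evaluated first
```

With ALL-ALL on top, shadowed() reports both specific policies as dead; moved below them they fire first, but ALL-ALL still permits every other outbound service, so the specific policies only add value (logging, security profiles) once the catch-all is removed or narrowed.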

Image 14
Image 15

After I created my policies, I enabled them to apply the changes.

Image 16

And voila! I now have my simple, basic production HOMELAB network, imitating a small office network that can cater to about 10–15 people. It may not be perfect at all, but at least it is working. If you notice something to improve, or have any suggestions for improvements, I am open to anything. Please do leave a clap or comment, and share with someone if you think this is interesting. Follow me for more networking, system administration, and IoT related articles. Until next time!


Genki Ganko

IT Infrastructure | Cybersecurity | Former Chef | Jesus Christ follower