Introduction
Recently I attended a presentation at work where my colleagues told their journey of creating your own home lab. I had my own lab as well, but life happened and now its starting to itch again.
So here we are! I don’t have a fully worked out plan yet, but as I have the tedency to miss the forest because of the trees its more important to me to just start and figure the rest out along the way.
Hardware
So what are we working with? Below is the hardware I currently have.
- ISP Router
- Mikrotik RB5009 router
- Raspberry Pi 4b (with Pihole installed)
- Philips Hue Brigde
- Intel NUC
- Unifi AP
- Workstation
Networking
Before I can start up a wonderful lab I need to segment my network. Why? Because we will be able to run experiments without affecting “production network”. Another reason for segmentation is to make it more difficult for attackers to laterally move. Unfortunately, ISP routers are quite limited in functionality. The internet provider gives you an admin account, but don’t be fooled as this so called “admin” account is far from what it portrays to be.
In the old times it was not possible to have your own router at the edge between your network and the ISP. Well, technically it was possible it you bridged the ISP router, but I digress. As of January 28 2022, an EU law went into effect which allows consumers to pick and choose their own router. It does come with the caveat that its now YOUR responsibility to fix problems. No more calling the support line if you have Wi-Fi problems. As if they were ever helpfull.. :p
For my home network I picked the Mikrotik RB5009 as my partner in crime. Its a little older compared to other routers. The Ubiquiti Cloud Gateway fiber was also on my shortlist, but it was more expensive and did not have the amount of switch ports I’d need.
Threat exposure
A few year ago I purchased a Shodan lifetime account for 4 dollars, but I haven’t been doing a lot with it. There are a lot of cool projects we could do with API access to Shodan. For now I will use it for threat exposure. Shodan has a feature where as soon as a vulnerability or a new open port is seen it will send me an email. Quite useful in case I mess up my firewall rules. My ISP formally assigns my public IP dynamically, but in practice reserves the same IP to me. In the future we could make it more reliable with Dynamic DNS, but thats a topic for another time.