🔍 Important
This post is part of a series. Also see part 2.
Background & Goals
I’ve been wanting to upgrade my home network for a long time. I’m severely limited in the types of cyber projects that I can engage with until I address this, so I thought that a home network upgrade had better be the first thing I complete after graduating. The existing setup is lacking in several areas:
- Old Network Devices - The physical devices that make the network function are old, starting to become unreliable, and simply do not support many of the features that I need.
- Basic Deployment - The network is configured such that everything shares the same network segment. Noisy and untrusted IoT devices mix with my personal devices.
- Poor Visibility - Beyond the very basic logging that the router does, I have nearly no awareness of what happens on the network and no viable way to set up network security monitoring (NSM) in the future.
- Inadequate Controls - As mentioned before, many of the controls that I need to harden the network are either poorly supported or completely unavailable for my current equipment.
All of this boils down to one thing: I don’t trust my current home network. This applies to both reliability and security, so I need a network that I can have more confidence in. Here are my major goals:
- Implement Segmentation - I want personal and/or trusted devices to be kept apart from other devices.
- Improve Wi-Fi Configuration - This ties into implementing segmentation. I want multiple access points (for better coverage) that can all broadcast different SSIDs (e.g., for trusted, IoT, and guest devices).
- Better Logging - I want more advanced logging to get a better idea of what’s happening on the network. NSM solutions will be explored separately, as deploying one constitutes another project.
- Utilize Open Source and DIY Solutions - When it’s possible and makes sense, I want to be able to turn to myself and the larger open source community to solve problems. This can also help save some costs, since most commercial solutions are outside of my budget at the moment. Open source firmware for devices like switches and access points is currently out of scope, but I am considering this for the future.
- Support Future Projects - I want the network to be able to properly handle future projects without requiring major changes or experiencing any critical disruptions.
Groundwork
To start, I moved the existing modem and router from the living room to the basement and installed a new wall access point in their place. This required me to modify a Cat5e cable that I ran years ago to connect my computer lab in the basement to the (then-upstairs) router.
Instead of a single ~100ft cable run, we now have two ~50ft cable runs. One of the runs is for my lab, and the other is for the new access point. See the diagram below for a better idea of what I’m talking about.
I won’t lie, this was primarily done because my mom wanted most of the networking equipment to be moved somewhere other than the living room corner. However, this is also good for the rest of the project (not to mention future projects). I would have had to do this eventually, so it’s best to get it out of the way now before I have much equipment to set up or manage.
Everything currently lives on a shelf with some other old computer stuff. I’m planning to get a rack/enclosure at some point in the future after the project is done.
Apart from another wireless access point or two that I’ll be deploying in the future, this is about as far as my changes to the physical network go. Those access points haven’t arrived yet and will not require new cable runs, so it isn’t worth covering them more right now.
DIY Router
With the groundwork done, I started working on a DIY router to replace the old one. Unfortunately, I ran into a lot of issues attempting to repurpose a mini PC for this task. I switched to a fully custom build, but I’ll still be working on figuring out the mini PC in my spare time.
Lenovo ThinkCentre M715q
The M715q only comes with one built-in wired network port, but we need at least two ports for LAN and WAN. This seemed easy at first because I just needed to add another port, and there’s even a punch-out on the back for this exact purpose!
Unfortunately, I was wrong. Installing the port itself was easy, but that’s about where it ends.
I removed the preinstalled Wi-Fi card to replace it with a 2.5G NIC and powered the computer on. No matter what I did, the new interface would never get recognized. After spending weeks on fruitless troubleshooting, I figured that the card must be defective and ordered a replacement. The replacement had the same issue.
This was when I discovered that Lenovo actually controls which cards can be used in the M.2 Wi-Fi card slot. If your card isn’t in the whitelist, it doesn’t work. And guess what, none of my NICs are in the whitelist. Then I had a thought:
No problem. I have a cyber degree, I’ll just hack it!
I did some research and found out that the whitelist check isn’t performed at all if you set both the serial number and the model number to the string INVALID. According to online instructions from Lenovo, the BIOS update flasher tool can be used to set these values. I attempted to do exactly that, but every method failed, and I eventually found out that my device is write-protected.
Another option involves locating and reading the BIOS chip(s), finding and modifying the whitelist, and then flashing a new BIOS. This sounds easy enough, but the method is time-consuming and will have to wait until I get myself a chip reader. I considered buying one specifically for this project, but I honestly just wanted to be done fighting against Lenovo for a while and decided to save it until I find a better reason. I also tried a USB NIC that I had lying around and found that this did actually work, but it could only handle our Internet connection at about a quarter of the expected throughput.
Without another appealing alternative, I decided to repurpose some old parts to create a custom build. I have a feeling that there’s a different way around the write protection and/or the M.2 whitelist on the mini PC, so I’ll be doing more research later.
Custom Build Planning
I decided to reuse the Fractal Design Node 202 case that I had lying around from an old compact gaming PC build to make the new router. I needed a lot of new parts, though:
- Power supply unit (PSU)
- Motherboard
- Heatsink
- Dual 2.5G NIC
- 3D-printed hard drive sled
The Node 202 is definitely a small case by most people’s standards. It’s primarily targeted at small form factor (SFF) PC enthusiasts like myself or people looking to build something like a home theater PC for the living room.
When it comes to home routers, however, the Node 202 is massive. There’s a lot of spare room in this case (no GPU for this build) and my hardware specs are overkill for just a router, so I’m planning to install Proxmox. This way I can virtualize the router and dedicate the remaining resources to other VMs/containers, which avoids leaving most of the host machine’s computing power on the table.
I also want to move some NAS drives from my PC to this new machine to free up space for a second GPU as part of a long-term PC revamp project.
I’m not 100% sold on the idea of virtualizing the router (I would prefer a dedicated machine to start), but I think that this is currently my best option to maximize hardware utilization and get the most bang for my buck.
Next Post
The next part of this project will cover installing another access point, assembling the machine, installing Proxmox, and getting a VM/container ready for the virtualized router.