My infrastructure has scaled up slightly. I added another Lenovo M720q as well as a Dell 7090 MFF. I found the Dell so I'd have something with enough CPU cores to handle Palo Alto's Panorama. While I only have a single firewall, forcing myself to use Panorama is a good way to practice. Proxmox has been great. I feel it has been a lot more flexible than VMware's ESXi. I am not sure whether it is as good at the high-end enterprise tier, but at the home lab level I think it is phenomenal.
I decided to put the Cisco 9300-48UXM into production. It's very overpowered for my network. It was a steal because some of the PoE rails are broken on some of the ports, but those ports otherwise pass traffic. With it in place, my 2.5Gb/s capable devices are able to run at their full speed. My Internet is still a bit limited by the PA-450's 1Gb/s links, but multiple devices can make use of my full Internet speed at once.
The little TV tuner antenna is gone now. I put a new antenna in the attic so we now get ~50 channels from across the valley.
I am surprised it took me this long to do this…
Cloudflare Pages is working out very nicely for the blog. It's exceptionally easy to maintain: a simple update to a GitHub repository and the page rebuilds with the new content. I've also deployed a second Cloudflare Pages instance to act as my CDN for other services.
Cloudflare's Zero Trust is still working out well for remote VPN access. However, it doesn't work well as a site-to-site VPN mechanism. It can be made to, but it isn't very dynamic with regard to other routers. Cloudflare has higher-level offerings that allow normal IPsec tunnels, but those cost more than "Free".
For site-to-site VPN, I fully swung everything over to VyOS with WireGuard tunnels. The sites peer with each other via eBGP, and I assigned a unique ASN to each site. The main reasons for this are that WireGuard co-exists very well with NAT, provides a VTI, is lightweight, and can readily use FQDN peers. On top of that, I was able to build a VyOS instance within Google Compute Platform using their "Always Free" configuration, so I essentially have a free cloud router to bounce connections off of. Everything is fully meshed, but the cloud router provides a fall-back link should one of the other point-to-point tunnels fail.
I've also begun to invest more in DevOps within the lab and took a deep dive into Ansible. I have a whole other repository for that, and I have rebuilt many of my services to use Ansible tasks and roles. Deploying changes is just a tweak in the repository, then a git pull and an ansible-playbook run.
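To tie the two ideas above together, here is an added example (not from the original post or its repository) of how the WireGuard tunnel and the eBGP peering from the site-to-site section could be pushed to one of the VyOS routers from an Ansible playbook. It assumes the `vyos.vyos` collection, VyOS 1.4 CLI syntax (including the `peer … host-name` option for FQDN peers), an inventory host called `site-a`, and constructed placeholder addresses, ASNs and key variable names; the keys themselves are pulled from Ansible Vault so they never sit in the repository in clear text.

```yaml
# Added example: configure a WireGuard site-to-site tunnel and eBGP peering on VyOS
# via Ansible. Assumptions (not from the original post): VyOS 1.4 syntax, the
# vyos.vyos collection, inventory host "site-a"; all addresses, ASNs and the
# vault_* variable names are constructed placeholders.
- name: Configure WireGuard site-to-site tunnel and eBGP peering
  hosts: site-a
  gather_facts: false
  connection: ansible.netcommon.network_cli
  vars:
    ansible_network_os: vyos.vyos.vyos
    local_asn: 64512                      # one private ASN per site
    local_lan: 10.10.0.0/24               # prefix this site advertises
    tunnel_local: 10.255.0.1/30           # point-to-point tunnel address
    tunnel_peer: 10.255.0.2               # far side of the /30, used as BGP neighbor
    peer_asn: 64513
    peer_fqdn: gcp-router.example.net     # FQDN peer; VyOS resolves it itself
    peer_pubkey: "{{ vault_peer_pubkey }}"          # stored in Ansible Vault
    wg_private_key: "{{ vault_wg_private_key }}"    # stored in Ansible Vault
    bgp_password: "{{ vault_bgp_password }}"        # TCP MD5 for the BGP session

  tasks:
    - name: WireGuard interface wg01 towards the cloud router
      vyos.vyos.vyos_config:
        save: true
        lines:
          - set interfaces wireguard wg01 description 'to-gcp'
          - set interfaces wireguard wg01 address '{{ tunnel_local }}'
          - set interfaces wireguard wg01 port '51820'
          - set interfaces wireguard wg01 private-key '{{ wg_private_key }}'
          - set interfaces wireguard wg01 peer gcp public-key '{{ peer_pubkey }}'
          - set interfaces wireguard wg01 peer gcp host-name '{{ peer_fqdn }}'
          - set interfaces wireguard wg01 peer gcp port '51820'
          # keepalive lets the tunnel survive a NAT device in front of this site
          - set interfaces wireguard wg01 peer gcp persistent-keepalive '25'
          # single peer on a point-to-point interface: allow any prefix so that
          # routes learned over BGP can be forwarded into the tunnel
          - set interfaces wireguard wg01 peer gcp allowed-ips '0.0.0.0/0'
      # keep the private key out of the playbook output and logs
      no_log: true

    - name: eBGP session across the tunnel
      vyos.vyos.vyos_config:
        save: true
        lines:
          - set protocols bgp system-as '{{ local_asn }}'
          - set protocols bgp address-family ipv4-unicast network {{ local_lan }}
          - set protocols bgp neighbor {{ tunnel_peer }} description 'gcp'
          - set protocols bgp neighbor {{ tunnel_peer }} remote-as '{{ peer_asn }}'
          - set protocols bgp neighbor {{ tunnel_peer }} password '{{ bgp_password }}'
          - set protocols bgp neighbor {{ tunnel_peer }} address-family ipv4-unicast
      no_log: true
```

Each site gets its own copy of the `vars` block (or a `host_vars` file) with its own ASN, tunnel /30 and LAN prefix, and the same playbook is run against every router, which is what makes the full mesh cheap to maintain. Because the session is eBGP between distinct ASNs, a site that loses a direct tunnel simply prefers the path it still learns via the cloud router's ASN, which is the fall-back behaviour described above.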
I was able to deploy a spiffy MOTD to all of my hosts; you know, important things first.