Home Lab Overview

Infrastructure Components

Network Services

| Hostname    | IP Address | Role                                                          |
|-------------|------------|---------------------------------------------------------------|
| pfsense-01  | 10.50.1.1  | Firewall/Router, DNS (DNS Resolver), DHCP, Inter-VLAN Routing |
| 3560cx-01   | 10.50.1.10 | Wired Access Switch (C3PL IBNS2.0, 802.1X Authenticator)      |
| 9800-wlc-01 | 10.50.1.40 | Wireless Controller (C9800-CL, FlexConnect, CWA)              |

Identity Services

| Hostname    | IP Address | Role                                               |
|-------------|------------|----------------------------------------------------|
| ise-01      | 10.50.1.20 | ISE Primary (Admin, MnT, PSN, pxGrid, ERS/OpenAPI) |
| ise-02      | 10.50.1.21 | ISE Secondary (Admin, MnT, PSN) - Testing/Backup   |
| ipsk-mgr-01 | 10.50.1.30 | iPSK Manager Primary (MySQL, Web UI, ERS API)      |

Supporting Services

| Hostname          | IP Address | Role                                    |
|-------------------|------------|-----------------------------------------|
| dc-01 (home-dc01) | 10.50.1.50 | Domain Controller, AD CS (HOME-ROOT-CA) |
| keycloak-01       | 10.50.1.80 | Identity Provider (SAML SSO)            |

Compute Infrastructure

| Hostname     | IP Address   | Role                                                         |
|--------------|--------------|--------------------------------------------------------------|
| kvm-01       | 10.50.1.99   | KVM Hypervisor (Supermicro E300-9D, hosts ISE VMs)           |
| modestus-p50 | 10.50.40.100 | Linux Test Workstation (ThinkPad P50, Arch Linux, enp0s31f6) |

Network VLANs

| VLAN | Name               | Subnet        | Purpose                              |
|------|--------------------|---------------|--------------------------------------|
| 10   | DATA_VLAN          | 10.50.10.0/24 | Authenticated wired/wireless clients |
| 20   | VOICE_VLAN         | 10.50.20.0/24 | IP Phones (DHCP Option 66)           |
| 30   | GUEST_VLAN         | 10.50.30.0/24 | Guest/unauthenticated (isolated)     |
| 40   | RESEARCH_VLAN      | 10.50.40.0/24 | Research/development workstations    |
| 100  | MANAGEMENT_VLAN    | 10.50.1.0/24  | ISE, Switch, WLC, pfSense, DC        |
| 999  | CRITICAL_AUTH_VLAN | none          | Fallback for authentication failures |

Linux 802.1X testing: Linux workstations authenticating via 802.1X EAP-TLS are assigned to VLAN 40 (RESEARCH_VLAN) using the Linux_EAPTLS_Permit authorization profile.
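
The supplicant side of that note, as an added example rather than the lab's own configuration: a small script that writes the wpa_supplicant network block for wired EAP-TLS on enp0s31f6, enables the Arch per-interface unit, and reports whether the port became authorized. The EAP identity, the certificate paths under /etc/ssl/8021x/ and the ISE EAP server name ise-01.inside.domusdigitalis.dev are assumptions; only the interface name, the hostnames and the HOME-ROOT-CA issuer come from this page.

```shell
#!/usr/bin/env bash
# Added example, not the lab's own tooling: wired 802.1X EAP-TLS supplicant
# setup for the Arch workstation. Certificate paths, the EAP identity and the
# ISE EAP server name are assumptions; adjust them to the real enrolment.

# write_wired_eaptls_conf CONF IDENTITY CA_PEM CLIENT_CRT CLIENT_KEY SERVER_FQDN
# Writes a wpa_supplicant config for a wired interface. Created with mode 0600
# because it names the private key and may later carry private_key_passwd.
write_wired_eaptls_conf() {
    local conf=$1 identity=$2 ca=$3 crt=$4 key=$5 server=$6
    (
        umask 077
        cat > "$conf" <<EOF
ctrl_interface=/run/wpa_supplicant
ctrl_interface_group=wheel
# Wired port: no scanning, and no WPA key handshake once EAP succeeds.
ap_scan=0

network={
    key_mgmt=IEEE8021X
    eap=TLS
    identity="$identity"
    # Trust only the lab root (HOME-ROOT-CA on dc-01), not the system bundle,
    # and require the EAP server certificate to carry the ISE PSN name.
    # Without both constraints the supplicant would complete EAP-TLS against
    # any server certificate it happens to trust, for example one presented
    # by a rogue authenticator on another switch.
    ca_cert="$ca"
    domain_match="$server"
    client_cert="$crt"
    private_key="$key"
    eapol_flags=0
}
EOF
    )
}

# enable_wired_dot1x IFACE: Arch ships wpa_supplicant-wired@.service, which
# runs with -Dwired and reads /etc/wpa_supplicant/wpa_supplicant-wired-IFACE.conf.
enable_wired_dot1x() {
    systemctl enable --now "wpa_supplicant-wired@$1.service"
}

# dot1x_status IFACE: exit 0 once the port is authorized (EAP SUCCESS).
dot1x_status() {
    wpa_cli -i "$1" status | grep -qx 'suppPortStatus=Authorized'
}

# Stand-alone use (as root): ./wired-eaptls.sh --install
if [ "${1:-}" = "--install" ]; then
    iface=enp0s31f6
    write_wired_eaptls_conf "/etc/wpa_supplicant/wpa_supplicant-wired-$iface.conf" \
        "modestus-p50.inside.domusdigitalis.dev" \
        /etc/ssl/8021x/home-root-ca.pem \
        /etc/ssl/8021x/modestus-p50.crt \
        /etc/ssl/8021x/modestus-p50.key \
        "ise-01.inside.domusdigitalis.dev"
    enable_wired_dot1x "$iface"
    if dot1x_status "$iface"; then
        echo "$iface authorized; expect a 10.50.40.0/24 lease (VLAN 40, Linux_EAPTLS_Permit)"
    else
        echo "$iface not authorized yet; inspect with: wpa_cli -i $iface status" >&2
    fi
fi
```

After the unit starts, `wpa_cli -i enp0s31f6 status` should show suppPortStatus=Authorized and the workstation should pick up an address in 10.50.40.0/24; that lease is the observable proof that ISE returned the Linux_EAPTLS_Permit result and the switch moved the port to VLAN 40. The ca_cert and domain_match lines are the ones to keep even when everything else is tuned: they are what stops the client from authenticating to an authenticator that is not the lab's.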

DNS Records

DNS Authority: All DNS is managed by pfSense DNS Resolver (pfsense-01, 10.50.1.1), NOT by the Windows Domain Controller.

Required DNS A records in inside.domusdigitalis.dev zone:

| Hostname          | IP Address   | Purpose                           |
|-------------------|--------------|-----------------------------------|
| pfsense-01        | 10.50.1.1    | Firewall/Router/DNS               |
| 3560cx-01         | 10.50.1.10   | Access Switch                     |
| ise-01            | 10.50.1.20   | ISE Primary                       |
| ise-02            | 10.50.1.21   | ISE Secondary/Testing             |
| ipsk-mgr-01       | 10.50.1.30   | iPSK Manager                      |
| 9800-wlc-01       | 10.50.1.40   | Wireless Controller               |
| dc-01 / home-dc01 | 10.50.1.50   | Domain Controller / AD CS         |
| keycloak-01       | 10.50.1.80   | SAML IdP                          |
| kvm-01            | 10.50.1.99   | KVM Hypervisor                    |
| modestus-p50      | 10.50.40.100 | Linux Workstation (RESEARCH_VLAN) |

Managing DNS (pfSense)

DNS Host Overrides are managed via pfSense:

Web UI Method:

  1. Navigate to Services > DNS Resolver > Host Overrides

  2. Add entries for each host

  3. Click Save then Apply Changes

CLI Method (netapi):

```bash
# List all DNS entries
DSEC_SECURITY_MODE=permissive netapi pfsense dns list

# Add a DNS entry
DSEC_SECURITY_MODE=permissive netapi pfsense dns add \
  --hostname "new-host" \
  --domain "inside.domusdigitalis.dev" \
  --ip "10.50.1.xxx"
```

Verify DNS Resolution

```bash
# Test resolution from Linux workstation
dig +short ise-01.inside.domusdigitalis.dev
dig +short ise-02.inside.domusdigitalis.dev
dig +short dc-01.inside.domusdigitalis.dev
dig +short 3560cx-01.inside.domusdigitalis.dev

# Expected output:
# 10.50.1.20
# 10.50.1.21
# 10.50.1.50
# 10.50.1.10
```

Use netapi pfsense dns list to query all DNS entries from the pfSense API.
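
To run the check above over the whole DNS Records table in one go, and at the same time confirm that each address sits in the subnet the Network VLANs table assigns to it (management hosts in VLAN 100, the Linux workstation in VLAN 40), the following added script, which is not part of the lab's tooling, asks pfsense-01 for each A record and compares. The inventory and VLAN rows are copied from this page; the script name, the --check flag and the RESOLVER variable are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the lab's own tooling: check that every host in the
# inventory resolves (via the pfSense resolver) to its documented address and
# that the address sits in the VLAN subnet the tables assign to it.
# The script name and the --check flag are assumptions; the data is from this page.

DOMAIN="inside.domusdigitalis.dev"
RESOLVER="${RESOLVER:-10.50.1.1}"   # pfsense-01, the DNS authority for the lab

# host, expected A record, expected VLAN (management hosts in 100, the Linux test box in 40)
INVENTORY='
pfsense-01   10.50.1.1     100
3560cx-01    10.50.1.10    100
ise-01       10.50.1.20    100
ise-02       10.50.1.21    100
ipsk-mgr-01  10.50.1.30    100
9800-wlc-01  10.50.1.40    100
dc-01        10.50.1.50    100
home-dc01    10.50.1.50    100
keycloak-01  10.50.1.80    100
kvm-01       10.50.1.99    100
modestus-p50 10.50.40.100  40
'

# VLAN id and subnet. VLAN 999 (CRITICAL_AUTH_VLAN) has no subnet and is left out.
VLANS='
10  10.50.10.0/24
20  10.50.20.0/24
30  10.50.30.0/24
40  10.50.40.0/24
100 10.50.1.0/24
'

# ip_to_int A.B.C.D -> 32-bit integer, using only shell arithmetic.
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr IP NET/BITS -> exit 0 if IP lies inside the prefix (any prefix length).
ip_in_cidr() {
    local ip=$1 net=${2%/*} bits=${2#*/} mask
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# vlan_of_ip IP -> prints the VLAN id whose subnet contains IP, or "none".
vlan_of_ip() {
    local id subnet found
    found=$(echo "$VLANS" | while read -r id subnet; do
        [ -n "$id" ] || continue
        if ip_in_cidr "$1" "$subnet"; then echo "$id"; break; fi
    done)
    echo "${found:-none}"
}

# resolve FQDN -> first A record returned by the pfSense resolver (empty if none).
resolve() {
    dig +short "@$RESOLVER" "$1" A | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | head -n 1
}

# check_host HOST EXPECTED_IP EXPECTED_VLAN -> exit 0 if DNS and VLAN placement both match.
check_host() {
    local fqdn="$1.$DOMAIN" want_ip=$2 want_vlan=$3 got_ip got_vlan rc=0
    got_ip=$(resolve "$fqdn")
    if [ "$got_ip" != "$want_ip" ]; then
        echo "FAIL $fqdn: resolves to '${got_ip:-nothing}', inventory says $want_ip"
        rc=1
    fi
    got_vlan=$(vlan_of_ip "$want_ip")
    if [ "$got_vlan" != "$want_vlan" ]; then
        echo "FAIL $fqdn: $want_ip falls in VLAN $got_vlan, inventory says VLAN $want_vlan"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK   $fqdn -> $want_ip (VLAN $want_vlan)"
    return "$rc"
}

# check_inventory -> exit status is the number of hosts that failed either check.
check_inventory() {
    local host ip vlan failures=0
    while read -r host ip vlan; do
        [ -n "$host" ] || continue
        check_host "$host" "$ip" "$vlan" || failures=$((failures + 1))
    done <<EOF
$INVENTORY
EOF
    return "$failures"
}

# Stand-alone use from the Linux workstation: ./check-inventory.sh --check
if [ "${1:-}" = "--check" ]; then
    check_inventory
fi
```

A non-zero exit is the number of hosts that failed, so the script drops straight into a cron job or a pre-change check before editing host overrides. Because it queries @10.50.1.1 explicitly rather than whatever /etc/resolv.conf points at, it also catches the case where a client has silently picked up the domain controller, or some other server, as its resolver.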