I am running 6 virtual machines on an Intel NUC i3 8th generation system – basically a personal computer – customized with 24GB RAM, one NVMe drive and one SATA SSD. Amazingly, when all 6 virtual machines are powered up, I don’t experience lagginess, i.e. when you hover your mouse (and click/double-click around) on any running virtual machine, it is very responsive – and very stable. Well, it is not a production server and there are no concurrent or external connections/users to strain it, but for homelab purposes it is sufficient.
I live in an apartment and am glad that I found this tiny machine. If you have a house with a basement or some extra space, you have the option to build a low-cost rackmount used Xeon server (or some server PCs). However, if you’re concerned with space, the Intel NUC is a wonder – fast, no moving parts or spinning drives and very quiet; of course it has a fan that cools the processor’s heatsink, but it is still very quiet. It has a PCIe NVMe slot and of course I want to harness its power by running 3 Windows Server 2019 machines off my 250GB drive. NVMe is super fast; it makes serving DNS, DHCP, Group Policy, WDS, WSUS, software deployment and other tests really fast for all my client computers (virtual and not virtual) in my network – well, just my segregated homelab network. Also, ‘Azure AD Connect’ (a Microsoft tool) is running on my main domain controller and syncing with my online Azure Active Directory is a breeze.
As of today my Intel NUC is running the following 6 virtual machines hosted on a VMware ESXi server:
1. On-premise domain controller (my Active Directory, Group Policy, DNS and DHCP),
2. A standalone server (where I run Windows Deployment Services, imaging, pxe boot install etc),
3. Another standalone server (where I run my WSUS, Windows Server Update Services),
4. Windows 10 Pro/Enterprise as a domain member,
5. Windows 10 Pro/Enterprise for my INTUNE Autopilot test purposes, and
6. Windows 10 Pro/Enterprise for my INTUNE Apps, various policies (App protection, Group Policies, etc.).
To augment my storage requirement, I added a Network Attached Storage (NAS). I opted for Synology and it was pretty straightforward adding a datastore to my ESXi server – you just have to enable the NFS file system and allow/add permissions to the shared folder(s) where the virtual machine files will reside – plus the RAID 1 feature adds a level of confidence that I have a backup/mirror of some important stuff.
For my routing, I opted to use a Ubiquiti EdgeRouter 4. I would say it is an industrial-grade type of router, and a rack-mount kit is available when purchasing it. To start with, you will have to enable ‘Bridging’ on your ISP-provided device – a feature that turns off the router functionality of the gateway. The ISP-provided device is normally a bundled device – modem, router, wifi and switch. I don’t want to use these. I want to obtain my network settings from my ISP through my EdgeRouter setup, where I get a plethora of controls – my own subinterfaces for my VLANs, my own wifi access point, NAT, firewall, DHCP, DNS, CLI, SSH, load balancing from 2 providers, etc. Also, you have a Traffic Analysis tab to check what a user/subnet/app/IoT device is streaming or where in the outside world it is connecting, and you can control/restrict any machine/subnet through its built-in QoS service tab. Really an awesome machine!
I didn’t bother to install a hardware firewall – kind of overkill on my home network. I am content with the built-in one. I recommend leaving the default firewall ON when you initially do the setup. This will create 2 firewall policies with the names WAN_IN and WAN_LOCAL. This is a ‘Stateful Firewall’ – essentially, it examines the data packets that come in and compares them against those that went out (or against an already existing connection), and if they are associated, the flow of traffic is allowed. You can go around and check how the rulesets are created, but I suggest not modifying/editing them.
I am a bit restrictive on my computers and devices, and I created additional firewall policies: Guest, Home (my private one) and IoT. To summarize, these mean that my ‘IoT’ network cannot read/access either the Home or Guest networks; ‘Guest’ cannot access my Home network (I don’t want my visitors poking around my 192.168.60.0 network) but can access my IoT devices (i.e. they might want to use my printer or show some pics on my Alexa device); lastly ‘Home’ has read/access to both Guest and IoT.
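As an added example that is not part of the original post, the following Python models the three-zone policy just described on top of the stateful behaviour of the EdgeRouter firewall: new connections are allowed only in the listed directions, replies to allowed flows are accepted, and everything else is dropped. The Home subnet 192.168.60.0/24 is from the post; the Guest and IoT subnets and the sample flows are constructed assumptions.

```python
import ipaddress

# Zone subnets: Home is from the post; Guest and IoT are assumed values.
ZONES = {
    "home": ipaddress.ip_network("192.168.60.0/24"),
    "guest": ipaddress.ip_network("192.168.70.0/24"),  # assumed
    "iot": ipaddress.ip_network("192.168.80.0/24"),    # assumed
}

# Directions in which a NEW connection may cross the router. Any pair not
# listed falls through to the default-action drop, as the post describes:
# IoT reaches neither Home nor Guest, Guest reaches only IoT, Home reaches both.
ALLOW_NEW = {("home", "guest"), ("home", "iot"), ("guest", "iot")}

def zone_of(ip):
    """Map an address to its zone name, or None if it is in no known VLAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def decide(src_ip, dst_ip, state):
    """Verdict ('accept'/'drop') for one packet. 'state' is the conntrack
    state the stateful firewall already assigned: new, established or related."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "drop"
    if src == dst:
        return "accept"  # same VLAN: never routed, so no inter-zone rule applies
    if state in ("established", "related"):
        return "accept"  # reply or related traffic of a flow that was allowed
    if state == "new" and (src, dst) in ALLOW_NEW:
        return "accept"
    return "drop"

if __name__ == "__main__":
    # Constructed sample flows: a guest phone printing to an IoT printer and
    # the printer's reply, an IoT camera probing Home, Home reaching Guest,
    # and a guest probing Home.
    sample = [
        ("192.168.70.10", "192.168.80.5", "new"),
        ("192.168.80.5", "192.168.70.10", "established"),
        ("192.168.80.20", "192.168.60.15", "new"),
        ("192.168.60.15", "192.168.70.10", "new"),
        ("192.168.70.10", "192.168.60.15", "new"),
    ]
    for src, dst, state in sample:
        print(f"{src:>14} -> {dst:<14} {state:<11} {decide(src, dst, state)}")
```

Running it shows the guest-to-printer flow and its reply accepted while the IoT-to-Home and Guest-to-Home attempts are dropped, which is the quick sanity check worth doing before trusting any new ruleset.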
VPN connection from my router to Azure VNET. Back to my EdgeRouter: it is a vendor hardware-validated VPN device, i.e. one trusted by Microsoft. This means there is already a configuration script generated by Azure (while setting up) that you can download and run on your EdgeRouter to establish an IPsec VPN – you do this by going to your router’s CLI or over SSH from a command prompt or PowerShell. Make sure to check the parameters of the downloaded script file before running it. To configure the Site-to-Site VPN connection, just follow Microsoft’s link here. For other VPN hardware, or if you prefer a different one, you can check by going to this link.
After you run the script on your router, don’t forget to verify a successful connection. You should see a status of ‘Connected’ under your Azure Settings/Connections. I prefer to do a ping and tracert (or PathPing) to verify the connection. When you check further on your router’s UX Dashboard tab, you should see a connection interface ‘vti0’ with connection type ‘vti’, created or filled in when you executed the script file. Check the VPN tab as well: you should see an IPsec Site-to-Site subtab with its fields filled in with the IPs and the pre-shared key.
Note that if you leave the above Azure site-to-site resources running, it will cost you. I left mine on for a few hours and it incurred extra charges of about $1.80. I am guessing it would be the cost of creating the Internet-facing IP address for the Azure VPN gateway. I won’t be using these resources, so I deleted them.
Azure VNET – a network instance or address space on Microsoft’s cloud. My address space or network address in CIDR notation is 10.1.0.0/16. The screenshot below shows the 5 subnets I created. The GatewaySubnet 10.1.96.0/27 was part of the Site-to-Site connection I did, and I am not removing it or any extra subnets as they do not actually cost extra on my Azure bill. I want to leave them handy in case of any future tests I will be doing. Also, creating VNETs doesn’t really cost anything; it is only when you create VMs, as those require resources like storage, memory or a public IP address. If you noticed, the Azure host I pinged and traced above, 10.1.0.4, is part of my first subnet, mysubnet01. That’s the private IP address of the WordPress site I created, where I am hosting this article.
For my switching, I am using a managed D-Link DGS 1100-08. A used Cisco 2960 would have been nice while I refresh my CCNA, but I think I will hold off and document that in another article. At this point, I just need 802.1Q trunking and VLANs. Below, on my D-Link interface screenshot, you’ll see Untagged Ports and Tagged Ports, which correspond to what Cisco calls Access Ports and Trunk Ports, respectively, in case you get confused.
macOS Big Sur running on VMware Workstation 16 Pro. Later I will be needing a Mac computer – well, just a virtual one – to test as one of my devices enrolled in Intune (Endpoint Manager). It is cool to know how Mac computers are managed remotely, like how apps are deployed or uninstalled. First, I’ll need a PC to start with – an HP EliteDesk 800 – an older PC model to bring my cost down. I want to take advantage of this multi-core processor machine, throwing in 16GB of RAM and of course SSD storage, then install Workstation 16 Pro, run macOS Big Sur on top of it and voila! I have a Mac computer. It is also on this base PC where I sit and run a browser to access and manage my Intel NUC and all my virtual machines, as well as my switch, router, wifi access point, Synology NAS and Raspberry Pi 4.
Once your macOS device is enrolled in Intune, managing it is pretty straightforward. You will have full control if the enrollment method is Corporate (not Personal), i.e. the company owns the device. Info, documentation and how-tos are available on Microsoft Docs. One of the many tasks you will surely be carrying out is delivering applications to user devices, i.e. Mac computers, iPhones, PCs, tablets or Android devices. If you are still on Active Directory, this is done through Software Deployment under Group Policy. On Microsoft Intune, it is all in the cloud.
It is not fun if you don’t have different devices to play with. Aside from my virtual machines, I enrolled a couple of PC users at my home, and of course I needed to test a full Windows Autopilot enrollment using another spare computer I had. A typical Autopilot scenario is that you ship a prepped computer, or even a brand-new OEM one (with its hardware ID already imported into Intune), to your new user/employee, then create their email and assign a profile. Later you let this user power on the PC and follow the prompts, and everything is done on the fly based on the profile you created. It is a super cool, fast and seamless way to get your user(s) up and running. I also had a couple of Android cellphones and enrolled them too.
For helpdesks, it’s a plus if the ‘TeamViewer connector’ is configured/enabled. It is a feature baked into Intune – you can find it under Tenant administration -> Connectors and tokens. TeamViewer is very useful when there is a user problem you can’t figure out, the user isn’t that savvy and you need to hop onto his/her desktop or Mac.
For my wireless access point, I installed a TP-Link EAP225 AC1350 – the main features I like: PoE, Captive Portal, VLAN support, and it is fast on both the 2.4 and 5GHz bands. It looks good on my ceiling and I didn’t have to worry about a power outlet.
I’m also running Apache2 on Debian on a Raspberry Pi with a hosted clone of my WordPress site – of course on its own separate network – and you could be viewing this site off my home webserver. It is fun modifying my DNS zone to point to my homeserver host, and fun testing port forwarding on my router. Well, that is breaking, fixing and experimenting with things on a home lab… and learning, of course.