[{"content":"There's a point every IT professional reaches where the home network becomes an embarrassment. You spend your days designing resilient, segmented, secure infrastructure for clients or employers, then you come home to a single flat network where your smart bulbs live alongside your workstation, your NAS, and your Hi-Fi system. Everything on the same broadcast domain. No segmentation. No visibility. Just trust and hope.\nThat was my situation. This is the story of how I fixed it.\nThe Problem With “Good Enough”\nMy previous setup was functional. Internet came in, devices connected, things worked. But as a cybersecurity professional, I knew exactly how much was wrong with it. IoT devices with unknown firmware sharing a network with production machines. No guest isolation. No traffic visibility. A consumer router doing its best but fundamentally unable to provide the kind of control I wanted.\nThe specific triggers that pushed me to rebuild:\nIoT proliferation — smart cameras, smart bulbs, and IR controllers had accumulated over the years. These devices have notoriously poor security hygiene. They didn't belong anywhere near my workstations.\nHi-Fi audio — I run a dedicated audio setup with a Roon music server and a high-end network streamer. I wanted that traffic isolated from general network noise, with controlled access from specific devices only.\nGuest access — having visitors connect to the same network as everything else was not acceptable.\nNo management plane — I had no dedicated out-of-band management network, meaning any compromise of a user device could potentially reach network infrastructure.\nThe Architecture Decision\nI decided on a VLAN-based segmentation model with five distinct network zones:\nManagement — a completely isolated segment for network infrastructure devices only. No user devices, no automation, no guests. Access strictly from designated workstations.\nWorkspace — the primary trusted network for computers, phones, and personal devices. Full internet access, cross-zone access to the audio network for music control.\nHi-Fi Audio — an isolated segment for the music server and DAC/streamer. No internet access initiated from within this zone. Receives music control connections from the workspace zone only.\nSmart Home / IoT — completely isolated from everything else. Internet access only, no cross-zone visibility. All cameras, bulbs, and automation devices live here.\nGuest — isolated internet access for visitors. More on the authentication model below.\nThe Hardware\nFor the core router and firewall I chose a MikroTik L009, a compact but capable device running RouterOS. MikroTik's reputation in the prosumer and enterprise space is well earned — the firewall capabilities, routing flexibility, and VLAN support are genuinely enterprise-grade at a fraction of the cost of comparable Cisco or Juniper hardware. The learning curve is steep, but the control it gives you is unmatched.\nFor wireless, I deployed a UniFi U6 LR access point managed by a self-hosted UniFi controller running on a Raspberry Pi 3B. The UniFi ecosystem provides excellent visibility into wireless clients, clean SSID-to-VLAN mapping, and a polished management interface. Running the controller locally rather than in the cloud keeps everything under my control.\nThe Pi3 runs the controller and its database in Docker containers — a deliberate choice to keep the stack portable and easy to back up.\nEliminating Cloud Dependencies\nOne of my core requirements for this rebuild was minimising cloud dependencies for critical infrastructure. A network controller that requires internet connectivity to function is a liability — if your WAN goes down, you lose the ability to manage your own network.\nThe UniFi controller was initially configured to use a cloud-hosted database. I migrated this to a local MongoDB instance running on the same Pi3. The difference was immediately noticeable — the controller interface became significantly faster, and more importantly, it now operates completely independently of any external service.\nThe same philosophy applies to DNS. Internal name resolution runs on the MikroTik itself, with a full set of local hostnames for every infrastructure device. No dependency on external resolvers for internal traffic.\nGuest Network Authentication\nRather than a simple pre-shared key for guests, I implemented WPA2/WPA3 Enterprise authentication using PEAP/MSCHAPv2. The RADIUS server runs natively on the MikroTik using its built-in User Manager package.\nWhat this gives me:\nPer-user credentials — each guest gets their own username and password rather than sharing a network key\nFull session logging — I can see exactly who connected, when, for how long, and how much data they used\nInstant revocation — disabling a user account immediately prevents reconnection\nCross-platform compatibility — PEAP/MSCHAPv2 works natively on iOS, Android, macOS, and Windows without any additional configuration\nThe certificates are self-signed and managed locally. Guests encounter a one-time certificate trust prompt on first connection — a minor friction point that I consider an acceptable trade-off for proper authentication.\nThe Audio Network\nThe Hi-Fi segment required some careful thought. Roon — the music management and playback software I use — relies on mDNS for device discovery across the network. By design, mDNS doesn't cross VLAN boundaries.\nThe solution was to use MikroTik's native mDNS repeater to selectively bridge discovery traffic between the workspace and audio VLANs, while maintaining full traffic isolation between them. The result: music control from any device on the workspace network, with no other cross-zone visibility.\nRoon's remote access feature (Roon ARC) is configured for both IPv4 and IPv6, giving me full-quality playback anywhere in the world without any third-party relay service.\nIPv6\nThe network runs full dual-stack IPv6 using a delegated prefix from my ISP. Each VLAN gets its own /64 subnet with SLAAC addressing. The IPv6 firewall mirrors the IPv4 policy — stateful inspection, default deny on unsolicited inbound, inter-VLAN isolation enforced at both protocol layers.\nThis matters more than people realise. A network with solid IPv4 security but no IPv6 firewall is not a secure network — it's a network with a large unguarded door.\nWhat I Learned\nA few things worth noting for anyone considering a similar project:\nMikroTik's VLAN implementation rewards patience. The bridge-based VLAN filtering model is powerful but counterintuitive if you're coming from a Cisco or consumer router background. Getting the port-to-VLAN mapping right, especially for trunk ports carrying multiple tagged VLANs, requires careful planning before touching anything.\nDocker on a Pi3 is viable but needs tuning. Running a Java application and a database on 1GB of RAM requires careful heap and cache size configuration. Out-of-the-box defaults will consume all available memory and spill into swap. With proper tuning, the system runs comfortably with headroom to spare.\nmDNS across VLANs is a solved problem, but the solution isn't obvious. There are multiple approaches — proxy ARP, dedicated mDNS reflectors, and native router support. The cleanest solution depends entirely on what your router supports. Test before assuming anything works.\nEnterprise authentication on a home guest network is not overkill. The complexity of setting up RADIUS and issuing per-user credentials is genuinely low once the infrastructure is in place. The visibility and control it provides is worth it, especially if you work in security and should know better.\nWhat's Next\nThe network is stable and production-ready, but a home lab is never truly finished. On the roadmap:\nA Proxmox-based home lab node to run virtual machines for testing — a proper environment for safely testing firewall changes, new services, and security research without touching production infrastructure.\nA NAS replacement with proper Docker support and 10GbE connectivity, to finally retire a decade-old unit that has served its time.\nEventually, a WiFi 7 access point upgrade. The current hardware is WiFi 6 only, and while it performs well, the newer generation's multi-link operation and 6 GHz support would be a meaningful improvement.\nThe rebuild took considerably longer than a weekend. It required planning, patience, more than a few late nights, and a genuine willingness to read documentation. But the result is a network I can be genuinely proud of — one that I'd be comfortable deploying in a professional context, running at home.\nFor anyone in IT considering the same: the tools to build a proper home network are more accessible and affordable than ever. You really don't have an excuse.\nHardware Used\nIf you want to replicate this setup, here's everything used in this build with links to purchase:\nDevice | Role | Buy\nMikroTik L009UiGS-2HaxD-IN | Core router & firewall | Amazon\nUbiquiti UniFi U6 LR | WiFi 6 access point | Amazon\nRaspberry Pi 3 Model B+ | UniFi controller & Docker host | Amazon\nNetgear ProSafe Plus GS105E | 5-port managed switch | Amazon\nNote: The MikroTik L009 is the indoor version with built-in WiFi. If you don't need the wireless radio, the L009UiGS-RM rack-mount version is slightly cheaper. 
For the UniFi controller, any Raspberry Pi 3B or newer will work — or you can run it as a Docker container on any Linux machine.\nOsvaldo de Sousa is a cybersecurity analyst based in Maputo, Mozambique. This post is part of an ongoing series on home infrastructure and security.\n","permalink":"https://osousa.com/posts/home-network-rebuild/","summary":"<p>There's a point every IT professional reaches where the home network becomes an embarrassment. You spend your days designing resilient, segmented, secure infrastructure for clients or employers, then you come home to a single flat network where your smart bulbs live alongside your workstation, your NAS, and your Hi-Fi system. Everything on the same broadcast domain. No segmentation. No visibility. Just trust and hope.</p>\n<p>That was my situation. This is the story of how I fixed it.</p>","title":"From Consumer Router to Enterprise-Grade Home Network — A Complete Rebuild"},{"content":"This is the beginning of osousa.com — my personal space to write about cybersecurity, networking, and whatever I happen to be learning or working on.\nI'm a Cybersecurity Analyst based in Mozambique, currently working at Hidroeléctrica de Cahora Bassa. After 20 years in IT across systems analysis, networking, and service desk management, I've recently moved fully into security — and there's always something new to learn, document, and share.\nWhat to expect here\nWriteups on security topics, tools, and techniques\nNotes from training and certifications\nObservations from working in security within critical infrastructure\nThe occasional post on networking, Linux, or systems\nNo ads, no tracking, no fluff. Just notes from the field.\n","permalink":"https://osousa.com/posts/hello-world/","summary":"<p>This is the beginning of osousa.com — my personal space to write about cybersecurity,\nnetworking, and whatever I happen to be learning or working on.</p>\n<p>I'm a Cybersecurity Analyst based in Mozambique, currently working at Hidroeléctrica\nde Cahora Bassa. After 20 years in IT across systems analysis, networking, and service\ndesk management, I've recently moved fully into security — and there's always something\nnew to learn, document, and share.</p>\n<h2 id=\"what-to-expect-here\">What to expect here</h2>\n<ul>\n<li>Writeups on security topics, tools, and techniques</li>\n<li>Notes from training and certifications</li>\n<li>Observations from working in security within critical infrastructure</li>\n<li>The occasional post on networking, Linux, or systems</li>\n</ul>\n<p>No ads, no tracking, no fluff. Just notes from the field.</p>","title":"Hello World"},{"content":"Hi, I'm Osvaldo\nI'm a Mozambican IT professional with over 20 years of experience, currently working as a Cybersecurity Analyst at Hidroeléctrica de Cahora Bassa (HCB) — one of Africa's largest hydroelectric power plants. My career has taken me through systems analysis, networking, service desk management, and now security operations in critical infrastructure.\nI'm based between Songo, Tete and Maputo, Mozambique, and I write here about infosec, networking, homelabs, and whatever I happen to be learning or breaking at any given moment.\nWho I Am Outside Work\nPhotography\nI shoot with an Olympus OM-D E-M10 Mark II and a 12-40mm f/2.8 Pro lens. I'm drawn to portraits and available light situations. 
Photography and security share more than people think — both reward patience and attention to detail.\nHi-Fi Audio & Acoustics\nI run a serious dedicated audio system — Naim amplification, Dynaudio Heritage Specials, REL subs, and a Holo Audio R2R DAC fed by a Roon ROCK server. All on its own isolated VLAN. Full details on the Hi-Fi page.\nHome Lab\nMy home network is a project that never ends. MikroTik, UniFi, Raspberry Pi, Docker. Currently planning a Proxmox node for security research and testing.\nFootball\nManchester United supporter. Results not always matching expectations, but loyalty is unconditional.\nFamily\nProud father to Nowa.\nLanguages\nPortuguese — Native\nEnglish — Fluent\nCareer Timeline\n2024 — Present · Cyber Security Analyst\nHidroeléctrica de Cahora Bassa · Songo, Tete\nSecurity operations, incident handling, threat monitoring and response in a critical infrastructure environment.\n2014 — 2024 · Systems Analyst\nHidroeléctrica de Cahora Bassa · Songo, Tete\nOver a decade supporting the operational and business technology needs of HCB across systems, infrastructure, and integrations.\n2012 — 2013 · Analyst Programmer\nHidroeléctrica de Cahora Bassa · Songo, Tete\n2006 — 2012 · IT Area Responsible MZ & SA\nGrupo Pestana · Mozambique & South Africa\nManaged IT operations across Mozambique and South Africa for one of Portugal's largest hospitality groups.\n2011 — 2012 · Administrator\nNetop Lda. · Maputo\n2005 — 2006 · Director\nIT&Dreams, Lda\nCertifications\nCertification | Issuer\nGIAC Security Essentials (GSEC) | GIAC / SANS\nGIAC Security Operations Certified (GSOC) | GIAC / SANS\nCisco CCNA | ISCTEM Cisco CCNA Academy\nD-Link Certified Engineer | D-Link Academy South Africa\nTraining\nCourse | Code\nHacker Tools, Techniques & Incident Handling (GCIH) | SEC504\nSecurity Essentials: Network, Endpoint and Cloud | SEC401\nSOC Analyst Training — Applied Skills for Cyber Defense | SEC450\nRed Hat System Administration I — RHEL 8 | RH124\nRed Hat System Administration II — RHEL 8 | RH134\nRed Hat System Administration III: Linux Automation | —\nHP Data Protector | —\nHPE 3Par Storage Administration | —\nHPE Blade System Administration | —\nVMware vSphere | —\nMicrosoft Windows Server 2012 R2 | —\nITIL | —\nTechnical Skills\nSecurity: Cybersecurity · SOC · Incident Response · Malware Analysis · Web Application Security · Vulnerability Management · Network Security · Linux Security · Windows Security · Cyber Defense · Access Control · Security Policy\nNetworking: TCP/IP · CCNA · Cisco Technologies · Routing · OSPF · Switches · LAN · VPN · DNS · Network Administration\nSystems & Infrastructure: Linux · RHEL · Windows Server · Active Directory · VMware · Virtualization · Mac OS · HPE Systems · System Administration\nDevelopment & Databases: Web Development · PHP · Microsoft SQL Server\nManagement: IT Management · Service Desk Management · ITIL · Troubleshooting · IT Operations\nRecognition\n🏆 Ambassador of Innovation — Hidroeléctrica de Cahora Bassa\nComputer Setup\nComponent | Spec | Link\nComputer | Apple Mac Studio M1 Ultra · 20-core CPU · 48-core GPU · 64GB RAM · 1TB SSD | Apple\nOS | macOS Tahoe 26.5.1 | —\nMonitor | LG 32UN880-B 32\" UltraFine 4K Ergo | Amazon\nMouse | Logitech MX Master 4 | Amazon\nKeyboard | HHKB Pro Hybrid Type-S | Amazon\nDAC | Holo Audio Cyan 2 · R2R · DSD1024 | Kitsune HiFi\nExternal SSD 1 | Samsung 970 EVO Plus 1TB · Fledging Thunderbolt enclosure | Amazon\nExternal SSD 2 | Samsung PSSD T7 Touch 1TB | —\nNAS | Synology DiskStation DS213+ · 1TB Samsung 860 EVO | —\nFeel free to connect with me on LinkedIn — or if you prefer, use the contact form to send me a message directly.\n","permalink":"https://osousa.com/about/","summary":"About Osvaldo de Sousa","title":"About"},{"content":"","permalink":"https://osousa.com/contact/","summary":"Contact Osvaldo de Sousa","title":"Contact"},{"content":"Music is serious business here. This page documents the system I've built over the years — sources, amplification, speakers, cables, and the network infrastructure that ties it all together.\nSignal Chain\nRoon ROCK (Intel NUC)\n↓\nMac Studio M1 Ultra (Roon endpoint or direct playback)\nor Holo Audio RED (DDC/Streamer as Roon endpoint)\n↓\nHolo Audio Cyan 2 (DAC)\n↓\nNaim NAC 282 powered by TeddyCap SE + NAPSC\n↓\nNaim NAP 250DR\n↓\nDynaudio Heritage Special + Pair of REL S/510\nSpeakers\nComponent | Details | Link\nLoudspeakers | Dynaudio Heritage Special · Limited edition · Pair 0521 of 2500 · IsoAcoustics Gaia 3 | Dynaudio\nSubwoofers\nComponent | Details | Link\nSubwoofers | REL S/510 × 2 · High-level Neutrik Speakon input | REL\nDAC & Streamer\nComponent | Details | Link\nDAC | Holo Audio Cyan 2 · R2R discrete ladder · DSD1024 · NOS | Kitsune HiFi\nDDC & Streamer | Holo Audio RED · Roon Ready · DSD512 · I2S/SPDIF/AES/BNC output | Kitsune HiFi\nAmplification\nComponent | Details | Link\nPreamplifier | Naim NAC 282 | Naim Audio\nPreamp PSU | TeddyCap SE + NAPSC | Teddy Pardo\nPower Amplifier | Naim NAP 250DR | Naim Audio\nSource & Digital\nComponent | Details | Link\nRoon Core | Intel NUC running Roon ROCK · 4TB Samsung SSD on OWC Express 1M2 USB4 enclosure | OWC Enclosure\nDDC & Streamer | Holo Audio RED · Roon Ready · DSD512 · I2S/SPDIF/AES output | Kitsune HiFi\nRoon Endpoint | Mac Studio M1 Ultra via USB | Apple\nCables\nConnection | Cable\nMac Studio → DAC | Wireworld Ultraviolet 8 USB A to B\nStreamer → DAC | Mogami 2964 Digital Coaxial 75Ω BNC\nDAC → Preamp | CHC Blue RCA to DIN\nPreamp → Amp | CHC Blue DIN to 250 XLR\nAmp → Speakers | Witch Hat Phantom 6m · Bananas/Bananas (company closed)\nSpeakers → Subs | Van Damme · Neutrik to Spades\nNetwork\nThe Hi-Fi system runs on a dedicated isolated VLAN with no internet access initiated from within the zone. The Roon core communicates with endpoints across VLANs via selective mDNS forwarding on the MikroTik router. Roon ARC is configured for remote access over both IPv4 and IPv6.\nRead more about the network setup in this post.\nSoftware\nRoon — music management, DSP, and endpoint control\nRoon ARC — remote playback anywhere in the world\n","permalink":"https://osousa.com/hifi/","summary":"Osvaldo de Sousa's Hi-Fi system","title":"Hi-Fi"}]