The Network


  • Modem: Netgear CM500-100NAS
  • Router: TP-Link TL-R605
  • Switch: TP-Link TL-SG2008P
  • Access Point: TP-Link EAP225
  • Omada Controller for centralized configuration


  1. ISP provides internet to the modem.
  2. Ethernet between the modem and the first port on the router.
  3. Last port on the router passes to the first port on the switch.
  4. The Wi-Fi access point connects to one of ports 2, 3, or 4 on the switch.
    • Ports 2, 3, and 4 on the switch provide Power over Ethernet


Data Flow

Prerequisite: DNS is set dynamically via Cloudflare API.

  1. Incoming traffic arrives via the modem to the router.
    • If the port is open, data flows to the next step.
    • If the port is closed, the packet is silently dropped like a hole in the internet.
  2. Almost all open ports are passed to the HAProxy VIP (see HAProxy Stack).
    • The rare exceptions are a few game services, which are forwarded directly to the host running the game.
  3. The HAProxy instance that receives the traffic directs it based on the request:
    • Non-secure traffic is redirected to HTTPS
    • HTTPS traffic passes through a series of ACLs
      • Security ACLs drop traffic like a hole in the internet.
      • Matching allowed traffic is passed to the appropriate backend.
      • Traffic that does not match a rule is sent to a default backend, which returns a 404.
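
The step 3 behaviour as an HAProxy frontend, written here as an added example rather than the configuration actually running in this network. The hostnames, LAN ranges, backend addresses and certificate path are placeholders; the "security ACL" rules (unexpected methods, an admin path reached from outside the LAN) are illustrative and would be replaced by whatever the real stack blocks.

```haproxy
defaults
    mode http
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend public
    bind :80
    # Placeholder certificate directory; HAProxy loads every cert in it.
    bind :443 ssl crt /etc/haproxy/certs/

    # Step 3a: anything that did not arrive over TLS is redirected to HTTPS.
    http-request redirect scheme https code 301 unless { ssl_fc }

    # Step 3b, security ACLs. silent-drop closes the connection without
    # sending a RST or any HTTP response, so the client just times out
    # (the "hole in the internet"). Ranges and paths are examples only.
    acl from_lan   src 192.168.0.0/16 10.0.0.0/8
    acl admin_path path_beg -i /admin
    acl odd_method method TRACE CONNECT
    http-request silent-drop if odd_method
    http-request silent-drop if admin_path !from_lan

    # Step 3c, routing ACLs: match on the Host header and pick a backend.
    acl host_blog req.hdr(host) -i blog.example.com
    acl host_git  req.hdr(host) -i git.example.com
    use_backend blog_servers if host_blog
    use_backend git_servers  if host_git

    # Step 3d: no rule matched, so the request goes to the 404 backend.
    default_backend not_found

backend blog_servers
    server blog1 192.168.10.21:8080 check   # placeholder host

backend git_servers
    server git1 192.168.10.22:3000 check    # placeholder host

backend not_found
    # Answer 404 to everything; no servers are defined, so nothing is
    # proxied and unknown hostnames learn nothing about what exists.
    http-request deny deny_status 404
```

Because the default backend is a flat 404 rather than a catch-all server, a request to a hostname that is not explicitly routed gets the same answer as a request for a non-existent page, which keeps scanners from enumerating services by Host header.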