BMC Primary

The Need for A Home Setup

Putting together a home work environment has been an evolving project as the pandemic continues and working from home has shifted toward a potential long-term situation.

Our Company Policy

As the pandemic stretches on, ground rules are starting to shift. Most IT departments are now pushing away from VPN/RDP solutions and toward a more secure and isolated work environment. Our company chose a secure VPN NetGate peripheral box, and moved most employees to laptops. Only work-related systems should be connected to the NetGate, with no bridging allowed.

Docking Considerations

At work, a USB-C dock is provided. The one connection supplies power, RJ45 network, multiple displays (2x DPort), audio, USB devices, and memory card readers. The RJ45 also does seamless MAC emulation with the laptop, which is a nice touch.

For home, the dock requirements will differ per person. While IT had some docks available, none were a good fit based on my display requirements. I wound up purchasing my own dock (on sale at the time), with all of the noted capabilities of the work dock, substituting HDMI for DPort connections. The low-ish cost and compatibility with several other devices I already have made it a reasonable home purchase.

Local Network

I already had a somewhat complex home network. Work simply added a third isolated LAN.

  1. The primary LAN uses an OpenWRT router, which allows devices to see each other and the internet, behaving as what most would consider a typical home router. Common use systems like laptops, cell phones, printers, and the like live here.
  2. The IoT LAN is for home automation devices and less trusted devices that I prefer have no internet (or even LAN) access. An isolated OpenWRT router runs this network, with device to device isolation enabled for all but a few devices (Alexa). Here you will find the Zigbee gateway, light switches, cameras, and more.
  3. The Gatekeeper is a Linux based system that isolates the IoT LAN and primary LAN, allowing only specific devices to access very specific internet sites/ports. This device is also home to software services like home automation, alarm & power monitoring, media streaming, file serving, cloud backup tools, and the like. Gatekeeper, the cameras, and other devices have a long-run battery backup system.
  4. The work LAN is created by the NetGate, which attaches off the primary LAN. A dumb network switch connects all work devices to this LAN, including the work laptop, work phone(s), and misc other work related devices.
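The Gatekeeper's job of letting only specific IoT devices reach specific internet hosts and ports, shown as an added nftables ruleset that is not the author's configuration. It assumes interface names iot0, lan0 and wan0, the addresses 192.168.20.15 (a Zigbee gateway) and 203.0.113.10 (its update host), and the service ports 22, 8123 and 1883 on the Gatekeeper itself; all of these are placeholders.

```nftables
#!/usr/sbin/nft -f
# Added example, not the Gatekeeper's real ruleset. Interface names,
# addresses and ports are assumed placeholders.
flush ruleset

table inet gatekeeper {
    # Per-device allowlist: each set holds one address so more can be added later.
    set zigbee_gw          { type ipv4_addr; elements = { 192.168.20.15 } }
    set zigbee_update_host { type ipv4_addr; elements = { 203.0.113.10 } }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Return traffic for connections opened from an allowed side.
        ct state established,related accept
        ct state invalid drop

        # Primary LAN may reach IoT devices (e.g. to view cameras); the
        # reverse direction is never accepted, so IoT cannot reach the LAN.
        iifname "lan0" oifname "iot0" accept

        # Exactly one IoT device may reach exactly one host on one port.
        iifname "iot0" oifname "wan0" ip saddr @zigbee_gw \
            ip daddr @zigbee_update_host tcp dport 443 accept

        # Anything else leaving the IoT LAN is logged (rate limited) and then
        # dropped by the chain policy, so a device that starts phoning home
        # shows up in the journal instead of silently disappearing.
        iifname "iot0" limit rate 10/minute log prefix "iot-denied: "
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept

        # Services hosted on Gatekeeper itself (assumed ports): the primary
        # LAN gets SSH and the automation UI, IoT devices only the MQTT broker.
        iifname "lan0" tcp dport { 22, 8123 } accept
        iifname "iot0" tcp dport 1883 accept
        iifname "iot0" limit rate 10/minute log prefix "iot-input-denied: "
    }
}
```

Load with `nft -f` and watch the kernel log for the `iot-denied:` prefix to spot devices attempting connections outside their allowlist.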

[Image: network layout diagram, made in DrawIO (app.diagrams.net)]

Display and KVM usage

The desire from IT is to keep these networks/systems isolated, specifically to not have home systems accessing work networks. Until the push to separate, my home system was using OVPN/RDP to connect (on 2 monitors), providing some level of separation and a unified display/input system. I wanted something close to that for long term usage, while working within IT's guidelines. To accomplish this, I have two sets of tools that create a relatively seamless KVM style system.

Video Setup

My home system has an NVS-510 with four DPort outputs, one for each monitor. (Yes, I have four monitors.) Via the port extender (mentioned above), the laptop now has two HDMI connections, which are hooked to the two monitors I used to use for RDP. When I want to toggle video from home to work or back, I use a tool called Control My Monitor via a batch script (see below). The script/tool instructs the monitors to toggle inputs between DPort and HDMI. The laptop display is also open, providing a third/side monitor for work. I have a similar script for the upper display for accessing Junker, but that's rarely used, since its primary interface is via web.

WorkSwitch.bat
REM Toggle monitors 3/4 between DPORT (15) and HDMI (17) input (VCP code 60 = input select).
SET /A a = 15
REM /GetValue reports the monitor's current value in the exit code (%errorlevel%).
ControlMyMonitor.exe /GetValue "\\.\DISPLAY3\Monitor0" 60
REM If monitor 3 is currently on DPORT, switch both to HDMI; otherwise back to DPORT.
if %errorlevel%==15 ( SET /A a = 17 )

ControlMyMonitor.exe /SetValue "\\.\DISPLAY4\Monitor0" 60 %a%
ControlMyMonitor.exe /SetValue "\\.\DISPLAY3\Monitor0" 60 %a%

Keyboard and Mouse

With video switching handled, the other half of the battle is mouse and keyboard input. For this I wound up getting an M720 and an MK850. Both use wireless Bluetooth technology, and handle up to three “profiles” or machines. Together with Logitech Flow, these allow seamless transition from one system to another, similar to the RDP environment. Even without Flow, each device has a way to pair with and switch between systems independently as needed.