
Networking & Security

The homelab network is designed with enterprise principles: segmentation for security, redundancy for reliability, and automation for management. The architecture combines VLAN isolation, advanced DNS filtering, and comprehensive IPAM/discovery tools.

Network Architecture

VLAN Segmentation

Network traffic is isolated into dedicated VLANs for security and performance:

VLAN      Purpose       Key Services
VLAN 10   Management    Proxmox, TrueNAS, switch management
VLAN 20   Servers       Application VMs, Docker hosts
VLAN 30   IoT Devices   Home Assistant, sensors, smart devices
VLAN 40   Media         Jellyfin, *arr stack, Plex
VLAN 50   Storage       iSCSI, NFS traffic (isolated)
VLAN 99   Guest         Isolated guest Wi-Fi

Routing & Firewall

  • Layer 3 Routing – Inter-VLAN routing with firewall rules
  • Firewall Policies – Default deny with explicit allow rules
  • Port Isolation – Guest VLAN cannot access internal services
  • VPN Access – Secure remote access to management VLAN
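The default-deny policy above can be modelled and checked before rules are pushed to the router. This is an added example, not configuration from this homelab: it uses the VLAN subnets from the IP Addressing Scheme on this page, assumes a 10.0.200.0/24 WireGuard tunnel subnet, and its explicit allow rules (storage reachable from servers and media, VPN into management, servers to IoT, IoT to DNS on the servers VLAN) are illustrative assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional

# VLAN id -> subnet, taken from the addressing scheme on this page
VLANS = {
    10: ipaddress.ip_network("10.0.10.0/24"),  # Management
    20: ipaddress.ip_network("10.0.20.0/24"),  # Servers
    30: ipaddress.ip_network("10.0.30.0/24"),  # IoT
    40: ipaddress.ip_network("10.0.40.0/24"),  # Media
    50: ipaddress.ip_network("10.0.50.0/24"),  # Storage (isolated)
    99: ipaddress.ip_network("10.0.99.0/24"),  # Guest
}
VPN_NET = ipaddress.ip_network("10.0.200.0/24")  # assumed WireGuard tunnel subnet

class Rule(NamedTuple):
    src: str          # zone: VLAN id as a string, or "vpn"
    dst: str
    ports: frozenset  # allowed destination ports; empty set = any port

# Explicit allow list (assumed, illustrative). Anything not listed is denied.
ALLOW = [
    Rule("vpn", "10", frozenset()),             # VPN -> management, any port
    Rule("20", "50", frozenset({2049, 3260})),  # servers -> storage: NFS, iSCSI
    Rule("40", "50", frozenset({2049})),        # media -> storage: NFS only
    Rule("20", "30", frozenset({1883, 8123})),  # servers -> IoT: MQTT, Home Assistant
    Rule("30", "20", frozenset({53})),          # IoT -> AdGuard DNS on the servers VLAN
]

def zone_of(ip: str) -> Optional[str]:
    """Return the VLAN id, "vpn", or None when the address is external."""
    addr = ipaddress.ip_address(ip)
    if addr in VPN_NET:
        return "vpn"
    return next((str(v) for v, net in VLANS.items() if addr in net), None)

def is_allowed(src_ip: str, dst_ip: str, dport: int) -> bool:
    """Default deny: a flow passes only when an explicit rule matches."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None:
        return False               # no unsolicited inbound from the Internet
    if src == dst:
        return True                # same VLAN: never crosses the router
    if dst is None:
        return src != "50"         # Internet egress, except the isolated storage VLAN
    if src == "99":
        return False               # guest may reach the Internet only
    return any(r.src == src and r.dst == dst and (not r.ports or dport in r.ports)
               for r in ALLOW)
```

Feeding the model a list of expected-allowed and expected-denied flows from the real ruleset turns a policy change into a quick regression check.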

DNS Architecture

Advanced DNS setup combining privacy, performance, and security. See DNS Architecture for full details.

Components

🛡️ AdGuard Home

Network-wide DNS sinkhole for ad blocking and tracker prevention:

  • Per-device filtering profiles
  • Custom blocklists and allowlists
  • Query logs and analytics dashboard
  • Parental controls and SafeSearch enforcement

🔁 Unbound

Recursive DNS resolver with DNSSEC validation:

  • Direct queries to root/TLD/authoritative servers (no third-party forwarders)
  • DNSSEC signature validation for authenticity
  • Local caching for performance
  • Full control over DNS resolution

🔒 DNSCrypt-Proxy

Encrypted DNS with Oblivious DoH (oDoH):

  • All queries encrypted (DoH, DoT, DNSCrypt protocols)
  • Anonymized relays prevent resolver correlation
  • Protects against ISP snooping and tampering
  • Fallback resolvers for redundancy

Flow: Client → AdGuard Home → Unbound → DNSCrypt-Proxy → Encrypted Upstream

IPAM & Network Discovery

NetBox

  • IP Address Management – Centralized IPAM for all subnets
  • DCIM – Data center infrastructure management
  • Network Documentation – Cables, devices, racks
  • API Integration – Automation with Ansible/Terraform

Diode + Orb

  • Network Discovery – Automatic device detection and mapping
  • Topology Visualization – Real-time network diagrams
  • Integration with NetBox – Syncs discovered devices to IPAM
  • Automation Backbone – Triggers workflows based on network changes

Security Features

Network-Level Protection

  • VLAN Isolation – Devices can only communicate within allowed VLANs
  • Firewall Rules – Stateful inspection with explicit deny-all default
  • DNS Filtering – Blocks malicious domains before they resolve
  • Encrypted DNS – Prevents ISP/upstream visibility into queries

Access Control

  • Reverse Proxy (Traefik) – On VPS for public services
  • SSO/2FA (Authelia) – Single sign-on with two-factor authentication
  • VPN Gateway – WireGuard for secure remote access
  • Bastion Host – Jump box for SSH access to management VLAN

Monitoring & Alerting

  • Checkmk – Network device monitoring (switches, routers, APs)
  • Graylog – Network traffic logs and firewall events
  • Netdata – Real-time bandwidth and connection tracking
  • WUD – Container update notifications

IP Addressing Scheme

Static Assignments

All critical services use static IPs managed in NetBox:

10.0.10.0/24  – Management (Proxmox nodes, switches)
10.0.20.0/24  – Servers (VMs, containers)
10.0.30.0/24  – IoT (Home Assistant, sensors)
10.0.40.0/24  – Media (Jellyfin, Plex)
10.0.50.0/24  – Storage (iSCSI, NFS)
10.0.99.0/24  – Guest (DHCP pool)

DHCP Reservations

  • Managed via NetBox – DHCP reservations synced from IPAM
  • MAC-based Assignment – Devices get consistent IPs
  • Lease Logging – DHCP activity logged to Graylog

Network Hardware

Core Switches

  • Managed Switches – VLANs, link aggregation, port mirroring
  • 10GbE Uplinks – High-bandwidth connectivity for storage traffic
  • PoE Support – Powers IoT devices and access points

Wireless

  • Separate SSIDs per VLAN – Dedicated networks for different device types
  • WPA3 Encryption – Modern wireless security
  • Guest Portal – Captive portal for visitor access

Automation & Configuration

Infrastructure as Code

# Ansible example: Configure VLAN on switch (complete play; the host group
# name is a placeholder for a group served by the NetBox dynamic inventory)
- name: Configure IoT VLAN on the core switches
  hosts: core_switches
  gather_facts: false
  tasks:
    - name: Configure VLAN 30 for IoT
      cisco.ios.ios_vlans:
        config:
          - vlan_id: 30
            name: IoT_Devices
        state: merged

Dynamic Inventory

  • NetBox as Source of Truth – Ansible pulls inventory from NetBox API
  • Automatic Device Discovery – Diode updates NetBox with new devices
  • Configuration Sync – Terraform manages network device configs

Best Practices

  1. Segmentation – Isolate untrusted devices (IoT, guest) from critical infrastructure
  2. Static IPs – Assign static IPs to all servers and infrastructure
  3. DNS Privacy – Use encrypted DNS to prevent upstream snooping
  4. Centralized Management – Single source of truth (NetBox) for all network data
  5. Monitoring – Log and alert on all network changes and anomalies
  6. Documentation – Keep NetBox updated with all network changes

Resources