My Homelab
Home Network Setup
The network infrastructure is built using Ubiquiti equipment, leveraging its firewall features to ensure high-speed internet access and robust security. Security configurations, including firewall settings, are managed through Ubiquiti's system and router capabilities.
Devices are organized into designated VLANs—such as trusted wired devices, trusted wireless devices, IoT devices, and the homelab—each governed by strict firewall rules for specific communication protocols. For instance, while trusted devices are allowed to communicate with IoT devices, the IoT devices are restricted from initiating communication with trusted devices. The IoT network is fully isolated, preventing it from accessing any other devices in the house.
Additionally, I utilize Ubiquiti's IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) at the highest level, along with an OSI Layer 7 Next-Generation Firewall. Firewall rules are implemented using Zone-Based Firewall features to enhance security and manage network traffic effectively. Homelab servers are also isolated from the rest of the network, with one wired Linux PC granted full access and another wired PC limited to proxy-only access.
Lastly, no VLANs are configured with port forwarding. Instead, the homelab and Synology VLANs use Cloudflare Tunnel for traffic tunneling as needed. For internal homelab and Synology management, I rely on NGINX Proxy Manager with Let's Encrypt and Cloudflare DNS Challenge, ensuring all traffic is securely encrypted with TLS.

Homelab Setup
The homelab consists of two mini PCs: one running a Proxmox environment and the other serving as a Proxmox Backup Server. Both servers’ management interfaces are isolated in their own VLAN, while the rest of the homelab is divided into three VLANs: Overseer, External, and Internal. Each VLAN hosts an Ubuntu Server or Fedora Server VM for main components, along with a corresponding Ubuntu or Fedora Desktop VM for testing purposes.
The Overseer VLAN, inspired by Fallout, is home to management tools like NGINX Proxy Manager, the Kuma monitoring system, Portainer for managing Docker containers, and the Pi-Hole DNS server. These services have controlled access to both the External and Internal VLANs, with strictly defined return traffic allowed via specific ports. Additionally, the Overseer VLAN has ICMP-only access to the homelab management VLAN, enabling the Kuma monitoring system to check server statuses.
The External VLAN's Ubuntu Server runs Portainer Agent, hosting a SearxNG search engine container and a separate VM for Kasm Workspace. This VM is located in a DMZ zone with highly restricted traffic and no port forwarding. All traffic for SearxNG and Kasm is routed securely through a Cloudflare Tunnel, ensuring strict security and controlled access.
The Internal VLAN includes an Ubuntu Server intended for providing services to personal devices. While no services are currently active, it will host Pi-Hole for home DNS and Home Assistant in the future. The Internal VLAN also contains two desktop VMs, one running Fedora and the other using a Kaiser image, both designated for testing.
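The zone rules described above can be written down as a default-deny allow-list and checked against the stated invariants each time a rule changes. This is an added example, not the configuration exported from the Ubiquiti controller: the zone names follow the text, while the `Rule` model, the sample flows and port 9001 for the Portainer Agent are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str = "any"           # "any", "tcp", "udp" or "icmp"
    port: Optional[int] = None   # None matches any destination port

# Allow-list for NEW connections between zones; anything unlisted is dropped.
# Zone names follow the page; the port number is an assumption.
POLICY = [
    Rule("trusted_wired", "iot"),
    Rule("trusted_wireless", "iot"),
    Rule("overseer", "homelab_mgmt", "icmp"),
    Rule("overseer", "external", "tcp", 9001),  # assumed Portainer Agent port
    Rule("overseer", "internal", "tcp", 9001),
]

def allowed(policy, src, dst, proto, port=None, established=False):
    """True if the flow passes. For a reply (established=True), proto/port
    describe the original connection, which the other side must have opened."""
    if established:
        return allowed(policy, dst, src, proto, port)
    return any(r.src == src and r.dst == dst
               and r.proto in ("any", proto)
               and (r.port is None or r.port == port)
               for r in policy)

def violations(policy):
    """Return the names of the page's stated invariants that the policy breaks."""
    checks = {
        "trusted can reach IoT":
            allowed(policy, "trusted_wired", "iot", "tcp", 443),
        "IoT never initiates":
            not any(r.src == "iot" for r in policy),
        "IoT may answer trusted":
            allowed(policy, "iot", "trusted_wired", "tcp", 443, established=True),
        "Overseer can ping management":
            allowed(policy, "overseer", "homelab_mgmt", "icmp"),
        "Overseer reaches management by ICMP only":
            not any(r.src == "overseer" and r.dst == "homelab_mgmt"
                    and r.proto != "icmp" for r in policy),
    }
    return [name for name, ok in checks.items() if not ok]

if __name__ == "__main__":
    print(violations(POLICY))
    print(violations(POLICY + [Rule("iot", "trusted_wired", "tcp", 445)]))
```

An empty list means the rule set still matches the design; any name returned points at the invariant a new rule has broken.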

Homelab Projects
RustDesk
RustDesk is an open-source remote desktop solution that I host locally on Akamai and Linode cloud platforms. This setup ensures secure, private, and encrypted communication channels, making it ideal for assisting family and friends with technical issues. By hosting RustDesk locally, I retain full control over the server, minimizing reliance on third-party services while offering a highly reliable and secure alternative to commercial remote desktop solutions.
Kasm Workspace
Kasm provides "Browser as a Service," allowing me to spin up isolated containers for securely running a browser of my choice. This is especially useful for safely opening suspicious or malicious links. Kasm functions as a hypervisor, capable of creating containers with preconfigured images for various use cases. These include browsers, lightweight Linux desktop environments, or specific standalone applications. It's perfect for one-time, quick sessions with software I don't need installed permanently on my PC. The isolation provided by Kasm ensures that any risky or experimental activity is contained, safeguarding the rest of my system.
SearxNG
Searx is a self-hosted, open-source search engine designed for privacy and customizability. It runs on my server, giving me complete control over my search data and ensuring a safe browsing experience. Searx uses unique, non-identifiable profiles to query multiple search engines simultaneously, consolidating results into a single page. This setup provides diverse results while removing trackers and ensuring that all links returned are free of invasive tracking mechanisms. Searx empowers me with private and efficient searches without compromising on security or functionality.
Future Ideas
Homelab Assistant Dashboard - In the process of creating a dashboard for an overview and management of the homelab and home network.
Expanding server pool - Potentially adding an additional mini PC to my server pool as another Proxmox environment, creating a cluster for redundancy and high availability.