My Homelab
Home Network Setup
The network infrastructure is built using Ubiquiti equipment, leveraging its firewall features to ensure high-speed internet access and robust security. Security configurations, including firewall settings, are managed through Ubiquiti's system and router capabilities.
Devices are organized into designated VLANs—such as trusted wired devices, trusted wireless devices, IoT devices, and the homelab—each governed by strict firewall rules for specific communication protocols. For instance, while trusted devices are allowed to communicate with IoT devices, the IoT devices are restricted from initiating communication with trusted devices. The IoT network is fully isolated, preventing it from accessing any other devices in the house.
Additionally, I utilize Ubiquiti's IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) at the highest level, along with an OSI Layer 7 Next-Generation Firewall. Firewall rules are implemented using Zone-Based Firewall features to enhance security and manage network traffic effectively. Homelab servers are also isolated from the rest of the network, with one wired Linux PC granted full access and another wired PC limited to proxy-only access.
Lastly, no VLANs are configured with port forwarding. Instead, the homelab and Synology VLANs use Cloudflare Tunnel for traffic tunneling as needed. For internal homelab and Synology management, I rely on NGINX Proxy Manager with Let's Encrypt and Cloudflare DNS Challenge, ensuring all traffic is securely encrypted with TLS.

Homelab Server Setup
My homelab is set on three mini PCs: one running Home Assistant for homelab and smart device monitoring, one running a Proxmox virtualization environment and another dedicated to Proxmox Backup Server. Both systems have their management interfaces isolated within their dedicated VLAN, ensuring secure administrative access. The broader homelab is segmented into three functional VLANs—Overseer, External, and Internal—each hosting a mix of Ubuntu Server and Fedora Server VMs for core services, alongside matching desktop VMs for testing and experimentation. Security and access control are enforced with a zone-based firewall through the UniFi network. While all local devices can communicate with homelab servers via HTTPS, only one jumpbox machine running a Fedora image can access non-proxied traffic. Also, any non-critical outgoing traffic is blocked or redirected through HTTPS.
Overseer VLAN (Control & Monitoring)
Inspired by Fallout, the Overseer VLAN serves as the central command layer. It hosts key infrastructure services including:
- Komodo for Docker container orchestration
- UpTime Kuma for uptime and service health monitoring
- Dockeep for Docker monitoring
- Authentik as the identity provider with role-based access control
- Pi-Hole for DNS filtering
- NGINX Proxy Manager for reverse proxying
- Forgejo Git server for version control and infrastructure-as-code
These services have tightly controlled access to both the External and Internal VLANs, with return traffic restricted to specific ports. Additionally, the Overseer VLAN maintains ICMP-only access to the homelab management VLAN, allowing Kuma to monitor Proxmox nodes without exposing sensitive interfaces. Komodo and Dockeep are connected to other VMs via dedicated agents.
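The segmentation rules described in the network setup above (trusted devices may initiate to IoT but not the reverse, IoT is fully isolated, local devices reach homelab services only over HTTPS) and the Overseer VLAN's ICMP-only reach into the management VLAN can be captured as an ordered zone-to-zone rule set and audited against the stated intent. The following is an added example, not configuration from this homelab or from UniFi; the zone labels and the port numbers in the sample flows are assumptions.

```python
from dataclasses import dataclass
ANY = "*"

@dataclass(frozen=True)
class Rule:
    src: str        # source zone, or ANY
    dst: str        # destination zone, or ANY
    proto: str      # "tcp", "udp", "icmp", or ANY
    dports: object  # frozenset of destination ports, or ANY
    action: str     # "allow" or "deny"

    def matches(self, src, dst, proto, dport):
        return (self.src in (ANY, src) and self.dst in (ANY, dst)
                and self.proto in (ANY, proto)
                and (self.dports == ANY or dport in self.dports))

# Zone labels are assumed (the page names VLANs, not zone names). Rules are
# first-match with default deny, and only new connections are evaluated: the
# firewall is stateful, so replies to an allowed flow need no rule of their own.
RULES = [
    Rule("trusted_wired", "iot", ANY, ANY, "allow"),
    Rule("trusted_wireless", "iot", ANY, ANY, "allow"),
    Rule("iot", ANY, ANY, ANY, "deny"),                    # IoT never initiates
    Rule("overseer", "management", "icmp", ANY, "allow"),  # Kuma pings Proxmox
    Rule("overseer", "management", ANY, ANY, "deny"),
    Rule("overseer", "external", "tcp", frozenset({443}), "allow"),  # assumed port
    Rule(ANY, "homelab", "tcp", frozenset({443}), "allow"),          # https only
]

def new_connection_allowed(src, dst, proto, dport=None, rules=RULES):
    """True if a new flow src->dst is permitted by the first matching rule."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action == "allow"
    return False  # nothing matched: default deny

# Intent taken from the page text: (src, dst, proto, dport, expected).
INTENT = [
    ("trusted_wired", "iot", "tcp", 8123, True),
    ("iot", "trusted_wired", "tcp", 445, False),
    ("iot", "homelab", "tcp", 443, False),            # IoT is fully isolated
    ("overseer", "management", "icmp", None, True),
    ("overseer", "management", "tcp", 8006, False),   # Proxmox UI stays hidden
    ("trusted_wireless", "homelab", "tcp", 443, True),
    ("trusted_wireless", "homelab", "tcp", 22, False),
]
def audit(rules=RULES):
    """Return intent entries the rule set violates; empty means it matches."""
    return [case for case in INTENT
            if new_connection_allowed(*case[:4], rules=rules) != case[4]]
```

Re-running `audit()` after every firewall change is a cheap way to catch a rule inserted above the IoT deny that silently re-opens the trusted segments.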
External VLAN (Public-Facing & DMZ)
The External VLAN is designed for secure, isolated access to public-facing services. It includes:
- SearxNG, a privacy-focused meta search engine
- Kasm Workspace, providing ephemeral browser containers for secure link handling
- IT-Tools, a utility suite for diagnostics and encoding
- Stirling PDF, a utility suite for editing PDFs
Remote access is proxied through a VPS-connected Pangolin gateway using Traefik and CrowdSec for dynamic routing and behavioral firewalling, providing a fully self-hosted zero-trust perimeter.
Kasm and SearxNG reside in a DMZ zone with highly restricted traffic and no port forwarding, and all traffic to SearxNG and Kasm is routed securely through Pangolin, ensuring strict ingress control and enhanced privacy.
In this VLAN, there is a standalone VM running RustDesk for remote support. In the future, with the addition of NetBird or Tailscale, this VM will replace the one currently hosted on a Linode VPS.
Internal VLAN (Personal Services & Testing)
The Internal VLAN is an Ubuntu Server tailored for personal device support and local services. It includes:
- BookStack, a documentation service
- Karakeep, a lightweight bookmark and note-taking app
- Two desktop VMs—one Fedora, one Kaiser—for testing and sandboxing
This VLAN remains isolated from external exposure, with future plans to expand its role in home automation.

Homelab Projects
RustDesk
RustDesk is an open-source remote desktop solution that I host locally on Akamai and Linode cloud platforms. This setup ensures secure, private, and encrypted communication channels, making it ideal for assisting family and friends with technical issues. By hosting RustDesk locally, I retain full control over the server, minimizing reliance on third-party services while offering a highly reliable and secure alternative to commercial remote desktop solutions.
Kasm Workspace
Kasm provides "Browser as a Service," allowing me to spin up isolated containers for securely running a browser of my choice. This is especially useful for safely opening suspicious or malicious links. Kasm functions as a hypervisor, capable of creating containers with preconfigured images for various use cases. These include browsers, lightweight Linux desktop environments, or specific standalone applications. It's perfect for one-time, quick sessions with software I don't need installed permanently on my PC. The isolation provided by Kasm ensures that any risky or experimental activity is contained, safeguarding the rest of my system.
Searxng
SearXNG is a self-hosted, open-source search engine designed for privacy and customizability. It runs on my server, giving me complete control over my search data and ensuring a safe browsing experience. SearXNG uses unique, non-identifiable profiles to query multiple search engines simultaneously, consolidating results into a single page. This setup provides diverse results while removing trackers and ensuring that all links returned are free of invasive tracking mechanisms. SearXNG empowers me with private and efficient searches without compromising on security or functionality.
Future Ideas
Homelab Assistant Dashboard - Currently creating a dashboard for an overview of homelab and home network management.
Expanding server pool - Potentially adding an additional mini PC to my server pool as another Proxmox environment, creating a cluster for redundancy and high availability.