Active Development

Homelab Network Infrastructure

Where theory becomes reality. This project transforms a basic home network into an enterprise-grade infrastructure with VLAN segmentation, OPNsense firewall, and defense-in-depth security. If you're studying for CompTIA certifications, this is how you turn exam objectives into real-world skills. There's no substitute for getting your hands on actual hardware, breaking things, fixing them, and building something you're proud of.

Started: January 2026 | Phase: 2 of 4 | Status: OPNsense Deployment

01 Overview

Every IT professional starts somewhere. Most start with a consumer router, a basic setup where everything just... works. But "working" isn't the same as "secure" or "properly designed." This project is my journey from that basic setup to something I'd actually deploy in a professional environment - and I'm documenting every step so you can follow along or build your own.

Why This Project?

It started with a disaster. A power outage took down my virtualized pfSense router, and suddenly I was locked out of my own hypervisor. Cue panic mode - I scrambled to plug in the ISP router before my family noticed the WiFi was down (priorities, right?). But that frustrating moment became an opportunity.

Instead of just fixing the problem, I decided to rebuild everything from scratch - and document the entire process. Why? Because I've taught enough students to know that the best learning happens when you can see someone else work through real problems. This isn't a sanitized tutorial where everything works perfectly. This is real infrastructure, with real mistakes, and real solutions.

Key Objectives

  • 01 Network Segmentation - Isolate devices by trust level using VLANs
  • 02 Defense in Depth - Multiple security layers with least-privilege access
  • 03 Visibility - IDS/IPS monitoring and traffic analysis
  • 04 Documentation - Professional-grade documentation and procedures

The plan? Start with security as the foundation, not an afterthought. Once the network is properly segmented and locked down, then we can have fun adding services. Too many homelabs are built the other way around - cool services on an insecure foundation. Let's do it right.

CompTIA Corner - Network Segmentation & Defense in Depth

Network Segmentation is the practice of dividing a network into smaller, isolated sections. Why does this matter? If an attacker compromises one device (say, a smart TV), segmentation prevents them from moving laterally to your important systems (like your file server or workstation).

Defense in Depth is a security strategy that uses multiple layers of protection. Instead of relying on a single firewall, you combine:

  • Perimeter security - Firewall at the network edge
  • Network segmentation - VLANs to isolate traffic
  • Access control - Only allow necessary connections
  • Monitoring - IDS/IPS to detect threats
  • Endpoint security - Antivirus and host firewalls on devices

Least Privilege means giving users and devices only the minimum access they need. Your smart thermostat needs internet access to check weather - it doesn't need to access your file server.

For the exam: These concepts appear on Security+, Network+, and even A+. Understand that defense in depth assumes any single control can fail. Know common segmentation techniques: VLANs, subnets, DMZs (demilitarized zones for public-facing servers), and air gaps (complete physical isolation).

02 Architecture

This is where we go from "I want better security" to "here's exactly how we're going to do it." Architecture isn't just drawing pretty diagrams - it's making deliberate decisions about how traffic flows, what can talk to what, and where we place our security controls. If you're studying for Network+ or Security+, pay attention here: this is the stuff that separates someone who passed an exam from someone who can actually design a network.

Current State vs Target State

Current: Flat Network

[Diagram: current flat network]
  • Single subnet for all devices
  • Consumer router
  • No traffic isolation
  • Limited visibility

Target: Segmented Network

[Diagram: target VLAN-segmented network]
  • 7 VLANs by trust level
  • OPNsense firewall
  • Inter-VLAN routing control
  • IDS/IPS monitoring

VLAN Design

CompTIA Corner - What is a VLAN?

A VLAN (Virtual Local Area Network) is a way to divide one physical network into multiple logical networks. Think of it like an apartment building with separate floors - everyone shares the same building (switch), but people on floor 1 can't just walk into apartments on floor 3 without going through security (the router/firewall).

Without VLANs, every device on your network can "see" every other device - your gaming PC, your smart TV, your security cameras, and your guest's phone are all neighbors. VLANs let you create boundaries so your IoT devices can't snoop on your workstation, and guests can't access your file server.

For the exam: VLANs operate at Layer 2 (Data Link) of the OSI model. Traffic between VLANs requires a Layer 3 device (router or firewall) - this is called inter-VLAN routing. VLAN tagging uses the IEEE 802.1Q standard.

VLAN | Name       | Subnet       | Purpose                | Internet | Internal Access
-----|------------|--------------|------------------------|----------|----------------
1    | Management | 10.0.1.0/24  | Infrastructure devices | Yes      | Full
10   | Trusted    | 10.0.10.0/24 | Admin workstations     | Yes      | Most services
20   | Servers    | 10.0.20.0/24 | VMs and containers     | Yes      | Limited inbound
30   | IoT        | 10.0.30.0/24 | Smart devices          | Yes      | Blocked
40   | Cameras    | 10.0.40.0/24 | IP surveillance        | No       | Blocked
50   | Guest      | 10.0.50.0/24 | Visitor WiFi           | Yes      | Blocked
99   | Security   | 10.0.99.0/24 | IDS/IPS monitoring     | Yes      | Read-only
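
An added example (mine, not from the original page or the project) that decodes the IEEE 802.1Q tag described above and maps the VLAN ID onto this table. The MAC addresses and the frame are constructed; the tag layout follows the standard (TPID 0x8100, then a 3-bit PCP, 1-bit DEI and 12-bit VID), and the two reserved VIDs (0 and 4095) are handled separately.

```python
import struct

# VLAN IDs from this page's design table (VID -> name)
HOMELAB_VLANS = {
    1: "Management", 10: "Trusted", 20: "Servers", 30: "IoT",
    40: "Cameras", 50: "Guest", 99: "Security",
}

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def build_tagged_frame(dst: bytes, src: bytes, vid: int, pcp: int = 0,
                       ethertype: int = 0x0800, payload: bytes = b"") -> bytes:
    """Build an Ethernet frame carrying one 802.1Q tag (constructed test data)."""
    if not (0 <= vid <= 4095 and 0 <= pcp <= 7):
        raise ValueError("VID must be 0..4095 and PCP 0..7")
    tci = (pcp << 13) | vid  # TCI = PCP(3 bits) | DEI(1 bit, left 0) | VID(12 bits)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload

def parse_frame(frame: bytes) -> dict:
    """Decode the 802.1Q tag of a frame, or report the frame as untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return {"tagged": False, "vid": None, "ethertype": ethertype}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return {"tagged": True, "pcp": tci >> 13, "dei": (tci >> 12) & 1,
            "vid": tci & 0x0FFF, "ethertype": inner}

def classify_vlan(frame: bytes) -> str:
    """Name the VLAN a frame belongs to, handling the two reserved VIDs."""
    info = parse_frame(frame)
    if not info["tagged"]:
        return "untagged (native VLAN of the ingress port)"
    vid = info["vid"]
    if vid == 0:
        return "priority-tagged (VID 0 carries no VLAN)"
    if vid == 4095:
        return "reserved VID 4095"
    return HOMELAB_VLANS.get(vid, f"unknown VLAN {vid}")

if __name__ == "__main__":
    # Constructed MACs; in practice the frame comes from a capture on a trunk port.
    DST, SRC = bytes.fromhex("ffffffffffff"), bytes.fromhex("025a1b2c3d4e")
    iot_frame = build_tagged_frame(DST, SRC, vid=30, pcp=1)
    print(parse_frame(iot_frame))
    print(classify_vlan(iot_frame))  # IoT
```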

03 Hardware

Now for the fun part - the actual gear. There's something deeply satisfying about unboxing a managed switch, running Cat6 cables, and watching activity LEDs blink as traffic flows. You can study networking theory forever, but until you've physically configured a VLAN on real hardware or troubleshot a firewall rule that's blocking legitimate traffic, it's all just abstract concepts. This is where learning gets real.

Good news: you don't need a fortune to build a capable homelab. My setup uses a mix of enterprise-grade refurbished equipment and prosumer networking gear. Total investment so far? Under $1,000 - and you could start with much less.

[Photo: the homelab hardware stack - server, switch, and network gear]
Hypervisor - Proxmox VE on HP Z440 (Active)

  • Intel Xeon E5-2620 v3 (6C/12T)
  • 64GB DDR4 ECC RAM
  • 1x 1Gbit + 2x 10Gbit NICs

Network Switch - TP-Link TL-SG1428PE (Active)

  • 28-port Managed PoE+
  • 250W Power Budget
  • VLAN, SPAN support

Wireless AP - TP-Link BE11000 (Active)

  • WiFi 7 Tri-band
  • Ceiling Mount
  • Multi-SSID to VLAN

Firewall - OPNsense VM on Proxmox (In Progress)

  • Virtualized on HP Z440
  • Intel X540 10G NICs available
  • Dedicated management NIC preserved

CompTIA Corner - What is a Firewall?

A firewall is a network security device that monitors and controls incoming and outgoing traffic based on security rules. Think of it as a security guard at a building entrance - it checks everyone's credentials and only lets authorized traffic through.

OPNsense is a free, open-source firewall operating system based on FreeBSD. It's an alternative to expensive commercial firewalls like Cisco ASA or Palo Alto. OPNsense provides:

  • Stateful packet inspection - Tracks the state of network connections
  • NAT (Network Address Translation) - Allows multiple devices to share one public IP
  • VPN support - OpenVPN, WireGuard, IPsec for secure remote access
  • Traffic shaping - Prioritize important traffic (like video calls over downloads)

For the exam: Know the difference between stateless firewalls (filter each packet individually) and stateful firewalls (track connection state). Understand that firewall rules are evaluated top-to-bottom and the first matching rule wins, so rule order matters. Most firewalls end with an implicit "deny all" rule.
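
As an added example (mine, not the project's OPNsense configuration), here is a small Python model of that rule logic applied to the VLAN plan from the Architecture section: rules are evaluated top-to-bottom, the first match wins, and anything unmatched falls through to the implicit deny. It assumes every VLAN subnet sits inside 10.0.0.0/16, so "Internet" means any destination outside that range, and it ignores ports and protocols; the `misordered_iot_rules` ruleset shows what goes wrong when a broad allow rule is placed above a block.

```python
from ipaddress import ip_address, ip_network

# Address plan from this page: every VLAN subnet lives inside 10.0.0.0/16,
# so anything outside that range is treated as "the Internet" (assumption).
INTERNAL = ip_network("10.0.0.0/16")
ANY = ip_network("0.0.0.0/0")

def rule(action, src, dst, desc):
    """dst is an ip_network or the string 'internet'."""
    return {"action": action, "src": ip_network(src), "dst": dst, "desc": desc}

def dst_matches(dst_spec, dst_ip):
    if dst_spec == "internet":
        return dst_ip not in INTERNAL
    return dst_ip in dst_spec

# Ordered ruleset derived from the VLAN table; the order is the point.
RULES = [
    rule("pass",  "10.0.1.0/24",  ANY,                        "Management: full access"),
    rule("pass",  "10.0.10.0/24", ip_network("10.0.20.0/24"), "Trusted -> Servers"),
    rule("pass",  "10.0.10.0/24", "internet",                 "Trusted -> Internet"),
    rule("pass",  "10.0.20.0/24", "internet",                 "Servers -> Internet"),
    rule("block", "10.0.30.0/24", INTERNAL,                   "IoT: no internal access"),
    rule("pass",  "10.0.30.0/24", "internet",                 "IoT -> Internet"),
    rule("block", "10.0.50.0/24", INTERNAL,                   "Guest: no internal access"),
    rule("pass",  "10.0.50.0/24", "internet",                 "Guest -> Internet"),
    # Cameras (10.0.40.0/24) get no rules at all: the implicit deny covers them.
]

def evaluate(rules, src, dst):
    """First matching rule wins; no match falls through to the implicit deny."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for r in rules:
        if src_ip in r["src"] and dst_matches(r["dst"], dst_ip):
            return r["action"], r["desc"]
    return "block", "implicit deny (no rule matched)"

def misordered_iot_rules():
    """Common mistake: a broad 'allow outbound' rule placed above the block."""
    return [rule("pass",  "10.0.30.0/24", ANY,      "IoT -> any (too broad)"),
            rule("block", "10.0.30.0/24", INTERNAL, "IoT: no internal access")]

if __name__ == "__main__":
    for src, dst in [("10.0.30.15", "10.0.20.5"), ("10.0.30.15", "1.1.1.1"),
                     ("10.0.40.7", "1.1.1.1"), ("10.0.10.2", "10.0.20.5")]:
        print(src, "->", dst, evaluate(RULES, src, dst))
    print("misordered:", evaluate(misordered_iot_rules(), "10.0.30.15", "10.0.20.5"))
```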

CompTIA Corner - Managed vs Unmanaged Switches

An unmanaged switch is plug-and-play - it just forwards traffic between ports with no configuration options. Think of it like a power strip: simple, but no control.

A managed switch gives you control over how traffic flows. You can:

  • Configure VLANs - Segment your network logically
  • Set up port mirroring (SPAN) - Copy traffic to another port for monitoring
  • Enable PoE (Power over Ethernet) - Power devices like cameras and access points through the network cable
  • View traffic statistics - See what's happening on your network

For the exam: Managed switches operate at Layer 2 but can have some Layer 3 features. Know that PoE uses IEEE 802.3af (15.4W) and PoE+ uses IEEE 802.3at (25.5W). Port mirroring is essential for network monitoring and IDS deployment.

04 Services

A homelab isn't just about networking - it's a playground for learning everything in IT. Each service I deploy teaches me something new: container orchestration, DNS resolution, storage management, automation, AI. The beauty of a homelab is that when something breaks (and it will), the only person affected is you. Break things, learn how to fix them, and build confidence that transfers directly to production environments.

[Screenshot: Proxmox VE dashboard - current VM and container lineup]

CompTIA Corner - VMs vs Containers vs Docker

You'll notice the services below are labeled VM, LXC, or Docker. These represent different virtualization approaches:

Virtual Machines (VMs) - A complete computer simulation with its own operating system, virtual hardware (CPU, RAM, disk, network). VMs are fully isolated but resource-heavy. Use when you need: different operating systems, complete isolation, or legacy software.

LXC Containers - Lightweight Linux containers that share the host's kernel but have isolated filesystems and processes. Uses far fewer resources than VMs but can only run Linux. Think of VMs as separate houses, and containers as apartments sharing utilities.

Docker - Application containers designed to package and run a single application with its dependencies. Docker containers are portable - build once, run anywhere. Popular for microservices and DevOps workflows.

For the exam: VMs use a hypervisor and have their own kernel. Containers share the host kernel, making them faster to start but less isolated. Know that Type 1 hypervisors (Proxmox, ESXi) run on bare metal, while Type 2 (VirtualBox) runs on a host OS.

  • Pi-hole (LXC) - Network-wide DNS and ad blocking
  • TrueNAS SCALE (VM) - Network storage and backups
  • Twingate (Docker) - Zero-trust remote access
  • Claude AI (VM) - Local AI assistant
  • N8N (VPS) - Workflow automation
  • Security Onion (VM) - IDS/IPS and SIEM (planned)

CompTIA Corner - Understanding These Services

Pi-hole (DNS Sinkhole) - DNS (Domain Name System) translates human-readable names (google.com) into IP addresses (142.250.80.14). Pi-hole acts as your network's DNS server and blocks requests to known advertising and tracking domains. When an ad tries to load, Pi-hole returns nothing - the ad disappears. This works for your entire network, including devices that can't run ad blockers (smart TVs, IoT devices).

TrueNAS (NAS - Network Attached Storage) - Centralized file storage accessible over the network. Instead of files scattered across different computers, everything lives on one server. TrueNAS uses ZFS, a file system with built-in data protection (checksums to detect corruption, RAID-like redundancy, snapshots for backups).

Twingate (Zero Trust Network Access) - Traditional VPNs give you full network access once connected. Zero Trust assumes the network is already compromised and verifies every access request individually. Users only reach specific resources they're authorized for - not the entire network. This is the modern approach to remote access.

For the exam: Know that DNS uses port 53 (UDP for queries, TCP for zone transfers). Understand NAS vs SAN (SAN presents raw block storage, NAS presents file shares). Zero Trust is a key concept in Security+ - "never trust, always verify."

05 Progress

Real projects have phases, milestones, and setbacks. I'm documenting this journey in real-time - the wins, the failures, and everything in between. Each phase builds on the last, and I'm designing rollback plans for every step. In enterprise IT, you never make changes without a way to undo them. That's not being pessimistic - that's being professional.

Follow along with the detailed blog posts, or use this as a template for planning your own homelab project.

Phase 1 - Documentation & Preparation (Complete, 100%)

Planning the architecture, documenting current state, designing VLAN scheme, and selecting hardware.

Phase 2 - OPNsense Deployment (Current, 0% complete)

Create OPNsense VM on Proxmox, configure VLANs and initial firewall rules.

Phase 3 - Network Migration (Upcoming)

Migrate devices VLAN-by-VLAN with rollback capability at each step.
Milestones: Management VLAN, Server VLAN, IoT/Camera VLANs

Phase 4 - Security Hardening (Upcoming)

Deploy Security Onion, enable IDS/IPS, configure monitoring and alerting.
Milestones: Security Onion, IDS/IPS rules, Alerting

CompTIA Corner - IDS vs IPS

IDS (Intrusion Detection System) - A passive security system that monitors network traffic and alerts you when it detects suspicious activity. Think of it as a security camera - it watches and records but doesn't physically stop anyone.

IPS (Intrusion Prevention System) - An active security system that not only detects threats but can automatically block them. Think of it as a security guard who can physically stop intruders.

Security Onion is a free Linux distribution that bundles multiple security tools together:

  • Suricata/Snort - IDS/IPS engines that analyze traffic patterns
  • Zeek (formerly Bro) - Network security monitor for deep traffic analysis
  • Elasticsearch/Kibana - Search and visualize security data
  • TheHive - Incident response platform

For the exam: Know that IDS/IPS can be network-based (NIDS/NIPS) or host-based (HIDS/HIPS). Signature-based detection matches known attack patterns. Anomaly-based detection learns normal behavior and flags deviations. Understand false positives (alert when nothing is wrong) vs false negatives (missing real attacks).

06 Skills Demonstrated

Here's the thing about certifications: they prove you studied. A homelab proves you can do. Every skill listed below maps directly to CompTIA exam objectives - but more importantly, they map to real job requirements. When an interviewer asks "Tell me about your experience with VLANs," you want to have stories, not just definitions.

  • Network Design
  • VLAN Segmentation
  • Firewall Configuration
  • Proxmox VE
  • OPNsense
  • Security Architecture
  • Technical Documentation
  • Infrastructure Planning
  • IDS/IPS
  • Docker

Build Your Own

Inspired to start your own homelab? Good. You don't need much to begin - an old PC, a managed switch from eBay, and free software like Proxmox and OPNsense will get you started. The most important thing is to start. You'll learn more from one weekend of hands-on tinkering than a month of reading documentation.

Have questions or want to share your own homelab journey? Reach out - I'd love to hear what you're building.