nunogrl.com - monitoringhttps://nunogrl.com/2024-08-01T00:00:00+01:00Homelab Network Overview2024-08-01T00:00:00+01:002024-08-01T00:00:00+01:00Nuno Leitaotag:nunogrl.com,2024-08-01:/articles/homelab-network-overview/<p class="first last">A comprehensive guide to building a secure homelab network with VLANs, DNS, monitoring, and automation</p>
<p>My homelab network is designed to provide a <strong>secure, efficient, and self-hosted environment</strong>
for various automation, development, and personal infrastructure needs.
This setup prioritizes <strong>network segmentation, security, and performance optimization</strong>,
while being flexible enough to scale or adapt for experimentation.</p>
<div class="section" id="problem-solution">
<h2>Problem & Solution</h2>
<p><strong>Problem:</strong> I needed a reliable and secure environment for automation, CI/CD testing, Git hosting, and local infrastructure—
<strong>without relying on cloud platforms or exposing services to the internet</strong>.</p>
<p>Additionally, the solution had to run on <strong>low-powered, repurposed hardware</strong> with minimal overhead
and support <strong>remote access</strong>, <strong>internal DNS resolution</strong>, and <strong>segmented security domains</strong>.</p>
<p><strong>Solution:</strong> I architected a network centered around an OpenWRT-based router with VLAN segmentation,
isolated zones for each function, and layered services:</p>
<ul class="simple">
<li><strong>Tailscale</strong> provides secure access to internal services, even when offsite.</li>
<li><strong>Cloudflare Tunnel</strong> allows for secure access to internal services from the internet.</li>
<li><strong>AdGuard Home</strong> filters DNS-based ads and trackers at the router level.</li>
<li><strong>TinyDNS + BIND</strong> handle authoritative DNS within the homelab.</li>
<li><strong>Traefik</strong> serves as the reverse proxy using a wildcard cert via DNS verification.</li>
<li><strong>Prometheus + Grafana</strong> provide observability for all infrastructure nodes.</li>
<li>A <strong>D-Link 3782 router</strong> is used as a wireless bridge to isolate the IoT network.</li>
</ul>
<p>The OpenWRT router also provides wireless access to mobile and personal devices,
which are segmented into their own VLAN. These include laptops, phones, and tablets
used for managing or testing infrastructure services.</p>
<p>For mobile devices, <strong>Syncthing</strong> is used to selectively back up content to the NAS.
While backups are not fully automated, this gives more control over what is stored.
I am considering adding a backup option to <strong>Dropbox</strong> for external redundancy.</p>
<p>The entire infrastructure is <strong>provisioned via Ansible playbooks</strong>, which manage deployment
and configuration across the environment. These playbooks live on an internal Git server
and may be shared publicly in the future.</p>
<p>The system emphasizes <strong>modularity</strong>, <strong>resilience</strong>, and <strong>observability</strong>, ensuring that
each component is isolated but observable.</p>
</div>
<div class="section" id="full-network-topology-combined">
<h2>Full Network Topology (Combined)</h2>
<div class="mermaid" id="mermaid-diagram-9078242182121851762">
flowchart TD
%% ingress egress
Internet --> Router
Router -->|VPN: Site2Site| VPNCloudflare
Router -->|VPN: host| VPNTailscale
%% DNS
Router -.-> AdGuard
AdGuard -.-> BIND
BIND -.-> TinyDNS
%% Traefik --> Router
%% Traefik --> IoT_Bridge
%% Prometheus --> NAS
%% Prometheus --> Server1
%% Prometheus --> CIService
%% Prometheus --> Router
%% Grafana --> Prometheus
Router ==>|VLAN: NAS| NAS
Router ==>|VLAN: Dev| Server1
Router ==>|VLAN: CI| Zeus
Router ==>|VLAN: IoT| IoT_Bridge
Router ==>|VLAN: WiFi| Wireless_Clients
IoT_Bridge -->|Wireless| IoT_Devices
%%subgraph rproxy [reverse proxy]
%% Traefik --> GitServer
%% Traefik --> CIService
%% Traefik --> Grafana
%% Traefik --> Syncthing
%% Traefik --> Portainer
%% Traefik --> Prometheus
%% Traefik --> NASUI
%% Traefik --> binrepo
%% end
%% description
VPNCloudflare((VPN fa:fa-lock
cloudflared
tunnel))
VPNTailscale((VPN fa:fa-lock
tailscale
server
))
Router{{Router}}
IoT_Bridge{{IoT Bridge}}
Internet(((Internet
fa:fa-cloud)))
%% NASUI([homepage fab:fa-docker])
%% GitServer([git fab:fa-docker])
%% CIService([CIService fab:fa-docker])
%% Grafana([grafana fab:fa-docker])
%% Portainer([Portainer fab:fa-docker])
%% Traefik([traefik fab:fa-docker])
%% Syncthing([Syncthing fab:fa-docker])
%% Prometheus([Prometheus fab:fa-docker])
%% binrepo([Binary Repo fab:fa-docker])
Server1[Raspberry Pi]
%% styles
classDef default fill:#f9f,stroke:#333,stroke-width:1px;
classDef net fill:#fff;
classDef hardware fill:#f96;
classDef dns fill:#AFF;
classDef container fill:#EF0;
classDef vpn fill:#EF0;
classDef network fill:#CCCCCC;
Internet:::net
VPNCloudflare:::vpn
VPNTailscale:::vpn
AdGuard:::dns
BIND:::dns
TinyDNS:::dns
Router:::network
IoT_Bridge:::network
NAS:::hardware
Server1:::hardware
Zeus:::hardware
Wireless_Clients:::hardware
IoT_Devices:::hardware
%% NASUI:::container
%% GitServer:::container
%% CIService:::container
%% binrepo:::container
%% Grafana:::container
%% Portainer:::container
%% Traefik:::container
%% Syncthing:::container
%% Prometheus:::container</div><p>This shows how DNS resolution, secure access, proxy routing, and monitoring interconnect.</p>
</div>
<div class="section" id="layered-views-progressive-breakdown">
<h2>Layered Views (Progressive Breakdown)</h2>
<div class="section" id="vpn">
<h3>VPN</h3>
<div class="mermaid" id="mermaid-diagram-7797067824243999538">
%% styles
classDef default fill:#f9f,stroke:#333,stroke-width:1px;
classDef net fill:#fff;
classDef vpn fill:#EF0;
classDef network fill:#CCCCCC;
flowchart TD
Internet -->|VPN: Cloudflare| VPNCloudflare
Internet -->|VPN: Tailscale| VPNTailscale
subgraph cf [cloudflare VPN tunnels]
InternetCF -.-> |https
ingress|cloudflare
cloudflare -.-> |http|vaultvpn
cloudflare{{cloudflare
pulsingminds}}
cloudflare --- Londonvpn
cloudflare --- hetznervpn
cloudflare --- vaultvpn
end
Londonvpn((VPN fa:fa-lock
London Tunnel))
hetznervpn((VPN fa:fa-lock
Hetzner Tunnel))
vaultvpn((VPN fa:fa-lock
vault Tunnell))
InternetCF(((Internet
fa:fa-cloud)))
InternetCF:::net
cloudflare:::network
Londonvpn:::vpn
hetznervpn:::vpn
vaultvpn:::vpn
InternetTS --- tailscale
tailscale{{Tailscale}}
tailscale --- Londonts
tailscale --- magits
tailscale --- capricets
tailscale --- mobilets
end
Londonts((VPN fa:fa-lock
London Tunnel
_route propagation_))
magits((VPN fa:fa-lock
Hetzner Tunnel))
capricets((VPN fa:fa-lock
laptop Tunnell))
mobilets(((VPN fa:fa-lock
mobile Tunnel)))
InternetTS(((Internet
fa:fa-cloud)))
tailscale:::network
Londonts:::vpn
magits:::vpn
capricets:::vpn
mobilets:::vpn</div></div>
<div class="section" id="dns-resolution-flow">
<h3>DNS Resolution Flow</h3>
<div class="mermaid" id="mermaid-diagram--5116182746477425768">
flowchart TD
Client --> AdGuard
AdGuard --> BIND
BIND -.-> I
BIND -.-> L
BIND --> TinyDNS
BIND -.-> LXC
L((Local network))
I((Internet))
LXC((LXC_Containers))</div></div>
<div class="section" id="traefik-reverse-proxy-flow">
<h3>Traefik Reverse Proxy Flow</h3>
<div class="mermaid" id="mermaid-diagram--2508032663135504021">
flowchart TD
Internet -->|DNS Challenge| Traefik
Traefik --> GitServer
Traefik --> Grafana
Traefik --> CIService
Traefik --> binRepo
Traefik --> Syncthing
Traefik --> Portainer
Traefik --> RouterUI
Traefik --> NASUI
Traefik --> IoT_Bridge</div></div>
<div class="section" id="prometheus-monitoring-flow">
<h3>Prometheus Monitoring Flow</h3>
<div class="mermaid" id="mermaid-diagram--3288697517812673026">
flowchart TD
Prometheus --> NAS
Prometheus --> Server1
Prometheus --> CIService
Prometheus --> Router
Prometheus --> IoT_Bridge
Grafana --> Prometheus</div><p>Each layer can be inspected individually or in combination via Grafana dashboards and log collectors.
This <strong>layered view mirrors how the infrastructure is designed, monitored, and interacted with.</strong></p>
</div>
</div>