Homelab Overview

Current Network Topology

Diagram: secnicholas's Current Homelab Network Topology, Physical and Logical Infrastructure (21/03/2026)

Gateway and switching

  • ISP: WAN connection

  • OPNsense Gateway (WAN link from ISP)

    • Dell Optiplex 9010 SFF: i5-3570 | 16GB RAM | i350 Quad NIC
    • Libreboot + SeaBIOS
    • Suricata | CrowdSec
    • DNS over TLS → Quad9
    • Unbound DNS Blocklists
    • WAN: ISP DHCP
    • LAN: 10.0.10.1/29
  • OpenWrt (LAN trunk from OPNsense)

    • GL.iNet Flint 2
    • Open-source U-Boot
    • Managed Switch + Access Point
    • VLAN Trunk Bridge (br-lan)
    • native sinkhole VLAN (999)
  • Default deny firewall

  • Inter-VLAN traffic blocked by default and with floating rule

  • Note: VLAN IDs soon to be renumbered to more accurately reflect trust

WiFi (all WPA2/WPA3 Mixed)

  • SSID-1 → VLAN 60 (PERSONAL)

  • SSID-2 → VLAN 50 (PROPRIETARY)

  • SSID-3 → VLAN 70 (FAMILY)

  • SSID-4 → VLAN 80 (IOT)

  • SSID-5 → VLAN 100 (PHYSSEC)

  • SSID-6 → VLAN 90 (GUEST)

VLANs and attached hosts

  • VLAN 40: ADMIN | 10.0.40.1/29 | Administrative access

    • ThinkPad T440p (wired): Admin/Dev Workstation, Libreboot + SeaBIOS, Linux (secureblue), Syncthing/KeepassXC
  • VLAN 10: MANAGEMENT | 10.0.10.1/29 | Infrastructure Web UIs (OPNsense | OpenWrt), physical access only

    • Grafana VM: Debian, Dashboards + Alerting
  • VLAN 11: SECSERVER | 10.0.11.1/29 | Security VM Host

    • Security VM Host (wired): Dell 9020 SFF, Libreboot + SeaBIOS, Debian, Qemu/libvirt/Apparmor, VLAN-Aware Bridge (vmbr0)
  • VLAN 13: SECSERVICE | 10.0.13.1/27 | Security VM Services

    • OpenSearch VM: Debian, Log Ingestion/Aggregation
    • Wazuh VM: Ubuntu, Agent HIDS
  • VLAN 14: HUNT | 10.0.14.1/29 | Main pentest lan

    • Kali VM: Pentesting VM
  • VLAN 20: SERVER | 10.0.20.1/29 | Proxmox Cluster Hosts

    • Proxmox VE Host (wired): VLAN-Aware Bridge (vmbr0)
    • Proxmox VE Host (wired): VLAN-Aware Bridge (vmbr0)
  • VLAN 30: SERVICE | 10.0.30.1/27 | Proxmox VM Network (NAS | Media | Docker | Apps)

    • NAS VM: Debian, NFS + SSHFS Server, 2x 2TB HDD passthrough
    • Media Services VM: Streaming Services, Media Management
  • VLAN 31: VAMPIRE | 10.0.31.1/27 | AI services

    • AI VM: Claude Code + OpenCode, rsync + git
  • VLAN 32: STALK | 10.0.32.1/29 | Reserve pentest lan

    • Reserve Kali VM: Reserve Pentesting VM
  • VLAN 60: PERSONAL | 10.0.60.1/29 | open source personal devices

    • Hardened Android (GrapheneOS), via SSID-1 WiFi: Syncthing-Fork/KeepassDX
    • Media Server/Moonlight Client, via SSID-1 WiFi: Syncthing/KeepassXC
  • VLAN 50: PROPRIETARY | 10.0.50.1/28 | proprietary personal devices

    • Gaming/High Performance PC (wired): Windows/CachyOS, Sunshine (Game Streaming), Syncthing/KeepassXC
  • VLAN 70: FAMILY | 10.0.70.1/26 | User devices (Laptops | Phones)

  • VLAN 80: IOT | 10.0.80.1/27 | Smart home devices

  • VLAN 100: PHYSSEC | 10.0.100.1/27 | Security cameras

  • VLAN 90: GUEST | 10.0.90.1/27 | Guest WiFi
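Added example (not part of the original page or the author's own tooling): a small Python check over the VLAN plan above that confirms no two subnets overlap and classifies flow records against the default-deny inter-VLAN policy. The single allow-list entry and the sample flows are constructed assumptions, not rules or logs from this lab.

```python
import ipaddress

# VLAN ID -> (name, gateway/prefix), transcribed from the topology above.
VLAN_PLAN = {
    10: ("MANAGEMENT", "10.0.10.1/29"), 11: ("SECSERVER", "10.0.11.1/29"),
    13: ("SECSERVICE", "10.0.13.1/27"), 14: ("HUNT", "10.0.14.1/29"),
    20: ("SERVER", "10.0.20.1/29"),     30: ("SERVICE", "10.0.30.1/27"),
    31: ("VAMPIRE", "10.0.31.1/27"),    32: ("STALK", "10.0.32.1/29"),
    40: ("ADMIN", "10.0.40.1/29"),      50: ("PROPRIETARY", "10.0.50.1/28"),
    60: ("PERSONAL", "10.0.60.1/29"),   70: ("FAMILY", "10.0.70.1/26"),
    80: ("IOT", "10.0.80.1/27"),        90: ("GUEST", "10.0.90.1/27"),
    100: ("PHYSSEC", "10.0.100.1/27"),
}
NETS = {vid: ipaddress.ip_interface(cidr).network
        for vid, (_, cidr) in VLAN_PLAN.items()}

# Assumption (not from the page): the only permitted cross-VLAN flow is
# Wazuh agents in SERVICE (30) reaching SECSERVICE (13) on port 1514.
ALLOWED = {(30, 13, 1514)}

def overlapping_vlans():
    """VLAN ID pairs whose subnets overlap; an empty list means a clean plan."""
    ids = sorted(NETS)
    return [(a, b) for i, a in enumerate(ids) for b in ids[i + 1:]
            if NETS[a].overlaps(NETS[b])]

def vlan_of(ip):
    """VLAN ID containing ip, or None when it is outside every planned subnet."""
    addr = ipaddress.ip_address(ip)
    return next((vid for vid, net in NETS.items() if addr in net), None)

def audit_flow(src, dst, dport, allowed=ALLOWED):
    """Classify one flow record against the default-deny inter-VLAN policy."""
    s, d = vlan_of(src), vlan_of(dst)
    if s is None and ipaddress.ip_address(src).is_private:
        return "unplanned-source"      # RFC 1918 address outside every subnet
    crosses = s is not None and d is not None and s != d
    if crosses and (s, d, dport) not in allowed:
        return "inter-vlan-violation"  # should have been dropped at the gateway
    return "ok"

# Constructed sample flows (src, dst, dport), not taken from real logs.
SAMPLE_FLOWS = [
    ("10.0.30.5", "10.0.13.4", 1514),   # SERVICE -> SECSERVICE, allow-listed
    ("10.0.80.10", "10.0.30.5", 445),   # IOT -> SERVICE
    ("10.0.10.9", "10.0.20.2", 8006),   # .9 falls outside the MANAGEMENT /29
    ("10.0.70.20", "9.9.9.9", 443),     # FAMILY -> internet
]

if __name__ == "__main__":
    print("overlaps:", overlapping_vlans())
    for flow in SAMPLE_FLOWS:
        print(flow, "->", audit_flow(*flow))
```

The same lookup can tag log source addresses with a VLAN name before they reach a dashboard, so a flow that crosses zones stands out without reading raw addresses.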

# work-in-progress. (technical details & plans are likely to change soon as I continue working on this)

Note: Currently working on a post that details the history of this homelab project and a lot of my thinking/decision making during it

OPNsense

my opnsense dashboard

OpenWrt

my openwrt dashboard

my openwrt bridge vlan filtering

# Note: lab photos coming soon!

Currently working on

  • practicing SIEM analysis with my own tooling/events/alerts

  • improving Grafana dashboards and Lua parsers

    • vibecoded some initial ones to help me test logflow/parsing
  • configuring Grafana alerting

  • working on adding health monitoring dashboards (starting with fluent-bit to help diagnose logflow issues)

  • thoroughly going through SIEM service configurations to ensure full coverage

  • thoroughly going through fluent-bit log flow/parsing configuration

  • thoroughly going through/testing log rotation/ISM templates over time to ensure I’m getting the ~60-90 day collection window I want (with a smaller window for heavier stuff like Suricata flow logs at ~7-14 days)

  • implementing a second 9020 SFF on the ‘secserver’ VLAN to allow OpenVAS to run on schedules without fighting my OpenSearch/Wazuh VMs for resources during scans, and provide room for further VMs

    • might need to wait til I can afford an SSD/more RAM for this one
    • will create another Grafana dashboard for this and integrate it into the existing agent/health monitoring setup
  • documenting “secserver” host configuration

  • documenting SIEM VM configurations

Future plans

  • Implement the second 9010 SFF I purchased to use as a Zeek traffic analyzer (currently planning to do this with a mirrored port on my OPNsense 9010’s OPT interface)

    • Waiting until I can afford a Gigabit NIC for this
    • Will create another Grafana dashboard for this and integrate it into the existing agent/health monitoring setup
  • local CA/forced https for management web interfaces

  • Implement more MFA

  • Do more host hardening across all of my hosts

  • Confirm the current 9020 SFF ‘secserver’ configuration’s VM isolation is definitely working correctly

  • Pentest everything I can and simulate as many attacks as possible until I feel more comfortable mentally modelling most attacks in the context of my lab/lan

  • Audit/test SIEM logging and create a routine process for auditing all services to ensure they’re truly representative of reality and there are no gaps in my coverage

  • Further enrich IP/DNS info with other forms of CTI

  • Write more documentation and recovery procedures

  • Add more redundancy where possible (when I can afford it) (A UPS will save me going through all the effort I just went to restore fluent-bit connections/opensearch indexes after a mains outage lol.)

  • Replace the Proxmox cluster with more modern hardware and lower power draw (when I can afford it).

  • Continue researching heads/coreboot and hardware keys to set up boot verification/auditing and hardware attestation for the t430p and 9010 SFF (I ideally want something that mirrors what my GrapheneOS phone does on my Linux hosts as best I can, and so far it’s looking relatively possible with my hardware)

  • After that I also want to have a go at redoing my current OPNsense configuration on OpenBSD with the goal being to reduce overall attack surface by removing the components I don’t need

  • Redo anything and everything that introduces OS-level age verification with whatever alternative solutions I can find that are maintained by people who aren’t actively undermining the open ecosystem they owe their existence to, and the well-constructed ideals of their predecessors