Self-Hosted Home Lab · Live

Home Lab Network & Server Architecture

A segmented, security-first home lab built on an OPNsense firewall, VLAN isolation, and a fleet of Linux servers running 30+ self-hosted services — all protected by a layered, automated 3-2-1 backup pipeline to on-site NAS and off-site cloud storage.

6Servers maintained
3 + VPNVLAN segments
30+Self-hosted services
3-2-1Backup strategy
4Custom domains
Topology

Network Architecture

Traffic enters through a single hardened edge — the OPNsense firewall — which routes between isolated VLANs. A reverse proxy terminates SSL and fronts every service. Trusted servers live on their own segment, while IoT and guest devices are walled off.

🌐 Internet / WAN
Public ingress & egress
🛡️ OPNsense Firewall & Router
192.168.50.1
VLAN routing 🔐 WireGuard VPN · 51820/UDP 🧭 DHCP · static leases 🚫 Inter-VLAN rules ☁️ ProtonVPN egress
🔀 Switch 1 — Downstairs
192.168.50.4
Core server switch (VLAN 1)
📶 Upstairs Router + AP
192.168.50.3 · .5
LAGG uplink · dual-band SSIDs
🔀 Switch 2 — Garage
Isolated segment & Lutron hub
🟢 VLAN 1 — Trusted LAN
192.168.50.0/24
  • Full internet + full LAN access
  • All servers & admin devices
🟡 VLAN 30 — Untrusted Guest/IoT
192.168.30.0/24
  • Internet allowed · LAN blocked
  • Consoles, guests, air sensor
🟣 VLAN 40 — Isolated IoT/Cams
192.168.40.0/24
  • No internet · LAN reachable
  • Cameras, printers, Lutron
🔁 Nginx Proxy Manager — Reverse Proxy
192.168.50.55:81
🔒 Let's Encrypt SSL Public vs Local-Only routing 🧱 PiHole DNS · 192.168.50.205
🟢 VLAN 1 — Server Fleet
🏠 Core Services
192.168.50.55
Home Assistant · Vaultwarden · NPM
🗄️ App & DNS Server
192.168.50.205
Pi-hole · NextCloud · Immich
📹 Frigate NVR
192.168.50.220
Security cameras · Coral TPU
🔑 Auth & Comms
192.168.50.221
Authentik SSO · Matrix
💾 TrueNAS
192.168.50.235
ZFS · backup hub · SMB/NFS
🦊 GitLab
192.168.50.131
Self-hosted Git & CI/CD
Security Posture

VLAN Segmentation & Firewall Rules

Every device is placed on a VLAN according to how much trust it earns. Inter-VLAN traffic is denied by default and only opened where required — the core principle keeping an untrusted webcam or game console away from personal data.

🟢 Trusted — VLAN 1

192.168.50.0/24 · SSID: GoodLuck
Internet accessFull
LAN accessFull
HostsServers, admin devices
RoleInfrastructure

🟡 Untrusted — VLAN 30

192.168.30.0/24 · SSID: Unlucky
Internet accessAllowed
LAN accessBlocked
DNS exception→ PiHole only
HostsConsoles, guests, sensors

🟣 Isolated — VLAN 40

192.168.40.0/24 · Noluck / Badluck
Internet accessBlocked
LAN accessReachable inbound
HostsCameras, printers, IoT
RoleAir-gapped IoT
Edge & Access

Firewall, VPN & Secure Access

A defense-in-depth edge: one firewall to rule routing, an encrypted tunnel for remote access, SSO for identity, and DNS-level filtering for every device on the network.

🛡️

OPNsense Firewall

Network edge handling WAN gateway, NAT, VLAN routing, and default-deny inter-VLAN policy. All config is auto-backed up to NextCloud.

192.168.50.1 · admin :449
🔐

WireGuard VPN — "HomeVPN"

Encrypted remote access to the lab on 10.10.50.0/24. Outbound traffic exits via ProtonVPN by default, with a direct-WAN client profile available.

vpn.dahltzer.com:51820/UDP
🔑

Authentik — Single Sign-On

Central identity provider issuing SSO across self-hosted apps, consolidating authentication behind one hardened gateway.

192.168.50.221:9333
🧱

Pi-hole DNS & Filtering

Network-wide DNS with ad/tracker blocking, distributed to every VLAN via DHCP — including the firewall's own upstream resolution.

192.168.50.205
🔁

Nginx Proxy Manager

Single reverse-proxy ingress terminating Let's Encrypt SSL for all services and enforcing the Public vs Local-Only access boundary.

192.168.50.55:81
📈

Uptime Kuma — Monitoring

Live availability monitoring across every service, giving a single status dashboard and the first stop in any troubleshooting runbook.

uptime.dahltzer.com
Compute

Server Fleet

Six purpose-built Linux hosts, each owning a slice of the platform — from automation and identity to storage and source control. Containerized with Docker and routed through the reverse proxy.

🏠 Core Services

192.168.50.55

Home automation, security & finance hub

Home Assistant Vaultwarden — passwords Actual Budget Nginx Proxy Manager
⚙️ Home Assistant OS (HAOS)

🗄️ Application & DNS Server

192.168.50.205

Primary Docker host · network DNS · backup origin

Pi-hole DNS NextCloud — files Immich — photos BookStack Wiki / Docs Garage — S3 storage Uptime Kuma IT Tools · GoPhish
⚙️ Debian · hostname pihole

📹 Frigate NVR

192.168.50.220

Network video recorder & physical security

Frigate NVR Coral USB Edge TPU 6× isolated cameras (VLAN 40) MQTT → Home Assistant
⚙️ Local-only · 15-day retention

🔑 Authentication & Communication

192.168.50.221

Identity provider & self-hosted messaging

Authentik — SSO/IdP Matrix (Synapse) Element client
⚙️ Debian · hostname mistborn

💾 TrueNAS — Storage & Backup Hub

192.168.50.235

ZFS network-attached storage & central backup target

ZFS pool — Coppermind SMB + NFS shares Backup destination datasets Snapshots & data integrity
⚙️ TrueNAS · hostname truenas

🦊 GitLab

192.168.50.131

Self-hosted source control & CI/CD

Git repositories CI/CD pipelines Nightly backup → TrueNAS
⚙️ Ubuntu · runs backup as root
Resilience

Backup Architecture — 3-2-1 Strategy

Data flows through three tiers: live application servers replicate nightly to an on-site ZFS NAS, which in turn pushes an off-site copy to the cloud. Three copies, two media, one off-site — fully automated with cron + rclone.

STAGE 1 · SOURCE

🖥️ Application Servers

Live production data
  • App Server .205 — NextCloud, Immich, Paperless
  • Media/Auth host .221 — Docker volumes
  • GitLab .131 — repos & config
  • rclone sync via nightly cron
rclone
nightly
STAGE 2 · ON-SITE

💾 TrueNAS · ZFS

Central on-site copy
  • Pool Coppermind — SMB/NFS targets
  • Per-source datasets (Docker, Gitlab, Home)
  • ZFS snapshots & checksums
  • Redundant disk media
off-site
replication
STAGE 3 · OFF-SITE

☁️ Backblaze B2

Disaster-recovery copy
  • Encrypted off-site cloud tier
  • Survives total site loss
  • Critical app & document data
  • Completes the 3-2-1 rule
3Copies of data — live, NAS, cloud
2Distinct media — server disks & ZFS array
1Off-site copy in Backblaze B2
⏱️ Automated & observable: cron triggers /backup.sh at 3:00 AM daily · output logged to /var/log/backup.log · rotated weekly by logrotate (4 archives) · status surfaced in Uptime Kuma.