Check out Twingate and supercharge your security: https://bit.ly/3Y1OaZi
In this video, I guide you through structuring your HomeLab network for better security, scalability, and ease of management. Whether you’re just starting or looking to optimize an existing setup, you’ll find practical examples and tips on network topology, segmentation, VLANs, and IP range management to build a robust and well-organized network.
## References
- Excalidraw Tutorial: https://youtu.be/Gv9MezPAchI?si=2T1f9uC9gnN7adAe
- OPNSense Tutorial: https://youtu.be/BsNmzHcK2r4?si=knBhBIAPL69_EuRT
- Twingate Tutorial: https://youtu.be/iKq15WXdN88?si=2Lt90UvRYASkyjVP
- BIND9 DNS Tutorial: https://www.youtube.com/watch?v=syzwLwE3Xq4
## Notes
### Network Diagram Best Practices
Documenting your network structure is crucial for understanding your setup, identifying security gaps, and planning future expansions. Tools like Excalidraw are highly recommended for this. Start simple and incrementally improve your diagram as your HomeLab grows.
### Network Zones and Segmentation
Network Zones are logical groupings of network interfaces or devices. They are fundamental for applying specific security policies, configurations, and access controls within your HomeLab.
Here’s my HomeLab Zone Configuration:
| Zone Name | Purpose / Description | Subnet |
|---|---|---|
WAN | Wide Area Network; represents the connection to the public internet through my home router. | 192.168.81.0/24 |
LAN | Local Area Network; my primary private network for general devices. | 10.10.0.0/16 |
PROD | Production Zone; dedicated to my critical HomeLab servers and services. | 10.20.0.0/16 |
DMZ | Demilitarized Zone; for publicly accessible servers, isolated from my internal network for enhanced security. | 10.30.0.0/16 |
Tip: You can use the `ipcalc` command-line utility to understand subnet ranges and available host addresses:

```bash
ipcalc 192.168.81.0/24
# The /24 (CIDR notation) means the first 24 bits of the IP address
# are used for the network portion, leaving 8 bits for host addresses.
# This results in 254 usable host addresses (192.168.81.1 to 192.168.81.254);
# 192.168.81.0 is the network address and 192.168.81.255 the broadcast address.
ipcalc 10.20.0.0/16
# The /16 (CIDR notation) means the first 16 bits are for the network,
# leaving 16 bits for hosts: 65534 usable addresses (10.20.0.1 to 10.20.255.254).
```
### VLANs (Virtual Local Area Networks)
VLANs enable you to segment a single physical switch into multiple virtual switches, saving hardware costs and enhancing network security by isolating traffic. Devices on Untagged Ports in different VLANs cannot directly communicate with each other; traffic must pass through a router or firewall.
- Untagged Ports: These ports are assigned to a single VLAN. Network packets are sent normally, and devices connected to these ports can only communicate with other devices in the same VLAN.
- Tagged Ports: These ports carry traffic for multiple VLANs (often called “trunk ports”). An 802.1Q tag containing a 12-bit VLAN Identifier is inserted into each Ethernet frame, allowing the receiving device (e.g., a firewall or another switch) to identify which VLAN the frame belongs to.
### DHCP and IP Range Management
The Dynamic Host Configuration Protocol (DHCP) automatically assigns IP addresses and other network configuration parameters to devices.
Common Problem: IP address conflicts can occur if a DHCP server assigns an address that is already statically assigned to another device, especially if the static IP device was offline during the DHCP assignment.

Best Practice: To avoid conflicts and improve organization, always create separate IP ranges within your subnets for DHCP-assigned addresses and static IP addresses.
Example for a /24 subnet (e.g., 192.168.0.0/24):
- Static IP Range: 192.168.0.1-20 (for servers, network devices, etc.)
- DHCP Pool: 192.168.0.21-199 (for client devices, temporary connections)
Static DHCP Mappings: For devices that need a consistent IP but you prefer to manage through DHCP (e.g., a specific desktop), you can create a static DHCP mapping. This assigns a specific IP address to a device’s unique MAC address, ensuring it always receives the same IP from the DHCP server, outside the regular dynamic pool.
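As an added example (not from the video or the author's notes), the following Python script checks an address plan like the one described in this section and the zone table above: zone subnets must not overlap, the static range and DHCP pool must be disjoint and lie inside their subnet, and static DHCP mappings must sit outside the dynamic pool. The `ZONES` dictionary mirrors the page's zone table; the sample MAC addresses are constructed.

```python
import ipaddress

# Zone subnets taken from the zone table above (WAN is the upstream home-router subnet).
ZONES = {
    "WAN": "192.168.81.0/24",
    "LAN": "10.10.0.0/16",
    "PROD": "10.20.0.0/16",
    "DMZ": "10.30.0.0/16",
}


def usable_hosts(cidr: str) -> int:
    """Usable host addresses in a subnet, as ipcalc reports: network and broadcast excluded."""
    net = ipaddress.ip_network(cidr, strict=True)
    return max(net.num_addresses - 2, 0)


def overlapping_zones(zones: dict) -> list:
    """Return name pairs whose subnets overlap; overlapping zones make routing and firewall rules ambiguous."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in zones.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:] if nets[a].overlaps(nets[b])]


def check_ip_plan(subnet: str, static_range: tuple, dhcp_pool: tuple, mappings: dict) -> list:
    """Validate one subnet's plan; returns a list of problems (empty list means the plan is consistent)."""
    net = ipaddress.ip_network(subnet)
    s_lo, s_hi = (ipaddress.ip_address(a) for a in static_range)
    d_lo, d_hi = (ipaddress.ip_address(a) for a in dhcp_pool)
    problems = []
    for label, lo, hi in (("static range", s_lo, s_hi), ("DHCP pool", d_lo, d_hi)):
        if lo > hi:
            problems.append(f"{label} start {lo} is after its end {hi}")
        if lo not in net or hi not in net:
            problems.append(f"{label} {lo}-{hi} is not inside {net}")
        if lo == net.network_address or hi == net.broadcast_address:
            problems.append(f"{label} includes the network or broadcast address of {net}")
    # The two ranges must never overlap, otherwise DHCP can hand out a statically used address.
    if s_lo <= d_hi and d_lo <= s_hi:
        problems.append(f"static range {s_lo}-{s_hi} overlaps DHCP pool {d_lo}-{d_hi}")
    # Static DHCP mappings (MAC -> IP) belong outside the dynamic pool.
    for mac, ip in mappings.items():
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            problems.append(f"mapping {mac} -> {ip} is outside {net}")
        elif d_lo <= addr <= d_hi:
            problems.append(f"mapping {mac} -> {ip} lies inside the DHCP pool")
    return problems


if __name__ == "__main__":
    print("overlapping zones:", overlapping_zones(ZONES))
    print(check_ip_plan("192.168.0.0/24", ("192.168.0.1", "192.168.0.20"),
                        ("192.168.0.21", "192.168.0.199"), {"aa:bb:cc:00:00:01": "192.168.0.10"}))
```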