Network Architecture


A proper homelab needs proper networking. Here's my setup:


VLANs


  • VLAN 10: Management (switches, APs, IPMI)
  • VLAN 20: Kubernetes cluster
  • VLAN 30: Services (databases, storage)
  • VLAN 40: IoT and untrusted devices
  • VLAN 50: User devices

Firewall Rules


  • Default deny all inter-VLAN traffic
  • Allow specific services (DNS, NTP)
  • Kubernetes VLAN can reach Services VLAN
  • IoT devices completely isolated

External Access


Instead of port forwarding, I use:


  1. Cloudflare Tunnels: Secure inbound connections
  2. Zero Trust Access: Authentication layer
  3. NGINX Ingress: Internal routing
  4. Let's Encrypt: Automatic SSL certificates

    5. Security Layers


    1. Perimeter: Cloudflare protects against DDoS
    2. Network: Firewall rules segment traffic
    3. Application: NGINX ingress with rate limiting
    4. Container: Network policies in Kubernetes

      5. Monitoring


      • Uptime Kuma for service availability
      • Prometheus for metrics (coming soon)
      • Loki for log aggregation (planned)

      Lessons Learned


      • Start with security, not as an afterthought
      • Document everything - you'll forget why you did something
      • Test firewall rules before applying
      • Cloudflare tunnels are a game-changer for homelabs

      This network design gives me production-like experience without exposing my home network to the internet.