You have just reached my homelan, which consists not just of my normal
everyday (home)working environment, but also my IT lab (play) environment.
I am a die-hard IT guy with more than 25 years of experience, primarily
in administering Windows networks and network devices such as routers,
firewalls and switches, and with increasing knowledge of Linux.
My homelan is built on (amongst others):
The HP Enterprise MicroServer Gen10 Plus with an Intel Xeon-2224
processor and currently 48GB of ECC-RAM serves as an important link
in my homelan.
Equipped with 4 Gigabit network interfaces and a separate
ILO-interface this is the perfect small (and energy-efficient)
server to do some serious virtualization.
Proxmox Virtual Environment is the virtualization platform running
on my HPE MicroServer. Proxmox VE is an open source server
virtualization management solution based on QEMU/KVM and LXC. It can
create virtual machines as well as Linux Containers and it is free
to use for home users.
It can handle ZFS for a reliable and very fast storage solution,
especially with 2 (Data Center grade) Kingston DC500M 960 GB SATA
drives operating in ZFS RAID.
Another great product that is free to use in a home environment is
the Sophos XG Firewall Home Edition.
This is a fully equipped software version of the Sophos XG firewall
with full protection including anti-malware, web security, URL
filtering, application control, IPS, VPN and more.
I am running this as a virtual machine on Proxmox on the HPE
MicroServer and it is capable of delivering speeds of over 800Mbps
using speedtest.net with just about all features switched on. That
is without using IOMMU (Intel VT-d) to pass the physical NICs/processors
through from the server to the virtual firewall.
A Synology DS920+ NAS serves my homelan with the necessary
storage capacity to store all my data as well as backups from my
Proxmox virtual machines, my Microsoft365 environment, my personal
Onedrive data and of course the computers in my home.
Besides my own data, this NAS also stores encrypted offsite backups
of my parents' NAS while encrypted copies of my backups are stored
offsite at the NAS at their location.
As a first defense against possible ransomware attacks, the NAS makes
regular snapshots that can be restored really quickly.
The central switch in my homelan is this 'smart-managed' Netgear
GS324TP gigabit switch with Power over Ethernet and capable of
handling all my VLAN needs. VLANs in use are:
management;
guest;
IoT;
home-network;
work-network;
DMZ
One of the Docker containers in my environment runs the Traefik
reverse proxy. Traefik is a reverse proxy that centrally manages
access to all my available sites.
Traefik supports several middlewares to enhance its functionality.
Some of the middlewares I use are GeoIP blocking, CrowdSec (an open-source
and collaborative cybersecurity solution) and an Identity Provider (IdP)
to protect access to my resources and to make sure my security always
uses a layered approach.
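The layered setup described above, written out as a Traefik v2 dynamic configuration (file provider). This is an added example, not the site's own configuration: the hostnames, container names, subnets and the IdP endpoint are assumptions. GeoIP blocking and CrowdSec are Traefik plugins whose option names depend on the plugin, so the built-in source-IP filter stands in for that layer to show where it sits in the chain.

```yaml
# Traefik v2 dynamic configuration (file provider), added example.
# Hostnames, container names, subnets and ports are assumptions, not taken from the page.
http:
  routers:
    notes:
      rule: "Host(`notes.example.com`)"        # assumed hostname
      entryPoints:
        - websecure
      middlewares:
        - layered-security                     # one chain applied to every exposed site
      service: notes-svc
      tls:
        certResolver: letsencrypt              # assumed resolver name

  middlewares:
    # The chain runs its members in order: cheap network-level checks first,
    # the authentication round-trip to the IdP last.
    layered-security:
      chain:
        middlewares:
          - allowed-sources
          - idp-auth

    # Stand-in for the GeoIP/CrowdSec layer. Both are plugins with their own
    # option names, so the built-in source-IP filter is used here to show
    # where a request-origin check belongs in the chain.
    allowed-sources:
      ipWhiteList:                             # renamed ipAllowList in Traefik v3
        sourceRange:
          - "10.10.30.0/24"                    # assumed DMZ subnet
          - "192.168.10.0/24"                  # assumed home-network VLAN

    # Identity Provider check: each request is forwarded to the IdP first;
    # a 2xx reply lets it through, any other status is returned to the client.
    idp-auth:
      forwardAuth:
        address: "http://idp:9091/api/verify?rd=https://auth.example.com"  # assumed IdP endpoint
        trustForwardHeader: true
        authResponseHeaders:
          - Remote-User
          - Remote-Groups

  services:
    notes-svc:
      loadBalancer:
        servers:
          - url: "http://notes:8080"           # assumed upstream container
```

Ordering matters in the chain: a request rejected by the source-IP (or GeoIP/CrowdSec) layer never costs a round-trip to the IdP. When requests reach Traefik through a proxy or tunnel connector, the IP-based middleware sees the connector's address unless the `websecure` entryPoint is configured with `forwardedHeaders.trustedIPs` for that connector, and the middleware's `ipStrategy` is set to read the forwarded client address.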
Another Docker container (or actually 3 containers in several VLANs)
is running AdGuard Home DNS.
AdGuard is a network-level advertisement and internet tracker
blocking application acting as a DNS sinkhole.
Its main purpose is to remove as many ads as possible while browsing
the internet from every device inside my house.
Of course I also have a couple of (evaluation) versions of Windows
Server 2019 installed in my homelan, all running as a virtual
machine in Proxmox on the HPE MicroServer.
This environment is my playground in which I can make changes as
much as I like and keep my knowledge at a high level without
breaking anything in a production environment.
Currently I am running
1 domain controller;
1 Windows Deployment Server;
Cloudflare is not just the DNS resolver for all DNS names that
Pi-hole allows, but I also use Cloudflare as a (free)
DNS-provider for most of the domain names I own.
Cloudflare cooperates nicely with Let's Encrypt and is capable of
automatically renewing wildcard SSL certificates. Cloudflare can
also act as a proxy between a domain name and the physical
IP-address (location) where a server is hosted, making websites
running from my home environment reachable on multiple public IPv4
and IPv6 addresses.
And best of all is that Cloudflare supports creating a tunnel between
their and my network, eliminating the need to forward ports on my
firewall from my public IP-address.
The tunnel is set up from a DMZ zone in my firewall and only allows
traffic from this zone to my Traefik reverse proxy, creating an additional
layer of security.
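What the tunnel-to-Traefik path above looks like on the connector side, as an added example and not the site's own configuration: a `cloudflared` ingress file on the DMZ host. The tunnel ID is a placeholder, and the public hostname and the Traefik address inside the DMZ are assumptions.

```yaml
# cloudflared tunnel configuration (config.yml on the DMZ connector host),
# added example. Tunnel ID, hostname and Traefik address are assumptions.
tunnel: TUNNEL-UUID-PLACEHOLDER
credentials-file: /etc/cloudflared/TUNNEL-UUID-PLACEHOLDER.json

# Ingress rules are evaluated top to bottom. Every public hostname maps to
# the single Traefik instance; nothing else on the LAN is addressable
# through the tunnel, so no inbound port has to be opened on the firewall.
ingress:
  - hostname: notes.example.com                # assumed public hostname
    service: https://traefik.dmz.internal:443  # assumed Traefik address in the DMZ VLAN
    originRequest:
      originServerName: notes.example.com      # SNI sent to Traefik so it selects the right certificate
      noTLSVerify: false                       # keep certificate validation on the DMZ -> Traefik hop
  # Catch-all: a request for any hostname not listed above is answered
  # by cloudflared itself and never reaches the home network.
  - service: http_status:404
```

The firewall rule described in the text completes the picture: the only flow permitted out of the DMZ zone is from the connector host to the Traefik address on port 443, so a compromise of the connector still cannot reach other VLANs directly. Keeping `noTLSVerify` at `false` means the hop inside the DMZ is also authenticated, not just the public leg to Cloudflare.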