welcome @ homelan.eu

You have just reached my homelan, which serves as both my daily professional workspace and my dedicated IT lab for experimentation.

I am a seasoned IT professional with over 30 years of experience, specializing in Windows network administration, infrastructure security, and an ever-expanding expertise in Linux environments.

My homelan is built on (amongst others):

HPE MicroServer

Small Form Factor Compute

The HPE MicroServer Gen10 Plus, equipped with an Intel Xeon E-2224 and 48GB of ECC RAM, is the primary host for my virtualization environment. It features four integrated Gigabit interfaces and a dedicated iLO port for remote management. This compact server is specifically chosen for its excellent balance between performance and low power consumption, making it an ideal choice for a 24/7 homelab environment where reliability and energy efficiency are equally important.

Proxmox VE

Virtualization Backbone

Proxmox Virtual Environment serves as the central nervous system of my server infrastructure, managing a diverse array of virtual machines and containers. It leverages the power of ZFS for high-performance, resilient storage, utilizing dual enterprise-grade Kingston DC500M SSDs in a mirrored RAID configuration. This setup ensures maximum data integrity and uptime, providing a stable and scalable platform for hosting all critical services while allowing for rapid snapshots and seamless resource management across the entire lab.

Sophos Firewall

Sophos Firewall Security

I run Sophos Firewall Home Edition as a virtual machine on a dedicated mini-PC equipped with four 2.5Gbps network interfaces. This hardware-focused virtualization ensures enterprise-grade security, including IPS and deep packet inspection, without compromising performance. With throughput speeds exceeding 900Mbps on my gigabit fiber connection, it provides a powerful, low-latency security gateway that orchestrates all traffic between my internal VLANs and the wide area network.

Synology NAS

Synology Central Storage

My Synology DS920+ serves as the central storage backbone, managing critical backups for my Microsoft 365 environment and Proxmox virtual machines. It utilizes an automated offsite backup exchange with a remote NAS to ensure data redundancy, while immutable snapshots provide a robust defense against ransomware. This centralized approach guarantees high data integrity and rapid recovery capabilities, serving as a reliable foundation for all persistent data within the homelan.

Netgear Switching

Core Network Segmentation

My network core, powered by smart-managed Netgear switching, orchestrates a robust VLAN architecture to ensure strict traffic isolation. This multi-switch fabric manages dedicated segments for Management, Work, and Private traffic, alongside isolated zones for IoT, Guest, and DMZ networks. By enforcing these granular security boundaries at the hardware level, I maintain a professional-grade infrastructure that balances high-speed connectivity with rigorous access control.

Traefik

Edge Routing & Security

Traefik acts as the advanced edge router and reverse proxy for my infrastructure, orchestrating traffic with a focus on high performance and security. It integrates sophisticated middleware stacks, including GeoIP blocking and CrowdSec, to provide real-time threat intelligence and automated IP bouncers. By combining these layers with a dedicated Identity Provider (IdP), I ensure that every service is protected by a robust, multi-layered defense system against unauthorized access and malicious traffic.

AdGuard Home

Network-wide DNS Control

AdGuard Home acts as a high-performance DNS sinkhole, providing network-wide protection by intercepting ads and tracking telemetry at the source. My deployment utilizes redundant containers across different VLANs to ensure high availability and seamless filtering. This setup secures internal name resolution while significantly reducing bandwidth overhead and the overall attack surface for all connected devices.

Windows Server

Windows Server Infrastructure

My environment includes a dedicated segment for Windows Server 2025, facilitating advanced management of Windows-based workloads. This infrastructure provides a robust platform for directory services and automated deployment strategies, ensuring a seamless integration between Linux and Windows environments.

Cloudflare

Cloudflare Edge & DNS

By utilizing Cloudflare Tunnels, I have eliminated the need for open inbound ports, creating a secure bridge between my DMZ and the global edge network. This setup is complemented by automated DNS management via Cloudflare APIs, allowing for dynamic record updates and seamless integration with my internal services. This multi-layered approach ensures high availability while maintaining a zero-trust security posture for all public-facing endpoints.

Docker

Docker Containerization

A significant portion of my lab services is powered by Docker. Using a wide array of stacks and containers, I host essential applications such as Traefik, AdGuard Home, Nextcloud, and Immich. This containerized approach ensures high portability, easy maintenance, and efficient resource allocation across my entire infrastructure.

Immich

Immich Photo Hosting

Immich serves as a high-performance, self-hosted backup solution for my photos and videos. It is a feature-rich alternative to Google Photos, offering seamless mobile syncing and powerful AI-driven organization. By hosting it within my own infrastructure, I maintain full ownership and privacy of my personal media library without relying on third-party cloud providers.

Nextcloud

Nextcloud Hub

Nextcloud serves as the primary collaboration platform within my homelan. It provides secure file hosting, calendar synchronization, and contact management, all while keeping data strictly on-premises. By integrating various office productivity tools, it offers a powerful, self-hosted alternative to mainstream cloud suites, ensuring complete digital sovereignty.

Paperless-ngx

Paperless-ngx is the heart of my digital archive, transforming physical documents into a searchable online database. It utilizes advanced OCR technology to index every file, making document retrieval nearly instantaneous. This stack is essential for maintaining a clutter-free, paperless environment while ensuring all important records are backed up and easily accessible.

phpIPAM

phpIPAM Management

To maintain a professional overview of my infrastructure, I utilize phpIPAM for centralized IP address management. This tool allows me to meticulously document every subnet, VLAN, and individual IP assignment within my network. It serves as the single source of truth for my complex network topology, ensuring that my documentation always stays in sync with my actual lab environment.

UniFi

UniFi WiFi

For seamless wireless connectivity, I host a dedicated UniFi Network Application. This controller provides a centralized interface to manage and monitor my various UniFi Access Points. It allows for advanced configuration of SSIDs, VLAN tagging for wireless networks, and real-time analytics of client traffic, ensuring optimal WiFi performance throughout the entire premises.

Gitea

Gitea Git Service

Gitea serves as the central version control system for my local projects and infrastructure-as-code scripts. It offers a lightweight, high-performance Git experience similar to GitHub, but hosted entirely within my own network. This ensures full ownership of my repositories and integrated documentation, while maintaining maximum privacy and control over my source code.