Homelab Journal // Network Security Engineer

Firewall

Your Firewall Baseline Should Fail Builds

Most organizations can tell you whether their firewalls are healthy. Fewer can prove every allow rule is inspected, logged, owned, and still required. The gap between those two things is where audits become painful. Multiple firewall admins, emergency changes at 2am, quarterly reviews that turn into archaeology digs, vendor access rules that were “temporary” in February and are still there in October. Nobody disabled them because nobody noticed they were still there. No alert fires when a rule that was supposed to be temporary quietly becomes permanent.
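As an added example (not code from the post or the author), the following Python check turns the "inspected, logged, owned, and still required" standard into something a build can fail on: every allow rule must carry an owner and a justification, must be logged, and must not have passed its expiry date. The rule fields, the sample rules and the as-of date are constructed for illustration.

```python
"""Added example: a firewall allow-rule baseline that exits non-zero so a
CI job fails when a rule is unowned, unlogged, unjustified, or expired."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    owner: Optional[str]        # person or team accountable for the rule
    log_end: bool               # rule logs sessions (PAN-OS "log at session end")
    expires: Optional[date]     # None means permanent by design
    justification: Optional[str]


def check_rule(rule: Rule, today: date) -> List[str]:
    """Return the baseline violations for one rule (empty list = clean)."""
    findings: List[str] = []
    if rule.action != "allow":
        return findings            # the baseline only governs allow rules
    if not rule.owner:
        findings.append(f"{rule.name}: no owner")
    if not rule.log_end:
        findings.append(f"{rule.name}: not logged")
    if not rule.justification:
        findings.append(f"{rule.name}: no justification")
    if rule.expires is not None and rule.expires < today:
        findings.append(f"{rule.name}: expired on {rule.expires.isoformat()}")
    return findings


def baseline(rules: List[Rule], today: date) -> List[str]:
    """Run every rule through check_rule and collect all findings."""
    findings: List[str] = []
    for rule in rules:
        findings.extend(check_rule(rule, today))
    return findings


# Constructed sample ruleset: one clean rule, one "temporary" vendor rule that
# was never removed, one legacy rule with no owner or logging, and a final deny.
SAMPLE_RULES = [
    Rule("allow-web-out", "allow", "netops", True, None, "Outbound HTTPS for VLAN 30"),
    Rule("vendor-temp-access", "allow", "netops", True, date(2024, 2, 28), "Vendor troubleshooting"),
    Rule("legacy-print", "allow", None, False, None, None),
    Rule("deny-all", "deny", None, False, None, None),
]

# Constructed as-of date for the sample run
AS_OF = date(2024, 10, 1)

if __name__ == "__main__":
    import sys
    problems = baseline(SAMPLE_RULES, AS_OF)
    for problem in problems:
        print(problem)
    sys.exit(1 if problems else 0)   # a non-zero exit is what fails the build
```

The expiry check is what catches the February rule that is still present in October: the rule itself looks healthy, so only a field that records when it was supposed to go away makes the drift visible.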

How I Got Every Device Named in My Firewall Logs (Without Active Directory)

TL;DR

A Python script that identifies every device on your network in PAN-OS traffic logs, without Active Directory. Combines Pi-hole DNS, UniFi Controller, and DHCP leases into one priority merge. 124 devices named on my PA-440.

Before:

    192.168.10.128 → 8.8.8.8 user: unknown
    192.168.30.240 → 1.1.1.1 user: unknown
    172.30.50.77 → 52.26.132.60 user: unknown

After:
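The priority merge the TL;DR describes, as an added example rather than the author's script: each source contributes (ip, name) pairs, higher-priority sources win, placeholder names are dropped, and the merged map is used to replace "user: unknown" in log lines of the shape shown above. The exports and log lines are constructed; a real Pi-hole, UniFi Controller or DHCP export needs its own parser in place of the inline lists.

```python
"""Added example: merge device names from several sources by priority and
enrich firewall log lines with the result."""
import re
from typing import Dict, Iterable, List, Tuple

Record = Tuple[str, str]                 # (ip, name)
Named = Dict[str, Tuple[str, str]]       # ip -> (name, source label)

# Constructed sample exports, one list per source
PIHOLE: List[Record] = [("192.168.10.128", "nas-primary"), ("192.168.30.240", "caddy-1")]
UNIFI: List[Record] = [("192.168.30.240", "caddy-primary"), ("172.30.50.77", "kitchen-plug")]
DHCP: List[Record] = [("172.30.50.77", "espressif-1a2b"), ("192.168.30.241", "unknown-lease")]

# Highest priority first; a lower source only fills gaps left by higher ones
SOURCES: List[Tuple[str, Iterable[Record]]] = [("pihole", PIHOLE), ("unifi", UNIFI), ("dhcp", DHCP)]


def merge_names(sources: Iterable[Tuple[str, Iterable[Record]]]) -> Named:
    """Return ip -> (name, source), keeping the first hit in priority order."""
    merged: Named = {}
    for label, records in sources:
        for ip, name in records:
            if not name or name.lower().startswith("unknown"):
                continue                  # placeholder names never win
            merged.setdefault(ip, (name, label))
    return merged


# Matches the log shape shown in the post: "<src> → <dst> user: <user>"
LOG_RE = re.compile(r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3}) → (?P<dst>\S+) user: (?P<user>\S+)$")


def enrich(line: str, names: Named) -> str:
    """Replace 'user: unknown' with the merged name when the source IP is known."""
    match = LOG_RE.match(line)
    if not match or match.group("user") != "unknown":
        return line
    hit = names.get(match.group("src"))
    if hit is None:
        return line                       # still unknown: nothing to substitute
    name, source = hit
    return line.replace("user: unknown", f"user: {name} ({source})")


def enrich_all(lines: Iterable[str], names: Named) -> List[str]:
    return [enrich(line, names) for line in lines]


# Constructed log lines; the last one has only a placeholder DHCP name
SAMPLE_LOG = [
    "192.168.10.128 → 8.8.8.8 user: unknown",
    "192.168.30.240 → 1.1.1.1 user: unknown",
    "172.30.50.77 → 52.26.132.60 user: unknown",
    "192.168.30.241 → 9.9.9.9 user: unknown",
]

if __name__ == "__main__":
    for line in enrich_all(SAMPLE_LOG, merge_names(SOURCES)):
        print(line)
```

Keeping the source label next to the name makes the later audit easy: a device named only from a DHCP lease is a weaker identification than one confirmed by both Pi-hole and the UniFi Controller.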

Security

Enterprise security principles applied to a homelab. This wiki covers the layered security architecture: from next-gen firewall policies to XDR threat detection to certificate lifecycle automation.

Firewall Architecture

The Palo Alto Networks PA-440 provides the network security foundation with App-ID, zone-based policies, and centralized logging. Full details in the Networking wiki, including security zones, VLAN trust levels, and DNS proxy configuration.

Networking

My homelab network is segmented into 5 VLANs with a multi-tier DNS architecture and high-availability reverse proxy. This wiki covers the design decisions and implementation details.

Complete Network Topology

[Diagram: Homelab Network Topology (5 VLANs · PA-440 NGFW · HA DNS · HA Reverse Proxy). Panels and labels recovered from the figure:]

    INTERNET: ISP Gateway; Cloudflare CDN + WAF + Access
    SECURITY EDGE: PA-440 Next-Gen Firewall (App-ID, DNS Proxy, DHCP, NAT, zone security); CF Tunnel Agent (zero-trust tunnel)
    NETWORK FABRIC: UniFi Gateway (inter-VLAN routing); USW-24 managed 24-port PoE switch; U6-LR and U6-Pro WiFi 6 APs; TP-Link switch (authenticated trunk)
    VLAN 10 · MANAGEMENT (192.168.10.0/24): NAS-Primary DS920+ (4-bay, NFS/iSCSI); NAS-Secondary DS719 (2-bay backup target); DNS HA: DNS-Primary Pi-hole (priority 200) and DNS-Secondary Pi-hole (priority 100) behind a keepalived VRRP VIP at .110; TinyPilot KVM and GL KVM remote consoles; FW Management (out-of-band); TP-Link managed uplink switch
    VLAN 30 · SERVERS & SERVICES (192.168.30.0/24): Proxmox VE cluster (Node-2 and Node-5 LVM-thin mini PCs, Node-3 ZFS primary API, Node-6 ZFS mini PC); PBS backup server (NFS to NAS); Caddy reverse proxy HA (primary at VIP .161, hot-standby backup); monitoring and logging (Graylog SIEM/log server, Wazuh XDR with FIM, vulnerability and CIS checks, Uptime Kuma ×2, Prometheus + Grafana, Pi.Alert network scanner, MySpeed speed tracker); automation and workflows (n8n, Semaphore Ansible CI/CD, Portainer, UniFi Controller); application services (Vaultwarden, Home Assistant, Homarr, Infisical, NetBox IPAM); security and VPN (WireGuard VPN server, Panorama FW management, PAN-OS lab VM firewalls ×5, AI assistants Claude · Gilfoyle); 40+ LXCs
    VLAN 20 · AI / DEV (192.168.20.0/24): OpenClaw AI agent on a MacBook Pro M4 Max (48 GB) running Ollama LLM inference
    VLAN 40 · ISOLATED (172.30.40.0/24): DNS-40 standalone Pi-hole; isolated services with restricted access; no cross-VLAN access
    VLAN 50 · IoT (172.30.50.0/24): DNS-50 standalone Pi-hole; smart devices (IoT, home automation); fully isolated network
    VLAN 254 · FW MGMT (10.254.254.0/24): PAN-OS out-of-band management interfaces
    EXTERNAL ACCESS PATHS: Cloudflare Tunnel (zero-trust) for Vaultwarden, WireGuard, TinyPilot, Emby, OpenSpeed Test, KASM; Caddy HA (internal TLS) with a *.loc.domain.com wildcard cert via DNS-01 for all internal services; direct access (management only) for Proxmox UI, NAS DSM, Pi-hole

VLAN Design

    VLAN  Subnet            Purpose              Key Services               Security Level
    10    192.168.10.0/24   Management & Core    NAS, DNS HA, KVM devices   🔒 High
    30    192.168.30.0/24   Server Network       Proxmox, Docker, Apps      ⚙️ Medium
    40    172.30.40.0/24    Isolated Services    Restricted access          🔸 Low
    50    172.30.50.0/24    IoT Devices          Smart home                 📱 Minimal
    254   10.254.254.0/24   Firewall Management  Out-of-band mgmt           🔐 Critical

Design principle: Servers (VLAN 30) can reach management (VLAN 10), but management devices are protected from server-initiated connections. IoT devices are fully isolated; they cannot initiate connections to any other VLAN.
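The design principle above can be written down as invariants and checked against a candidate inter-VLAN policy before it is pushed. The following is an added example, not code from the wiki: the VLAN ids and the trust ordering come from the table, the isolation rules for VLANs 40 and 50 come from the stated principle, and the candidate policy entries are constructed. It generalizes the text slightly by treating any lower-trust VLAN initiating to a higher-trust VLAN as a finding unless that pair is listed as a deliberate exception (the wiki's servers-to-management allowance is modelled as such an exception).

```python
"""Added example: check explicit inter-VLAN allow flows against the
segmentation invariants of the VLAN design table."""
from typing import Iterable, List, Set, Tuple

# Trust rank per VLAN from the Security Level column (higher = more trusted)
TRUST = {254: 4, 10: 3, 30: 2, 40: 1, 50: 0}

# Isolated services (40) and IoT (50) never initiate cross-VLAN connections
FULLY_ISOLATED = {40, 50}

Flow = Tuple[int, int]      # (source VLAN, destination VLAN)


def violations(allowed: Iterable[Flow], exceptions: Set[Flow] = frozenset()) -> List[str]:
    """Return one message per allowed flow that breaks the segmentation model."""
    out: List[str] = []
    for src, dst in allowed:
        if src == dst:
            continue                       # intra-VLAN traffic is out of scope here
        if src not in TRUST or dst not in TRUST:
            out.append(f"{src}->{dst}: unknown VLAN")
            continue
        if src in FULLY_ISOLATED:
            out.append(f"{src}->{dst}: VLAN {src} must not initiate cross-VLAN connections")
        elif TRUST[src] < TRUST[dst] and (src, dst) not in exceptions:
            out.append(f"{src}->{dst}: lower-trust VLAN initiating to higher-trust VLAN")
    return out


# Constructed candidate policy: allow flows as they might be extracted from a
# rulebase, including two that break isolation, one unexpected reach into the
# firewall management VLAN, and one typo'd VLAN id.
CANDIDATE: List[Flow] = [(10, 30), (30, 10), (30, 30), (50, 30), (40, 10), (30, 254), (99, 10)]

# The wiki states servers (30) may reach management (10): record it as the one
# deliberate exception to the trust ordering so the checker does not flag it.
EXCEPTIONS: Set[Flow] = {(30, 10)}

if __name__ == "__main__":
    import sys
    found = violations(CANDIDATE, EXCEPTIONS)
    for finding in found:
        print(finding)
    sys.exit(1 if found else 0)
```

Listing exceptions explicitly is the point: every deliberate cross-trust allowance is visible in one place, so a review can ask whether each one is still required rather than rediscovering it in the rulebase.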