
Networking

Network Architecture

My homelab network is segmented into 5 VLANs with a multi-tier DNS architecture and high-availability reverse proxy. This wiki covers the design decisions and implementation details.

Complete Network Topology

[Diagram: Homelab Network Topology. 5 VLANs · PA-440 NGFW · HA DNS · HA Reverse Proxy. Panels: Internet (ISP gateway; Cloudflare CDN + WAF + Access); Security edge (PA-440 NGFW with App-ID, DNS proxy, DHCP, NAT and zone security; Cloudflare Tunnel agent for zero-trust access); Network fabric (UniFi gateway for inter-VLAN routing, USW-24 PoE switch, U6-LR and U6-Pro WiFi 6 APs, TP-Link switch on an authenticated trunk); VLAN 10 Management 192.168.10.0/24 (NAS-Primary DS920+ and NAS-Secondary DS719, Pi-hole HA pair with keepalived VRRP and VIP .110, TinyPilot and GL KVMs, out-of-band firewall management, uplink switch); VLAN 30 Servers & Services 192.168.30.0/24 (Proxmox VE cluster nodes 2, 3, 5, 6 and PBS; Caddy HA pair with VIP .161; Graylog, Wazuh, Uptime Kuma, Prometheus + Grafana, Pi.Alert, MySpeed; n8n, Semaphore, Portainer, UniFi Controller; Vaultwarden, Home Assistant, Homarr, Infisical, NetBox; WireGuard, Panorama, PAN-OS lab firewalls, AI assistants; 40+ LXCs); VLAN 20 AI/Dev 192.168.20.0/24 (MacBook Pro M4 Max running Ollama); VLAN 40 Isolated 172.30.40.0/24 and VLAN 50 IoT 172.30.50.0/24 (each with a standalone Pi-hole, no cross-VLAN access); VLAN 254 FW Management 10.254.254.0/24 (PAN-OS out-of-band management interfaces). Legend: physical connection, virtual/tunnel, VIP = HA virtual IP (VRRP).]

[Diagram inset: External access paths. Cloudflare Tunnel (zero-trust): Vaultwarden, WireGuard, TinyPilot, Emby, OpenSpeedTest, KASM. Caddy HA (internal TLS): *.loc.domain.com wildcard cert, all internal services via DNS-01. Direct (management only): Proxmox UI, NAS DSM, Pi-hole.]

VLAN Design

| VLAN | Subnet          | Purpose             | Key Services             | Security Level |
|------|-----------------|---------------------|--------------------------|----------------|
| 10   | 192.168.10.0/24 | Management & Core   | NAS, DNS HA, KVM devices | 🔒 High        |
| 30   | 192.168.30.0/24 | Server Network      | Proxmox, Docker, Apps    | ⚙️ Medium      |
| 40   | 172.30.40.0/24  | Isolated Services   | Restricted access        | 🔸 Low         |
| 50   | 172.30.50.0/24  | IoT Devices         | Smart home               | 📱 Minimal     |
| 254  | 10.254.254.0/24 | Firewall Management | Out-of-band mgmt         | 🔐 Critical    |

Design principle: Servers (VLAN 30) can reach management (VLAN 10), but management devices are protected from server-initiated connections. IoT devices are fully isolated—they cannot initiate connections to any other VLAN.

DNS Architecture

Multi-Tier Design

The DNS stack uses a three-tier architecture for performance, redundancy, and ad-blocking:

[Diagram: DNS three-tier architecture with firewall proxy, Pi-hole HA, and Cloudflare upstream]

DNS Performance Tiers

| Query Type                 | Response Time | Path                        |
|----------------------------|---------------|-----------------------------|
| 🚀 Firewall static entry   | <5ms          | Direct from PA-440 cache    |
| ⚡ Firewall cached          | <10ms         | PA-440 → cached response    |
| 💨 Pi-hole cached          | 10-30ms       | PA-440 → Pi-hole → cached   |
| 🌐 Uncached (full lookup)  | 50-150ms      | Full DNS resolution chain   |

Layer 1: Firewall DNS Proxy

The Palo Alto firewall provides the first DNS layer:

| Feature          | Benefit                                            |
|------------------|----------------------------------------------------|
| Caching          | Sub-10ms response for repeated queries             |
| Static Entries   | Core infrastructure resolves instantly (<5ms)      |
| Domain Routing   | Local domains → Pi-hole, external → Cloudflare     |
| DHCP Integration | All VLANs receive the firewall as their DNS server |

Static entries include Proxmox nodes, NAS devices, and firewall interfaces—services that must resolve even if Pi-hole is down.

Layer 2: Pi-hole HA

Two Pi-hole instances with automatic failover:

| Component  | Description                                    |
|------------|------------------------------------------------|
| Primary    | Priority 200, handles all queries normally     |
| Secondary  | Priority 100, takes over on primary failure    |
| Virtual IP | Floating IP that the firewall DNS proxy targets |
| Technology | keepalived (VRRP)                              |

Failover timing:

  • Health check interval: 5 seconds
  • Failures before failover: 3 consecutive
  • Recovery Time Objective: ~15 seconds

Health checks verify:

  1. FTL service is running
  2. Port 53 is listening
  3. DNS queries resolve (tests dns.google, cloudflare)
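The three checks above as a keepalived `vrrp_script` check for one Pi-hole node, written here as an added example (not the wiki's own script); it also builds in the multi-target fallback from Lesson 4 below, so one slow upstream does not fail the node. Assumed: the systemd unit is named pihole-FTL, Pi-hole listens on 127.0.0.1:53, and keepalived calls the script with `interval 5` and `fall 3` (the wiki's 5 s / 3 failures).

```python
"""keepalived vrrp_script check for one Pi-hole node (exit 0 = healthy, 1 = unhealthy): the three
checks listed above, with the resolve check trying several targets so one slow upstream cannot
fail the node. Assumes systemd unit pihole-FTL and Pi-hole on 127.0.0.1:53."""
import socket, struct, subprocess, sys

TARGETS = ("dns.google", "one.one.one.one")  # fallback list: any one resolving is enough
PIHOLE, TIMEOUT, TXID = ("127.0.0.1", 53), 2.0, 0x1234

def build_query(name: str, txid: int = TXID) -> bytes:
    """Minimal DNS A/IN query with RD set (no EDNS) for the given name."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def answered(reply: bytes, txid: int = TXID) -> bool:
    """True when the reply matches our id, is a response, has RCODE NOERROR and >= 1 answer."""
    if len(reply) < 12:
        return False
    rid, flags, _qd, ancount = struct.unpack("!HHHH", reply[:8])
    return rid == txid and bool(flags & 0x8000) and (flags & 0x000F) == 0 and ancount > 0

def resolve_ok(name: str, server=PIHOLE, timeout: float = TIMEOUT) -> bool:
    """Send one UDP query to the local Pi-hole and judge the reply; a timeout is a failure."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name), server)
            return answered(sock.recv(512))
        except OSError:
            return False

def ftl_running() -> bool:  # check 1: FTL service is running
    try:
        return subprocess.run(["systemctl", "is-active", "--quiet", "pihole-FTL"]).returncode == 0
    except OSError:  # systemctl missing: treat as unhealthy
        return False

def port53_listening(host: str = "127.0.0.1") -> bool:  # check 2: port 53 is listening (TCP probe)
    try:
        socket.create_connection((host, 53), timeout=TIMEOUT).close()
        return True
    except OSError:
        return False

def any_resolves(targets, resolver=resolve_ok) -> bool:  # check 3, with fallback targets
    return any(resolver(t) for t in targets)
def healthy(ftl=ftl_running, port=port53_listening, resolver=resolve_ok, targets=TARGETS) -> bool:
    return ftl() and port() and any_resolves(targets, resolver)  # probes injectable for testing
if __name__ == "__main__":
    sys.exit(0 if healthy() else 1)
```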

Layer 3: Upstream DNS

Pi-hole forwards to Cloudflare for external resolution:

  • Primary: Firewall (which uses Cloudflare)
  • Fallback: Direct to Cloudflare 1.1.1.2

High-Availability Architecture

Three critical services run as HA pairs using keepalived VRRP:

[Diagram: Three HA pairs, DNS, Reverse Proxy, and NFS, with VRRP failover]

| Service       | Primary   | Secondary | VIP  | VRRP ID | Failover Time |
|---------------|-----------|-----------|------|---------|---------------|
| DNS           | Pi-hole 1 | Pi-hole 2 | .110 | 55      | ~15 seconds   |
| Reverse Proxy | Caddy 1   | Caddy 2   | .161 | 61      | ~10 seconds   |
| Cert Storage  | NFS 1     | NFS 2     | .165 | 65      | ~10 seconds   |

Key settings:

  • Preemption: Enabled (primary reclaims VIP on recovery)
  • Notifications: Discord webhooks on state changes
  • Health checks: Service-specific validation before accepting traffic
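The settings above expressed as the keepalived configuration for the DNS primary node, added here as an example (not the wiki's own file). Assumed: interface eth0, VIP 192.168.10.110 (VLAN 10 plus the .110 from the table), the check and notify script paths, and `rise 2`; the VRRP IDs 55, 61 and 65 are the wiki's.

```conf
# /etc/keepalived/keepalived.conf on DNS-Primary (Pi-hole 1); the secondary differs only
# in state BACKUP and priority 100. Script paths, eth0, VIP and rise are assumptions.
global_defs {
    enable_script_security
    script_user root
}

vrrp_script chk_pihole {
    script "/usr/local/bin/pihole-check.py"   # exit 0 = healthy, 1 = unhealthy (assumed path)
    interval 5                                 # health check interval: 5 seconds
    fall 3                                     # 3 consecutive failures before the node is marked down
    rise 2                                     # assumed: 2 consecutive successes before it is healthy again
    timeout 4
}

vrrp_instance VI_DNS {
    state MASTER
    interface eth0
    # Every HA pair on the segment needs its own ID: DNS 55, Caddy 61, NFS 65.
    # Reusing 55 for NFS made the two pairs exchange adverts and broke each other's failover.
    virtual_router_id 55
    priority 200                 # secondary: 100
    advert_int 1
    # Preemption is keepalived's default: the primary reclaims the VIP when it recovers.
    # Do not add "nopreempt" here.
    virtual_ipaddress {
        192.168.10.110/24 dev eth0
    }
    track_script {
        chk_pihole               # the VIP moves only while the service-specific check passes
    }
    # Called as: vrrp-notify.sh INSTANCE VI_DNS <MASTER|BACKUP|FAULT> <priority>;
    # the script (assumed) posts the state change to the Discord webhook.
    notify "/usr/local/bin/vrrp-notify.sh"
}
```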

Reverse Proxy Architecture

Dual-Proxy Design

[Diagram: Dual-proxy design with Cloudflare Tunnel and Caddy HA paths]

| Proxy             | Purpose                    | Auth                   | Use Case                           |
|-------------------|----------------------------|------------------------|------------------------------------|
| Cloudflare Tunnel | External access            | Cloudflare Access      | Public-facing services             |
| Caddy HA          | Internal + direct external | None (service-level)   | Internal services, high-throughput |

Cloudflare Tunnel Path

Benefits:

  • Zero exposed firewall ports (outbound-only)
  • DDoS protection included
  • User identity via Cloudflare Access
  • Automatic TLS termination

Protected services: Password manager, VPN management, media server.

Caddy HA Path

Benefits:

  • No external dependency
  • Lower latency for internal traffic
  • Full control over TLS certificates
  • Wildcard cert via DNS-01 challenge

Domain Tiers

| Pattern          | Example                | Purpose                 | TLS           |
|------------------|------------------------|-------------------------|---------------|
| *.local          | service.homelab.local  | Direct backend access   | None          |
| *.loc.domain.com | service.loc.domain.com | Internal TLS            | Wildcard cert |
| *.domain.com     | service.domain.com     | External via Cloudflare | Cloudflare    |

Firewall Architecture

Palo Alto Networks PA-440

[Diagram: PA-440 firewall security zones and traffic flow]

| Feature       | Usage                                            |
|---------------|--------------------------------------------------|
| App-ID        | Application-aware traffic inspection             |
| DNS Proxy     | Intelligent caching and routing                  |
| DHCP Server   | Centralized IP assignment for all VLANs          |
| NAT           | Destination/source translation for services      |
| Zone Security | VLAN-based access policies                       |
| Logging       | All traffic to Graylog via Syslog TCP            |

Security Zones

| Zone        | VLANs  | Trust Level | Outbound   | Cross-Zone   |
|-------------|--------|-------------|------------|--------------|
| L3-LAN10    | 10     | 🔒 High     | ✅ All     | Protected    |
| L3-INFRA    | 30     | ⚙️ Medium   | ✅ All     | → LAN10 only |
| L3-ISOLATED | 40, 50 | 🔸 Low      | ✅ Limited | ❌ Blocked   |
| L3-UNTRUST  | -      | ❌ None     | N/A        | Inspect only |

Network Monitoring

UniFi Controller

Manages all network hardware:

  • UniFi Gateway (inter-VLAN routing)
  • 24-port managed switch (USW-24-G2)
  • 2 WiFi 6 access points (U6-LR, U6-Pro)

Monitoring features:

  • Real-time client list
  • Bandwidth per device
  • DPI (Deep Packet Inspection) stats
  • Anomaly detection

Pi.Alert Network Scanner

Scans subnets every 5 minutes for:

  • New device detection
  • MAC address tracking
  • Port scanning
  • Vendor lookup

Lessons Learned

1. Multi-Tier DNS Saves the Day

When Pi-hole crashed due to database pressure, the firewall’s static entries kept core infrastructure resolving. Without this layer, Proxmox nodes couldn’t reach each other.

2. Config Drift Kills HA

The Caddy HA pair once drifted out of sync when I updated only one node. The VIP failed over to the outdated node, breaking several services. Always deploy to BOTH nodes.

3. VRRP ID Collisions

Each HA pair needs a unique VRRP ID. When I accidentally reused ID 55 for both DNS and NFS, one pair’s failover broke the other. Now I track IDs in documentation.

4. Health Checks Need Redundancy

Early Pi-hole health checks tested only one upstream. If that upstream was slow, the check failed and triggered unnecessary failover. Now checks test multiple targets with fallback.
