My Home(lab) Office Network Design
Network architecture for my home(lab) office
Read time: 4 min
Published on: April 27, 2026
One of the best things about working in IT (DevOps), for me, is that A: I have the option to work from home, and B: I (should) have the know-how to design and implement the network architecture for my home office and, by extension, my homelab, which I'll get to later.
I have purposefully chosen the attic of our house as my home office/gym, because I really wanted to isolate myself from the rest of the house, but mainly because that was the only available room left. Besides isolating myself from the rest of the house, I also wanted to isolate the network in this room, and to do that I've chosen to put a completely separate router up here. So to visualize: the internet enters the main router downstairs via its WAN port, and a cable runs from one of that main router's LAN ports to the WAN port of my router in the attic. This is also known as double NAT, which is often described as a problem to avoid, since it can break some protocols, but in my case it's actually a feature, not a bug: the attic network sits behind its own firewall, so devices in the rest of the house can't initiate connections into it.
The router that I went for is one from Unifi, together with two 5-port Unifi switches. To clarify, that is 10 ports in total, not a 25-port switch :)
One of the things I really like about these Unifi devices is the integration between them, but also the user-friendliness and the ease of setting up different VLANs and firewall rules, which was a pain in the ass in the TP-Link "ecosystem", for which I got a lot of, let's say, attention when I posted about it on LinkedIn.
So yes, I made the switch (no pun) from TP-Link to Unifi, and I must say, it's wonderful.
Having said that, and as I also mentioned in that post, the hardware doesn't really matter; it's about the concept, and in this case that's securing your network. It just so happens that one brand makes doing that easier than the other. Then there's of course the whole discussion about one of those brands regarding integrity and such, but let's not get into that.
Now there are a lot of different things you can do to secure your network, but one of them is to create different VLANs, group your devices into them, and then set up firewall rules to restrict inter-VLAN communication. To give an example, I have a 3D printer that I've put in an IoT VLAN; it doesn't need to and can't talk to devices outside that VLAN, but my workstation in another VLAN can talk to the 3D printer, because it needs to be able to send print jobs to it. Should my 3D printer get hacked, the damage would be contained within that VLAN. If my workstation gets hacked, then I'm f'd.
With that rationale, I've created a couple of different VLANs.
- Management
- Trusted
- Prod (formerly Homelab)
- Non-Prod
- Guest
- IoT
Each of these VLANs has its own VLAN ID and subnet with custom firewall rules, and they are assigned to different ports on my switches and to separate Wi-Fi networks. As you can see, I've created a separate VLAN for my homelab, which uses one of the two switches. The only thing I'm still planning is to split my homelab into two VLANs: one for my production cluster and one for my non-production cluster.
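To make the "printer is contained, workstation can still print" rule set concrete, here is an added example (not the post's Unifi configuration) that models the inter-VLAN policy as an ordered, first-match rule list with an implicit default deny and a simplified stateful allow for return traffic, which is how a router firewall between VLANs behaves. The VLAN names are the ones from the post; the subnets, host addresses and the exact rules are constructed assumptions.

```python
"""Inter-VLAN firewall policy model (added example, not the post's config).

VLAN names follow the post; subnets, hosts and the rule details below are
constructed assumptions used to show how ordered first-match rules plus
stateful return traffic give "printer is contained, workstation can reach it".
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing plan: one /24 per VLAN.
VLANS = {
    "Management": ip_network("10.0.10.0/24"),
    "Trusted": ip_network("10.0.20.0/24"),
    "Prod": ip_network("10.0.30.0/24"),
    "Non-Prod": ip_network("10.0.40.0/24"),
    "Guest": ip_network("10.0.50.0/24"),
    "IoT": ip_network("10.0.60.0/24"),
}


def vlan_of(ip: str) -> Optional[str]:
    """Return the VLAN whose subnet contains ip, or None if unknown."""
    addr = ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return None


@dataclass(frozen=True)
class Rule:
    src: str     # VLAN name or "any"
    dst: str     # VLAN name or "any"
    action: str  # "allow" or "drop"

    def matches(self, src_vlan: str, dst_vlan: str) -> bool:
        return self.src in ("any", src_vlan) and self.dst in ("any", dst_vlan)


# Ordered rule set, first match wins. Unmatched cross-VLAN traffic hits the
# implicit final drop, so every new inter-VLAN flow needs an explicit allow.
RULES = [
    Rule("Management", "any", "allow"),  # admin VLAN may initiate to anything
    Rule("Trusted", "IoT", "allow"),     # workstation -> 3D printer (print jobs)
    Rule("Trusted", "Prod", "allow"),
    Rule("Trusted", "Non-Prod", "allow"),
    Rule("IoT", "any", "drop"),          # IoT never initiates out of its VLAN
    Rule("Guest", "any", "drop"),
]


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        # Accepted (src_ip, dst_ip) pairs. Real conntrack tracks full 5-tuples
        # per connection; keying on the address pair is a deliberate simplification.
        self.flows = set()

    def evaluate(self, src_ip: str, dst_ip: str) -> str:
        src_vlan, dst_vlan = vlan_of(src_ip), vlan_of(dst_ip)
        if src_vlan is None or dst_vlan is None:
            return "drop"      # unknown address space
        if src_vlan == dst_vlan:
            return "allow"     # same VLAN: switched locally, never reaches the router
        if (dst_ip, src_ip) in self.flows:
            return "allow"     # stateful: reply to a flow accepted earlier
        for rule in self.rules:
            if rule.matches(src_vlan, dst_vlan):
                if rule.action == "allow":
                    self.flows.add((src_ip, dst_ip))
                return rule.action
        return "drop"          # implicit default deny


# Constructed hosts mirroring the post's example.
WORKSTATION = "10.0.20.10"  # Trusted
PRINTER = "10.0.60.50"      # IoT
SMART_PLUG = "10.0.60.51"   # IoT
NAS = "10.0.30.5"           # Prod
GUEST_LAPTOP = "10.0.50.7"  # Guest
ADMIN = "10.0.10.2"         # Management


def scenario() -> dict:
    """Run the post's example flows, in order, through one firewall instance."""
    fw = Firewall(RULES)
    verdicts = {}
    verdicts["workstation->printer"] = fw.evaluate(WORKSTATION, PRINTER)
    verdicts["printer->workstation (reply)"] = fw.evaluate(PRINTER, WORKSTATION)
    verdicts["printer->nas"] = fw.evaluate(PRINTER, NAS)
    verdicts["printer->smart plug (same VLAN)"] = fw.evaluate(PRINTER, SMART_PLUG)
    verdicts["guest->workstation"] = fw.evaluate(GUEST_LAPTOP, WORKSTATION)
    verdicts["printer->admin (unsolicited)"] = fw.evaluate(PRINTER, ADMIN)
    verdicts["admin->printer"] = fw.evaluate(ADMIN, PRINTER)
    return verdicts


if __name__ == "__main__":
    for flow, verdict in scenario().items():
        print(f"{flow:34} {verdict}")
```

The ordering matters: if the `IoT -> any drop` rule were placed above `Trusted -> IoT allow` nothing would change, but a broad `any -> any allow` placed anywhere above the drops would silently undo the isolation, which is the mistake to check for when reviewing a rule list. The stateful check is what lets the printer answer the workstation without any rule permitting the IoT VLAN to initiate traffic.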
But other than that, I think that this is a solid setup for my home(lab) office/gym.
Update: Renamed Homelab to Prod and added another VLAN named Non-Prod. I then set up VLAN tagging on the switch that connects to my 3 Proxmox nodes (VLAN-aware), so I can manually assign IP addresses from the Prod and Non-Prod subnets.