Standing Up my First Homelab

I’ve been spending a lot of my time lately down the homelab rabbit hole. It started as a hobby to get more hands-on experience, but it’s quickly turned into a never-ending infrastructure project. Now that I’m in my own home with full control over the network, I can spin up all the services and tools I want to play with, break, and learn about.

Routing and the Gateway

The first major step was getting my routing under control. I’d practiced this before, and I decided to go with OPNsense on bare metal. While I love the idea of virtualization, I wanted the core network to stay online even if I’m rebooting nodes or breaking things in the lab later on. Right now it’s handling my DHCP, NTP, and firewall needs. I’ve also got a Spamhaus alias on my firewall updating every day to cut down on the noise and keep the bad stuff out.

Containers and DNS

Once the foundation was solid, I set up Portainer to handle my lightweight core services. It’s currently running my UniFi network controller and AdGuard Home.

For the DNS side of things, I wanted to move away from standard unencrypted lookups. I’ve configured AdGuard to use DNS over QUIC with Quad9’s DoQ offering as my primary upstream resolver. Using QUIC gives me a nice balance of speed and security by reducing handshake overhead while keeping my queries private.

I’ve used a lot of the built in blocklists as well, and have spent the last week or so allowlisting domains so apps and websites will work without it sending requests to God knows where. It’s so satisfying looking at all the blocked queries and knowing that my family’s digital footprint is a bit smaller than what it used to be.

I also took the time to set up internal A records for my web GUIs. It’s a small quality-of-life improvement, but having everything resolve to friendly names instead of memorizing a dozen different IP addresses makes managing everything much smoother. I’d really like to explore getting SSL certificates for everything so my browsers can stop yelling at me.
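To show how the two DNS pieces above fit together, here is an added example of the relevant parts of an AdGuard Home config file (this is not the author’s actual AdGuardHome.yaml). It assumes the v0.107.x key layout; the internal host names and addresses are placeholders.

```yaml
# Added example, not the author's real config. Assumes AdGuard Home v0.107.x
# key layout; lab.home, the IPs and host names below are placeholders.
dns:
  bind_hosts:
    - 0.0.0.0
  port: 53
  # Encrypted upstream: DNS-over-QUIC to Quad9 (port 853 is the default
  # for quic://, so it does not need to be spelled out).
  upstream_dns:
    - quic://dns.quad9.net
  # Plain-IP resolvers used only to look up dns.quad9.net itself at
  # startup, so the encrypted upstream can be reached before DNS works.
  bootstrap_dns:
    - 9.9.9.9
    - 149.112.112.112
  # No plain-text fallback upstream: if DoQ is down, queries fail rather
  # than silently dropping back to unencrypted port 53.
  fallback_dns: []
filtering:
  # Internal names answered locally, never forwarded to Quad9.
  rewrites:
    - domain: opnsense.lab.home
      answer: 192.168.1.1
    - domain: portainer.lab.home
      answer: 192.168.1.10
    - domain: unifi.lab.home
      answer: 192.168.1.10
```

After restarting AdGuard Home, the query log shows `quic://dns.quad9.net` as the upstream for external names, while a lookup of `opnsense.lab.home` is answered locally with no upstream at all.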

The Frankenstein Proxmox Cluster

The project I'm most excited about right now is a scavenged cluster. I’ve managed to adopt three machines that were headed for recycling: a Dell OptiPlex, an HP ProDesk, and a Lenovo ThinkCentre.

The plan is to use these to build a three node Proxmox cluster. Once I have that hypervisor layer stabilized, I'm going to start spinning up services to improve my network visibility and backups. I’m specifically looking at:

• Wazuh for SIEM and endpoint monitoring, with log ingestion from Suricata on a mirrored port

• Beszel and Uptime Kuma for observability

• rclone to automate my offsite backups

• some sort of VPN service so I can reap the benefits of my network while touching grass

Future Plans

The network is still flat right now, which is the next major hurdle. I’m planning out a series of VLANs and subnets to properly isolate client devices from my main machines and the lab environment. It’s a bit of a logic puzzle, but that’s the part of networking I find most interesting. My last attempt at building out VLANs led to me locking myself out, somehow corrupting the database for OPNsense, and starting from scratch.

Building this has been a massive learning curve, but it’s the best way to bridge the gap between reading about tech and actually running it. I’ll keep updating the blog as the setup continues to evolve!
