Networking

Homelab Network Architecture Guide: VLANs and Firewalls

Plan a sane homelab network architecture with VLANs, firewall zones, DNS, reverse proxy placement, monitoring, and room to grow.

AU

Author

Marcus Chen

Disclosure: This article contains affiliate links. If you purchase through these links, we may earn a commission at no additional cost to you.

Key Takeaways

  • A good homelab network architecture separates management, servers, clients, IoT, and guest traffic before things get messy.
  • You do not need fifteen VLANs and a personality disorder. Four to six well-named networks is enough for most home labs.
  • Put your firewall at the center, keep DNS and reverse proxy decisions intentional, and back up network configs like they matter - because they do.
  • Monitoring should start early. If you wait until the network is broken, congratulations, you now have a mystery instead of observability.
  • Plan the growth path on day one so adding Proxmox nodes, a NAS, or more containers does not mean rebuilding the whole network on a Sunday.

After rebuilding my homelab network three times, I can say this with absolute confidence: most homelab networking pain is not a switch problem, a Proxmox problem, or a Docker problem. It is an architecture problem.

The first version of my lab was "flat network and vibes." Everything lived on the same subnet. My NAS, laptops, Proxmox host, test VMs, smart plugs, and one cheap camera I bought during a sale I should have ignored all talked to each other like that was a good idea. It was not.

The second version was the opposite mistake. I discovered VLANs, got excited, and built something that looked suspiciously like I was studying for a certification exam instead of trying to run a sane home network. It worked, but only in the same way a hand-built race engine works - beautifully, right up until you are the one maintaining it.

This guide is the design I recommend now. It is simple enough for a small homelab, structured enough to grow, and opinionated enough to save you from a few avoidable mistakes.

What a sane homelab network architecture looks like

At a high level, I like this layout:

1. Router/firewall at the edge

2. Managed switch doing VLAN tagging and access ports

3. Wireless access points with SSIDs mapped to VLANs

4. Hypervisor and servers on a server VLAN

5. Admin workstations on a trusted client VLAN

6. IoT and guest networks isolated from everything interesting

7. DNS, reverse proxy, monitoring, and backups treated as first-class services, not afterthoughts

If you want the short version, your lab should answer these questions clearly:

  • Which devices can manage infrastructure?
  • Which workloads expose services to the LAN?
  • Which devices should never talk to your hypervisor or NAS?
  • How do you reach services remotely?
  • Where do DNS and TLS decisions happen?

If you cannot answer those in thirty seconds, the network is already too fuzzy.

The VLAN blueprint I recommend for most homelabs

I do not start with ten VLANs. I start with five.

VLAN Name Example subnet Purpose
10 management 10.10.10.0/24 Hypervisors, switches, APs, UPS, out-of-band management
20 servers 10.10.20.0/24 Proxmox VMs, Docker hosts, reverse proxies, app servers
30 clients 10.10.30.0/24 Laptops, desktops, trusted personal devices
40 iot 10.10.40.0/24 Cameras, smart plugs, TVs, random gadgets with questionable firmware
50 guest 10.10.50.0/24 Guest Wi-Fi with internet only

That is enough for most people.

If you run a storage-heavy setup, you can add a dedicated storage VLAN later. If you run a lab with multiple clusters or more advanced routing, you can split further. But earn that complexity. Do not start there because Reddit told you to cosplay as a data center.

Why this layout works

The management VLAN keeps infrastructure admin traffic separate.

That means your Proxmox web UI, switch management IPs, AP controllers, and firewall UI do not share a segment with random clients or IoT junk. If you have already read my post on Proxmox networking explained, you know how fast small bridge mistakes become big outages.

The server VLAN gives self-hosted apps room to breathe.

Your reverse proxy, DNS filter, dashboards, monitoring, Git forge, and media stack can live together with predictable east-west traffic. That makes firewall rules easier and keeps service discovery sane.

The client VLAN is where your laptop lives.

That is the device you use to manage things, browse dashboards, and SSH into systems. It is trusted, but it still should not be the same network as your infrastructure control plane.

The IoT VLAN is the adult supervision VLAN.

If a smart plug, TV, or camera gets compromised, it should not be able to wander into your Proxmox host, hit your NAS shares, or discover your backup server out of curiosity. The guest VLAN exists for similar reasons, except the threat model is "friends and family who just want Wi-Fi and should not see your lab at all."

Where the firewall should sit

Your firewall is the policy engine. Treat it like one.

Whether you run OPNsense, pfSense, or a decent prosumer gateway, the job is the same: route between VLANs and deny traffic by default unless there is a reason to allow it. I prefer a small x86 box or an appliance-style platform here because it stays flexible longer than an all-in-one consumer router.

A few sane starter rules:

  • Allow clients -> management only for admin protocols you actually use
  • Allow clients -> servers for app access
  • Block iot -> management
  • Block iot -> servers unless a service truly requires it
  • Allow guest -> internet only
  • Allow servers -> dns resolver
  • Allow servers -> outbound updates as needed

That last point matters more than people think. If you blindly allow any-any outbound because it is easier, you are not segmenting. You are decorating.

For firewall policy design, the official OPNsense firewall documentation is worth bookmarking. It is less exciting than buying another mini PC, but it is also more useful.

DNS, reverse proxy, and remote access placement

A lot of network diagrams pretend services magically resolve and certificates appear through positive thinking.

In reality, you need to decide where name resolution and ingress happen.

DNS

Put your internal DNS resolver on the server VLAN.

That might be Pi-hole, AdGuard Home, or another resolver. I have already compared the common options in Pi-hole vs AdGuard Home, but the architecture point is more important than the brand choice.

Use local records for core infrastructure.

Examples:

  • pve1.home.arpa
  • nas.home.arpa
  • grafana.home.arpa
  • auth.home.arpa
  • proxy.home.arpa

Do not rely on remembering IP addresses. You are not that good, and neither am I.

Reverse proxy

Your reverse proxy also belongs on the server VLAN.

I normally front web apps with a dedicated proxy VM or container host and keep TLS termination there. That gives you a single place to manage certificates, headers, and app exposure. If you are still deciding between tools, I covered the tradeoffs in Caddy vs Traefik vs Nginx Proxy Manager.

Remote access

My default advice is still boring: prefer VPN first.

Cloudflare Tunnel has real advantages for specific services, and port forwarding still exists because bad ideas are resilient, but for administrative access I want a proper trust boundary. I already broke down the tradeoffs in Cloudflare Tunnel vs VPN vs port forwarding.

Keep management interfaces off the public internet.

That sentence should not be controversial, and yet here we are.

Example implementation on Proxmox and a managed switch

If your hypervisor is Proxmox, make the trunk to the host explicit and keep the bridge VLAN-aware.

Official reference: Proxmox network configuration docs.

A simple /etc/network/interfaces pattern on a single-NIC lab host might look like this:

auto lo\niface lo inet loopback\n\nauto eno1\niface eno1 inet manual\n\nauto vmbr0\niface vmbr0 inet static\n    address 10.10.10.11/24\n    gateway 10.10.10.1\n    bridge-ports eno1\n    bridge-stp off\n    bridge-fd 0\n    bridge-vlan-aware yes\n    bridge-vids 10 20 30 40 50

That gives the host itself a management address on VLAN 10 while allowing tagged traffic for guest VMs and containers.

On the switch side, I normally configure:

  • firewall uplink as tagged trunk for all lab VLANs
  • Proxmox uplink as tagged trunk for all lab VLANs
  • AP uplinks as tagged trunk for SSID-mapped VLANs
  • workstation ports as untagged access on client VLAN
  • camera or smart device ports as untagged access on IoT VLAN

A generic managed-switch style pseudo-config looks like this:

interface 1/1\n  description firewall-uplink\n  switchport mode trunk\n  switchport trunk allowed vlan 10,20,30,40,50\n\ninterface 1/2\n  description proxmox-host\n  switchport mode trunk\n  switchport trunk allowed vlan 10,20,30,40,50\n\ninterface 1/3\n  description admin-workstation\n  switchport mode access\n  switchport access vlan 30\n\ninterface 1/4\n  description camera-poe\n  switchport mode access\n  switchport access vlan 40

You do not need switch syntax perfection here. You need the concept right.

The mistake I made: putting Docker everywhere

This is where homelab architecture quietly falls apart.

People start with one Docker host. Then another. Then a Proxmox node gets a few LXCs. Then the NAS starts running apps too because "it had the option." Before long, the service map looks like an archaeological record of your decisions.

I now keep service placement boring on purpose:

  • infrastructure services together on a stable server segment
  • experimental workloads isolated from core services
  • public-facing apps clearly separated from internal-only apps
  • backup targets not living on the same blast radius as the source data

You can absolutely run Docker across multiple machines. I do. But document what lives where, and do not let placement become accidental.

If you need a refresher on logging and runtime hygiene, my Docker logs guide is useful once those services are actually running.

Monitoring belongs in the architecture, not the cleanup phase

Monitoring is not a phase two concern. It is part of the design.

At minimum, I want these signals from day one:

  • firewall up/down and WAN status
  • switch uplink status
  • Proxmox node reachability
  • DNS response health
  • reverse proxy status
  • disk usage on core service hosts
  • certificate expiry warnings

That is enough to tell you whether the network is broken, the service is broken, or you broke something yourself five minutes ago and are pretending it was already like that.

For tooling, I compared the main options in Zabbix vs LibreNMS vs Uptime Kuma. The short version is that Uptime Kuma is great for fast visibility, while Zabbix and LibreNMS make more sense once you want deeper device and metrics coverage.

Backups for the network itself

Everyone remembers to back up containers eventually.

Fewer people remember to back up switch configs, firewall configs, AP settings, and DHCP reservations. That is a mistake. The fastest way to turn a small outage into a weekend project is losing the thing that defines how traffic flows.

Back up these items:

  • firewall config exports
  • managed switch config backups
  • controller configs for APs
  • DNS filter settings and local records
  • reverse proxy configuration
  • infrastructure-as-code repos if you use Ansible, Terraform, or Compose

Also protect access. If your admin laptop is the only device with SSH keys and VPN profiles, that is not redundancy. That is a single point of embarrassment.

For server-side baseline security, read my SSH hardening guide. Networking and host security are not separate conversations just because it would make life easier.

Recommended gear for this layout

You do not need enterprise gear to build a solid network. You need equipment that can do VLANs, stay stable, and avoid making you hate firmware updates.

1) Firewall appliance or compact x86 box

If you want to run OPNsense or pfSense properly, I would rather see you use a small dedicated x86 box than overload a disposable consumer router.

Recommended search link: Protectli-style firewall appliance

2) Managed PoE switch

A small managed PoE switch solves more problems than people expect. It lets you power APs and cameras cleanly, keeps VLANs practical, and removes the temptation to bolt random unmanaged switches into the design like you are building a haunted house.

Recommended search link: Managed PoE switch for homelabs

3) Wi-Fi access point that supports multiple SSIDs and VLAN mapping

If you plan to separate clients, IoT, and guest traffic, your AP needs to understand that plan. This is not a place for the cheapest anonymous white-plastic router you found in a warehouse clearance bin.

Recommended search link: VLAN-capable Wi-Fi access points

The growth path I actually recommend

Start with this:

  • one firewall
  • one managed switch
  • one AP
  • one Proxmox host
  • one server VLAN
  • one client VLAN
  • one IoT VLAN
  • one guest VLAN
  • one DNS service
  • one monitoring service

Then expand only when the reason is obvious.

Good reasons to add complexity:

  • you need storage isolation for a NAS-heavy environment
  • you are exposing public services and want cleaner policy boundaries
  • you are running multiple hypervisors or clusters
  • you want lab-only experimental segments that cannot break the core stack

Bad reasons to add complexity:

  • someone on a forum had twelve VLANs and a rack photo with blue LEDs
  • you were bored on a Saturday
  • the switch UI made it look easy

My default homelab network checklist

If I were building from scratch tomorrow, this is the checklist I would follow:

1. Pick the subnets and VLAN IDs first

2. Name every VLAN based on purpose, not mood

3. Configure the firewall interfaces and DHCP scopes

4. Build switch trunks and access ports intentionally

5. Make Proxmox bridge VLAN-aware

6. Put DNS and reverse proxy on the server VLAN

7. Map SSIDs to the right VLANs

8. Deny IoT to management by default

9. Back up the firewall and switch configs immediately

10. Add monitoring before calling the network "done"

That last item is important because a homelab network is never done. It just reaches a temporary ceasefire.

Final thoughts

The best homelab network architecture is not the most advanced one. It is the one you can understand at 11:30 PM when a DHCP scope is wrong, a bridge tag is missing, and your family would like the internet back.

Keep the layout simple. Separate what matters. Use VLANs with a purpose. Put the firewall in charge. Decide where DNS and ingress live. Monitor the basics. Back up the configuration.

If you do those things early, you can grow the lab without tearing it down every six months. Which is nice. I recommend it.

Frequently Asked Questions

How many VLANs should a homelab have?

For most people, four to six is the sweet spot. Management, servers, clients, IoT, and guest are enough to solve the big problems without turning maintenance into a second job.

Do I need a management VLAN in a small homelab?

Yes. Even a small lab benefits from keeping Proxmox, switch, AP, and firewall admin interfaces off the same segment as clients and smart devices.

Should Docker containers live on their own VLAN?

Usually not. Put the host or VM on a server VLAN and use firewall policy, reverse proxy rules, and service-level authentication before creating a new VLAN for every app stack.

What should be isolated first in a homelab network?

IoT and guest traffic first. After that, protect your management plane. Those two steps reduce risk quickly and make the rest of the design much easier.