Infrastructure Overview

A production homelab with multi-VLAN network segmentation, a full monitoring stack, containerized services, and automated backups. Every component is managed as code with Ansible.

Physical Hardware

OPNsense Firewall

Asus Desktop

  • Intel Core i5-4570S @ 2.90GHz
  • 16GB DDR3 RAM
  • 128GB SSD
  • 2× Intel I350-T4 (WAN + per-VLAN)

Core of the network. Handles all inter-VLAN routing, firewall rules, Kea DHCP, Unbound DNS, and WireGuard VPN. Fully managed via REST API with Ansible.

Proxmox VE Hypervisor

HP Z440

  • Intel Xeon E5-2698v3 @ 2.30GHz
  • 128GB DDR4 RAM
  • 1TB PNY SSD (VM storage)
  • 6TB + 3TB Seagate HDD
  • 1× Intel I350-T4

Main server running 10+ VMs: monitoring stack, logging, Docker services, ZoneMinder, OpenMediaVault, a Windows 11 gaming VM with PCI passthrough, a Linux Mint dev VM, and test servers.

Proxmox Backup Server

HP EliteDesk 800 G2

  • Intel Xeon E3-1245v3
  • 16GB DDR3 RAM
  • Integrated NIC

Dedicated backup host running Proxmox Backup Server. Encrypted backups of important VMs run every night.

Primary NAS

Synology DS418

  • 4× 3TB Seagate Ironwolf
  • 12TB raw storage
  • Encrypted volumes

Primary backup target. Uses Synology SHR RAID and encrypted folders. Receives Proxmox backups every two nights.

Switch

Zyxel GS1900-24E

  • 24-port managed Gigabit
  • VLAN-aware (802.1Q)

Managed switch handling all traffic. Configured to carry both VLAN-tagged and untagged traffic.

WiFi Access Point

Zyxel NWA50AX

  • WiFi 6 (802.11ax)
  • Multi-SSID with VLAN tagging

Access point serving separate SSIDs for trusted devices, guest WiFi, and CCTV, each tagged to its own isolated VLAN.

Architecture

Internet → ISP Router (WAN) → OPNsense Firewall (Multi-VLAN routing · Kea DHCP · Unbound DNS · WireGuard VPN)

  • VLAN 10, Management: Web interfaces (Centreon, Grafana, Graylog, Proxmox…) · SSH access
  • VLAN 12, Servers: Production infrastructure
      • Proxmox VE Hypervisor: hosts all VMs below
          • Grafana: Metrics dashboards (InfluxDB + Telegraf)
          • Centreon: System monitoring server
          • Graylog + Datanode: Centralized log aggregation (2 VMs)
          • Docker: Containerized services behind Nginx Proxy Manager (2FAuth, ARA, BentoPDF, DokuWiki, GitLab, Glance, IT-Tools, Joplin, Maloja, MariaDB, Mealie, Navidrome, Nextcloud, Nginx Proxy Manager, phpIPAM, Portainer, PostgreSQL, Vaultwarden)
          • ZoneMinder: NVR / IP camera management
          • OpenMediaVault: Secondary NAS backup storage
          • Test servers: Debian and Red Hat test environments
  • VLAN 14, Desktops: Workstations & development machines
  • VLAN 16, Trusted WiFi: Personal wireless devices
  • VLAN 18, Guest WiFi: Isolated guest wireless · client isolation enforced at AP level
  • VLAN 20, CCTV: Isolated camera network → ZoneMinder
  • VLAN 22, Guest Ethernet: Isolated guest wired · client isolation enforced at switch level
  • WireGuard VPN: Secure remote access

Infrastructure Inventory

Firewall

OPNsense

BSD-based firewall with REST API management, multi-VLAN routing, Kea DHCP, Unbound DNS, and firewall rules automation.

Hypervisor

Proxmox

KVM/LXC hypervisor hosting most of the infrastructure as virtual machines.

Backup Server

Proxmox BS

Dedicated Proxmox Backup Server running nightly encrypted backups of important VMs.

Metrics

Grafana + InfluxDB

Time-series metrics visualization (Grafana) and storage (InfluxDB). Metrics are collected by Telegraf agents on all hosts and via SNMP for the Synology.

Logging

Graylog + OpenSearch

Centralized log aggregation split across two VMs: a Graylog main node and a dedicated OpenSearch data node storing logs on a separate disk. All hosts forward syslog via rsyslog.

Monitoring

Centreon

Service and performance monitoring platform with SNMP-based checks. Mail alerts are sent via Postfix.

Docker Host

Red Hat

Red Hat VM running 15+ containerized services behind Nginx Proxy Manager with individual SSL certificates. Accessible only from within the network.

NVR

ZoneMinder

Network video recorder managing IP security cameras on an isolated CCTV VLAN.

NAS — Primary

Synology

Primary backup target. Receives automated backups of Proxmox VMs, Docker data, and more.

NAS — Secondary

OpenMediaVault

Secondary backup target running as a Proxmox VM, providing redundant storage for all critical data.

Key Practices

Everything as Code

All infrastructure configuration is managed via Ansible with idempotent, version-controlled roles. Changes are previewed with --check before applying.

Dual Backup Strategy

Critical services are backed up to both a Synology NAS and a Proxmox-hosted OpenMediaVault VM. Backups are automated and scheduled.

Network Isolation

VLANs are isolated from each other, except for specifically allowed traffic. Firewall rules are enforced via OPNsense with automated, idempotent rule deployment.
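The isolation policy and idempotent deployment described above can be sketched as a desired-state allow list that is audited and diffed before anything changes. This is an added example, not this homelab's Ansible code and not a call to the OPNsense API: the VLAN IDs come from the page, while the rules, ports and the function names (violations, plan, deploy) are constructed for illustration.

```python
from typing import NamedTuple

# VLAN IDs and names are from the page; every rule and port below is constructed.
VLANS = {10: "Management", 12: "Servers", 14: "Desktops", 16: "Trusted WiFi",
         18: "Guest WiFi", 20: "CCTV", 22: "Guest Ethernet"}
GUEST = {18, 22}          # isolated guest networks: no inter-VLAN flows
CCTV, SERVERS = 20, 12    # cameras may only talk to the Servers VLAN (ZoneMinder)

class Rule(NamedTuple):
    src: int    # source VLAN ID
    dst: int    # destination VLAN ID
    proto: str
    port: int

def violations(rules):
    """Return (rule, reason) for every allow rule that breaks the isolation intent."""
    bad = []
    for r in rules:
        if r.src not in VLANS or r.dst not in VLANS:
            bad.append((r, "unknown VLAN"))
        elif r.src in GUEST:
            bad.append((r, "guest VLANs are isolated"))
        elif r.src == CCTV and r.dst != SERVERS:
            bad.append((r, "CCTV may only reach the Servers VLAN"))
    return bad

def plan(desired, current):
    """Check-mode diff: what a deployment would change. Empty once converged."""
    want, have = set(desired), set(current)
    return {"add": sorted(want - have), "remove": sorted(have - want)}

def deploy(desired, current):
    """Apply the plan, refusing to deploy a policy that violates isolation."""
    if violations(desired):
        raise ValueError("desired policy breaks VLAN isolation")
    p = plan(desired, current)
    return sorted((set(current) - set(p["remove"])) | set(p["add"]))

DESIRED = [Rule(10, 12, "tcp", 22),    # management SSH to servers
           Rule(14, 12, "tcp", 443),   # desktops to the reverse proxy
           Rule(20, 12, "tcp", 554)]   # camera VLAN to the NVR
CURRENT = [Rule(10, 12, "tcp", 22),
           Rule(18, 12, "tcp", 443)]   # stale rule letting guests reach servers

if __name__ == "__main__":
    print(violations(CURRENT))
    print(plan(DESIRED, CURRENT))
```

Anything not in the allow list is treated as denied, so a second run against the deployed state produces an empty plan.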

Full Observability

Grafana dashboards for metrics, Graylog for centralized logs, Centreon for service checks — every host is monitored.