Infrastructure Overview

A production homelab with multi-VLAN network segmentation, a full monitoring stack, containerized services, and automated backups. Every component is managed as code with Ansible.

Physical Hardware

OPNsense Firewall

Asus Desktop

  • Intel Core i5-4570S @ 2.90GHz
  • 16GB DDR3 RAM
  • 128GB SSD
  • 2× Intel I350-T4 (WAN + per-VLAN)

Core of the network. Handles all inter-VLAN routing, firewall rules, Kea DHCP, Unbound DNS, and WireGuard VPN. Fully managed via REST API with Ansible.

Proxmox VE Hypervisor

HP Z440

  • Intel Xeon E5-2698v3 @ 2.30GHz
  • 128GB DDR4 RAM
  • 1TB PNY SSD (VM storage)
  • 6TB + 3TB Seagate HDD
  • 1× Intel I350-T4

Main compute host running 10+ VMs: monitoring stack, logging, Docker services, ZoneMinder, OpenMediaVault, a Windows 11 gaming VM with PCI passthrough, a Linux Mint dev VM, and test servers.

Proxmox Backup Server

HP EliteDesk 800 G2

  • Intel Xeon E3-1245v3
  • 16GB DDR3 RAM
  • Integrated NIC

Dedicated backup host running Proxmox Backup Server. Encrypted backups of all VMs run every night.

Primary NAS

Synology DS418

  • 4× 3TB Seagate Ironwolf
  • 12TB raw storage
  • Encrypted volumes

Primary backup target. Uses Synology SHR (RAID) and encrypted shared folders. Receives Proxmox backups every two nights.

Switch

Zyxel GS1900-24E

  • 24-port managed Gigabit
  • VLAN-aware (802.1Q)

Managed switch carrying all traffic. Configured to handle both 802.1Q-tagged and untagged VLAN traffic.

WiFi Access Point

Zyxel NWA50AX

  • WiFi 6 (802.11ax)
  • Multi-SSID with VLAN tagging

Access point serving separate SSIDs for trusted devices, guest WiFi, and CCTV — each tagged to its respective isolated VLAN.

Architecture

OPNsense Firewall  (multi-VLAN gateway, Kea DHCP, Unbound DNS, WireGuard VPN)
├── Management VLAN
│   ├── Centreon          — service monitoring & alerting
│   └── Synology NAS      — primary backup storage
│
├── Server VLAN
│   ├── Proxmox           — hypervisor (hosts all VMs below)
│   │   ├── Grafana VM    — metrics dashboards (InfluxDB + Telegraf)
│   │   ├── Graylog VM    — centralized log aggregation
│   │   ├── Docker VM     — containerized services
│   │   │   ├── Vaultwarden   (password manager)
│   │   │   ├── Maloja        (music scrobbling stats)
│   │   │   └── Navidrome     (music streaming server)
│   │   ├── ZoneMinder VM — NVR / IP camera management
│   │   └── OMV VM        — secondary NAS backup storage
│
├── Desktop VLAN          — workstations & development machines
├── Trusted WiFi VLAN     — personal wireless devices
├── Guest WiFi VLAN       — isolated guest wireless
├── Guest Ethernet VLAN   — isolated guest wired
├── CCTV VLAN             — isolated camera network → ZoneMinder
└── WireGuard VPN         — secure remote access

Network Segmentation

The network uses VLAN-based segmentation with policy-based routing. Multi-homed servers have interfaces on both management and server VLANs. Guest and camera VLANs are fully isolated.

Segment     Purpose         Description
VLAN 10     Management      Infrastructure administration and monitoring access
VLAN 12     Servers         Production server infrastructure
VLAN 14     Desktops        Workstation and gaming systems
VLAN 16     Trusted WiFi    Personal wireless devices
VLAN 18     Guest WiFi      Guest wireless access (isolated from infrastructure)
VLAN 20     CCTV WiFi       Security camera network (isolated from everything)
VLAN 22     Guest Ethernet  Guest wired access (isolated from infrastructure)
WireGuard   VPN             Secure remote access tunnel

Infrastructure Inventory

Firewall

OPNsense

BSD-based firewall with REST API management, multi-VLAN routing, Kea DHCP, Unbound DNS, and firewall rules automation.

Hypervisor

Proxmox

KVM/LXC hypervisor hosting most of the infrastructure as virtual machines.

Metrics

Grafana + InfluxDB

Time-series metrics visualization (Grafana) and storage (InfluxDB), with Telegraf agents on all hosts.

Logging

Graylog

Centralized log aggregation with a dedicated data node. All hosts forward syslog via rsyslog.

Monitoring

Centreon

Service and performance monitoring platform with SNMP-based checks and alerting.

Docker Host

Red Hat

Container host running Vaultwarden, GitLab, Navidrome, Maloja, 2FAuth, and more. All containers sit behind Nginx Proxy Manager with individual SSL certificates. Accessible only from within the network.

NVR

ZoneMinder

Network video recorder managing IP security cameras on an isolated CCTV VLAN.

NAS — Primary

Synology

Primary backup target. Receives automated backups of Proxmox VMs, Docker data, and more.

NAS — Secondary

OpenMediaVault

Secondary backup target running as a Proxmox VM, providing redundant storage for all critical data.

Key Practices

Everything as Code

All infrastructure configuration managed via Ansible roles with idempotent, version-controlled playbooks. Changes are previewed with --check before applying.

Dual Backup Strategy

Critical services backed up to both a Synology NAS and a Proxmox-hosted OpenMediaVault VM. Backups are automated and scheduled.

Network Isolation

Guest and camera networks are fully isolated. Firewall rules enforced via OPNsense with automated, idempotent rule deployment.
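As an added example (not part of the original page and not the lab's own Ansible or OPNsense code), the following Python script turns the isolation intent of the segmentation table and the Network Isolation practice above into invariants and audits a candidate inter-VLAN rule set against them before it is deployed. VLAN names follow the table; the rules, probe ports, the assumption that the NVR on the server VLAN initiates the connections to the cameras, and the first-match evaluation model are all constructed for this example and are not the lab's real configuration.

```python
"""Segmentation policy audit for a candidate inter-VLAN rule set.

Added example: VLAN names mirror the segmentation table; the rules, ports
and the first-match model are constructed assumptions, not the lab's config.
Traffic to the firewall itself (DNS, gateway) and to the internet is outside
this model, which only looks at VLAN-to-VLAN flows.
"""
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    src: str                         # VLAN name from the table, or "any"
    dst: str                         # VLAN name from the table, or "any"
    ports: frozenset = frozenset()   # empty = any destination port
    comment: str = ""


def _matches(rule, src, dst, port):
    return (rule.src in (ANY, src)
            and rule.dst in (ANY, dst)
            and (not rule.ports or port in rule.ports))


def decide(rules, src, dst, port):
    """First-match evaluation (assumed, like OPNsense's default 'quick' rules);
    anything not matched by a rule is blocked by the implicit default deny."""
    for rule in rules:
        if _matches(rule, src, dst, port):
            return rule.action
    return "block"


# Representative probe ports: a pass on any of them counts as a reachability leak.
PROBE_PORTS = (22, 53, 80, 443, 445, 8006)

# Isolation intent encoded from the table: these sources may not initiate
# connections to these destinations (constructed encoding of the prose).
FORBIDDEN = [
    ("guest_wifi", "management"), ("guest_wifi", "servers"), ("guest_wifi", "desktops"),
    ("guest_eth", "management"), ("guest_eth", "servers"), ("guest_eth", "desktops"),
    ("cctv", "management"), ("cctv", "servers"), ("cctv", "desktops"), ("cctv", "trusted_wifi"),
]

# Flows that must keep working (assumed): the NVR on the server VLAN pulls the
# camera streams, and desktops reach servers over HTTPS.
REQUIRED = [("servers", "cctv", 554), ("desktops", "servers", 443)]


def audit(rules):
    """Return (leaks, missing): forbidden flows that would pass and
    required flows that would not."""
    leaks = [(s, d, p) for s, d in FORBIDDEN for p in PROBE_PORTS
             if decide(rules, s, d, p) == "pass"]
    missing = [(s, d, p) for s, d, p in REQUIRED if decide(rules, s, d, p) != "pass"]
    return leaks, missing


# Constructed candidate rule set, in evaluation order.
CANDIDATE = [
    Rule("block", "guest_wifi", ANY, comment="guest wifi isolated from infrastructure"),
    Rule("block", "guest_eth", ANY, comment="guest ethernet isolated from infrastructure"),
    Rule("block", "cctv", ANY, comment="cameras may not initiate anything"),
    Rule("pass", "servers", "cctv", frozenset({554, 80}), comment="NVR pulls RTSP/HTTP"),
    Rule("pass", "desktops", "servers", frozenset({443, 22})),
    Rule("pass", "management", ANY, comment="admin access everywhere"),
]

# The same rules with a common mistake: a broad pass inserted above the blocks.
MISORDERED = [Rule("pass", ANY, "servers", frozenset({443}), comment="too broad")] + CANDIDATE

if __name__ == "__main__":
    for name, ruleset in (("candidate", CANDIDATE), ("misordered", MISORDERED)):
        leaks, missing = audit(ruleset)
        print(f"{name}: {len(leaks)} leak(s), {len(missing)} missing flow(s)")
        for flow in leaks:
            print("  leak:", flow)
```

Running the script reports no leaks for the ordered candidate set and three for the misordered one (each isolated VLAN reaching the server VLAN on 443), which is the kind of ordering mistake a pre-deployment check like this catches before an idempotent rule push makes it live.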

Full Observability

Grafana dashboards for metrics, Graylog for centralized logs, Centreon for service checks — every host is monitored.