The Ultimate Homelab

The Brains of the Operation

Decorations by my children protect it from crashes.

The aim of this post is to inspire others to start their own homelab. Mine has been invaluable not only for conducting investigations but also for growing technically, since I can constantly experiment with new tooling.

Dashboard Heaven

At the center of my network is my router, a Firewalla, which also acts as an IDS/IPS. This little device has been pivotal in my homelab: it lets me segment my network, gives detailed insight into all traffic and provides remote access when I'm away. What interested me most about the Firewalla, which I bought in 2022, is that the entire configuration is done through a phone app. There is nothing to debug; it simply works out of the box...

Network Segmentation

An implicit deny rule for each segment ensures there's no interconnectivity unless I add an allow rule. The Firewalla logs all network traffic, so it's possible to see which devices are trying to communicate with what. Creating a rule is then a simple click-and-allow, and the rule is kept from being overly permissive by specifying the exact port and destination rather than allowing everything between the two segments.

Firewalla Functionality

This little device has a plethora of functions, but what I love most about it, as someone who deals with security on a daily basis, is how easily I can investigate the alerts it generates.

Alert Investigations

Another invaluable feature is the ability to route different devices through VPNs in different locations, or even to go as granular as routing specific URLs. I use this regularly when I'm investigating a domain and want to hide my IP. Threat actors also often configure geographical blocks to make investigation harder, which is why being able to change locations is important.


Proxmox Server

The Black Beast

This machine was originally built to be an AI server but has since become my main server, running Proxmox, after I discovered that despite having dual GPUs it still used less electricity than my other server. I have a separate post comparing the two and detailing how much power it consumes (I track consumption using a Hombli device). You can find the specs below if it interests you.

Specifications
  • Be quiet! Dark Base Pro 901
  • Be quiet! Silent Loop 2
  • ASUS ProArt X670E-Creator Wifi
  • AMD Ryzen 9 7950X3D (16 CPU Cores)
  • G.Skill Trident Z5 RGB 32 GB x4 (128 GB)
  • Corsair HX1500i Power Supply
  • Samsung 990 Pro NVMe M.2 SSD 2 TB x3 (6 TB)
  • NVIDIA GeForce RTX 3090 Founders Edition 24GB x2 (48 GB)
  • NVLink Bridge

Remote Access

Accessing my network remotely is relatively simple, as the Firewalla has WireGuard and OpenVPN built into its software, so I can create and export configs for whichever machine I need without having to expose any service ports (the VPN's own listener is the only inbound port).

As I also host a number of sites on my server, I use a Raspberry Pi running the Cloudflare tunnel agent (cloudflared), which acts as an outbound tunnel into my network. As shown in the screenshot, I have "Outbound only" rules from the Pi to each individual machine, so if a host were to get infected for whatever reason it is isolated in its own VLAN with no access to anything else on the network. The Firewalla would also generate alerts if there were port scanning activity on the network, giving me a heads-up of a possible issue.
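To make the segmentation model concrete, here is an added example (my own illustration, not Firewalla's software or the author's configuration) that serves both the Network Segmentation section and the "Outbound only" tunnel rules above. It models a router with an implicit deny between segments, explicit allow rules that name an exact destination host, protocol and port, and connection state so that replies flow back but the far end can never initiate. It also lints the ruleset for rules that are broader than "exact port and destination". The segment addressing, host IPs and rule names are assumptions chosen for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed example segments; this addressing is an assumption for the
# example, not the author's actual VLAN layout.
SEGMENTS = {
    "trusted": ip_network("192.168.10.0/24"),
    "servers": ip_network("192.168.20.0/24"),
    "iot": ip_network("192.168.30.0/24"),
    "tunnel-pi": ip_network("192.168.40.0/24"),
}


@dataclass(frozen=True)
class Rule:
    """An allow rule: who may open a connection, to where, over what."""
    name: str
    src: str               # CIDR allowed to initiate
    dst: str               # CIDR (ideally a /32 host) that may be reached
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None means any destination port


@dataclass(frozen=True)
class Flow:
    src_ip: str
    sport: int
    dst_ip: str
    dport: int
    proto: str


def segment_of(ip: str) -> Optional[str]:
    """Name of the segment containing ip, or None for anything off-LAN."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


class SegmentFirewall:
    """Default deny between segments; only listed rules may open new flows."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.established = set()  # 5-tuples of flows a rule has admitted

    @staticmethod
    def _matches(rule: Rule, flow: Flow) -> bool:
        return (ip_address(flow.src_ip) in ip_network(rule.src)
                and ip_address(flow.dst_ip) in ip_network(rule.dst)
                and rule.proto in ("any", flow.proto)
                and rule.dport in (None, flow.dport))

    def evaluate(self, flow: Flow):
        src_seg, dst_seg = segment_of(flow.src_ip), segment_of(flow.dst_ip)
        # Traffic inside one VLAN is switched locally and never reaches the router.
        if src_seg is not None and src_seg == dst_seg:
            return ("allow", "intra-segment")
        # Replies to an admitted flow are allowed by connection state. This is
        # what makes an "outbound only" rule work: the server can answer the
        # Pi, but can never open a connection of its own towards it.
        if (flow.dst_ip, flow.dport, flow.src_ip, flow.sport, flow.proto) in self.established:
            return ("allow", "established")
        for rule in self.rules:
            if self._matches(rule, flow):
                self.established.add(
                    (flow.src_ip, flow.sport, flow.dst_ip, flow.dport, flow.proto))
                return ("allow", rule.name)
        return ("deny", "implicit deny")


def lint_rules(rules):
    """Flag allow rules broader than 'exact destination, protocol and port'."""
    findings = []
    for r in rules:
        problems = []
        if ip_network(r.dst).prefixlen == 0:
            problems.append("destination is any (also covers every internal segment)")
        if r.proto == "any":
            problems.append("protocol is any")
        if r.dport is None:
            problems.append("port is any")
        if problems:
            findings.append(f"{r.name}: " + ", ".join(problems))
    return findings


# Weak ruleset: the IoT rule was meant to give IoT devices internet access,
# but it matches every destination, the trusted and server segments included.
WEAK_RULES = [
    Rule("pi->web", "192.168.40.10/32", "192.168.20.5/32", "tcp", 443),
    Rule("trusted->proxmox-ui", "192.168.10.0/24", "192.168.20.5/32", "tcp", 8006),
    Rule("iot->anything", "192.168.30.0/24", "0.0.0.0/0", "any", None),
]

# Corrected ruleset: same intent, but an exact destination, protocol and port.
TIGHT_RULES = WEAK_RULES[:2] + [
    Rule("iot->dns", "192.168.30.0/24", "1.1.1.1/32", "udp", 53),
]

if __name__ == "__main__":
    fw = SegmentFirewall(WEAK_RULES)
    print(fw.evaluate(Flow("192.168.30.9", 53000, "192.168.10.7", 445, "tcp")))
    print(lint_rules(WEAK_RULES))
```

Run it as-is and the IoT-to-trusted SMB flow is allowed under the weak ruleset, which is exactly the hole the linter reports; swap in TIGHT_RULES and the same flow falls through to the implicit deny while the Pi's HTTPS connection to the web server, and only its replies, still pass.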

One of my worries was what happens when I'm away and something happens to my server and it crashes for whatever reason. That's where the BliKVM comes in: it lets me remotely boot the machine and even access the BIOS as if a monitor were connected. The Hombli device also has the ability to cut power to the port if I need a hard reset.


Closing Notes

Hopefully this has given you some insights and ideas for building your own network. Don't hesitate to reach out to me on LinkedIn if you have any questions.