I started off my homelabbing journey using a Raspberry Pi 1 Model B+ and deployed Pi-hole to it as I am a massive hater of ads and trackers. This got me into the whole idea of deploying and hosting something locally and it was cool to see it have a tangible effect on my life. I actually still have this same Pi-hole deployed at my mum’s house as the DHCP and DNS server.

From there, I decided to buy myself a Raspberry Pi 5 8GB as I wanted to try out a media server for my Blu-ray rips I had just sitting on a hard drive on my desktop PC. So I got that setup with a new 2.5" HDD that I connected using a SATA to USB cable, and installed Jellyfin. This was a huge eye opener and started off that itch in my head to find other cool projects I could self host and play around with.

I moved in with my partner to a new build flat that had ethernet ports in the living room and bedroom that all went back to a small room/cupboard where the fibre came in.

Commence operation mini comms room.

I bought myself a second hand Dell Optiplex Micro PC and installed Proxmox. I’d only been exposed to hypervisors a little at this point at my previous place of work to spin up a few test machines or small internal web servers for various things other employees had needed but of course these came with the annoying albeit important caveat of ‘don’t break anything!’. Now I had my own mini server where I could break things to my heart’s content and the only person I’d annoy would be my partner trying to watch Netflix - equally high stakes it could be said.

The first thing on my list was to get my Jellyfin and Pi-hole back up and running. Couple of LXC containers spun up, done. Now I really wanted to ditch my ISP provided router and deploy OPNsense which had been the router used at my previous place of employment so I was familiar with the power of it. But as all IT people know, you can’t deploy a cool router without some equally cool networking hardware. So I purchased a Ubiquiti U7 Pro access point and a small Ubiquiti 8 Port PoE switch to power it. Of course with these and no Ubiquiti router, I needed a network controller to manage them, so I made a new Ubuntu VM in Proxmox, and got cracking with the setup of my Unifi Network Controller. I have since moved it to an LXC container to save on some RAM to deploy some other VMs and projects, but more on that later.

Now I had my dream base setup with my OPNsense router, Pi-hole DNS server, Jellyfin media server and the Ubiquiti hardware to bring it to life. I started off with just one subnet which connected all my VMs, containers and physical hardware to make it easy to get stuff sorted initially. Then I remembered an old project I’d tried to start at work using MAC Address based VLAN assignment using RADIUS authentication and decided this would be pretty neat to use in order to get a guest network setup without having to tell people that come round that they aren’t cool enough to get on to the main WiFi.

I deployed 2 more LXC containers, one as an SQL server and the other as the RADIUS server. I got a database setup using the FreeRADIUS provided schema and then linked up the FreeRADIUS deployment to this. Over in my Unifi Network Controller I added the RADIUS server IP, port and credentials, and then I setup the new VLAN in OPNsense. It took some tinkering but eventually I got it working. I had a config file on the FreeRADIUS server container that had a list of MAC addresses that were to be assigned the VLAN tag of the main trusted network, and everything else was to have no tag applied by the server. This worked as I set the default network in Unifi to be the guest VLAN. In practice this meant a device joins the WiFi, passes it’s MAC address over, if it matches one of the trusted network entries, this VLAN tag is applied, if it doesn’t match then the FreeRADIUS server doesn’t apply one and the default guest tag is applied by Unifi. The best part about this was that I had peace of mind and people coming over didn’t know they were being relegated to the wild west of untrusted devices on my home network.

I’ve since changed this around a bit and now have multiple VLANs; Management, Trusted, Testing, Untrusted, and Mullvad VPN, but the core principle remains the same. I also moved away from the dedicated SQL and FreeRADIUS containers and just installed the FreeRADIUS plugin to OPNsense. This has the benefit of meaning it’s all managed in one place and I have a nice GUI to do it instead of editing config files in the terminal.

I did originally have TrueNAS core deployed to turn a couple of 8TB HDDs into a NAS, but have moved to just having the Proxmox host look after this ZFS pool and then a dedicated LXC to host Fileserver which is a fantastic small piece of software to create network shares. This reduced RAM usage significantly and also made it much easier to add bind mounts to my LXCs and VMs to give them access to folders on my NAS if they need it.

I also have an LXC with Tailscale on there that I use as a VPN to get into my home network when I’m out and about or on holiday. This worked great and the Tailscale apps are really simple to use and as they automate the whole Wireguard deployment it’s incredibly easy to setup. My one issue I did have was the speed. My home network is behind a CG-NAT which means I can’t just remote in from the outside as I don’t have my own public IP and cannot open ports. This means that Tailscale would work, but it would route me through their DERP servers which are essentially just relays they host around the world that allow your Tailscale nodes to connect to them to facilitate these connections behind CG-NATs and other such environments. In order to combat this, I found about the new Peer Relay function. Essentially you can host another Tailscale node, and if that one does have it’s own Public IP and you can connect into it, it will just relay the traffic into your other node that can’t be reached publicly. Lucky for me, I managed to snag one of the free Oracle Cloud Ampere ARM based VMs that have 4 cores and 24GB of RAM. They also have 4 gigabit networking which means that it will never be a bottleneck and allows you to use your full upload and download speeds.

That brings us to the deployment of this web server and how I’m making it accessible on the public internet. The web server itself is a simple Nginx deployment, with some tweaks for security hardening and best practices. Now the keen eyed among you may have noticed the server on the response headers say cloudflare. This is because I am using the cloudflared tool deployed in a Docker container to establish what is essentially a reverse proxy to the Cloudflare network where the domain is hosted. This is great because it comes with all of Cloudflare’s protections built in and also means I don’t have anything on my local network exposed to the public internet (which I can’t do anyway). I then have another Docker container running Nginx Proxy Manager that handles the incoming requests and routes them to my webserver LXC. I find this to be a great combination for the security and ease of which I can mess around with settings or even disable the request going through at all with the flick of a toggle.

The last and most recent thing I’ve deployed on my network is the eve-ng network simulation tool. This is so I can mess around with config and do some labs while studying and working towards my CCNP certification. If you know anything about eve-ng, you’ll know why I had to resize and reshape some other tools to free up some RAM as it is one hungry bit of kit.

That’s about it right now, but of course more stuff will be deployed and tinkered around with in the future. I hope this was at least a little interesting and gave some insight into my homelab and my setup. Thanks for reading.

I am using Hugo, the static site generator, to create this blog/portfolio/project. The link for Hugo is at the bottom of every page, in case you want to check it out. I’m still learning how to use it to it’s full potential, but I can already say it’s an amazing project.

I am a big fan of IT infrastructure - both the different components and how it all links together. In order to learn and to satisfy the itch, I host many things on my own Proxmox server, running on a Dell Optiplex Micro PC. I’ll go into my homelab and network in more detail in another post at a later date, but for this website, I am running an nginx webserver on an LXC.

As my home ISP is utilising CG-NAT, I have a Docker VM running a cloudflared container and an Nginx Proxy Manager container. Through this, I have a reverse tunnel allowing this webserver to be reached from the internet.

Like I said, I’ll be going in to more detail on what I’m doing in my homelab in further posts. I hope you check them out when the time comes.

Thanks for visiting!