Homelab – Network Architecture

Overview

My network architecture has grown more complex over time, especially since I am self-hosting the website you are currently reading.

This post will serve two functions:

  1. So that I do not have sleepless nights six months from now when I need to update something 😄.
  2. To be useful to someone else — and if you see something obviously wrong, let me know.

The parts I want to document are the interactions between:

  • Router and firewall (this is the main firewall)
  • VLANs
  • DMZ and its firewall
  • Local cloud (my primary machine) and its firewall

Warning: This post documents the logical architecture of my network. Specific IP ranges, port numbers, and externally exposed services are intentionally omitted.

Network Diagram

flowchart TB
  Internet[Public Internet]

  subgraph Switch["Managed Switch"]
    VLAN_WAN[VLAN - WAN]
    VLAN_LAN[VLAN - LAN]
    VLAN_DMZ[VLAN - DMZ]
  end

  subgraph Edge["Router / Firewall"]
    ROUTER_FW[Router / Firewall]
    WG[WireGuard]
    OVPN[OpenVPN]
  end

  subgraph Local Cloud
    subgraph LAN
      LAN_FW[LAN Firewall]
    end
    subgraph KVM
      subgraph DMZ
        DMZ_FW[DMZ Firewall]
      end
    end
  end

  Internet --> VLAN_WAN
  VLAN_WAN --> ROUTER_FW

  ROUTER_FW --> WG
  ROUTER_FW --> OVPN

  ROUTER_FW --> VLAN_LAN
  ROUTER_FW --> VLAN_DMZ

  VLAN_LAN --> LAN_FW
  VLAN_DMZ --> DMZ_FW

Trust Model

The network follows a default-deny posture between zones. Each segment is treated as a separate trust boundary, and traffic is only allowed explicitly where required.

Why This Structure

Services that must be publicly reachable (this website) are contained within the DMZ. The DMZ itself is heavily restricted at multiple layers (more on this in later posts, be on the lookout if you are interested). Internal devices remain separated, and inter-zone communication is explicitly controlled. This reduces blast radius and keeps complexity mostly manageable.

VLAN Structure

VLAN   Purpose                   Trust Level
WAN    Public Internet uplink    External
DMZ    Public-facing services    Restricted
LAN    Internal devices          Trusted

Switch Configuration (Logical Overview)

  • The ISP uplink is isolated into a dedicated WAN VLAN.
  • A trunk link connects the router/firewall to the managed switch and thus all zones.
  • Internal VLANs (LAN and DMZ) are distributed from the switch.

Firewall Rules

Router Firewall

This is the primary firewall controlling traffic between all network segments.

  • WAN -> Input = Drop, Output = Allow, Forward = Drop
  • DMZ -> Input = Drop, Output = Allow, Forward = Drop
  • LAN -> Input = Allow, Output = Allow, Forward = Allow

There are dedicated firewall rules allowing specific WAN and DMZ traffic to other zones and the router as needed.

DMZ Firewall

  • Input = Drop, Output = Drop, Forward = Drop

The input and output chains are controlled with specific rules.

LAN Firewall

  • Input = Drop, Output = Allow, Forward = Drop

Here only the input chain is controlled with specific rules, allowing access to trusted services.

External Access

No management interfaces are directly exposed to the public internet. All administrative access requires VPN authentication.

VPN

Both WireGuard and OpenVPN are configured. The reason for this is that WireGuard is UDP-based and can be easily blocked in restrictive environments (I’m looking at you, my previous employer 😂).

Website

Both ports 80 and 443 are DNAT’d to my DMZ machine, where Caddy handles HTTP to HTTPS redirection and certificate management.

When you visit my site, you’ll notice the connection is encrypted via HTTPS 👍.
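The zone defaults listed under "Router Firewall" and the port 80/443 DNAT described in this section are easiest to reason about when they are written down as data and checked. The Python model below is an added example, not the post's own configuration and not code from the OpenWRT project: the zone names, the per-chain policies and the two DNAT'd ports are taken from the post, while the VPN listener ports (WG_PORT, OVPN_PORT), the DMZ-to-router DNS rule and the DMZ_HOST_IP placeholder are assumptions made only for illustration. evaluate() answers whether a given flow is allowed, default_open_paths() lists every zone pair that is open without an explicit rule (the list to review when reassessing blast radius), and render_uci() emits equivalent /etc/config/firewall stanzas. One caveat: the post presents a zone's forward policy as applying to everything leaving that zone, and the model follows that reading; on OpenWRT itself inter-zone forwarding is granted by separate `config forwarding` stanzas, which is why render_uci() emits them for any zone whose forward policy is ACCEPT.

```python
"""Zone-policy model for the three-zone router firewall described in the post.

Added example, not the post's own configuration. Zone names, chain policies and
the DNAT'd ports 80/443 come from the post; the VPN ports, the DNS rule and the
DMZ host address are constructed placeholders used only for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Default chain policies per zone, as listed under "Router Firewall":
# input = to the router itself, output = from the router, forward = passed on.
ZONES = {
    "WAN": {"input": "DROP", "output": "ACCEPT", "forward": "DROP"},
    "DMZ": {"input": "DROP", "output": "ACCEPT", "forward": "DROP"},
    "LAN": {"input": "ACCEPT", "output": "ACCEPT", "forward": "ACCEPT"},
}
ROUTER = "ROUTER"  # pseudo-destination meaning "the router's input chain"


@dataclass(frozen=True)
class Rule:
    """One explicit exception to the zone defaults; first match wins."""
    src: str
    dest: str                  # zone name, or ROUTER for the input chain
    proto: str = "any"
    dport: Optional[int] = None
    target: str = "ACCEPT"
    dnat: bool = False         # True: a port forward from src into dest

    def matches(self, src, dest, proto, dport):
        return (self.src == src and self.dest == dest
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))


WG_PORT, OVPN_PORT = 51820, 1194  # assumed listener ports, not the post's values
RULES = [
    Rule("WAN", "DMZ", "tcp", 80, dnat=True),   # website; Caddy redirects to HTTPS
    Rule("WAN", "DMZ", "tcp", 443, dnat=True),  # website over HTTPS
    Rule("WAN", ROUTER, "udp", WG_PORT),        # WireGuard endpoint on the router
    Rule("WAN", ROUTER, "tcp", OVPN_PORT),      # OpenVPN fallback on the router
    Rule("DMZ", ROUTER, "udp", 53),             # constructed: DMZ may use router DNS
]


def evaluate(src, dest, proto="tcp", dport=None):
    """Return ACCEPT or DROP for a new flow from zone src to dest (or ROUTER).

    Explicit rules win; otherwise the source zone's input policy applies when
    the router is the target and its forward policy for any other zone.
    """
    for rule in RULES:
        if rule.matches(src, dest, proto, dport):
            return rule.target
    return ZONES[src]["input" if dest == ROUTER else "forward"]


def default_open_paths():
    """Zone pairs reachable with no explicit rule: the blast radius of a
    compromised host in src. Every entry should be a deliberate decision."""
    targets = list(ZONES) + [ROUTER]
    return sorted((s, d) for s in ZONES for d in targets
                  if s != d and evaluate(s, d, "tcp", None) == "ACCEPT")


def render_uci(dmz_host_ip="DMZ_HOST_IP"):
    """Render the model as /etc/config/firewall stanzas (OpenWRT UCI syntax).
    dmz_host_ip is a placeholder for the DMZ VM address the post omits."""
    out = []
    for name, pol in ZONES.items():
        out += ["config zone", f"\toption name '{name.lower()}'",
                f"\tlist network '{name.lower()}'"]
        out += [f"\toption {chain} '{target}'" for chain, target in pol.items()] + [""]
        if pol["forward"] == "ACCEPT":  # on OpenWRT, inter-zone forwarding is a
            for dest in ZONES:          # separate stanza, not the zone's forward policy
                if dest != name:
                    out += ["config forwarding", f"\toption src '{name.lower()}'",
                            f"\toption dest '{dest.lower()}'", ""]
    for i, r in enumerate(RULES):
        kind = "redirect" if r.dnat else "rule"
        out += [f"config {kind}", f"\toption name '{kind}{i}'",
                f"\toption src '{r.src.lower()}'", f"\toption proto '{r.proto}'"]
        if r.dnat:
            out += [f"\toption src_dport '{r.dport}'", f"\toption dest '{r.dest.lower()}'",
                    f"\toption dest_ip '{dmz_host_ip}'", f"\toption dest_port '{r.dport}'",
                    "\toption target 'DNAT'", ""]
        else:
            if r.dest != ROUTER:        # no dest option means the router's input chain
                out.append(f"\toption dest '{r.dest.lower()}'")
            if r.dport is not None:
                out.append(f"\toption dest_port '{r.dport}'")
            out += [f"\toption target '{r.target}'", ""]
    return "\n".join(out)


if __name__ == "__main__":
    print("default-open paths:", default_open_paths())
    print(render_uci())
```

Running the script prints the default-open paths, which for this model are only the LAN's three outbound paths (to DMZ, to the router and to WAN), confirming that nothing from WAN or DMZ reaches another zone without one of the listed exceptions. The rendered UCI text is a starting point for the Ansible-managed router config rather than something to apply blindly: the DMZ host address, the VPN ports and any further exceptions still have to be filled in from the real environment.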

Compute & Service Layer

The DMZ runs inside a virtual machine hosted on my primary machine, with all services running inside rootless Podman. My internal trusted services also run within rootless Podman, but operate with a higher level of trust.

I will document the virtualization and container setup in a separate post.

Configuration Management

All network and compute components are managed using Ansible.

This ensures consistent configuration across OpenWRT, internal servers, and DMZ hosts, and allows for reproducible infrastructure changes.

A separate post will cover how configuration management is structured and applied.

Future Improvements

  • Revisit VPN access policies and reassess the level of trust granted to remote clients.
  • Improve observability by enabling firewall logging on the OpenWRT router and reviewing inter-zone traffic.
  • Only use VLAN trunks to the local cloud.

Change Log

Feb 2026

  • Added DMZ
  • Started self-hosting