Homelab Network | Ethan Lawson

Network Overview

A production-ready network infrastructure featuring VLAN segmentation, enterprise routing, managed switching, and comprehensive network services, all running on enterprise hardware in a dorm room environment.

            Key Achievements
            VLAN Segmentation: Four isolated network segments for security and organization
Enterprise Routing: MikroTik RouterOS with advanced firewall capabilities
Network Services: Pi-hole DNS filtering, NTP, VPN, and centralized logging
Security-First Design: Network isolation, access controls, and monitoring

        

VLAN Segmentation

Network is logically segmented into four VLANs for security, performance, and organization:

VLAN ID	Name	Purpose	Access Level
VLAN 10	Management	Router, switch, AP management interfaces	Admin only
VLAN 20	Servers	Mini PC, Raspberry Pi, infrastructure services	Trusted devices
VLAN 30	Clients	Laptop, phone, personal devices	Standard access
VLAN 40	Guest	Visitor devices, IoT, untrusted hardware	Internet only

Switch Port Configuration

Port	Device	Mode	VLANs	PVID
Port 1	MikroTik ether2	Trunk	10, 20, 30, 40 (Tagged)	—
Port 2	Mini PC	Access	20 (Untagged)	20
Port 3	Raspberry Pi 5	Access	20 (Untagged)	20
Port 4	Wi-Fi AP	Hybrid	10 (Untagged), 30+40 (Tagged)	10
Port 5	Laptop / Spare	Access	30 (Untagged)	30

Network Services

Running on Raspberry Pi 5

Pi-hole

Network-wide DNS filtering and ad blocking. Provides DNS resolution for all VLANs with blocklist filtering.

ACTIVE

Chrony (NTP)

Network Time Protocol server for accurate time synchronization across all devices.

ACTIVE

WireGuard VPN

VPN client for secure remote access and encrypted tunneling when needed.

ACTIVE

Rsyslog

Centralized log forwarding to Mini PC for aggregation and analysis.

ACTIVE

Monitoring Agents

Prometheus node exporter and custom metrics collection for infrastructure monitoring.

ACTIVE

Ansible Control

Infrastructure automation and configuration management hub.

PLANNED

Running on Mini PC (Intel N100)

Splunk

Log indexing and SIEM platform for security monitoring and analysis.

ACTIVE

Prometheus + Grafana

Metrics collection and visualization for infrastructure monitoring and dashboards.

ACTIVE

Suricata IDS

Network intrusion detection system using switch port mirroring for traffic analysis.

PLANNED

Docker Containers

Containerized applications and services for easy deployment and management.

ACTIVE

Security & Design Principles

Network Security

Defense in Depth: Multiple layers including firewall, VLANs, and service-level controls
Least Privilege: Guest VLAN has internet-only access with no lateral movement
Network Segmentation: Isolation between management, servers, clients, and guests
Secure Management: SSH key authentication only, no password login
NAT Masquerading: Internal IPs hidden behind router's WAN interface

High Availability Design

Infrastructure Independence: Pi 5 services survive Mini PC reboots
Critical Services on Pi: DNS and NTP remain available even during maintenance
Separated Concerns: Router and switch configured independently
Documented Procedures: Complete runbook for disaster recovery

Hardware Infrastructure

Router

MikroTik hEX S (RB760iGS)

5× Gigabit Ethernet ports, 1× SFP cage, 880 MHz dual-core CPU, 256MB RAM, RouterOS v7

Handles routing, NAT, firewall, DHCP, and VLAN inter-routing

Switch

Netgear GS105E

5-port Gigabit managed switch with 802.1Q VLAN support, port mirroring, and QoS

VLAN distribution layer with trunk and access ports

Compute

Mini PC (Intel N100)

Quad-core Alder Lake-N, 16GB RAM, NVMe + external 2TB SSD storage

Runs Docker containers for services and applications

Infrastructure

Raspberry Pi 5

ARM Cortex-A76, 8GB RAM, Ubuntu Server 24.04 LTS

Critical infrastructure services: DNS, NTP, VPN, logging

Cabling & Connectivity

Cat6 Ethernet Gigabit (1000 Mbps) 802.1Q VLAN Tagging SSH Key Authentication

Key Learnings & Best Practices

Setup Methodology

Configure router standalone first (WAN, NAT, basic connectivity)
Configure switch standalone with all VLANs and port assignments
Connect in stages: router → switch → devices
Verify each layer before proceeding to the next
Document everything (runbook approach)

Project Outcomes

This homelab demonstrates practical implementation of enterprise networking concepts in a resource-constrained environment. Despite the 28.8 Mbps college network limitation, the infrastructure provides:

Production-grade VLAN segmentation for security and organization
High availability design with separated infrastructure and compute layers
Comprehensive network services (DNS, NTP, VPN, logging)
Foundation for advanced security projects (IDS/IPS, monitoring, analysis)
Fully documented, reproducible configuration
Real-world experience with enterprise networking hardware and software

This setup serves as both a learning platform and a practical infrastructure for daily use, proving that professional-grade networking doesn't require a dedicated server room or enterprise budget.

← Back to Portfolio

Professional Homelab Network

Project Gallery

Network Overview

Key Achievements

VLAN Segmentation

Switch Port Configuration

Network Services

Running on Raspberry Pi 5

Pi-hole

Chrony (NTP)

WireGuard VPN

Rsyslog

Monitoring Agents

Ansible Control

Running on Mini PC (Intel N100)

Splunk

Prometheus + Grafana

Suricata IDS

Docker Containers

Security & Design Principles

Network Security

High Availability Design

Hardware Infrastructure

Router

Switch

Compute

Infrastructure

Cabling & Connectivity

Technology Stack

Operating Systems

Networking

Management & Monitoring

Key Learnings & Best Practices

Setup Methodology

Project Outcomes

Contact