Network Architecture
Homelab network topology and configuration
Overview
The homelab uses a multi-layered network architecture with external access via Cloudflare, internal services through Nginx Proxy Manager, and mesh VPN for secure remote access.
Network Topology
```text
┌────────────────────────────────────────────────────────────────────┐
│                              INTERNET                              │
│                        (Public IP via ISP)                         │
└────────────────────────────────────────────────────────────────────┘
                                  │
                                  ▼
┌────────────────────────────────────────────────────────────────────┐
│                             CLOUDFLARE                             │
│    ┌─────────────┐       ┌─────────────┐       ┌─────────────┐     │
│    │     DNS     │       │    Proxy    │       │   Tunnels   │     │
│    │   vish.gg   │       │   vish.gg   │       │  (if used)  │     │
│    └─────────────┘       └─────────────┘       └─────────────┘     │
└────────────────────────────────────────────────────────────────────┘
                                  │
                                  ▼
┌────────────────────────────────────────────────────────────────────┐
│                            HOME NETWORK                            │
│    ┌─────────────┐       ┌─────────────┐       ┌─────────────┐     │
│    │   Router    │       │   Switch    │       │   WiFi AP   │     │
│    │  (Gateway)  │       │  (Managed)  │       │ (Ubiquiti)  │     │
│    └─────────────┘       └─────────────┘       └─────────────┘     │
│           │                     │                     │            │
│           └─────────────────────┼─────────────────────┘            │
│                                 │                                  │
│                          ┌──────┴──────┐                           │
│                          │    VLANs    │                           │
│                          │  10 (MGMT)  │                           │
│                          │  20 (IOT)   │                           │
│                          │  30 (MAIN)  │                           │
│                          └─────────────┘                           │
└────────────────────────────────────────────────────────────────────┘
                                  │
                  ┌───────────────┼───────────────┐
                  ▼               ▼               ▼
            ┌───────────┐   ┌───────────┐   ┌───────────┐
            │ ATLANTIS  │   │  CALYPSO  │   │    NUC    │
            │   (NAS)   │   │   (NAS)   │   │   (HA)    │
            └───────────┘   └───────────┘   └───────────┘
```
IP Address Scheme
Subnet Configuration
| VLAN | Network | Gateway | DHCP Range | Purpose |
|---|---|---|---|---|
| 10 (MGMT) | 192.168.0.0/24 | .1 | .100-.150 | Infrastructure |
| 20 (IOT) | 192.168.1.0/24 | .1 | .100-.200 | Smart home |
| 30 (GUEST) | 192.168.2.0/24 | .1 | .100-.150 | Guest access |
Static Assignments
| Host | IP | MAC | Purpose |
|---|---|---|---|
| Atlantis | 192.168.0.200 | - | Primary NAS (DS1823xs+) |
| Calypso | 192.168.0.250 | - | Secondary NAS (DS723+), runs NPM |
| Guava | 192.168.0.100 | - | TrueNAS Scale workstation |
| PVE | 192.168.0.205 | - | Proxmox hypervisor |
| Pi-5 | 192.168.0.66 | - | Raspberry Pi 5 |
| Homelab VM | 192.168.0.210 | - | Proxmox VM, monitoring |
Port Forwarding
External Access
| Service | External Port | Internal IP | Internal Port | Protocol |
|---|---|---|---|---|
| NPM HTTP | 80 | 192.168.0.250 | 80 | HTTP |
| NPM HTTPS | 443 | 192.168.0.250 | 443 | HTTPS |
| Headscale | 8443 | 192.168.0.250 | 8085 | TCP (control server) |
| Plex | 32400 | 192.168.0.200 | 32400 | TCP |
Internal Only (No Port Forward)
| Service | Internal IP | Port | Access Method |
|---|---|---|---|
| Grafana | 192.168.0.210 | 3000 | VPN only |
| Prometheus | 192.168.0.210 | 9090 | VPN only |
| Home Assistant | 192.168.12.202 | 8123 | VPN only (via GL-MT3000 subnet) |
| Authentik | 192.168.0.250 | 9000 | VPN only |
| Vaultwarden | 192.168.0.200 | 8080 | VPN only |
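The address plan, static assignments, port forwards and internal-only tables above can be cross-checked mechanically. The Python below is an added example (not part of this page or the homelab's own tooling): it loads the four tables as written and reports static addresses that sit inside a DHCP pool, addresses outside every documented subnet, and any "VPN only" service that nonetheless has a forward; the table data is the page's, the choice of checks is an assumption about what an operator wants flagged.

```python
# Consistency audit of the page's address plan and exposure tables.
# Added example, not part of the original page: VLANS, STATIC, FORWARDS and
# VPN_ONLY are copied from the page's tables; the checks are constructed here.
import ipaddress

# VLAN table: network and DHCP range given as last-octet offsets (".100-.150")
VLANS = {"10 (MGMT)": ("192.168.0.0/24", (100, 150)),
         "20 (IOT)": ("192.168.1.0/24", (100, 200)),
         "30 (GUEST)": ("192.168.2.0/24", (100, 150))}
STATIC = {"Atlantis": "192.168.0.200", "Calypso": "192.168.0.250",
          "Guava": "192.168.0.100", "PVE": "192.168.0.205",
          "Pi-5": "192.168.0.66", "Homelab VM": "192.168.0.210"}
# Port forwards as (external port, internal ip, internal port)
FORWARDS = [(80, "192.168.0.250", 80), (443, "192.168.0.250", 443),
            (8443, "192.168.0.250", 8085), (32400, "192.168.0.200", 32400)]
# Services the page marks "VPN only": none of these may have a forward
VPN_ONLY = {"Grafana": ("192.168.0.210", 3000), "Prometheus": ("192.168.0.210", 9090),
            "Home Assistant": ("192.168.12.202", 8123), "Authentik": ("192.168.0.250", 9000),
            "Vaultwarden": ("192.168.0.200", 8080)}

def vlan_for(ip):
    """Name of the documented VLAN whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, (net, _) in VLANS.items():
        if addr in ipaddress.ip_network(net):
            return name
    return None

def in_dhcp_pool(ip):
    """True when an address sits inside its VLAN's DHCP pool (collision risk)."""
    name = vlan_for(ip)
    if name is None:
        return False
    net, (lo, hi) = VLANS[name]
    offset = int(ipaddress.ip_address(ip)) - int(ipaddress.ip_network(net).network_address)
    return lo <= offset <= hi

def audit():
    """Return human-readable findings; an empty list means the tables agree."""
    findings = []
    for host, ip in STATIC.items():
        if vlan_for(ip) is None:
            findings.append(f"{host}: {ip} is outside every documented VLAN")
        elif in_dhcp_pool(ip):
            findings.append(f"{host}: static {ip} lies inside the DHCP pool of VLAN {vlan_for(ip)}")
    exposed = {(ip, port) for _, ip, port in FORWARDS}
    for svc, endpoint in VPN_ONLY.items():
        if endpoint in exposed:
            findings.append(f"{svc} is marked VPN only but has a port forward")
    return findings
```

Run against the tables as written, `audit()` returns a single finding: Guava's static 192.168.0.100 lies inside the MGMT DHCP pool (.100-.150), so a DHCP lease could collide with it.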
DNS Configuration
Primary: Pi-hole / AdGuard
Upstream DNS:
- 1.1.1.1 (Cloudflare)
- 8.8.8.8 (Google)
Local Domains:
- vish.local
- vish.gg
Local DNS Entries
| Hostname | IP | Description |
|---|---|---|
| atlantis | 192.168.0.200 | Primary NAS (DS1823xs+) |
| calypso | 192.168.0.250 | Secondary NAS (DS723+) |
| guava | 192.168.0.100 | TrueNAS Scale |
| pve | 192.168.0.205 | Proxmox host |
| homelab | 192.168.0.210 | Proxmox VM |
| pi-5 | 192.168.0.66 | Raspberry Pi 5 |
Reverse Proxy Flow
External Request (vish.gg)
1. User → https://service.vish.gg
2. Cloudflare DNS → resolves to home IP
3. Home Router → forwards to 192.168.0.250:443
4. NPM (Calypso) → terminates SSL
5. Authentik (if SSO) → authenticates
6. Backend service → responds
7. NPM → returns to user
Internal Request
1. User → http://service.local (or IP)
2. Pi-hole/AdGuard → resolves to internal IP
3. NPM (optional) or direct → service
4. Response → user
VPN Configuration
Headscale (Primary Mesh VPN)
All nodes use the Tailscale client pointed at the self-hosted Headscale control server.
| Setting | Value |
|---|---|
| Control Server | headscale.vish.gg:8443 |
| Host | Calypso (192.168.0.250) |
| Admin UI | Headplane (via NPM at :8443/admin) |
| DERP Servers | Tailscale public DERP map |
| MagicDNS suffix | tail.vish.gg |
| IP Range | 100.64.0.0/10 |
| Exit Nodes | atlantis, calypso, setillo, vish-concord-nuc, seattle, homeassistant |
WireGuard (Point-to-Point, Secondary)
| Setting | Value |
|---|---|
| Server | Concord NUC (wg-easy, port 51820) |
| Interface | Dynamic |
| Use Case | Clients that can't run Tailscale |
VLAN Configuration
Management VLAN (10)
- Devices: NAS, switches, APs
- Access: Admin only
- Internet: Full
IoT VLAN (20)
- Devices: Smart home, cameras
- Access: Restricted
- Internet: Filtered (Pi-hole)
- Isolation: Yes
Main VLAN (30)
- Devices: Personal devices
- Access: Full
- Internet: Full
Firewall Rules
Router (UFW/iptables)
```bash
# Accept loopback traffic (local services and health checks would otherwise hit the final DROP)
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow HTTP/HTTPS
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow WireGuard
iptables -A INPUT -p udp --dport 51820 -j ACCEPT
# Drop everything else
iptables -A INPUT -j DROP
```
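Rule order is what makes this chain work: the catch-all DROP must come last, and anything appended after it is never evaluated. The Python below is an added example (not the page's or the homelab's own tooling) that parses rules in the `iptables -A` form shown above, reports ordering mistakes and unrestricted SSH, and lists the ports the router accepts from any source; `RULES` reproduces the page's chain with a loopback accept in front, and the checks themselves are constructed here.

```python
# Lint for the router's iptables INPUT chain shown on the page.
# Added example, not the page's own tooling: RULES reproduces the page's chain
# (with a loopback accept in front); the checks themselves are constructed here.
import shlex

RULES = """
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p udp --dport 51820 -j ACCEPT
iptables -A INPUT -j DROP
"""

def parse(rules_text):
    """Turn each `iptables -A CHAIN ...` line into a dict of the options we check."""
    parsed = []
    for line in rules_text.strip().splitlines():
        tok = shlex.split(line)
        rule = {"chain": tok[tok.index("-A") + 1], "target": tok[tok.index("-j") + 1]}
        for flag, key in (("-p", "proto"), ("--dport", "dport"), ("-s", "src"), ("-i", "iface")):
            if flag in tok:
                rule[key] = tok[tok.index(flag) + 1]
        parsed.append(rule)
    return parsed

def lint(rules_text):
    """Ordering and exposure findings for the chain; an empty list means clean."""
    rules = parse(rules_text)
    findings = []
    if not rules or rules[-1]["target"] != "DROP":
        findings.append("INPUT chain does not end in an explicit DROP")
    # Anything appended after an unconditional DROP is never evaluated.
    drops = [i for i, r in enumerate(rules) if r["target"] == "DROP" and "dport" not in r]
    for r in rules[drops[0] + 1:] if drops else []:
        findings.append(f"unreachable rule after catch-all DROP: {r}")
    for r in rules:
        if r["target"] == "ACCEPT" and r.get("dport") == "22" and "src" not in r:
            findings.append("tcp/22 accepted from any source; limit with -s to the MGMT subnet or VPN range")
    return findings

def exposed_ports(rules_text):
    """(proto, port) pairs accepted from any source, i.e. the router's listening surface."""
    return sorted((r["proto"], int(r["dport"])) for r in parse(rules_text)
                  if r["target"] == "ACCEPT" and "dport" in r and "src" not in r)
```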
Docker Network
```yaml
# docker-compose.yml
networks:
  default:
    driver: bridge
    ipam:
      config:
        - subnet: 172.20.0.0/24
```
Monitoring
Network Metrics
| Metric | Source | Dashboard |
|---|---|---|
| Bandwidth | Node Exporter | Network |
| Packet loss | Prometheus | Network |
| DNS queries | Pi-hole | DNS |
| VPN connections | WireGuard | VPN |
Troubleshooting
Cannot Access Service
- Check DNS: `nslookup service.vish.local`
- Check connectivity: `ping 192.168.0.x`
- Check port: `nc -zv 192.168.0.x 443`
- Check service: `curl -I http://localhost:PORT`
- Check firewall: `sudo iptables -L`
Slow Network
- Check bandwidth: `iperf3 -c 192.168.0.x`
- Check for interference (WiFi)
- Check switch port speed
- Check for broadcast storms
VPN Issues
- Check WireGuard status: `wg show`
- Check Headscale nodes: `headscale nodes list`
- Verify firewall allows UDP 51820
- Check NAT traversal