Hiddenden/Knowledge-Base
2
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

first version of the knowledge base :)

Browse Source
This commit is contained in:
Latte
2026-03-14 11:41:54 +01:00
commit 27965301ad
47 changed files with 4356 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

67
30 - Systems/homelab/homelab-network-architecture.md Normal file
View File

@@ -0,0 +1,67 @@
---
title: Homelab Network Architecture
description: Reference network architecture for a segmented homelab with private access and clear service boundaries
tags:
- homelab
- networking
- architecture
category: systems
created: 2026-03-14
updated: 2026-03-14
---
# Homelab Network Architecture
## Summary
A homelab network architecture should separate trust zones, keep administrative paths private, and make service traffic easy to reason about. The goal is not enterprise complexity, but a structure that reduces blast radius and operational confusion.
## Why it matters
Flat networks are easy to start with and difficult to secure later. A basic segmented design helps isolate management, servers, clients, guest devices, and less trusted endpoints such as IoT hardware.
## Core concepts
- Segmentation by trust and function
- Routed inter-VLAN policy instead of unrestricted layer-2 reachability
- Separate administrative access paths from public ingress
- DNS and reverse proxy as shared network-facing platform services
## Practical usage
Example logical layout:
```text
Management -> hypervisors, switches, storage admin
Servers -> applications, databases, utility VMs
Clients -> workstations and laptops
IoT -> low-trust devices
Guest -> internet-only access
VPN overlay -> remote access for administrators and approved services
```
This model works well with:
- A firewall or router handling inter-segment policy
- Private access through Tailscale or another VPN
- Reverse proxy entry points for published applications
## Best practices
- Keep management services on a dedicated segment
- Use DNS names and documented routes instead of ad hoc host entries
- Limit which segments can reach storage, backup, and admin systems
- Treat guest and IoT networks as untrusted
## Pitfalls
- Publishing management interfaces through the same path as public apps
- Allowing lateral access between all segments for convenience
- Forgetting to document routing and firewall dependencies
- Relying on multicast-based discovery across routed segments without a plan
## References
- [RFC 1918: Address Allocation for Private Internets](https://www.rfc-editor.org/rfc/rfc1918)
- [RFC 4193: Unique Local IPv6 Unicast Addresses](https://www.rfc-editor.org/rfc/rfc4193)
- [Tailscale: Subnet routers](https://tailscale.com/kb/1019/subnets)