A|S

DATA EXTREMES

HomeLab HQ.hub

Network Topologies for Homelabs

Pick a layout and get tailored firewall, DNS, and reverse-proxy guidance without opening random WAN ports.

Choose a layout

single-lan

Single LAN with Secure Edge

One flat subnet with a reverse proxy + Cloudflare Tunnel to avoid WAN port forwarding.

When it fits

Small lab, single switch, no need for IoT isolation yet.
Home router doing DHCP; you control DNS.
Few services exposed externally, prefer tunnel over open ports.

Network Plan

Subnet: 192.168.10.0/24 (reserve .1 router, .2 proxy, .3 tunnel host).
Static leases for core: proxy, NAS, hypervisor, and DNS/DoH box (Pi-hole/Unbound).
MTU 1500 everywhere; avoid jumbo unless you control every hop.

Firewall Plan

Block all inbound WAN; allow only Cloudflare Tunnel egress (443/tcp).
Allow LAN -> Tunnel host, NAS, hypervisor; deny IoT devices hitting lab hosts.
Log and rate-limit DNS/DoH from LAN; block all from WAN.

DNS Plan

Local DNS: Pi-hole/Unbound on LAN IP; DHCP hands out local resolver.
Split-horizon: internal A/AAAA for services; public DNS only for tunnel CNAMEs.
ACME via DNS-01 (Cloudflare) so no HTTP-01 exposure.

Reverse Proxy & Access

Nginx Proxy Manager or Traefik terminating TLS with DNS-01.
ForwardAuth/SSO for admin apps; plain auth for low-risk dashboards.
Health checks for backends; add per-service access lists.

Extras & hardening

Add Tailscale/ZeroTier as break-glass access to the proxy host.
Schedule config backups for router + proxy; ship to NAS.