
Designing the Network Architecture

Planning the network topology for a homelab — VLANs, firewall zones, DNS, and how it all connects together.


A homelab without a well-designed network is just a computer on your desk. The network is what transforms standalone hardware into a real infrastructure environment. Let’s design it properly.

Network Zones

Security starts with segmentation. I’m creating four distinct network zones:

  1. Management (VLAN 10) — hypervisor access, IPMI, switch management
  2. Production (VLAN 20) — VMs and services that I actively use
  3. Lab (VLAN 30) — experimental workloads, isolated from everything
  4. IoT (VLAN 40) — smart home devices, heavily firewalled
Internet
        │
┌────────────────┐
│   ISP Router   │ (bridge mode)
└───────┬────────┘
        │
┌───────┴────────┐
│   MikroTik     │ Router/Firewall
│   RB5009       │
└───────┬────────┘
        │
┌───────┴────────┐
│   Managed      │
│   Switch       │ (VLANs)
├────────────────┤
│ VLAN 10: Mgmt  │
│ VLAN 20: Prod  │
│ VLAN 30: Lab   │
│ VLAN 40: IoT   │
└────────────────┘

Firewall Rules Philosophy

The principle is simple: deny all, allow specific. Each VLAN gets:

  • Outbound internet: Allowed (with exceptions for IoT)
  • Inter-VLAN: Denied by default, specific rules for needed flows
  • Management access: Only from VLAN 10 to all others
  • Lab isolation: No access to production or management, internet only
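As an added example (my own illustration, not the post's configuration), here is the rule philosophy above written as a RouterOS forward-chain filter for the RB5009. It assumes the ISP uplink is ether1, the VLAN interfaces are named vlan10-mgmt, vlan20-prod, vlan30-lab and vlan40-iot, and the Pi-hole resolver lives in Prod at the placeholder address 10.10.20.53, which serves as the one "needed flow" every zone is allowed to reach.

```routeros
# Added example, not the post's own config. Assumed names: ether1 is the ISP
# uplink, VLAN interfaces are vlan10-mgmt/vlan20-prod/vlan30-lab/vlan40-iot,
# the Pi-hole is in Prod at 10.10.20.53 and 10.10.40.50 is a placeholder IoT device.
/interface list
add name=WAN
add name=VLAN
/interface list member
add interface=ether1 list=WAN
add interface=vlan10-mgmt list=VLAN
add interface=vlan20-prod list=VLAN
add interface=vlan30-lab list=VLAN
add interface=vlan40-iot list=VLAN

/ip firewall filter
# First match wins, so the specific accepts sit above the catch-all drops.
add chain=forward action=accept connection-state=established,related \
    comment="return traffic for flows already allowed"
add chain=forward action=drop connection-state=invalid
# Management (VLAN 10) may initiate connections to every other zone.
add chain=forward action=accept in-interface=vlan10-mgmt \
    out-interface-list=VLAN comment="mgmt -> all VLANs"
# Needed inter-VLAN flow: every zone may query the Pi-hole on port 53.
add chain=forward action=accept in-interface-list=VLAN \
    dst-address=10.10.20.53 protocol=udp dst-port=53 comment="DNS to Pi-hole"
add chain=forward action=accept in-interface-list=VLAN \
    dst-address=10.10.20.53 protocol=tcp dst-port=53 comment="DNS to Pi-hole"
# IoT exception: this device gets no internet at all (placeholder address).
add chain=forward action=drop in-interface=vlan40-iot src-address=10.10.40.50 \
    out-interface-list=WAN comment="iot: no internet for 10.10.40.50"
# Everything else (Mgmt, Prod, Lab, remaining IoT) gets outbound internet.
add chain=forward action=accept in-interface-list=VLAN \
    out-interface-list=WAN comment="outbound internet"
# Defaults: no inter-VLAN traffic, and nothing that was not matched above.
add chain=forward action=drop in-interface-list=VLAN \
    out-interface-list=VLAN comment="deny inter-VLAN by default"
add chain=forward action=drop comment="deny everything else"
```

After loading the rules, `/ip firewall filter print stats` shows per-rule packet counters, which is a quick way to confirm that a test connection from Lab to Prod lands on the "deny inter-VLAN by default" counter rather than on an accept.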

DNS Strategy

Internal DNS is critical for a good lab experience. I’m running:

  • Pi-hole for ad-blocking and local DNS resolution
  • Custom zone: lab.local for all internal services
  • Split-DNS: Internal queries resolve to private IPs, external queries go upstream

IP Addressing

A clean IP scheme makes life easier:

VLAN        Subnet          Gateway      DHCP Range
10 - Mgmt   10.10.10.0/24   10.10.10.1   .100-.200
20 - Prod   10.10.20.0/24   10.10.20.1   .100-.200
30 - Lab    10.10.30.0/24   10.10.30.1   .100-.200
40 - IoT    10.10.40.0/24   10.10.40.1   .100-.200

What I Learned

Planning the network on paper before touching any hardware saved hours of troubleshooting later. The key insights:

  • Document everything — you will forget why you created that firewall rule
  • Start restrictive — it’s easier to open access than to lock it down later
  • Test isolation — verify VLANs can’t talk to each other before deploying services

Next Steps

With the network designed, it’s time for the exciting part: installing the hypervisor and bringing the first VMs to life. That’s coming in the next post.