The Real Setup
Every homelab guide shows you a perfect network diagram with enterprise hardware, rack mount servers, and clean cable management. This isn’t that. This is a homelab that grew organically over two years, running on a $200 used Dell OptiPlex, a consumer-grade managed switch, and whatever else was sitting around.
The goal isn’t perfection — it’s a network that works reliably, is segmented enough to contain damage, and doesn’t require constant maintenance.
The Hardware
Primary Server:
- Dell OptiPlex Micro (12th gen i5-12500T)
- 32GB DDR4 RAM
- 2TB NVMe (Samsung 970 EVO Plus)
- Proxmox VE 8.1
- 8 VMs, 14 containers total
- Idle power draw: ~18W
Storage (separate from compute):
- Synology DS923+ (4x 8TB WD Red in SHR)
- Handles file storage, Time Machine backups, photo library
- Runs Synology Drive Server and Active Backup
Network:
- TP-Link T1600G-28TS (managed, VLAN-capable)
- Netgear R7000 running OpenWrt 23.05 (WiFi AP + router)
- USG-XG8 VoIP gateway (for landline integration)
Physical layout: Server and switch live in a closet with passive ventilation. Power draw is low enough that passive cooling is fine. The Synology is in the same closet.
The Network Topology
VLAN 10 — Main LAN: Devices you trust completely. Family phones, laptops, tablets. Full access to everything.
VLAN 20 — IoT: Isolated from everything except internet access. Smart bulbs, sensors, thermostats — anything that doesn’t need to talk to your server directly. Access from main LAN via firewall rules for admin only.
VLAN 30 — Homelab: Where the server lives. Hosts all your services. Only accessible from VLAN 10, and only on specific ports.
VLAN Configuration (TP-Link Switch)
The TP-Link switch does the heavy lifting. Here’s how it’s configured:
The switch doesn’t do inter-VLAN routing — that’s the router’s job. The Netgear running OpenWrt has firewall rules that:
- Block VLAN 20 → VLAN 10 entirely (IoT can’t reach family devices)
- Allow VLAN 10 → VLAN 30 on specific ports only (22, 80, 443, 8123, etc.)
- Allow VLAN 20 → VLAN 30 only for MQTT (1883) — smart home control
- Allow all VLAN 10 → internet
- Allow all VLAN 20 → internet (smart devices need cloud access)
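The same policy expressed as an OpenWrt firewall config, added here as an example and not taken from the original post; it assumes the VLAN 10/20/30 interfaces are named lan, iot and homelab in /etc/config/network and that the stock wan zone already exists:

```uci
# Added example, not from the original post: OpenWrt /etc/config/firewall for
# the policy above. Assumes the VLAN 10/20/30 interfaces are named 'lan',
# 'iot' and 'homelab' in /etc/config/network and the default 'wan' zone exists.
# forward=REJECT: nothing crosses VLANs unless allowed below (blocks VLAN 20 -> VLAN 10).
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
config zone
	option name 'homelab'
	list network 'homelab'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
# Internet for every VLAN; the server needs outbound for the tunnels and B2.
config forwarding
	option src 'lan'
	option dest 'wan'
config forwarding
	option src 'iot'
	option dest 'wan'
config forwarding
	option src 'homelab'
	option dest 'wan'

# VLAN 10 -> VLAN 30 only on the service ports; anything else is rejected.
config rule
	option name 'lan-to-homelab-services'
	option src 'lan'
	option dest 'homelab'
	option proto 'tcp'
	option dest_port '22 80 443 8123'
	option target 'ACCEPT'

# VLAN 20 -> VLAN 30 for MQTT only.
config rule
	option name 'iot-to-homelab-mqtt'
	option src 'iot'
	option dest 'homelab'
	option proto 'tcp'
	option dest_port '1883'
	option target 'ACCEPT'
```

With input set to REJECT on the iot and homelab zones, the router also refuses DHCP and DNS requests from those VLANs, so add input rules for UDP 67/68 (and 53, if OpenWrt rather than AdGuard or Pi-hole answers them) before relying on this.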
The Services and Where They Live
| Service | VLAN | Container/VM | Memory | Notes |
|---|---|---|---|---|
| Home Assistant | 30 | VM (LXC) | 2GB | Z-Wave/Zigbee via USB stick |
| AdGuard Home | 30 | Docker | 256MB | Network-wide DNS + ad blocking |
| Jellyfin | 30 | Docker | 4GB | Media server, hardware transcode |
| Nginx Proxy Manager | 30 | Docker | 128MB | Reverse proxy + SSL |
| Vaultwarden | 30 | Docker | 256MB | Password manager |
| Nextcloud | 30 | Docker | 1GB | File sync, calendar, contacts |
| Uptime Kuma | 30 | Docker | 128MB | Service monitoring |
| Duplicati | 30 | Docker | 512MB | Backup manager |
| Pi-hole | 20 | Docker | 128MB | Secondary DNS for IoT VLAN |
| Mosquitto | 30 | Docker | 64MB | MQTT broker for smart home |
Total memory used at idle: ~9GB. The server has 32GB, so there’s headroom for burst workloads.
How Services Communicate
All Docker containers run in a custom bridge network (homelab_net) that only spans the homelab server. Containers reference each other by container name — no IP addresses needed.
AdGuard is the DNS server for all VLANs. Requests from VLAN 30 go to AdGuard, which resolves internal names via /etc/hosts entries:
No more memorizing IPs — every service is reachable by name from any container.
External Access
Two tools, running simultaneously:
Cloudflare Tunnel — for services accessed by people outside the home:
- Family members accessing Home Assistant
- Remote access to Nextcloud for specific users
- Traefik routes through the tunnel, Cloudflare handles auth
Tailscale — for personal access:
- SSH into the server from anywhere
- rsync files from the NAS to a remote laptop
- Direct access to Jellyfin for media management
Both run with zero port forwarding. The server initiates outbound connections to their respective services, and external traffic flows back through those established connections.
The Backup Strategy
Three layers:
- Proxmox backup — daily VM/LXC snapshots to NAS. 7-day retention locally.
- Duplicati — config directories and important data volumes backed up to Backblaze B2 nightly.
- Synology Active Backup — daily full image backups of the Proxmox boot disk to the Synology.
If the server dies, I can be back up on replacement hardware in under 2 hours. If the Synology dies, I order a new one and restore from B2. The $8/month B2 bucket is cheaper than a second NAS and handles offsite redundancy.
What I’d Change
1. More switch ports from the start
Running out of ports mid-project meant buying a second switch. A 24-port from the start would have been cleaner.
2. Dedicated management VLAN
Right now admin access to the switch and router is from the main LAN. A dedicated out-of-band management VLAN (VLAN 99) connected to a $50 used console switch would be more secure.
3. UPS for the server
The server has no battery backup. An APC BE600M1 would give enough time to shut down gracefully during brief outages and save the container state.
4. 10GbE uplinks
The NAS sits on 1 Gbps Ethernet, which is fine for most access but becomes a bottleneck when moving large media libraries. A CAT6A run to the server with a 2.5GbE adapter in the OptiPlex would be a reasonable upgrade.
The Point
A homelab doesn’t need to be elaborate. A single used desktop, a managed switch, and some time to set up VLANs correctly gives you a network that’s more reliable and more secure than most small business networks — because you built and configured every piece of it.
The services you run on top of that foundation are what make it useful. DNS blocking saves bandwidth. Media servers make content accessible. Backup tools make recovery possible.
Start small. Add services as you need them. Segment early.