Start With a Network Diagram
Before buying or configuring anything, sketch a network diagram. Draw each device as a box and connect them with lines showing physical and logical relationships. Mark which ports on the switch are access ports (one VLAN) and which are trunk ports (multiple VLANs). Identify your WAN connection (fiber/cable modem), the router, the core switch, any secondary switches, and wireless access points. Note the IP subnet for each VLAN segment.
Free tools for diagramming: draw.io, Lucidchart (free tier), or pen and paper. The diagram becomes your reference when troubleshooting — you always know what should be connected to what and on which VLAN.
IP Addressing Strategy
Avoid the 192.168.1.0/24 (or 192.168.0.0/24) that every consumer router ships with. It is the same range you will meet at hotels, coffee shops and most friends' houses, so when you connect to your lab over a VPN from one of those networks the remote LAN and your home LAN have identical addresses and the routes collide. Any RFC 1918 range can collide in principle; a less common one just makes it rare. Pick something from 10.0.0.0/8 with a consistent scheme: 10.0.VLAN_ID.0/24. For example: 10.0.10.0/24 for VLAN 10 (trusted clients), 10.0.20.0/24 for VLAN 20 (servers), 10.0.30.0/24 for VLAN 30 (IoT). This makes reading firewall logs and routing tables intuitive: a packet from 10.0.30.x is immediately identifiable as coming from the IoT segment. Because the VLAN ID lives in the third octet, the scheme only fits VLAN IDs up to 255, which is far more than a homelab needs.
For servers and infrastructure, use static IP assignments or DHCP reservations so their addresses never change. Document every static assignment in a simple spreadsheet or your network diagram.
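The scheme above as a small helper script. This is an added example, not code from the page or from any of the products it mentions: it generates the /24 for each VLAN, names the VLAN an address belongs to (useful when reading firewall logs), and checks whether a remote network such as a VPN pool or a hotel LAN collides with any home segment. The VLAN table, the sample addresses and the remote networks are constructed for the example.

```python
"""Addressing-plan helper for the 10.0.<VLAN_ID>.0/24 scheme (added example)."""
import ipaddress
from typing import List, Optional

# Constructed plan: VLAN IDs and names follow the scheme in the text.
VLANS = {10: "trusted", 20: "servers", 30: "iot", 40: "guest", 99: "mgmt"}


def vlan_subnet(vlan_id: int) -> ipaddress.IPv4Network:
    """Return the /24 for a VLAN under the 10.0.<VLAN_ID>.0/24 scheme.

    The VLAN ID becomes the third octet, so only IDs 0..255 fit. 802.1Q allows
    IDs up to 4094; refuse anything larger rather than silently wrapping.
    """
    if not 0 <= vlan_id <= 255:
        raise ValueError(f"VLAN {vlan_id} does not fit in one octet; this scheme needs IDs <= 255")
    return ipaddress.ip_network(f"10.0.{vlan_id}.0/24")


def vlan_of(ip: str) -> Optional[str]:
    """Name the VLAN an address belongs to, or None if it is not one of ours."""
    addr = ipaddress.ip_address(ip)
    for vlan_id, name in VLANS.items():
        if addr in vlan_subnet(vlan_id):
            return name
    return None


def overlapping_vlans(remote_cidr: str) -> List[str]:
    """List home VLANs whose subnet overlaps a remote network, e.g. a VPN's address pool."""
    remote = ipaddress.ip_network(remote_cidr, strict=False)
    return [name for vlan_id, name in VLANS.items() if vlan_subnet(vlan_id).overlaps(remote)]


if __name__ == "__main__":
    for vlan_id, name in VLANS.items():
        print(f"VLAN {vlan_id:>3}  {name:<8} {vlan_subnet(vlan_id)}")
    print("10.0.30.17 is in:", vlan_of("10.0.30.17"))
    print("hotel LAN 192.168.1.0/24 collides with:", overlapping_vlans("192.168.1.0/24"))
    print("VPN pool 10.0.16.0/20 collides with:", overlapping_vlans("10.0.16.0/20"))
```

Run it before you commit to a VPN provider or a site-to-site link: if `overlapping_vlans` returns anything for the remote side's pool, renumber one end now rather than after the tunnel is in production.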
Core Switch Design
Your core switch connects everything. Configure the uplink port to your router as a trunk carrying all VLANs. Configure server ports as access ports in VLAN 20. Configure your AP uplink as a trunk carrying only the VLANs you have mapped to WiFi SSIDs. Configure any workstation ports as access ports in VLAN 10. Reserve a management VLAN (e.g., VLAN 99), bind the management addresses of the switch and APs to it, and make it reachable from one specific port only. Do not make the management VLAN the native (untagged) VLAN on any trunk, or untagged frames arriving on a trunk port land on the management network; use an otherwise unused VLAN ID as the native VLAN instead.
Label every port. A piece of tape with the connected device name on each port saves enormous troubleshooting time. A patch panel with labeled jacks above the switch makes identification even cleaner.
Firewall Rule Philosophy
Write firewall rules with a default-deny stance: block all inter-VLAN traffic by default, then explicitly permit only the flows you need. This is the opposite of how consumer routers work (allow everything by default). Common allow rules for a homelab: workstations can initiate connections to servers on specific ports (Plex 32400, SSH 22, HTTPS 443); IoT devices can reach the internet on ports 80/443 only; servers can reach NTP servers on the internet; management devices can reach switch/AP management IPs on port 80/443. Everything else is denied and logged. Two details trip people up. First, "the internet" must be expressed as a destination that excludes your own RFC 1918 space (for example a negated alias holding the private ranges), never as "any": an IoT rule that allows TCP 443 to any destination also allows IoT devices to reach your server VLAN on 443. Second, once inter-VLAN traffic is blocked, every VLAN still needs to reach the firewall's own address for DNS (and NTP, if the router relays it), or clients lose name resolution the moment the rules go live.
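The policy above modelled as data and evaluated over sample traffic. This is an added example, not OPNsense or pfSense configuration: rules are first-match allow, anything unmatched is denied and logged, and only the initiating direction is modelled because a stateful firewall passes the return traffic of an allowed flow on its own. The subnets follow the 10.0.VLAN_ID.0/24 scheme; the assumption that the firewall holds .1 in every VLAN and runs the resolver there, the rule list, and the sample flows are all constructed for the example. It also shows the "any" mistake: a naive IoT rule that allows 80/443 to any destination lets an IoT device reach the server VLAN.

```python
"""Default-deny inter-VLAN policy as data, evaluated over constructed flows (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subnets follow the 10.0.<VLAN_ID>.0/24 scheme from the text.
VLAN_NETS = {
    "trusted": ipaddress.ip_network("10.0.10.0/24"),
    "servers": ipaddress.ip_network("10.0.20.0/24"),
    "iot": ipaddress.ip_network("10.0.30.0/24"),
    "mgmt": ipaddress.ip_network("10.0.99.0/24"),
}
# Assumption: the firewall holds .1 in every VLAN and runs the DNS resolver there.
GATEWAYS = {net.network_address + 1 for net in VLAN_NETS.values()}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    src: str                    # source VLAN name
    dst: str                    # VLAN name, "firewall", "internet" (non-RFC 1918) or "any"
    proto: str                  # "tcp" or "udp"
    ports: Optional[frozenset]  # permitted destination ports; None means any port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip: str) -> str:
    """Classify an address: one of our VLANs, the firewall itself, the internet, or foreign private space."""
    addr = ipaddress.ip_address(ip)
    if addr in GATEWAYS:
        return "firewall"
    for name, net in VLAN_NETS.items():
        if addr in net:
            return name
    if any(addr in net for net in RFC1918):
        return "private-unknown"  # e.g. a stray 192.168.x target: not ours, never permitted
    return "internet"


def evaluate(flow: Flow, rules: List[Rule]) -> str:
    """First matching allow rule wins; no match means deny (the default-deny stance)."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    for rule in rules:
        if rule.src != src_zone or rule.proto != flow.proto:
            continue
        if rule.dst not in (dst_zone, "any"):
            continue
        if rule.ports is not None and flow.dport not in rule.ports:
            continue
        return "allow"
    return "deny"


def apply_policy(flows: List[Flow], rules: List[Rule]) -> Tuple[List[str], List[str]]:
    """Decide every flow and collect the line a logged default-deny rule would write."""
    decisions, log = [], []
    for f in flows:
        decision = evaluate(f, rules)
        decisions.append(decision)
        if decision == "deny":
            log.append(f"block {f.proto} {f.src} -> {f.dst}:{f.dport} [{zone_of(f.src)} -> {zone_of(f.dst)}]")
    return decisions, log


# The allow list from the text, plus the rule every default-deny lab forgets:
# clients must reach the firewall's own resolver or name resolution dies.
RULES = [
    Rule("trusted", "servers", "tcp", frozenset({22, 443, 32400})),  # SSH, HTTPS, Plex
    Rule("iot", "internet", "tcp", frozenset({80, 443})),
    Rule("servers", "internet", "udp", frozenset({123})),            # NTP
    Rule("trusted", "firewall", "udp", frozenset({53})),
    Rule("iot", "firewall", "udp", frozenset({53})),
    Rule("servers", "firewall", "udp", frozenset({53})),
]
# The common mistake: "IoT may use 80/443 to any destination" also reaches the server VLAN.
NAIVE_RULES = [Rule("iot", "any", "tcp", frozenset({80, 443}))] + RULES

# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow("10.0.10.4", "10.0.20.5", "tcp", 32400),    # workstation -> Plex
    Flow("10.0.10.4", "10.0.20.5", "tcp", 3389),     # workstation -> RDP on a server
    Flow("10.0.30.15", "1.1.1.1", "tcp", 443),       # IoT -> internet HTTPS
    Flow("10.0.30.15", "1.1.1.1", "tcp", 8443),      # IoT -> internet, odd port
    Flow("10.0.30.15", "10.0.20.5", "tcp", 443),     # IoT -> server HTTPS (lateral move)
    Flow("10.0.30.15", "10.0.30.1", "udp", 53),      # IoT -> firewall DNS
    Flow("10.0.20.5", "162.159.200.1", "udp", 123),  # server -> public NTP
    Flow("10.0.10.4", "10.0.99.2", "tcp", 443),      # workstation -> switch management
]

if __name__ == "__main__":
    decisions, log = apply_policy(SAMPLE_FLOWS, RULES)
    for f, d in zip(SAMPLE_FLOWS, decisions):
        print(f"{d:5} {f.proto} {f.src} -> {f.dst}:{f.dport}")
    print("\n".join(log))
    print("naive rule lets IoT reach the server VLAN:", evaluate(SAMPLE_FLOWS[4], NAIVE_RULES))
```

The `"internet"` zone is the important design choice: it is defined as "not RFC 1918", so the IoT rule cannot match a destination in the server VLAN. In OPNsense the equivalent is an alias containing the three private ranges used as an inverted destination on the IoT rule.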
Homelab Network Design Checklist
| Component | Decision | Example Choice |
|---|---|---|
| Router/Firewall | Software or hardware? | OPNsense on mini PC or Proxmox VM |
| Core switch | Port count, managed? | 8-port managed (TP-Link TL-SG108E) |
| Wireless AP | VLAN-capable SSIDs? | TP-Link EAP or Ubiquiti UniFi |
| VLAN plan | Which segments? | Trusted / Servers / IoT / Guest / Mgmt |
| IP scheme | Which RFC1918 range? | 10.0.x.0/24 per VLAN ID |
| DNS | Local resolver? | AdGuard Home or Unbound on router |
| NTP | Local time server? | Router NTP relay (OPNsense built-in) |
| UPS | On router + switch + servers? | 1000VA line-interactive, USB NUT |
| Remote access | VPN into home network? | WireGuard on OPNsense |
| Monitoring | Service health checks? | Uptime Kuma + Grafana/Prometheus |
Frequently Asked Questions
How many VLANs should a beginner homelab have?
Three is a practical starting point: one for trusted clients (laptops, desktops), one for servers, and one for IoT. This prevents IoT devices from reaching your servers while keeping the complexity manageable. Add a guest WiFi VLAN and a management VLAN as you get comfortable.
Should the firewall run on Proxmox or on dedicated hardware?
Both work. Running OPNsense as a Proxmox VM is common and functional. Use PCI passthrough to give the VM direct access to physical NICs for best performance, but remember that a passed-through NIC belongs to the VM alone: keep the Proxmox host's own management interface on a NIC that is not passed through, or you lose access to the hypervisor whenever the firewall VM is down. Dedicated hardware (a cheap mini PC running only OPNsense) provides better isolation and keeps routing up while Proxmox is rebooted for maintenance. Many homelabbers start with the VM approach and later move to dedicated hardware.
What is the difference between a router and a firewall in a homelab context?
In homelab use, the terms are often used interchangeably for the same device. Technically: a router forwards packets between different networks based on IP routing; a firewall inspects packets and enforces rules about which traffic is allowed. OPNsense and pfSense do both — they route traffic between your VLANs (and to the internet) while simultaneously applying stateful firewall rules to that traffic.
Do I need a 10GbE switch for a homelab?
Not initially. 1GbE (gigabit) is sufficient for most homelab workloads, including streaming 4K video locally and transferring files to a NAS. 10GbE becomes worthwhile if you do frequent large file transfers to the NAS (backups, VM migrations) and the NAS itself has a 10GbE interface. Entry-level 5-port switches with 2.5GbE or 10GbE ports are now available for $80–200 and are a practical upgrade once you have a specific, measured bottleneck.