Network Architecture

Overview

My home network is built on OpnSense and UniFi, with proper VLAN segmentation between the home network and the homelab. The goal is simple: give the homelab a clean, fast, isolated path to the internet and keep everything else tidy and predictable.

Network Topology

Internet
    │
    ▼
┌─────────────────┐
│   ISP Router    │  ← DMZ Mode (pseudo-bridge)
└─────────────────┘
    │ 10 Gb
    ▼
┌─────────────────┐
│   OpnSense      │  ← DIY router, 10 Gb NIC
│   Firewall      │
└─────────────────┘
    │ 10 Gb
    ▼
┌─────────────────┐
│ Managed Switch  │  ← 10 Gb uplink + 8× 2.5 Gb ports, VLAN-aware
└─────────────────┘
    │
    ├─ VLAN 10: Home Network
    │     ├─ Desktop PCs
    │     ├─ Laptops
    │     ├─ Smart devices
    │     └─ Media devices
    │
    ├─ VLAN 20: Homelab Network (2.5 Gb link)
    │     └─ Bare-metal k0s host
    │           ├─ GitLab
    │           ├─ Matrix (Synapse)
    │           ├─ Immich
    │           ├─ Jellyfin + *arr stack
    │           ├─ Headscale
    │           └─ everything else in the cluster
    │
    └─ WiFi Access Point (UniFi U7 Lite)
          ├─ Home WiFi  (VLAN 10)
          └─ Guest WiFi (isolated)

Hardware Components

ISP Router

  • Role: Internet gateway, DMZ mode
  • Why DMZ: No true bridge mode available; DMZ is the closest alternative
  • Uplink to OpnSense: 10 Gb

OpnSense Firewall / Router

  • Type: Custom DIY router
  • OS: OpnSense (FreeBSD-based)
  • NIC: 10 Gb
  • Role: Routing, firewalling, VPN termination, traffic shaping, intrusion detection, logging

Managed Switch

  • Type: Enterprise-grade managed switch
  • Uplink to OpnSense: 10 Gb
  • Access ports: 8× 2.5 Gb
  • Features: VLAN tagging, port mirroring, LAG support, SNMP, web UI

WiFi Access Point

  • Model: UniFi U7 Lite
  • Standard: WiFi 7 (802.11be)
  • Managed by: UniFi Network Controller

Network Segmentation

VLAN 10 — Home Network

  • Role: Trusted devices (workstations, phones, smart-home)
  • Access: Full internet, restricted inter-VLAN
  • Throughput: 2.5 Gb per port

VLAN 20 — Homelab Network

  • Role: Homelab-only traffic
  • Device: Bare-metal k0s host (a single cable, a single cluster)
  • Link: 2.5 Gb (previously 1 Gb — upgraded along with the new hardware)
  • Access: Restricted inter-VLAN, explicit allow rules only

Guest Network

  • Role: Isolated WiFi for visitors
  • Access: Internet only, no internal networks, rate-limited

Link Speeds

Link                     Speed          Medium
ISP Router → OpnSense    10 Gb          10GBASE-T
OpnSense → Switch        10 Gb          10GBASE-T
Switch access ports      2.5 Gb         2.5GBASE-T
Homelab host → Switch    2.5 Gb         2.5GBASE-T
WiFi (U7 Lite)           up to 2.4 Gb   WiFi 7

Security

  • Firewall: default-deny, explicit allow rules, inter-VLAN restrictions
  • VPN: WireGuard-based access via Headscale
  • WiFi: WPA3 where supported
  • Monitoring: OpnSense logs and real-time traffic analysis
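
The segmentation and firewall policy above can be checked mechanically. The following added example (not the author's OpnSense configuration) models a first-match rule set and audits it against the stated policy: internet for everyone, guest never reaches internal networks, inter-VLAN traffic blocked unless an explicit allow exists. The subnets, the home → lab HTTPS allow and the host addresses are assumptions.

```python
"""Audit a constructed OpnSense-style rule set against this page's segmentation policy.
Added example, not the author's configuration; subnets, hosts and ports are assumed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

HOME, LAB, GUEST = (ip_network(n) for n in ("10.0.10.0/24", "10.0.20.0/24", "10.0.30.0/24"))
RFC1918 = ip_network("10.0.0.0/8")  # the only private range in use here (assumed)
ANY = ip_network("0.0.0.0/0")
# Representative destinations; 203.0.113.10 (TEST-NET-3) stands in for the internet.
PROBES = {"internet": ip_address("203.0.113.10"), "home": HOME[10], "lab": LAB[10], "guest": GUEST[10]}
# Expected verdict per VLAN for traffic to an arbitrary, non-allow-listed port.
POLICY = {
    "vlan10": {"internet": "pass", "lab": "block", "guest": "block"},  # restricted inter-VLAN
    "vlan20": {"internet": "pass", "home": "block", "guest": "block"},  # explicit allows only
    "guest":  {"internet": "pass", "home": "block", "lab": "block"},    # internet only
}

@dataclass(frozen=True)
class Rule:
    iface: str
    action: str                 # "pass" or "block"
    dst: IPv4Network
    port: Optional[int] = None  # None matches any destination port

def evaluate(rules, iface, dst, port):
    """First-match evaluation (OpnSense rules are 'quick' by default); no match = default deny."""
    for r in rules:
        if r.iface == iface and dst in r.dst and r.port in (None, port):
            return r.action
    return "block"

def audit(rules):
    """Return policy violations as 'iface -> dest: got X, want Y' strings."""
    violations = []
    for iface, expected in POLICY.items():
        for dest, want in expected.items():
            got = evaluate(rules, iface, PROBES[dest], 12345)  # port on no allow list
            if got != want:
                violations.append(f"{iface} -> {dest}: got {got}, want {want}")
    return violations

# Constructed rule set matching the page: one explicit home -> lab HTTPS allow (assumed),
GOOD = [Rule("vlan10", "pass", ip_network("10.0.20.10/32"), 443)]
for iface in ("vlan10", "vlan20", "guest"):  # then block private space, then pass the rest
    GOOD += [Rule(iface, "block", RFC1918), Rule(iface, "pass", ANY)]
# Common misordering: a 'pass any' on guest placed ahead of the block exposes both internal VLANs.
BAD = [Rule("guest", "pass", ANY)] + GOOD

if __name__ == "__main__":
    print("good:", audit(GOOD) or "no violations", "| bad:", audit(BAD))
```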

Management

  • OpnSense — web UI over HTTPS, SSH for advanced config
  • Switch — web UI, SNMP monitoring
  • UniFi Controller — centralized WiFi management

See Also

  • Setup Details — the homelab hardware itself
  • Services — what's actually running behind that VLAN 20 link