Sunday, 26 April 2026

My Advanced Home Lab 2026 – Network Architecture and Zero Trust Setup


Introduction

In this project, I built an advanced home lab that focuses on security, high availability, and full control over my infrastructure. The goal was to create an environment similar to enterprise networks, but fully self-hosted and managed by me.

The lab combines networking, virtualization, monitoring, and Zero Trust access into one consistent system.


Network Overview

The core of my network is based on pfSense, which acts as the main router and firewall.

The network is divided into two main segments:

  • LAN_1 (10.0.0.0/24) – servers and storage
  • LAN_2 (172.16.8.0/24) – infrastructure and UniFi ecosystem

Additionally, I use VLANs for WiFi segmentation:

  • VLAN10 – main WiFi network
  • VLAN20 – guest network
  • VLAN30 – IoT devices
  • VLAN40 – management network (secured with 802.1X)

This segmentation improves security and allows better control over traffic between devices.


Core Networking and Security

The firewall is configured with several important services:

  • Intrusion detection and prevention using Snort
  • IP and geo-blocking with pfBlockerNG
  • WireGuard VPN for secure remote access
  • DHCP, DNS, and SNMP services
  • Monitoring agents for infrastructure visibility

This setup creates a strong security layer at the edge of the network.


Server Infrastructure (LAN_1)

In the server network, I run a three-node Proxmox cluster with high availability and Ceph storage.

The cluster hosts:

  • Linux containers (LXC) for core services
  • Virtual machines including:
    • Windows Server 2019 (Active Directory)
    • Windows 10 clients

Key services include:

  • Zabbix monitoring (frontend and backend cluster)
  • Grafana for data visualization
  • Wazuh SIEM for security monitoring

For storage, I use a TrueNAS server that provides:

  • NFS for Proxmox backups
  • SMB shares for general usage


Infrastructure Network (LAN_2)

The second network segment is focused on infrastructure and network management.

It includes:

  • UniFi switch and access point
  • A mini PC running Debian Linux
  • Multiple services in containers (Docker and Podman)

On this host, I run:

  • Pangolin client for Zero Trust connectivity
  • FreeRADIUS server for 802.1X authentication
  • UniFi controller (Podman)
  • Docker services such as Portainer and AdGuard Home

This network acts as a control layer for WiFi and internal services.


Zero Trust Access

For secure remote access, I use Pangolin.

The idea is simple:

  • No services are exposed directly to the internet
  • All access goes through a central gateway
  • Authentication (including 2FA) is required before access is granted

This approach is similar to cloud-based Zero Trust solutions, but fully self-hosted.


Monitoring and Observability

Monitoring is a key part of the system.

I use:

  • Zabbix for infrastructure monitoring
  • Grafana for dashboards and visualization
  • Uptime Kuma for service availability checks

This combination allows me to detect problems quickly and understand system behavior in real time.


Key Features of the Project

  • Strong network segmentation (LAN + VLANs)
  • High availability with a Proxmox cluster and Ceph
  • Secure remote access using a Zero Trust model
  • Advanced monitoring and logging
  • Enterprise-style WiFi management with UniFi
  • Centralized authentication using FreeRADIUS


Conclusion

This home lab is designed as a realistic simulation of a modern IT infrastructure. It focuses on security, scalability, and reliability.

By combining networking, virtualization, and Zero Trust access, I created an environment that is both powerful and secure.

This project helped me improve my skills in system administration and networking practices, while also giving me a stable platform for testing new technologies.

 

Monday, 9 September 2024

Monitoring Windows and Active Directory using Wazuh and Zabbix

Wazuh is a great tool for security monitoring (SIEM). Thanks to it, I have a centralized environment that takes care of threat detection, file integrity monitoring, log analysis, vulnerability detection and malware identification.

Zabbix, on the other hand, complements Wazuh. While Wazuh focuses mainly on security, monitoring what's happening from a security perspective on our devices, Zabbix is useful for more administrative tasks. With Zabbix, we can check if anything is happening, if the disks are filling up, if the server temperatures are rising, and so on. From an administrative point of view, it allows us to check everything in one place and keep it handy. Not many people know that Zabbix is also great for security. It can check logs for failed login attempts or changes in files, for example.

Thursday, 22 February 2024

Zabbix as a real-time monitoring of IT components and services

Now it's time for Zabbix... The difficulty of learning Zabbix depends on the knowledge of IT infrastructure monitoring concepts, experience with similar tools and general technical knowledge.

The project I am working on, "Zabbix Architect - Network and Server Monitoring", showcases not only my skills with Zabbix software but also the extensive IT knowledge I have gained so far. It is based on my current home lab setup as well as cloud services. This project might take some time as I keep coming up with new ideas that I want to include. Below is the current architecture (which may change) and part of the work already completed.

The project looks like this:

  • Installation: Zabbix server, Zabbix proxy, database, high-availability cluster, load balancing, VRRP.
  • Ansible: deploying and adding agents, securing and optimizing Zabbix.
  • Monitoring: Windows and Linux, logs and events, services, Docker, agentless monitoring, SNMP, iDRAC, web applications, SSL certificates, SELinux, network devices, new unwanted devices, hypervisors, databases, mail server, backups, NVR/IP cameras.
  • Integration: Active Directory, ticketing system, Grafana.

 

Here are good practices for setting up and maintaining Zabbix:

1. Planning: Before you set up Zabbix, it's important to plan how the system will work. You should decide how many servers, proxies, and agents you need, and how you will organize your network and save data.

2. Scaling: Zabbix should be able to grow as your organization grows. This means making sure the server and database work well, adding proxies for monitoring in different locations, and using load balancing if necessary.

3. Database: The Zabbix database needs to be set up and maintained properly. This includes adjusting settings and making regular backups to keep everything running smoothly.

4. Security: To keep the system secure, you should encrypt communication between Zabbix components, limit access to the Zabbix interface, and update Zabbix regularly to fix security issues.

5. Refresh Time: Adjust how often Zabbix checks items and triggers to find a balance between detailed monitoring and system performance.

6. Use of Templates: Use or create templates to make setting up hosts and services easier and faster.

7. Alerts and Notifications: Set up alerts to inform the right people about important problems. Don't send too many alerts—just the important ones. Create rules for how alerts are handled, set limits for when alerts are triggered, and use different ways to notify people (like email, SMS, or chat apps).

8. Monitor Monitoring: Regularly check how well Zabbix itself is working. This includes looking at how much server and database resources are used, checking for failed data collection, and making sure the system is highly available and has backups where needed.
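
An added example for point 4 (not part of the original post and not code from the Zabbix project): a small Python audit of a Zabbix agent configuration that reports cleartext server-agent traffic. It relies on the agent parameters TLSConnect and TLSAccept, which default to unencrypted when absent; the sample configs, server address, PSK identity and file path are constructed for illustration.

```python
"""Added example: audit Zabbix agent configs for unencrypted server<->agent traffic."""

# Zabbix agent defaults when a parameter is absent: both directions unencrypted.
DEFAULTS = {"TLSConnect": "unencrypted", "TLSAccept": "unencrypted"}
# Parameters each encryption mode needs in order to work.
REQUIRED = {
    "psk": ("TLSPSKIdentity", "TLSPSKFile"),
    "cert": ("TLSCAFile", "TLSCertFile", "TLSKeyFile"),
}


def parse_conf(text):
    """Parse Key=Value lines; lines starting with '#' are comments. Last value wins."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit(text):
    """Return a list of findings; an empty list means both directions are encrypted."""
    conf = parse_conf(text)
    findings = []
    connect = conf["TLSConnect"]                      # agent -> server (active checks)
    accept = [m.strip() for m in conf["TLSAccept"].split(",")]  # server -> agent
    if connect == "unencrypted":
        findings.append("TLSConnect: active checks are sent in cleartext")
    if "unencrypted" in accept:
        findings.append("TLSAccept: passive checks are accepted in cleartext")
    for mode in sorted({connect, *accept} & REQUIRED.keys()):
        for key in REQUIRED[mode]:
            if not conf.get(key):
                findings.append(f"{key}: required for mode '{mode}' but not set")
    return findings


# Constructed sample configs (not taken from the lab described on this page).
WEAK = "Server=10.0.0.10\nTLSAccept=unencrypted,psk\nTLSPSKIdentity=agent01\n"
HARDENED = (
    "Server=10.0.0.10\nTLSConnect=psk\nTLSAccept=psk\n"
    "TLSPSKIdentity=agent01\nTLSPSKFile=/etc/zabbix/agent01.psk\n"
)

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text) or "OK")
```

The weak sample shows the common migration leftover: PSK is enabled, but TLSAccept still lists unencrypted, so a cleartext connection is still accepted.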