Sunday, 26 April 2026

Home Lab 2026 – Advanced Network Architecture



About Project

In this project, I built an advanced home lab that focuses on security, high availability, and full control over my infrastructure. The goal was to create an environment similar to enterprise networks, but fully self-hosted and managed by me.

This project has been continuously developed for over 8 years, with many upgrades and improvements over time. If you want to see the earlier stages of this lab and previous changes, feel free to check my older posts - just click one of them below.

The lab combines networking, virtualization, monitoring, security and Zero Trust access into one consistent system.

Notes:

  • All inter-network routing & firewall rules are handled by pfSense
  • Wazuh SIEM provides centralized security monitoring for the homelab
  • Zabbix Server monitors homelab servers, services, and network devices
  • User access to services is provided via Pangolin and Cloudflare Tunnel (client on Mini-PC)
  • Administrative access is provided via WireGuard VPN (server on pfSense)
  • 802.1X authentication enforced on VLAN40 (MGMT) WiFi via FreeRADIUS
  • General users connect via VLAN10 (UNIFI WiFi)
  • Guest and IoT are isolated in their own VLANs
  • Proxmox nodes use Ceph for HA storage
  • TrueNAS provides NFS backups for Proxmox and SMB shares for clients


Network Overview

The core of my network is based on pfSense, which acts as the main router and firewall.

The network is divided into two main segments:

  • LAN_1 (10.0.0.0/24) – servers and storage
  • LAN_2 (172.16.8.0/24) – infrastructure and "UniFi ecosystem"

Additionally, I use VLANs for WiFi segmentation:

  • VLAN10 – main WiFi network
  • VLAN20 – guest network
  • VLAN30 – IoT devices
  • VLAN40 – management network (secured with 802.1X)

This segmentation improves security and allows better control over traffic between devices.


Core Networking and Security

The firewall is configured with several important services:

  • Zabbix Server is used to monitor the health and availability of homelab infrastructure
  • Wazuh SIEM is used for security monitoring and threat detection in the homelab
  • Intrusion detection and prevention using Snort
  • IP and geo-blocking with pfBlockerNG
  • WireGuard VPN for secure remote access
  • DHCP, DNS, and SNMP services
  • Monitoring agents for infrastructure visibility

This setup creates a strong security layer at the edge of the network.


Server Infrastructure (LAN_1)

In the server network, I run a three-node Proxmox cluster with high availability and Ceph storage.

The cluster hosts:

  • Linux containers (LXC) for core services
  • Virtual machines including:
    • Windows Server 2019 (Active Directory)
    • Windows 10 clients

Key services include:

  • Wazuh SIEM runs on a dedicated Rocky Linux virtual machine as a standalone server used for operating system monitoring and security event analysis
  • Zabbix monitoring (frontend and backend cluster). Zabbix was first deployed on a Raspberry Pi 3 B+ as a standalone installation running Zabbix 6.0 LTS with Apache and MySQL. Over time, the environment was migrated to the Proxmox cluster and redesigned for high availability. The current setup includes: 2x Rocky Linux LXC containers for the Zabbix Frontend (Nginx + Keepalived) and 3x Rocky Linux LXC containers for the Zabbix Backend (MariaDB Galera Cluster + Keepalived).
  • Grafana runs as a standalone service on a Rocky Linux LXC and is used for infrastructure visualization and dashboard monitoring

For storage, I use a TrueNAS server that provides:

  • NFS for Proxmox backups
  • SMB shares for general usage


Infrastructure Network (LAN_2)

The second network segment is focused on infrastructure and network management.

It includes:

  • UniFi switch and access point
  • A Mini-PC running Debian Linux
  • Multiple services in containers (Docker and Podman)

On this host, I run:

  • Pangolin and Cloudflare client for Zero Trust connectivity
  • FreeRADIUS server for 802.1X authentication
  • UniFi controller (Podman)
  • Docker services such as Portainer and AdGuard Home

This network acts as a control layer for WiFi and internal services.


Zero Trust Access

For secure user remote access, I use Pangolin. 

At the moment, I am still using Cloudflare Tunnel for several services because I am currently migrating everything to a fully self-hosted tunnel solution with Pangolin.

My current Pangolin setup works in a hybrid model. The Pangolin server is hosted on an external VPS from Linode, while the Pangolin client runs inside my homelab on a Mini-PC. This setup gives me secure remote access, better control over my infrastructure, and allows me to slowly replace external tunnel services with my own self-hosted solution.

The idea is simple:

  • No services are exposed directly to the internet
  • All access goes through a central gateway
  • Authentication (including 2FA) is required before access is granted

This approach is similar to cloud-based Zero Trust solutions, but fully self-hosted.


Monitoring and Observability

Monitoring is a key part of the system.

I use:

  • Zabbix for infrastructure monitoring
  • Grafana for dashboards and visualization
  • Uptime Kuma for service availability checks

This combination allows me to detect problems quickly and understand system behavior in real time.


Key Features of the Project

  • Centralized monitoring with Zabbix and security analysis with Wazuh SIEM
  • Strong network segmentation (LAN + VLANs)
  • High availability with Proxmox cluster and Ceph
  • Secure remote access using Zero Trust model
  • Enterprise-style WiFi management with UniFi
  • Centralized authentication using FreeRADIUS


Conclusion

This home lab is designed as a realistic simulation of a modern IT infrastructure. It focuses on security, scalability, and reliability.

By combining networking, virtualization, and Zero Trust access, I created an environment that is both powerful and secure.

This project helped me improve my skills in system administration and networking practices, while also giving me a stable platform for testing new technologies.

Using this project 1:1 in a production environment could be difficult to manage because of the large number of different technologies and solutions used together. However, a home lab is one of the best ways to learn new technologies in practice.

For me, independence and security are very important. Today, cloud services are extremely popular, but in the end, the cloud is simply “someone else’s computer”. 

Monday, 9 September 2024

Monitoring Windows and Active Directory using Wazuh and Zabbix

Wazuh is a great tool for security monitoring (SIEM). Thanks to it, I have a centralized environment that takes care of threat detection, file integrity monitoring, log analysis, vulnerability detection and malware identification.
Zabbix, on the other hand, complements Wazuh. While Wazuh focuses mainly on security, monitoring what's happening from a security perspective on our devices, Zabbix is useful for more administrative tasks. With Zabbix, we can check if anything is happening, if the disks are filling up, if the server temperatures are rising, and so on. From an administrative point of view, it allows us to check everything in one place and keep it handy. Not many people know that Zabbix is also great for security. It can check logs for failed login attempts or changes in files, for example.

Thursday, 22 February 2024

Zabbix as a real-time monitoring of IT components and services

Now it's time for Zabbix... The difficulty of learning Zabbix depends on the knowledge of IT infrastructure monitoring concepts, experience with similar tools and general technical knowledge.

The project I am working on "Zabbix Architect - Network and Server Monitoring" showcases not only my skills with Zabbix software but also the extensive IT knowledge I have gained so far. It is based on my current home lab setup as well as cloud services. This project might take some time as I keep coming up with new ideas that I want to include. Below is the current architecture (which may change) and part of the work already completed.

The project looks like this:

  • Installation: Zabbix server, Zabbix proxy, database, high-availability cluster, load balancing, VRRP.
  • Ansible: deploying and adding agents, securing and optimizing Zabbix.
  • Monitoring: Windows and Linux, logs and events, services, Docker, agentless monitoring, SNMP, iDRAC, web applications, SSL certificates, SELinux, network devices, new unwanted devices, hypervisors, databases, mail server, backups, NVR/IP cameras.
  • Integration: Active Directory, ticketing system, Grafana.

Here are good practices for setting up and maintaining Zabbix:

1. Planning: Before you set up Zabbix, it's important to plan how the system will work. You should decide how many servers, proxies, and agents you need, and how you will organize your network and save data.

2. Scaling: Zabbix should be able to grow as your organization grows. This means making sure the server and database work well, adding proxies for monitoring in different locations, and using load balancing if necessary.

3. Database: The Zabbix database needs to be set up and maintained properly. This includes adjusting settings and making regular backups to keep everything running smoothly.

4. Security: To keep the system secure, you should encrypt communication between Zabbix components, limit access to the Zabbix interface, and update Zabbix regularly to fix security issues.

5. Refresh Time: Adjust how often Zabbix checks items and triggers to find a balance between detailed monitoring and system performance.

6. Use of Templates: Use or create templates to make setting up hosts and services easier and faster.

7. Alerts and Notifications: Set up alerts to inform the right people about important problems. Don't send too many alerts—just the important ones. Create rules for how alerts are handled, set limits for when alerts are triggered, and use different ways to notify people (like email, SMS, or chat apps).

8. Monitor Monitoring: Regularly check how well Zabbix itself is working. This includes looking at how much server and database resources are used, checking for failed data collection, and making sure the system is highly available and has backups where needed.
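
Practice 4 above calls for encrypted communication between Zabbix components. As an added example (not part of the original post), the shell function below audits a Zabbix agent configuration file for that, reading the agent's TLSConnect, TLSAccept, TLSPSKIdentity and TLSPSKFile parameters and reporting plaintext transport or a pre-shared key file that other accounts can access. The function names, the sample identity and the file paths are made up for the example.

```shell
#!/bin/sh
# Added example: audit a Zabbix agent config for encrypted transport.
# Exit status 0 = no findings, 1 = at least one finding (printed one per line).

# conf_get FILE KEY: last uncommented value of KEY in a Key=Value file.
conf_get() {
    awk -F= -v k="$2" '
        /^[ \t]*#/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); v = $0 }
        END { print v }' "$1"
}

audit_zabbix_agent_conf() {
    conf=$1; findings=0
    connect=$(conf_get "$conf" TLSConnect)
    accept=$(conf_get "$conf" TLSAccept | tr -d ' ')
    pskid=$(conf_get "$conf" TLSPSKIdentity)
    pskfile=$(conf_get "$conf" TLSPSKFile)

    # Both parameters default to "unencrypted" when they are not set.
    case "${connect:-unencrypted}" in
        psk|cert) ;;
        *) echo "TLSConnect: outgoing connections are unencrypted"; findings=1 ;;
    esac
    case ",${accept:-unencrypted}," in
        *,unencrypted,*) echo "TLSAccept: plaintext connections accepted"; findings=1 ;;
    esac
    # PSK mode needs an identity and a key file only its owner can access.
    case "$connect,$accept" in
        *psk*)
            [ -n "$pskid" ] || { echo "TLSPSKIdentity: not set"; findings=1; }
            if [ ! -f "$pskfile" ]; then
                echo "TLSPSKFile: missing"; findings=1
            elif [ "$(ls -ld "$pskfile" | cut -c5-10)" != "------" ]; then
                echo "TLSPSKFile: accessible by group or others"; findings=1
            fi ;;
    esac
    return $findings
}

# Constructed sample input: a PSK-only agent config and a placeholder key file.
demo=$(mktemp -d)
printf '%s\n' 'TLSConnect=psk' 'TLSAccept=psk' 'TLSPSKIdentity=lab-agent-01' \
    "TLSPSKFile=$demo/agent.psk" > "$demo/agent.conf"
( umask 077; echo 'placeholder-not-a-real-key' > "$demo/agent.psk" )
audit_zabbix_agent_conf "$demo/agent.conf" && echo "no findings"
rm -rf "$demo"
```

Run against each host's agent configuration, a non-zero exit status marks an agent that still needs its transport settings tightened.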