[CASE_STUDY] Secure Home Lab & Network Segmentation

Project: Secure Home Lab & Media Server

A comprehensive home lab built to reclaim data ownership from subscription services and create a secure, segmented network for IoT devices and security experiments.

OPNsense, UnRAID, Docker, VLANs, Jellyfin, Unbound DNS

Security Challenge

Consumer-grade networks are typically "flat": every device shares one broadcast domain with no filtering between hosts, so a single compromised IoT device can act as a beachhead for an attacker to reach high-value targets such as personal computers or file servers.

Solution

I implemented a multi-VLAN architecture using OPNsense to segment the network into four primary zones: Trusted, IoT, Guest, and Lab. Strict firewall rules block all inter-VLAN traffic by default, with specific exceptions for necessary communication.

+--------------------+
|    [Internet]      |
|      |             |
+------|-------------+
       |
+------v-------------+
|    OPNsense        |
|    Firewall        |
+--+--+--+--+--+-----+
   |  |  |  |  |
   |  |  |  |  +---> [ Trusted Network ]
   |  |  |  |         (VLAN 10)
   |  |  |  |
   |  |  |  +---> [ IoT Network ]
   |  |  |        (VLAN 20)
   |  |  |
   |  |  +---> [ Guest Network ]
   |  |         (VLAN 30)
   |  |
   |  +---> [ Lab Network ]
   |        (VLAN 40)
   |
   +---> [ UnRAID Server ]
          (Access Port: VLAN 40)
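
As an added illustration (not configuration taken from this lab), the default-deny policy described above modelled as a first-match rule table, with an audit function that probes flows the segmentation must block. The subnets, the UnRAID address and the Jellyfin port are assumptions; only the VLAN IDs come from the diagram.

```python
import ipaddress

# Assumed addressing (not from the write-up): VLAN N -> 10.0.N.0/24, gateway .1.
VLANS = {"trusted": 10, "iot": 20, "guest": 30, "lab": 40}   # IDs from the diagram
ZONES = {z: ipaddress.ip_network(f"10.0.{vid}.0/24") for z, vid in VLANS.items()}
UNRAID = ipaddress.ip_address("10.0.40.10")  # assumed: UnRAID's VLAN 40 access port

def zone_of(ip):
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "wan"  # anything outside the four VLANs is treated as Internet

# First-match rule table, one entry per OPNsense rule: (name, src_zone, dst, proto, dport).
# dst is a zone, "gateway" (the source VLAN's own firewall address, where Unbound
# listens), "unraid", "wan" or "*". Anything that matches no rule is blocked.
RULES = [
    ("dns-to-unbound", "*",       "gateway", "udp", 53),
    ("trusted-any",    "trusted", "*",       "*",   None),
    ("iot-jellyfin",   "iot",     "unraid",  "tcp", 8096),  # assumed Jellyfin port
    ("iot-internet",   "iot",     "wan",     "*",   None),
    ("guest-internet", "guest",   "wan",     "*",   None),
    ("lab-internet",   "lab",     "wan",     "*",   None),
]

def dst_matches(dst, src_ip, dst_ip):
    if dst == "gateway":  # only the resolver on the source's own VLAN, never a neighbour's
        return (z := zone_of(src_ip)) != "wan" and dst_ip == ZONES[z][1]
    if dst == "unraid":
        return dst_ip == UNRAID
    return dst in ("*", zone_of(dst_ip))

def evaluate(src, dst, proto, dport=None):
    """Decide a new connection; the firewall is stateful, so replies need no rule."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, src_zone, rdst, rproto, rport in RULES:
        if (src_zone in ("*", zone_of(src_ip)) and rproto in ("*", proto)
                and rport in (None, dport) and dst_matches(rdst, src_ip, dst_ip)):
            return "pass", name
    return "block", "default-deny"

def audit():
    """Flows that must never be allowed; returns any the policy wrongly passes."""
    must_block = [
        ("10.0.20.50", "10.0.10.20", "tcp", 445),   # IoT -> Trusted (SMB)
        ("10.0.30.7",  "10.0.40.10", "tcp", 8096),  # Guest -> Jellyfin
        ("10.0.40.22", "10.0.10.20", "tcp", 22),    # Lab -> Trusted (SSH)
        ("10.0.30.7",  "10.0.10.1",  "udp", 53),    # Guest -> another VLAN's resolver
    ]
    return [f for f in must_block if evaluate(*f)[0] == "pass"]
```

The same probe list can be replayed from a client on each VLAN against the real firewall; any flow that succeeds there points at a rule that needs revisiting.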

Implementation Details

  • OPNsense firewall with multi-WAN failover
  • VLAN segmentation for different device types
  • Strict firewall rules with default deny
  • UnRAID server with Docker containers for services
  • Jellyfin media server for local streaming
  • Unbound DNS with ad-blocking
  • WireGuard VPN for secure remote access

Results

  • Complete network segmentation for security
  • Eliminated reliance on cloud services
  • Improved network performance and reliability
  • Secure remote access to home network
  • Reduced attack surface for IoT devices