Building a Home Lab: Network Configuration
Set up a home lab network for learning, self-hosting, and experimentation. This guide covers VLANs, managed switches, firewall appliances, and lab best practices.
What Is a Home Lab?
A home lab is a personal environment for learning, testing, and self-hosting services. Network professionals, developers, and enthusiasts build home labs to gain hands-on experience with enterprise networking concepts.
A home lab can be as simple as a Raspberry Pi running Pi-hole, or as complex as a full rack with multiple servers, managed switches, and enterprise firewalls.
Essential Networking Components
Firewall/Router
Replace your ISP's consumer router with a dedicated firewall appliance:
| Option | Cost | Difficulty | Features |
|---|---|---|---|
| pfSense (Netgate) | $-$$$ | Moderate | Full firewall, VPN, DHCP, DNS |
| OPNsense | Free (on own hardware) | Moderate | Fork of pfSense, modern UI |
| UniFi Dream Machine | $$$ | Easy | Integrated AP controller, IDS |
| MikroTik | $ | Hard | Extremely capable, steep learning curve |
For beginners, OPNsense on a mini PC (Intel N100, 2-4 NIC ports, ~$150) is the best value.
Managed Switch
A managed switch enables VLANs, port mirroring, and traffic monitoring.
Popular home lab switches:
- TP-Link TL-SG108E (8-port, ~$30) — Basic VLAN support
- Netgear GS308T (8-port, ~$60) — Full management
- UniFi USW-Lite-8-PoE (8-port, ~$110) — PoE for APs + cameras
- MikroTik CSS326 (24-port, ~$130) — Dense, affordable
VLAN Architecture
A well-designed home lab uses VLANs to isolate different types of traffic:
- VLAN 1 (10.0.1.0/24) — Management (switches, APs, IPMI)
- VLAN 10 (10.0.10.0/24) — Trusted devices (workstations, phones)
- VLAN 20 (10.0.20.0/24) — Lab / Servers (Docker, VMs)
- VLAN 30 (10.0.30.0/24) — IoT devices
- VLAN 40 (10.0.40.0/24) — Guest network
- VLAN 50 (10.0.50.0/24) — DMZ (internet-facing services)
Firewall Rules Between VLANs
OPNsense / pfSense rule examples:
- Trusted → Lab: Allow (access self-hosted services)
- Trusted → IoT: Allow (control smart home)
- IoT → Trusted: Block (IoT cannot reach workstations)
- IoT → Internet: Allow DNS, NTP only
- Lab → Internet: Allow (updates, container pulls)
- Guest → Internet: Allow (nothing else)
- DMZ → Internet: Allow (web serving)
- DMZ → Trusted/Lab: Block (compromised DMZ stays isolated)
IP Addressing Plan
Consistent IP allocation makes management easier:
- x.x.x.1 — Gateway (firewall)
- x.x.x.2-9 — Network infrastructure (switches, APs)
- x.x.x.10-49 — Static assignments (servers, NAS)
- x.x.x.50-99 — DHCP reservations (known devices)
- x.x.x.100-254 — Dynamic DHCP pool
Document everything. A simple spreadsheet tracking hostname, MAC, IP, VLAN, and purpose saves hours of troubleshooting later.
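An added example (not from the original article): a small Python audit that checks the inventory spreadsheet described above against this page's VLAN subnets and host-octet ranges. The CSV column names, the sample rows, and the rule that a tracked device should not sit in the dynamic pool are assumptions of this example.

```python
import csv
import io
import ipaddress
from collections import Counter

# VLAN ID -> subnet, copied from the article's VLAN plan
VLANS = {vid: ipaddress.ip_network(net) for vid, net in {
    1: "10.0.1.0/24", 10: "10.0.10.0/24", 20: "10.0.20.0/24",
    30: "10.0.30.0/24", 40: "10.0.40.0/24", 50: "10.0.50.0/24"}.items()}
# Last-octet ranges, copied from the article's IP addressing plan
ROLES = [(1, 1, "gateway"), (2, 9, "infrastructure"), (10, 49, "static"),
         (50, 99, "reservation"), (100, 254, "dynamic pool")]

# Constructed sample inventory (not real devices); column names are assumed
SAMPLE = """hostname,mac,ip,vlan,purpose
opnsense,02:00:00:00:00:01,10.0.1.1,1,firewall
nas,02:00:00:00:00:10,10.0.20.10,20,storage
camera1,02:00:00:00:00:30,10.0.10.120,30,IoT camera
docker1,02:00:00:00:00:20,10.0.20.10,20,container host
"""

def role_for(ip):  # role by last octet; None for .0 and .255
    return next((n for lo, hi, n in ROLES if lo <= int(ip) & 0xFF <= hi), None)

def audit(csv_text):
    """Return (hostname, problem) tuples for rows that contradict the plan."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    ip_count = Counter(r["ip"] for r in rows)
    mac_count = Counter(r["mac"].lower() for r in rows)
    findings = []
    for r in rows:
        host = r["hostname"]
        try:
            ip, net = ipaddress.ip_address(r["ip"]), VLANS[int(r["vlan"])]
        except (ValueError, KeyError):
            findings.append((host, "invalid IP or unknown VLAN"))
            continue
        if ip not in net:  # documented in a VLAN whose subnet does not contain it
            findings.append((host, f"{ip} is outside VLAN {r['vlan']} ({net})"))
        if role_for(ip) in (None, "dynamic pool"):  # assumption: tracked hosts get fixed IPs
            findings.append((host, f"{ip} is not a static or reserved address"))
        if ip_count[r["ip"]] > 1:
            findings.append((host, f"duplicate IP {ip}"))
        if mac_count[r["mac"].lower()] > 1:
            findings.append((host, f"duplicate MAC {r['mac']}"))
    return findings

if __name__ == "__main__":
    print(*(f"{h}: {p}" for h, p in audit(SAMPLE)), sep="\n")
```

A row whose address falls outside its documented VLAN subnet is worth checking first, since the firewall rules between VLANs only apply to the segment the device is really on.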
Self-Hosted Services
Common home lab services that benefit from proper networking:
| Service | Purpose | Network Requirement |
|---|---|---|
| Pi-hole / AdGuard | DNS filtering + ad blocking | Accessible from all VLANs |
| Nginx Proxy Manager | Reverse proxy with SSL | DMZ VLAN, ports 80/443 |
| Plex / Jellyfin | Media streaming | Accessible from trusted + guest |
| Grafana + Prometheus | Monitoring dashboards | Management VLAN |
| WireGuard | Remote VPN access | WAN-facing, routes to all VLANs |
Best Practices
- Start small — Begin with a single VLAN and expand as you learn. Over-engineering early leads to frustration.
- Label everything — Cables, ports, devices. Use a label maker.
- UPS protection — A small UPS ($50-100) prevents filesystem corruption during power outages.
- Backup configs — Export firewall and switch configurations regularly. Store them in a git repository.
- Separate lab from production — Your family's internet should always work, even when you are experimenting. Keep the lab VLAN isolated so misconfigurations do not affect the household.