Infrastructure Roadmap Homelab

Project: Secure and Segmented Network with pfSense


🎯 Project Vision

Build a professional, secure, and scalable homelab network infrastructure, based on pfSense, allowing segmentation by VLANs, blocking malicious content, advanced network monitoring, and self-hosting services.

Guiding Principles:

  • Security First: Defense in depth (firewall + IDS/IPS + DNS filtering)
  • Scalability: Modular architecture prepared for growth
  • Performance: Optimized hardware, continuous monitoring
  • Controlled Cost: Balance between investment and functionality


✅ Phase 1: Foundations (Completed)

Duration: 2 weeks (November 2025). Budget invested: 112€

Base Infrastructure

Hardware Deployed

  • Mini PC Zotac ZBOX CI337 nano (85€)
    • Intel N100, 8GB DDR5, 128GB SSD
    • 2x Realtek GbE NICs (running the realtek-re-kmod driver instead of the in-kernel one)
    • pfSense 2.8.1 installed and operational
  • Access Point Afoundry EW1200 (27€)
    • WiFi AC1200 dual-band (2.4 + 5 GHz)
    • Native 802.1Q VLAN support
    • Multiple SSIDs (up to 8)

Software and Services

  • pfSense Community Edition 2.8.1
    • Modern stateful firewall
    • NAT, routing, DHCP server
    • DNS Resolver (Unbound)
  • Security Packages Installed
    • pfBlockerNG-devel: DNS blocking (DNSBL) + IP filtering
    • Suricata: IDS/IPS with ET Open rules
    • WireGuard: Modern VPN (ready to configure)
    • ACME: Automatic Let's Encrypt certificates
    • ntopng: Real-time network monitoring
    • iftop: Bandwidth monitoring

Network Architecture

  • Simple topology in place: Internet → ISP box → pfSense (WAN + LAN) → EW1200 AP → WiFi clients
  • ✅ Preliminary segmentation: a single segment (the main LAN), no VLANs yet
  • ✅ Active services: DHCP, DNS, firewall, ad blocking, IDS

Security Implemented

  • Active ad blocking (pfBlockerNG DNSBL)
    • 500k+ domains blocked (ads, trackers, malware)
    • Daily automatic update
    • Blocking rate: 20-40% of DNS queries
  • Suricata IDS/IPS on WAN
    • Inline IPS mode (active blocking)
    • ET Open rules activated
    • Categories: attack, dos, exploit, malware, scan
    • Caveat: on the WAN interface Suricata sees post-NAT traffic, so every internal host appears as the WAN address and an alert cannot be attributed to a specific client; an additional instance on the LAN/VLAN interfaces restores per-host attribution. Inline mode also requires hardware checksum/TSO/LRO offloading to stay disabled on that interface.
  • Firewall rules: deny by default, explicit allow
  • WiFi encryption: WPA2-PSK/AES
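How the DNSBL figures above come about, as an added example (not pfBlockerNG's or Unbound's code): the two feed formats pfBlockerNG ingests are parsed into one block set, a query is matched the way Unbound's `local-zone ... redirect` matches (a listed zone captures every name beneath it), a whitelist overrides the feeds, and the blocking rate is computed over a query log. The feeds, the whitelist and the query log are constructed; the 0.0.0.0 sinkhole answer is an assumption (pfBlockerNG answers with its DNSBL virtual IP by default).

```python
import ipaddress

# Constructed feed excerpts in the two formats pfBlockerNG ingests:
# hosts-format (IP + hostname) and plain domain lists. Not real feed data.
HOSTS_FEED = """\
# constructed hosts-format feed
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org
127.0.0.1 localhost
"""
DOMAIN_FEED = """\
# constructed domain-list feed
malware-c2.example.com
cdn-metrics.example.net
"""
# Custom whitelist: the usual fix when a feed breaks a site (constructed).
WHITELIST = {"cdn-metrics.example.net"}
# Answer returned for a blocked name. pfBlockerNG's default is its DNSBL
# virtual IP; 0.0.0.0 is used here as an assumption for the example.
SINKHOLE = "0.0.0.0"

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_feed(text):
    """Yield lower-cased domains from a hosts-format or domain-list feed."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        host = tokens[1] if len(tokens) > 1 and _is_ip(tokens[0]) else tokens[0]
        host = host.lower().rstrip(".")
        if host not in ("localhost", "localhost.localdomain", "broadcasthost"):
            yield host

def build_dnsbl(feeds, whitelist=frozenset()):
    """Union of all feeds minus the whitelist: the set loaded into Unbound."""
    blocked = set()
    for feed in feeds:
        blocked.update(parse_feed(feed))
    return blocked - {w.lower() for w in whitelist}

def resolve_policy(dnsbl, qname, whitelist=frozenset()):
    """Return SINKHOLE if the query is blocked, else None (normal resolution).
    Mirrors Unbound's `local-zone ... redirect`: a listed zone captures every
    name beneath it, so the queried name is walked up label by label. A
    whitelisted zone met on the way up wins over a listed parent."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):            # stop before the bare TLD
        zone = ".".join(labels[i:])
        if zone in whitelist:
            return None
        if zone in dnsbl:
            return SINKHOLE
    return None

def block_rate(dnsbl, queries, whitelist=frozenset()):
    """Share of queries answered from the DNSBL (the 20-40% figure above)."""
    hits = sum(1 for q in queries if resolve_policy(dnsbl, q, whitelist) is not None)
    return hits / len(queries) if queries else 0.0

DNSBL = build_dnsbl([HOSTS_FEED, DOMAIN_FEED], WHITELIST)

# Constructed query log (one name per query) standing in for Unbound's reply log.
QUERY_LOG = [
    "www.ads.example.net", "example.com", "mail.example.com", "tracker.example.org.",
    "api.cdn-metrics.example.net", "malware-c2.example.com", "cdn-metrics.example.net",
    "www.wikipedia.org", "ads.example.net", "pfsense.localdomain",
]

if __name__ == "__main__":
    for q in QUERY_LOG:
        print(f"{q:32} -> {resolve_policy(DNSBL, q, WHITELIST) or 'resolve normally'}")
    print(f"block rate: {block_rate(DNSBL, QUERY_LOG, WHITELIST):.0%}")
```

The label walk is why a single feed entry such as `ads.example.net` also catches `www.ads.example.net`, and why the whitelist is checked at every level: a whitelisted child under a listed parent resolves normally while the parent stays blocked. The rate is only meaningful for clients that actually send their queries to pfSense; a device with a hard-coded resolver never appears in this log.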

Documentation

  • Guides written:
    • Part 1: pfSense Installation and Initial Configuration
    • Part 2: WiFi AP and pfBlockerNG Deployment
    • Roadmap (this document)

🚀 Phase 2: Network Segmentation (Short Term)

Estimated Duration: 3-4 weeks Estimated Budget: 80-150€

Objectives

Implement a multi-segment VLAN architecture to isolate different traffic types:

  • VLAN 10 (LAN): Main network (laptops, smartphones)
  • VLAN 30 (IoT): Isolated connected objects (smart home, cameras)
  • VLAN 99 (Guest): Guests without LAN access
  • VLAN 50 (Management): Admin access to network equipment

Required Hardware

8-Port Managed Switch

Recommended Models:

  • TP-Link TL-SG108E (40-50€) - Budget
  • Netgear GS308T (60-80€) - Intermediate
  • UniFi Switch Flex Mini (70-90€) - Prosumer

Required Features:

  • 802.1Q VLAN tagging support
  • Port-based VLANs
  • Web management interface, assignable to a management VLAN (so the switch's web UI lives on VLAN 50 rather than on the default VLAN 1 reachable from every port)
  • Fanless (silent)

Network Configuration

pfSense VLANs

Interfaces > Assignments > VLANs:

```text
VLAN 10 (LAN):   Existing main network
VLAN 30 (IoT):   [Subnet IoT]/24
VLAN 99 (Guest): [Subnet Guest]/24
VLAN 50 (Mgmt):  [Subnet Management]/24
```

Create the VLANs on the LAN NIC as parent, assign each one as an interface, and keep the existing untagged LAN working until VLAN 10 has been verified from a client: moving the admin network onto a tagged VLAN in one step is the classic way to lock oneself out of the WebGUI.

DHCP Services per VLAN:

  • Distinct IP pools
  • DNS = pfSense (pfBlockerNG filtering for all)
  • DHCP lease: 24h (LAN), 2h (Guest)
  • Handing out pfSense as resolver only filters clients that honor it: a device with a hard-coded resolver (8.8.8.8 is common on IoT gear) skips DNSBL entirely, so each VLAN also needs a rule that allows port 53 only to that VLAN's pfSense address and blocks (or NAT-redirects) port 53 to anything else.

EW1200 Multiple SSID

Segmented WiFi Configuration:

```text
SSID: Homelab_Principal → VLAN 10 (WPA2-PSK)
SSID: Homelab_IoT       → VLAN 30 (WPA2-PSK)
SSID: Homelab_Guest     → VLAN 99 (WPA2-PSK, AP isolation)
```

Security per VLAN:

  • VLAN 30 (IoT): Client isolation enabled
  • VLAN 99 (Guest): No inter-VLAN access
  • Each SSID gets its own passphrase: the IoT PSK ends up stored in every cheap device, so it must never be the LAN PSK

Firewall Rules per VLAN

pfSense evaluates the rules on a VLAN's interface tab against traffic entering pfSense from that VLAN, top to bottom, first match wins, with an implicit deny at the end. A pass rule to destination "any" therefore also opens the other VLANs: the inter-VLAN block (typically "block to an RFC1918 alias") must sit above the Internet pass rule. Return traffic needs no rule of its own because the firewall is stateful.

VLAN 10 (LAN):

  • Full Internet access + inter-VLAN management

VLAN 30 (IoT):

  • Internet: Allow ports 80/443 only (plus DNS, and NTP if the devices need it, to the pfSense IoT address)
  • Inter-VLAN: Block (LAN-initiated connections to IoT control devices are permitted by the LAN tab, not here)
  • IoT cloud destinations: Explicit whitelist

VLAN 99 (Guest):

  • Internet: Allow
  • Inter-VLAN: Block ALL
  • Session time: 4 hours (captive portal optional)

VLAN 50 (Management):

  • Admin access to network equipment only
  • No Internet access (except updates)
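To check that the rule sets above really produce the intended isolation, here is an added Python model (example code, not part of the roadmap and not pfSense's own logic) of pfSense's per-interface, first-match-wins evaluation. Subnets, gateway addresses, the switch and AP addresses and the 203.0.113.10 "vendor cloud" address are assumptions. It contrasts the weak IoT tab (a single pass rule to "any") with the corrected order and audits the whole reachability matrix.

```python
import ipaddress
from dataclasses import dataclass

# Subnets, gateway addresses and device IPs are assumptions for this example;
# the roadmap leaves them as "[Subnet ...]/24".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IOT_GW = [ipaddress.ip_network("10.0.30.1/32")]        # pfSense address on VLAN 30
GUEST_GW = [ipaddress.ip_network("10.0.99.1/32")]      # pfSense address on VLAN 99
NETWORK_GEAR = [ipaddress.ip_network("10.0.50.2/32"),  # managed switch
                ipaddress.ip_network("10.0.50.3/32")]  # EW1200 access point

@dataclass
class Rule:
    action: str            # "pass" or "block"
    dst: object = "any"    # list of ip_network, or "any"
    ports: tuple = ()      # () = any destination port
    proto: str = "any"     # "tcp", "udp" or "any"

def evaluate(rules, dst_ip, dst_port, proto="tcp"):
    """Action pfSense takes for a new connection *entering* the interface these
    rules belong to: top to bottom, first match wins, implicit deny otherwise."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto != "any" and r.proto != proto:
            continue
        if r.ports and dst_port not in r.ports:
            continue
        if r.dst == "any" or any(ip in net for net in r.dst):
            return r.action
    return "block"

# Weak IoT tab: "Internet: allow 80/443 only" written as a single pass rule.
# Destination "any" includes the other VLANs, so IoT can open HTTPS to LAN hosts.
IOT_WEAK = [Rule("pass", "any", (80, 443), "tcp")]

# Corrected tabs: let clients reach pfSense itself for DNS/NTP, block every
# private destination, and only then open the Internet. The order is the point.
TABS = {
    "IOT": [
        Rule("pass", IOT_GW, (53, 123), "udp"),
        Rule("block", RFC1918),
        Rule("pass", "any", (80, 443), "tcp"),
    ],
    "GUEST": [
        Rule("pass", GUEST_GW, (53,), "udp"),
        Rule("block", RFC1918),
        Rule("pass", "any"),
    ],
    "MGMT": [
        Rule("pass", NETWORK_GEAR, (22, 443), "tcp"),
        # no Internet rule: add a temporary pass rule when firmware updates are due
    ],
}

# Reachability the roadmap asks for: (tab, destination, port, proto) -> action.
# 203.0.113.10 is a documentation address standing in for an IoT vendor cloud.
EXPECTED = {
    ("IOT", "10.0.10.5", 443, "tcp"): "block",      # IoT -> LAN server
    ("IOT", "10.0.30.1", 53, "udp"): "pass",        # IoT -> pfSense DNS (pfBlockerNG)
    ("IOT", "203.0.113.10", 443, "tcp"): "pass",    # IoT -> vendor cloud
    ("IOT", "203.0.113.10", 22, "tcp"): "block",    # IoT -> Internet SSH
    ("GUEST", "10.0.10.5", 80, "tcp"): "block",     # Guest -> LAN
    ("GUEST", "10.0.50.2", 443, "tcp"): "block",    # Guest -> switch web UI
    ("GUEST", "203.0.113.10", 443, "tcp"): "pass",  # Guest -> Internet
    ("MGMT", "10.0.50.2", 443, "tcp"): "pass",      # Mgmt -> switch web UI
    ("MGMT", "203.0.113.10", 443, "tcp"): "block",  # Mgmt -> Internet
}

def violations(tabs, expected=EXPECTED):
    """Probes whose evaluated action differs from the intended policy."""
    return [(tab, ip, port, proto, want, evaluate(tabs[tab], ip, port, proto))
            for (tab, ip, port, proto), want in expected.items()
            if evaluate(tabs[tab], ip, port, proto) != want]

if __name__ == "__main__":
    print("weak IoT tab, IoT -> LAN:443:", evaluate(IOT_WEAK, "10.0.10.5", 443))
    print("violations with corrected tabs:", violations(TABS))
```

The same matrix is worth running for real once the VLANs exist: from a client in each segment, attempt each probe (a TCP connect to the LAN server, a DNS query to the gateway, an outbound HTTPS request) and compare with `EXPECTED`. Any probe that passes on the live firewall but is listed as "block" here usually means a pass rule above the RFC1918 block.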

Phase 2 Deliverables


🏗️ Phase 3: Rack Infrastructure (Short Term)

Estimated Duration: 1-2 weeks Estimated Budget: 70-150€

Objectives

Organize the infrastructure in a professional rack to improve cabling, cooling, and scalability.

Hardware to Acquire

Mini Server Rack

Recommended Size: 9U or 12U (19-inch standard)

Options in Tangier:

  • Avito.ma second hand: 250-400 dh (23-36€)
  • iris.ma new: 990 dh (90€)
  • DIY wood: 100-200 dh (9-18€)

Selection Criteria:

  • Depth: 400-600mm (sufficient for a mini PC)
  • Ventilation: Side perforations
  • Doors: Front (glass/grid) + removable rear
  • Wheels: Mobility (optional)

Rack Surge Protector Power Strip

Options:

  • Rack power strip 19" 1U - 8 sockets (600-900 dh / 54-81€)
  • Standard surge-protected power strip, 8-10 sockets (150-300 dh / 14-27€)

Mandatory Protection:

  • Integrated surge protector (overvoltage protection)
  • Switch with indicator light
  • Cable 2-3m minimum

Rack Accessories

  • Fixed Shelves 1U (x2-3): 50-150 dh/piece
    • To place mini PC pfSense and EW1200
  • 8-port Patch Panel (optional): 100-200 dh
    • Ethernet cable organization
  • Cable Pass-Throughs (x2): 30-80 dh/piece
    • Clean cable management
  • Blank Panels 1U (x2-3): 20-50 dh/piece
    • Aesthetics + optimized airflow

Target 9U Rack Organization

```text
┌─────────────────────────┐
│ 1U - Power Strip (8x)   │ ← Top (easy wiring)
├─────────────────────────┤
│ 1U - Patch Panel (8p)   │ ← Patch panel (optional)
├─────────────────────────┤
│ 1U - Shelf: pfSense     │ ← Zotac ZBOX CI337
├─────────────────────────┤
│ 1U - Shelf: EW1200      │ ← WiFi access point
├─────────────────────────┤
│ 1U - Managed Switch     │ ← TP-Link or Netgear
├─────────────────────────┤
│ 2U - Expansion Space    │ ← Future server/NAS
├─────────────────────────┤
│ 2U - Proxmox / Docker   │ ← Phase 4
└─────────────────────────┘
```

Phase 3 Deliverables


🔐 Phase 4: Self-Hosted Services (Mid Term)

Estimated Duration: 4-6 weeks. Estimated Budget: 0-200€ (depending on existing hardware)

Objectives

Deploy secure self-hosted services behind pfSense, accessible locally and remotely via VPN.

Server Infrastructure

Option A: Reuse Existing Proxmox Server

Proxmox network migration:

  • Reconfigure the Proxmox network interfaces to the new subnet
  • Integrate Proxmox into VLAN 10 (LAN) or VLAN 50 (Management)
  • Put the host's management interface on VLAN 50 and the VM bridge in VLAN-aware mode, so that a guest such as Home Assistant can be tagged into VLAN 30 while the hypervisor itself stays in Management
  • Test VM/container connectivity after migration

Option B: Dedicated Docker Server

Additional mini PC (second hand):

  • Beelink, Intel NUC, or similar (100-200€)
  • Docker + Docker Compose
  • Lightweight containerized services

Services to Deploy

Network Management and Monitoring

  • Uptime Kuma: Monitoring uptime services
  • Grafana + Prometheus: Metrics Dashboards
  • LibreNMS: SNMP network equipment monitoring
  • Netdata: Real-time server monitoring

Productivity and Collaboration

  • Nextcloud: Personal cloud (files, calendar, contacts)
  • OnlyOffice or Collabora: Online office suite
  • Bookstack: Internal Wiki/documentation
  • Vaultwarden: Password Manager (Bitwarden)

Multimedia

  • Jellyfin or Plex: Media server (movies, series, music)
  • Photoprism: Smart photo gallery
  • Audiobookshelf: Audiobook library

Automation and IoT

  • Home Assistant: Centralized home automation (VLAN IoT)
  • Node-RED: Workflow automations
  • Mosquitto MQTT: IoT Broker

Reverse Proxy and Security

  • Nginx Proxy Manager: Reverse proxy + automatic TLS certificates (Let's Encrypt)
  • Authelia or Authentik: SSO (Single Sign-On)
  • Fail2Ban: Brute-force protection

Secure Access

WireGuard VPN

Road-warrior configuration:

  • Nomadic clients (laptop, smartphone)
  • Secure access to internal services from the Internet
  • Split tunneling (only LAN traffic goes through the VPN)

Configuration:

```text
VPN > WireGuard > Tunnels > Add
Listen Port:    51820
Tunnel Address: [Subnet VPN]/24
Peers:          Laptop, Smartphone, Tablet
```

WireGuard Firewall Rules:

  • Allow WireGuard → LAN services
  • Block WireGuard → VLAN IoT (except Home Assistant)
  • Allow WireGuard → Internet (optional)
  • On the WAN tab: allow UDP 51820 to the WAN address (the tunnel never comes up without it). Each peer's server-side Allowed IPs should be its tunnel /32 only, so the rules above can trust the source address.
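An added example, not from the roadmap and not the pfSense or WireGuard projects' own code, of what the road-warrior setup above is made of: key pairs derived with a pure-Python X25519 (RFC 7748, checked against its published test vectors), a server-side `[Peer]` entry whose `AllowedIPs` is the peer's /32, and a split-tunnel client configuration. The VPN subnet 10.0.200.0/24, the Home Assistant address 10.0.30.10, the pfSense LAN address 10.0.10.1 and the endpoint name vpn.example.net are assumptions. `accepted_by_cryptokey_routing` shows why the WireGuard firewall rules can trust source addresses: WireGuard drops any decrypted packet whose inner source lies outside the sending peer's `AllowedIPs`.

```python
import base64
import ipaddress
import os

P = 2**255 - 19
BASEPOINT = (9).to_bytes(32, "little")

def clamp(k):
    """Clamp a 32-byte scalar exactly as `wg genkey` does before encoding it."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return bytes(b)

def x25519(scalar, point):
    """RFC 7748 X25519 Montgomery ladder. Not constant-time: fine for producing
    a homelab config offline, not a substitute for a real crypto library."""
    k = int.from_bytes(clamp(scalar), "little")
    u = bytearray(point)
    u[31] &= 127
    x1 = int.from_bytes(u, "little")
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair(private=None):
    """(private_b64, public_b64): the `wg genkey` / `wg pubkey` pair."""
    private = clamp(private or os.urandom(32))
    public = x25519(private, BASEPOINT)
    return base64.b64encode(private).decode(), base64.b64encode(public).decode()

SERVER_PORT = 51820                              # from the roadmap
TUNNEL = ipaddress.ip_network("10.0.200.0/24")   # assumed [Subnet VPN]/24
# Split tunnel: only the internal networks plus the single IoT host the roadmap
# carves out (Home Assistant, assumed at 10.0.30.10) are routed into the tunnel.
SPLIT_TUNNEL = ["10.0.10.0/24", "10.0.50.0/24", "10.0.30.10/32"]

def server_peer_block(name, public, tunnel_ip, psk=None):
    """Server-side [Peer]. AllowedIPs is the peer's /32 only: WireGuard's
    cryptokey routing then discards any decrypted packet from this peer whose
    inner source is not that address, so the WireGuard tab rules can trust it."""
    lines = ["[Peer]", f"# {name}", f"PublicKey = {public}", f"AllowedIPs = {tunnel_ip}/32"]
    if psk:
        lines.append(f"PresharedKey = {psk}")
    return "\n".join(lines) + "\n"

def client_config(private, tunnel_ip, server_public, endpoint_host, psk=None):
    """Road-warrior config in wg-quick format: split tunnel, no 0.0.0.0/0."""
    lines = ["[Interface]", f"PrivateKey = {private}", f"Address = {tunnel_ip}/32",
             "DNS = 10.0.10.1",   # assumed pfSense LAN address: VPN clients get pfBlockerNG too
             "", "[Peer]", f"PublicKey = {server_public}",
             f"Endpoint = {endpoint_host}:{SERVER_PORT}",
             f"AllowedIPs = {', '.join(SPLIT_TUNNEL)}",
             "PersistentKeepalive = 25"]
    if psk:
        lines.insert(7, f"PresharedKey = {psk}")
    return "\n".join(lines) + "\n"

def accepted_by_cryptokey_routing(peers, sender, inner_src):
    """Server-side check: `peers` maps peer name -> its AllowedIPs list."""
    return any(ipaddress.ip_address(inner_src) in ipaddress.ip_network(n) for n in peers[sender])

if __name__ == "__main__":
    srv_priv, srv_pub = keypair()
    lap_priv, lap_pub = keypair()
    print(server_peer_block("laptop", lap_pub, "10.0.200.2"))
    print(client_config(lap_priv, "10.0.200.2", srv_pub, "vpn.example.net"))
```

On the client, `AllowedIPs` is only route selection; the enforcement is the server-side `AllowedIPs` plus the firewall rules on the WireGuard interface. A pre-shared key, when used, is an additional symmetric secret per peer, not a replacement for the key pair.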

Phase 4 Deliverables


📊 Phase 5: Advanced Monitoring (Mid Term)

Estimated Duration: 2-3 weeks Estimated Budget: 0-50€

Objectives

Implement a complete monitoring stack with centralized dashboards, automatic alerts, and performance metrics.

Monitoring Stack

Grafana + Prometheus

Metrics collected:

  • pfSense: CPU, RAM, WAN/LAN throughput, firewall states
  • Servers: Uptime, CPU, RAM, disk, network
  • Services: Availability, response time
  • Network: Latency, packet loss, bandwidth

Pre-configured Dashboards:

  • pfSense dashboard (community template)
  • Node Exporter dashboard (Linux servers)
  • Docker containers dashboard

Loki + Promtail

Centralized log aggregation:

  • pfSense logs (firewall, Suricata IDS, pfBlockerNG), exported through pfSense's remote syslog setting and ingested by Promtail's syslog receiver
  • Linux server logs (syslog, auth, kernel)
  • Docker container logs

Search and analysis:

  • LogQL query language
  • Time-range filters
  • Event correlation

Alerting

Alertmanager + Ntfy.sh:

  • Slack/Discord/Email alerts
  • Mobile push notifications
  • Configurable thresholds (CPU >80%, disk >90%, service down)

Phase 5 Deliverables


🌐 Phase 6: High Availability (Long Term)

Estimated Duration: 4-6 weeks Estimated Budget: 150-300€

Objectives

Implement redundancy on critical components to eliminate SPOF (Single Point of Failure).

pfSense High Availability (CARP)

Required Hardware

  • Second mini PC, identical or similar (100-200€)
    • Beelink, HUNSN, Topton N5105/N100
    • 2x Ethernet NICs minimum (WAN + LAN trunk); a third NIC for a dedicated pfsync/XML-RPC sync link is strongly recommended, which the current 2-port Zotac lacks (its sync traffic would have to ride a VLAN)

CARP Configuration

How it works:

  • 2 pfSense systems in master/backup
  • Virtual IP (VIP) shared via CARP on each interface, which needs three addresses per segment (one per node plus the VIP), including the segment between the ISP box and the firewalls
  • Configuration synchronization (XML-RPC) and firewall state synchronization (pfsync)
  • Automatic failover in under 2 seconds

HA Architecture:

```text
Internet → ISP box → [VIP pfSense]
                          ↓
                   ┌──────┴──────┐
               pfSense1       pfSense2
               (Master)       (Backup)
                   └──────┬──────┘
                        Switch
```

Redundant Managed Switch

Stack switches or LACP:

  • 2x switches with port aggregation
  • Redundant link between switches (stack or LAG)
  • Redundant uplink to pfSense (LACP)

Redundant Storage

NAS with RAID:

  • Synology, QNAP, or TrueNAS (DIY)
  • Minimum RAID 1 (2 mirrored disks)
  • Backup 3-2-1: 3 copies, 2 media, 1 off-site (RAID covers a disk failure, not deletion, ransomware or a bad firmware update)

UPS (Uninterruptible Power Supply)

Recommended Model: 600-1000VA

  • Power outage protection
  • Runtime 10-20 minutes (clean shutdown)
  • USB monitoring via NUT (Network UPS Tools)

Budget: 80-150€

Phase 6 Deliverables


🚀 Phase 7: Advanced Optimizations (Long Term)

Estimated Duration: Ongoing Estimated Budget: Variable

Advanced Security

Multi-Factor Authentication (MFA)

  • pfSense WebGUI: 2FA authentication (TOTP)
  • Services: SSO with Authelia/Authentik + mandatory 2FA
  • WireGuard VPN: one key pair per peer (WireGuard has no certificates) + an optional pre-shared key per peer as an extra symmetric layer

Internal Certificate Authority

  • step-ca or a home-grown OpenSSL CA
  • Internal TLS certificates signed locally, with the CA root distributed to clients
  • Revocation of compromised certificates

Threat Intelligence

  • IP reputation feeds in pfBlockerNG
  • GeoIP blocking: Block irrelevant countries
  • CrowdSec: Community-driven threat intelligence

Performance

Hardware Offloading

  • Suricata inline mode already runs on netmap; if the N100 becomes the bottleneck, trim the enabled rule categories or fall back to legacy (pcap) mode on that interface
  • Hardware offloading (checksum, TSO, LRO) must stay disabled on any interface where Suricata is inline; re-enable it only after Suricata has been validated in legacy mode there
  • Multi-queue NIC if the hardware is upgraded

DNS Cache

  • Optimized Unbound cache: TTL, prefetch
  • DNS over TLS (DoT) to the upstream resolver (Cloudflare, Quad9): Unbound moves from full recursion to forwarding mode with TLS to the upstream; pfBlockerNG DNSBL keeps working because listed names are answered locally before anything is forwarded

QoS (Quality of Service)

  • Traffic shaping per VLAN
  • VoIP/video priority if applicable
  • Bandwidth limits per client/VLAN

Automation

Infrastructure as Code (IaC)

  • Ansible playbooks: Automatic server configuration
  • Terraform: Proxmox VMs Provisioning
  • Git: Versioning configurations

CI/CD Pipeline

  • Gitea ou GitLab: Internal Git server
  • Drone CI: Automatic Build/test/deploy
  • Watchtower: Docker containers Auto-update

Phase 7 Deliverables


📈 Success Metrics

Technical KPIs

Availability

  • pfSense Uptime: >99.5% (goal: 99.9%)
  • Critical service Uptime: >99% (Nextcloud, VPN)
  • MTTR (Mean Time To Repair): <1 hour

Performance

  • WAN latency: <30ms (to 8.8.8.8)
  • LAN latency: <5ms (WiFi to pfSense)
  • 5GHz WiFi throughput: >300 Mbps real-world
  • Ad blocking: >20% of DNS queries

Security

  • Intrusion attempts blocked: Suricata Monitoring
  • Updates: <7 days after release
  • Backups tested: Monthly test restore
  • Vulnerabilities: 0 critical unpatched >30 days

Operational KPIs

Costs

  • OPEX electricity: <10€/month
  • Hardware ROI: <2 years vs equivalent cloud solutions
  • Annual budget: <200€ (maintenance + upgrades)

Productivity

  • Daily management time: <15 min/day
  • Major incidents: <1 per quarter
  • Planned downtime: <2 hours/month

🎓 Acquired Skills

Networking

  • ✅ TCP/IP protocols, routing, NAT
  • ✅ VLANs 802.1Q, trunking
  • ✅ DNS, DHCP, fundamental network services
  • 🔄 QoS, traffic shaping
  • 🔄 Advanced routing protocols (BGP, OSPF - future)

Security

  • ✅ Firewall stateful, advanced rules
  • ✅ IDS/IPS (Suricata)
  • ✅ DNS Filtering (pfBlockerNG)
  • ✅ VPN (WireGuard)
  • 🔄 Certificate management
  • 🔄 Threat intelligence

Systems

  • ✅ Linux system administration
  • ✅ FreeBSD (pfSense)
  • ✅ Virtualisation (Proxmox)
  • ✅ Containerisation (Docker)
  • 🔄 Ansible automation
  • 🔄 Infrastructure as Code

Monitoring

  • ✅ ntopng, iftop
  • 🔄 Grafana, Prometheus
  • 🔄 Loki, Promtail
  • 🔄 Alerting

Legend: ✅ Acquired | 🔄 In Progress | ⏳ Planned


💰 Global Estimated Budget

Expenditure Achieved (Phase 1)

```text
Zotac ZBOX CI337 nano:   85€
Afoundry EW1200:         27€
Total Phase 1:          112€
```

Planned Short-Term Expenditure (Phases 2-3)

```text
8p managed switch:            40-80€
9U rack:                      25-40€
Surge-protected power strip:  15-30€
Rack accessories:             10-30€
Total short term:             90-180€
```

Planned Mid-Term Expenditure (Phases 4-5)

```text
Mini PC server (optional):   0-200€
Storage disks:              50-100€
Total mid term:             50-300€
```

Planned Long-Term Expenditure (Phases 6-7)

```text
Second pfSense (HA):  100-200€
NAS/RAID disks:       150-400€
UPS:                   80-150€
Total long term:      330-750€
```

Total Project Budget (3 years)

Totals from the line items above:

```text
Minimum (basic):      202€  (Phases 1-3 at the low end)
Complete:             592€  (Phases 1-5 at the high end)
Maximum (HA + pro):  1,342€  (All phases at the high end)
```

Average monthly cost over 3 years: roughly 6-37€/month depending on ambition (202€ to 1,342€ spread over 36 months, before electricity, which is budgeted at under 10€/month in the KPIs above).

Equivalent cloud comparison:

  • Managed firewall: 20-50€/month
  • VPN: 10€/month
  • Cloud storage 1TB: 10€/month
  • VPS servers: 20-50€/month
  • Total cloud: 60-120€/month = 2,160-4,320€ over 3 years

Homelab ROI: between roughly 1.6x (maximal build against the cheapest cloud mix) and 20x (minimal build against the full cloud mix) cheaper than cloud over 3 years.


📅 Timeline Summary

```text
Nov 2025     ━━━━━━━━━━━━━━━━━━━━━━━━━━  Phase 1 ✅
             ├─ pfSense installation
             ├─ EW1200 deployment
             └─ pfBlockerNG configuration

Dec 2025     ━━━━━━━━━━━━━━━━━━━━━━━━━━  Phase 2 🔄
             ├─ Managed switch
             ├─ Multi-segment VLANs
             └─ Multiple WiFi SSIDs

Jan 2026     ━━━━━━━━━━━━━━━━━━━━━━━━━━  Phase 3 ⏳
             ├─ 9U rack + accessories
             ├─ Physical organization
             └─ Cable management

Feb-Mar 2026 ━━━━━━━━━━━━━━━━━━━━━━━━━━  Phase 4 ⏳
             ├─ Proxmox migration
             ├─ Containerized services
             └─ WireGuard VPN

Apr-May 2026 ━━━━━━━━━━━━━━━━━━━━━━━━━━  Phase 5 ⏳
             ├─ Monitoring stack
             ├─ Grafana dashboards
             └─ Automated alerting

Jun-Sep 2026 ━━━━━━━━━━━━━━━━━━━━━━━━━━  Phase 6 ⏳
             ├─ pfSense HA (CARP)
             ├─ NAS RAID
             └─ UPS

Oct 2026+    ━━━━━━━━━━━━━━━━━━━━━━━━━━  Phase 7 ⏳
             ├─ Continuous optimizations
             ├─ Advanced security
             └─ IaC automation
```


🎯 Project Objectives (3-Year Vision)

Technical

Learning

Community


🔗 Resources and References

Official Documentation

Communities

  • Reddit: r/PFSENSE, r/homelab, r/selfhosted
  • Forums: Netgate Forum, ServeTheHome
  • Discord: Homelab Community, pfSense Unofficial

Tools


📝 Notes and Lessons Learned

Successes

  • Controlled budget: Second-hand hardware + mini PC = optimal cost
  • Outstanding pfBlockerNG: Blocks 30%+ queries without complex configuration
  • EW1200 excellent choice: Native VLAN + dual-band performance
  • Diligent documentation: Huge time saver for troubleshooting

Challenges Encountered

  • ⚠️ Realtek NICs: Unstable in-kernel driver → Solution: realtek-re-kmod
  • ⚠️ Intel CNVi WiFi: Unusable under FreeBSD → Fallback: External AP
  • ⚠️ Firewall rules: WAN traffic blocked at first → Cause: with the WAN sitting on the ISP box's RFC1918 LAN, pfSense's "Block private networks" option on WAN drops packets arriving from that private segment. Leaving it unchecked is the correct setting for a double-NAT deployment, not a temporary workaround; "Block bogon networks" can stay enabled.

To Improve

  • 🔧 Regular backup: Automate weekly config snapshots (pfSense's built-in AutoConfigBackup service, or a scheduled copy of /conf/config.xml to the NAS)
  • 🔧 Failover tests: Simulate failures regularly
  • 🔧 Live documentation: Internal Wiki (BookStack) instead of static Markdown

🚀 Innovation and Future Projects

Short Term (6 months)

  • Guest Captive Portal: Styled login page for guests
  • Pi-hole Secondary DNS: DNS redundancy with list synchronization
  • Tailscale mesh VPN: WireGuard alternative/complement

Mid Term (1-2 years)

  • Kubernetes cluster: Docker → K3s/MicroK8s Migration
  • GitOps: ArgoCD for automated deployments
  • Observability: Traces (Tempo), metrics (Prometheus), logs (Loki)
  • Homelab YouTube/Blog: Community experience sharing

Long Term (2-3 years)

  • Multi-site VPN: Connect homelab to remote site (family/friends)
  • Edge computing: Raspberry Pi edge nodes
  • AI/ML services: Local LLMs (Ollama), image recognition
  • Ham Radio integration: APRS, Meshtastic, LoRa

✅ Regular Maintenance Checklist

Daily (5 min)

Weekly (20 min)

Monthly (1-2h)
