My Homelab

Did I tell you that I have an insanely cool homelab? I’m genuinely passionate about my homelab — it’s my personal tech playground where I get to experiment, learn, and continuously level up my skills. I’ve already accomplished a lot, and I’m excited about all the projects I have planned for the future!
I started with an affordable MiniPC from Amazon that quickly became my best tech companion. On it, I set up a robust server running Proxmox, which allows me to dive deep into virtualization, experiment freely, and grow both personally and professionally as a Computer Science Engineer. I’m always expanding my setup, adding new services, and fine-tuning configurations to boost performance and security.
Networking fascinates me — from configuring VLANs and firewalls (shoutout to pfSense!) to exploring different virtualization platforms like Proxmox. My homelab isn’t just about running servers; it’s about understanding how all the pieces fit and communicate together. Plus, having this environment means I can safely test exploits, security tools, and automation scripts without worrying about disrupting anything critical. (Well, mostly!)
1. Overview & Goals
My homelab was born on the 6th of February 2025 from a passion for IT and the desire to learn by doing. My main goals are:
- Become the owner of my data. I don't like relying on external providers.
- Build an environment for learning and experimentation, especially on Proxmox, networking, cybersecurity, and of course... self-hosting.
- Learn by doing, get my hands dirty, and be a step ahead when I'm thrown into the working world.
Current limitations:
- No redundancy in the infrastructure.
- Backups are manual, with no dedicated NAS yet.
2. Hardware Inventory
| Device | Type / Model | Details |
|---|---|---|
| ONT | Provided by ISP | Fiber connection |
| ISP Router | Physical router | First-level firewall, NAT, WAN management |
| Main Server | NiPoGi Essenx E1 Mini PC | 16 GB DDR4, 500 GB SSD (replaced 1 TB Chinese Stock), Intel N100 4 cores, 1 Gbps NIC |
| Ethernet | Cat 6 | Various Cat 6 cables for connections |
3. VM & Services Inventory
| Service | Type | Resources | Notes |
|---|---|---|---|
| Proxmox VE GUI | Host | - | Main hypervisor |
| Website (Nginx static) | LXC | 256 MB RAM, 1 core | HTML, CSS, JS |
| Pi-hole | LXC | 256 MB RAM, 1 core | DNS filtering (currently not being used. Reason: laziness) |
| Nginx Proxy Manager | LXC | 512 MB RAM, 1 core | Handles LE certs for lucafacchini.com and lucafacchini.ch and forwards HTTP traffic to the website LXC |
| Immich | LXC | 4 GB RAM, 2 cores | Self-hosted photo manager. Yeah, I hate paying for Google Drive or iCloud. Just, no! |
| Xubuntu (Obsidian Git Pusher) | VM | 2 GB RAM, 2 cores, 25 GB SSD | I am paying for Obsidian Sync. But I kind of want a backup on GitHub, so... automatic commits to GitHub |
| pfSense | VM | 2 GB RAM, 2 cores, 25 GB SSD | Main router/firewall, LAN gateway |
4. Network Topology

LAN → LAN Communication
To reach an internal service within the LAN:
- An Ethernet frame originates from my local device and is sent to the LAN switch.
- The switch forwards the frame to the destination host (e.g., a Proxmox server).
- The Proxmox server routes the packet to the appropriate internal service (e.g., a VM or container).
- The response follows the same path back to the original device.

LAN → WAN Communication
To reach an external service from a device inside the LAN:
- The Ethernet frame is sent to the LAN switch, which forwards it to the default gateway (pfSense firewall VM running on Proxmox).
- The pfSense firewall receives the packet on its LAN interface, performs NAT, and routes it to its WAN interface.
- The packet is then forwarded to the ISP router, which sends it to the wider internet using its public IP.
- The response follows the reverse path back to the original device.

WAN → LAN Communication
To expose internal services to the internet:
- A double NAT configuration is used to forward specific ports (e.g., for web services and VPN).
- Incoming traffic on the exposed ports first passes through the ISP router, which forwards it to the pfSense firewall.
- The pfSense firewall then routes the traffic to the appropriate internal service based on port forwarding rules.
- The response follows the reverse path back to the internet client.
5. Domain & DNS
Domains:
- lucafacchini.com
- lucafacchini.ch
Both are proxied via Cloudflare for protection and caching.
Nginx Proxy Manager handles HTTPS traffic (plus auto-renewed Let’s Encrypt certificates).
6. Firewall & Security
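ISP Router: blocks all inbound traffic, except explicitly forwarded ports.
pfSense firewall (VM)
pfSense (Firewall -> NAT)

| Interface | Protocol | Source Address | Source Ports | Dest. Address | Dest. Ports | NAT IP | NAT Ports |
|---|---|---|---|---|---|---|---|
| WAN | TCP | * | * | This firewall (self) | 80 | LAN Server | 80 |
| WAN | TCP | * | * | This firewall (self) | 443 | LAN Server | 80 |
| WAN | UDP | * | * | This firewall (self) | WireGuard's Port | LAN Host | WireGuard's Port |

Proxmox VE firewall: enabled at host level for WireGuard (wg0.conf for WireGuard config)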
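
The WAN → LAN path from section 4, traced through the two TCP port forwards in the pfSense table above. This is an added Python example, not the author's configuration or code. The names `Packet`, `NatHop`, `build_chain`, `deliver` and `respond` are hypothetical, all IP addresses are constructed, and the ISP router is assumed to forward each port unchanged. The WireGuard rule is left out because the page does not state its port.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Packet:
    proto: str
    src: tuple  # (ip, port)
    dst: tuple  # (ip, port)

class NatHop:
    """One NAT device: a port-forward table plus a state table for replies."""
    def __init__(self, wan_ip, forwards):
        self.wan_ip, self.forwards = wan_ip, forwards
        self.states = {}  # (proto, client, internal target) -> original destination
    def inbound(self, pkt):
        target = self.forwards.get((pkt.proto, pkt.dst[1]))
        if pkt.dst[0] != self.wan_ip or target is None:
            return None  # no matching forward: the packet is dropped
        self.states[(pkt.proto, pkt.src, target)] = pkt.dst
        return Packet(pkt.proto, pkt.src, target)  # destination rewritten, source kept
    def reply(self, pkt):
        original = self.states.get((pkt.proto, pkt.dst, pkt.src))
        if original is None:
            return None  # no recorded state for this flow
        return Packet(pkt.proto, original, pkt.dst)  # source restored for the client

# Constructed addresses (RFC 5737 and RFC 1918 ranges); none come from the page.
CLIENT = ("203.0.113.10", 40000)
ISP_PUBLIC, PFSENSE_WAN, LAN_SERVER = "198.51.100.7", "192.168.1.2", "10.0.0.10"

def build_chain():
    # Assumed: the ISP router forwards each port unchanged to pfSense's WAN address.
    isp = NatHop(ISP_PUBLIC, {("tcp", 80): (PFSENSE_WAN, 80),
                              ("tcp", 443): (PFSENSE_WAN, 443)})
    # The two TCP rules from the pfSense table, ports exactly as the page lists them.
    pfsense = NatHop(PFSENSE_WAN, {("tcp", 80): (LAN_SERVER, 80),
                                   ("tcp", 443): (LAN_SERVER, 80)})
    return [isp, pfsense]

def deliver(chain, pkt):
    """Walk an inbound packet through both hops; None means it was dropped."""
    for hop in chain:
        pkt = hop.inbound(pkt) if pkt else None
    return pkt

def respond(chain, delivered):
    """Send the server's reply back out through the hops in reverse order."""
    pkt = Packet(delivered.proto, delivered.dst, delivered.src)
    for hop in reversed(chain):
        pkt = hop.reply(pkt) if pkt else None
    return pkt
```

A request to port 443 of the public address arrives at the LAN server's port 80 with the client's source address intact, and the reply leaves with the public address and port 443 as its source. Anything that matches no forward at the first hop never reaches pfSense.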
7. Backup & Recovery
- Regular monthly backups of the entire Proxmox system.
- No dedicated NAS yet.
- I am planning to either buy a Synology NAS, or virtualize Synology and buy an external SSD drive.