# Networking

Covers VLANs, VPN configuration, DNS, and network topology.
## Network Topology

```text
Internet
   │
[router01 / Edge Firewall]
   │
[sw01 / Managed Switch]
   ├── VLAN 10 — Management (192.168.10.0/24)
   ├── VLAN 20 — Servers / Homelab (192.168.20.0/24)
   ├── VLAN 30 — IoT (192.168.30.0/24)
   └── VLAN 99 — Trusted Clients (192.168.99.0/24)
```
## VLANs

| VLAN ID | Name | Subnet | Gateway | Notes |
|---|---|---|---|---|
| 10 | Management | 192.168.10.0/24 | 192.168.10.1 | Switch, AP, router management |
| 20 | Servers | 192.168.20.0/24 | 192.168.20.1 | All homelab hosts — static IPs only |
| 30 | IoT | 192.168.30.0/24 | 192.168.30.1 | Isolated — no inter-VLAN routing |
| 99 | Trusted | 192.168.99.0/24 | 192.168.99.1 | Laptops, phones |
## DNS

Primary DNS: Pi-hole on `pi01`

- Upstream: Cloudflare `1.1.1.1` / `1.0.0.1` (DNS over HTTPS)
- Local domain: `home.lab`
### Key Local DNS Records

| Hostname | IP | Service |
|---|---|---|
| host01.home.lab | 192.168.20.x | Primary Docker host |
| nas01.home.lab | 192.168.20.x | NAS |
| grafana.home.lab | 192.168.20.x | Grafana (via NPM) |
| portainer.home.lab | 192.168.20.x | Portainer |
## VPN

### WireGuard (Remote Access)

- Port: `51820/UDP`
- Server: runs on `host01` or edge router

### Tailscale (Zero-config Remote Access)

- Used for quick remote access without port forwarding
- Exit node enabled on `host01`
- MagicDNS: enabled
## Firewall Rules

| Rule | Source | Destination | Action |
|---|---|---|---|
| Allow management from trusted | VLAN 99 | VLAN 10 | Allow |
| Block IoT to servers | VLAN 30 | VLAN 20 | Block |
| Allow DNS to Pi-hole | All VLANs | pi01:53 | Allow |
| Block inter-VLAN (default) | All | All | Block |
| Allow WireGuard inbound | WAN | host01:51820 | Allow |
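On a first-match firewall (the common model on edge routers), a rule only takes effect if no earlier rule already matched the same traffic, so the position of the catch-all "Block inter-VLAN" row and of the "Block IoT to servers" row relative to the DNS allow decides what actually gets through. The script below is an added example, not part of this page or of any router's configuration: it models the VLAN table and the rule table above as a first-match list, runs a handful of constructed sample flows through it in the order the table is written and again with the specific allows moved ahead of the blocks, and reports which rules never fire. The `pi01` and `host01` addresses and the sample client addresses are made up inside the page's subnets, since the page only gives `192.168.20.x`.

```python
"""First-match policy check for the VLAN and firewall tables on this page.

Added example, not part of the original page or any vendor config.  Host
addresses are assumptions (the page says "192.168.20.x"); sample flows are
constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# VLAN subnets as listed in the VLAN table.
VLANS = {
    10: ipaddress.ip_network("192.168.10.0/24"),  # Management
    20: ipaddress.ip_network("192.168.20.0/24"),  # Servers / Homelab
    30: ipaddress.ip_network("192.168.30.0/24"),  # IoT
    99: ipaddress.ip_network("192.168.99.0/24"),  # Trusted Clients
}

# Assumed addresses: the page only gives 192.168.20.x for these hosts.
PI01 = ipaddress.ip_address("192.168.20.53")    # Pi-hole
HOST01 = ipaddress.ip_address("192.168.20.10")  # WireGuard / Docker host


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def vlan_of(ip: str) -> Optional[int]:
    """VLAN ID for an address, or None for anything outside the four subnets (WAN)."""
    addr = ipaddress.ip_address(ip)
    for vid, net in VLANS.items():
        if addr in net:
            return vid
    return None


# Small match helpers; each takes a Flow and returns True/False.
def from_vlan(vid):
    return lambda f: vlan_of(f.src) == vid


def to_vlan(vid):
    return lambda f: vlan_of(f.dst) == vid


def from_any_vlan(f):
    return vlan_of(f.src) is not None


def from_wan(f):
    return vlan_of(f.src) is None


def to_service(ip, port, protos=("tcp", "udp")):
    return lambda f: ipaddress.ip_address(f.dst) == ip and f.dport == port and f.proto in protos


def anything(f):
    return True


# (name, source match, destination match, action), in the order the page lists them.
PAGE_ORDER = [
    ("Allow management from trusted", from_vlan(99), to_vlan(10), "Allow"),
    ("Block IoT to servers", from_vlan(30), to_vlan(20), "Block"),
    ("Allow DNS to Pi-hole", from_any_vlan, to_service(PI01, 53), "Allow"),
    ("Block inter-VLAN (default)", anything, anything, "Block"),
    ("Allow WireGuard inbound", from_wan, to_service(HOST01, 51820, ("udp",)), "Allow"),
]

# The same rules, specific allows first and the catch-all block last.
_BY_NAME = {r[0]: r for r in PAGE_ORDER}
FIXED_ORDER = [_BY_NAME[n] for n in (
    "Allow DNS to Pi-hole", "Allow WireGuard inbound",
    "Allow management from trusted", "Block IoT to servers",
    "Block inter-VLAN (default)")]


def evaluate(rules, flow):
    """Return (action, rule name) for the first matching rule.

    Traffic inside a single VLAN is switched by sw01 and never reaches
    router01, so it is reported as 'Switched' without consulting the rules.
    """
    s, d = vlan_of(flow.src), vlan_of(flow.dst)
    if s is not None and s == d:
        return "Switched", None
    for name, src_ok, dst_ok, action in rules:
        if src_ok(flow) and dst_ok(flow):
            return action, name
    return "Block", "implicit deny"


def unused_rules(rules, flows):
    """Names of rules that are never the first match for any sample flow."""
    hit = {evaluate(rules, f)[1] for f in flows}
    return [name for name, *_ in rules if name not in hit]


# Constructed sample flows (client addresses made up inside the page's subnets).
SAMPLE_FLOWS = [
    Flow("192.168.99.20", "192.168.10.2", 443),        # laptop -> switch web UI
    Flow("192.168.30.15", str(HOST01), 445),           # IoT device -> server SMB
    Flow("192.168.30.15", str(PI01), 53, "udp"),       # IoT device -> Pi-hole DNS
    Flow("192.168.99.20", str(HOST01), 9000),          # laptop -> Portainer
    Flow("203.0.113.7", str(HOST01), 51820, "udp"),    # WAN -> WireGuard
]

if __name__ == "__main__":
    for label, rules in (("page order", PAGE_ORDER), ("allows first", FIXED_ORDER)):
        print(f"--- {label} ---")
        for f in SAMPLE_FLOWS:
            print(f"{f.src:>15} -> {f.dst}:{f.dport}/{f.proto}: {evaluate(rules, f)}")
        print("never matched:", unused_rules(rules, SAMPLE_FLOWS))
```

Run as-is, the page-order pass shows the WireGuard handshake and the IoT DNS lookup both ending at a Block row, because the catch-all and the IoT block sit above the rules meant to allow them; the second pass shows the same table behaving as intended once the specific allows come first. The "laptop -> Portainer" flow is blocked in both passes, which is simply what the table as written says: there is no allow from VLAN 99 to VLAN 20, so that row would have to be added if trusted clients are meant to reach the services in the DNS table.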