Securing Your Home Lab
Running a home lab is a great way to learn and self-host services. But exposing services—even on your local network—carries risk. Here’s how to secure your setup without going overboard.
Network Segmentation
Don’t put everything on one network. Separate your devices by trust level.
VLAN Setup
A typical home lab might have:
| VLAN | Name | Purpose |
|---|---|---|
| 1 | Management | Router, switches, access points |
| 10 | Trusted | Personal devices, workstations |
| 20 | Lab | Servers, experimental services |
| 30 | IoT | Smart devices, cameras |
| 40 | Guest | Visitor devices |
Why This Matters
If your IoT camera gets compromised (they often do), attackers can’t pivot to your servers or personal machines. Each VLAN is an island.
Basic pfSense/OPNsense Rules
# Allow Lab to access internet
pass out on WAN from VLAN20 to any
# Allow Trusted to access Lab services
pass in on VLAN10 from VLAN10 to VLAN20 port { 80, 443, 22 }
# Block IoT from accessing other VLANs
block in on VLAN30 from VLAN30 to VLAN10
block in on VLAN30 from VLAN30 to VLAN20
# Allow IoT to internet only
pass out on WAN from VLAN30 to any
Firewall Fundamentals
Default Deny
Start with blocking everything, then allow what you need:
|
|
Rate Limiting
Prevent brute force attacks:
|
|
Exposing Services Safely
Reverse Proxy with TLS
Never expose services directly. Use a reverse proxy:
|
|
VPN Instead of Port Forwarding
For services that don’t need public access, use a VPN:
WireGuard is simple and fast:
|
|
Now you can access internal services from anywhere without exposing them.
Cloudflare Tunnel
For public services without opening firewall ports:
|
|
Traffic goes through Cloudflare’s network—your IP stays hidden.
Authentication
Don’t Rely on Obscurity
“It’s on a weird port” is not security. Add real authentication.
Authelia or Authentik
Put an authentication layer in front of services:
|
|
This gives you:
- Single sign-on
- Two-factor authentication
- Access control policies
Monitoring and Alerting
You can’t secure what you can’t see.
Log Aggregation
Collect logs centrally with Loki or the ELK stack:
|
|
Intrusion Detection
Run Crowdsec or Fail2ban to detect and block attacks:
|
|
Uptime Monitoring
Know when things go down. Uptime Kuma is simple and self-hosted:
|
|
Quick Security Checklist
- Network segmented by trust level
- Default deny firewall rules
- SSH key-only authentication
- Services behind reverse proxy with TLS
- Two-factor authentication enabled
- Regular automated backups
- Log aggregation configured
- Intrusion detection running
- Automatic security updates enabled
- Strong, unique passwords in a password manager
Conclusion
Home lab security is about layers. No single measure is perfect, but combined they make attacks significantly harder. Start with network segmentation and a proper firewall, then add authentication and monitoring. You don’t need enterprise-grade solutions—just consistent application of fundamentals.
Comments