What
The physical and logical design of my homelab network. Everything sits behind a pfSense VM acting as the default gateway and firewall. A managed HP ProCurve switch handles 802.1Q trunking down to Proxmox Linux bridges.
VLANs in use:
| VLAN | Name | Purpose |
|---|---|---|
| 1 | Native | Untagged physical ports |
| 10 | LAN | Trusted home devices |
| 20 | Lab | VMs and containers |
| 30 | IoT | Smart home devices (isolated) |
| 99 | Mgmt | Proxmox, switch, AP management |
Why
A flat network means a compromised IoT device can reach every other device. Segmenting with VLANs limits blast radius and mirrors real ISP/enterprise design. It also means I practice the same troubleshooting workflow (trace the VLAN, check the trunk, check the firewall rule) that I use every day at work.
How
pfSense Setup
- Installed pfSense CE 2.7 as a Proxmox VM with two virtual NICs:
  - `vtnet0` → WAN (connected to home router via a /30)
  - `vtnet1` → LAN trunk (carries all VLANs to Proxmox)
- Created VLAN interfaces (VLAN 10, 20, 30, 99) as children of `vtnet1`.
- Assigned IP gateways: `10.10.X.1/24` per VLAN.
- Configured DHCP server per VLAN with short leases for lab (10 min) and long for LAN (24 h).
Firewall Rules (simplified)
LAN → any: allow (trusted)
Lab → LAN: block
Lab → internet: allow
IoT → LAN: block
IoT → internet: allow (port 80/443 only)
Mgmt → any: allow from 10.10.99.0/24 only
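The rule table above, modelled as an added check (not pfSense configuration or code from this write-up) with pfSense semantics: rules are matched on the ingress interface, first match wins, and unmatched traffic hits the default deny. It assumes each VLAN is `10.10.<VLAN ID>.0/24` and defines "internet" as "not RFC 1918", which is what keeps the IoT internet rule from also reaching the Mgmt VLAN.

```python
import ipaddress

# Constructed model of the simplified rule set; assumption: 10.10.<VLAN ID>.0/24.
VLAN_NETS = {name: ipaddress.ip_network(f"10.10.{vid}.0/24")
             for name, vid in (("LAN", 10), ("Lab", 20), ("IoT", 30), ("Mgmt", 99))}
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Rule: (ingress VLAN, required source net or None, destination, TCP ports or
# None for any, action). "internet" is deliberately "not RFC1918" rather than
# "any": a destination of "any" would let IoT reach Mgmt through that rule.
RULES = [
    ("LAN",  None,              "any",      None,      "allow"),
    ("Lab",  None,              "LAN",      None,      "block"),
    ("Lab",  None,              "internet", None,      "allow"),
    ("IoT",  None,              "LAN",      None,      "block"),
    ("IoT",  None,              "internet", {80, 443}, "allow"),
    ("Mgmt", VLAN_NETS["Mgmt"], "any",      None,      "allow"),
]

def dst_matches(selector, dst_ip):
    if selector == "any":
        return True
    if selector == "internet":
        return not any(dst_ip in net for net in RFC1918)
    return dst_ip in VLAN_NETS[selector]

def evaluate(ingress, src, dst, dport, rules=RULES):
    """pfSense semantics: rules apply on the interface where the packet
    enters, first match wins, unmatched traffic falls to the default deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for vlan, src_net, dst_sel, ports, action in rules:
        if vlan != ingress or (src_net is not None and src_ip not in src_net):
            continue
        if dst_matches(dst_sel, dst_ip) and (ports is None or dport in ports):
            return action
    return "block"  # implicit default deny

def reachability(rules=RULES, dport=443):
    """Inter-VLAN matrix: which VLAN can open a port to a host in another."""
    hosts = {name: str(net[10]) for name, net in VLAN_NETS.items()}
    return {(s, d): evaluate(s, hosts[s], hosts[d], dport, rules)
            for s in VLAN_NETS for d in VLAN_NETS if s != d}

if __name__ == "__main__":
    for (s, d), action in sorted(reachability().items()):
        print(f"{s:>4} -> {d:<4} {action}")
```

Re-running `reachability()` after every rule change is a quick way to catch a loosened destination before it ships to the firewall.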
Switch Trunking
- Uplink to Proxmox host: 802.1Q trunk, all VLANs tagged.
- Proxmox Linux bridges: one per VLAN, named `vmbr10`, `vmbr20`, etc.
Challenges
- VLAN 1 native leaking — some HP ProCurve firmware versions forward untagged traffic on trunks. Fixed by explicitly assigning VLAN 1 to no ports except the uplink.
- pfSense asymmetric routing — when a VM on VLAN 20 reached the gateway via a different path, pfSense saw only one direction of the connection and dropped it as a state violation. Adding a static route so both directions take the same path fixed it.
- DNS split-horizon — devices on the lab VLAN need to resolve internal names. Set up Unbound DNS on pfSense with a custom host override zone for `lab.nerdcore.pro`.
Tech Used
- pfSense CE 2.7 — routing, firewall, DHCP, DNS
- HP ProCurve 2510G-24 — managed switch (802.1Q)
- Proxmox Linux bridges — virtual switching inside the hypervisor
- Unbound — recursive DNS resolver with local overrides