Building my Home Lab part 2: Architecture

In the first part of my homelab upgrade series, we assembled the hardware for the homelab. Our next step is to design the network topology and come up with an appropriate network addressing scheme. We also need to have a rough idea of what we intend to do with the different network segments. The lab is intended for the following purposes:

  • To simulate traffic similar to that of an actual production environment
  • For malware analysis and threat research
  • For Threat Hunting
  • For testing new tools and / or technologies

To ensure that the lab is robust enough and to avoid having to redo networking frequently, I plan to segment my lab using a pfSense firewall and OpenWRT router into a couple of networks.

Attacker NetworkThe purpose of this network is to simulate an external adversary that is trying to gain access to the production environment. In this network, we will place tools like Kali or Parrot Linux, Atomic Red Team and etc.
DMZ NetworkThe DMZ network will host services that are normally available to the external network such as an FTP server, web server and the like. I plan on hosting the vulnerable VMs like metasploitable, DVWA and Vulnhub in this network.
VPN ClientsIn a normal environment, we would have a couple of users connecting via VPN to the production environment. For this reason, I will probably have a linux and Windows machine located in this segment to allow for connectivity via openVPN or other vpn client to production network.
Malware Analysis This segregated vlan is designed for DFIR activity and specifically malware detonation and analysis. For safety, I’d prefer to keep this environment segmented by a firewall from the rest of my lab.
Server NetworkThis network hosts production servers like Windows Domain controller, a mail and proxy server, certificate and file server etc.
NetSec ManagementIn the management network, I plan on housing an IDS, network and security tools used for management of systems, log collection, signature creation etc.
User NetworkIn this network, I plan on installing a couple of machines with EndPoint protection and sysmon just like in normal user environments.
PlaygroundJust as the name states, this messy environment is for any new tools or technologies that I would like to quickly spin up and test and perhaps tear down or that I have no clear plans for.

The planned network topology is shown below. There may be some changes when it comes to the actual segmentation and installation of the lab components depending on the hypervisor I choose (wither Proxmox or ESXi) but I believe the planned network segmentation is achieve-able in either scenarios.

That’s all for today. See you in part 3: Hypervisor installation.

4 thoughts on “Building my Home Lab part 2: Architecture

    1. Not really cost, I just needed layer 3 segmentation between the vlans but also the ability to and maybe be able to create a tunnel should there be need. But mostly, I have not played with virtual switches at layer 3 level so went with something I was comfortable with.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s