My homelab hosts a growing collection of self-hosted services that I (and sometimes family/friends) use almost daily – from password and photo management to monitoring, logging, and CI/CD. It serves as my "digital home" for private data and a realistic test environment where I can practically explore infrastructure, security patterns, and automation. 🧪
Technically, most of it runs as containers/VMs on Proxmox, supplemented by individual bare-metal workloads. The focus is not on "as many services as possible," but on clean separation, maintainability, and understandable security and utility: segmented networks (VLANs), central accessibility via reverse proxy (nginx/PassBeyond), internal PKI (step-ca), automated updates, as well as monitoring & alerting (e.g., checkmk) and centralized logging (Graylog). 🔐
The network setup is deliberately overengineered: OPNsense handles PPPoE, IPv4 NAT, and IPv6 routing, complemented by dynamic routing (FRR/BGP) and WireGuard site-to-site/remote access. The core switching paths are designed for 10Gb fiber optic, with access layer and Wi-Fi covered by PoE switching and multiple APs. Externally, I provide services depending on risk and purpose through three methods: classic NAT/reverse proxy, Cloudflare Tunnel, or VPN-based access. 🌍
On this page, I showcase the setup, key services, and why I deliberately make some things more complicated but thereby more convenient and easier to operate – and where I consciously do not. If you have questions or are interested in details, feel free to contact me! 📬
Proxmox, Plex, Tautulli, Mailcow, Plausible, Vaultwarden, Monica, Firefly III, AdGuard Home, step-ca, FreshRSS, Grafana, Athens, Syncthing, WireGuard, FRR, GitLab, GitLab Runner, Motion, sftpgo, Postfix Mail Relay, Sentry, parsedmarc, phpIPAM, SonarQube, Graylog, OPNsense, checkmk, wger Workout Manager, Nextcloud, Windows Active Directory, Active Directory Federation Services, Active Directory Certificate Services, UniFi Controller, paperless-ngx, Guacamole, Weblate, Immich, Open WebUI, Mealie, ...
Interested or have questions? Contact me via the contact page, in German or English.
Short internet outages, self-inflicted outages, and follow-up outages are not listed.
Time information is rounded to full minutes. All information without guarantee.
(Under 1 minute is rounded up to one minute, non-rounded duration is available in the recording)
The internet connection is made via a FritzBox 7530, which acts purely as a VDSL2 modem (35b G.Vector profile) and media converter. The PPPoE login is handled behind it by OPNsense, which is responsible for IPv4 NAT and IPv6 routing. OPNsense also acts as a BGP router and VRF router to separate the different networks. The firewall is connected to the switch in the server room via a 10Gb fiber optic link.
The switches are all interconnected via 10Gb fiber optic links to ensure high bandwidth and low latency. Since the FritzBox is located in the basement, it is connected via 1Gb Ethernet directly to the switch in the carport and from there to the OPNsense, so server services remain reachable even if the basement switch fails. Because of the old cabling, all switches are additionally connected via 2x 1Gb Ethernet, which serve only as a fallback. All switches are monitored by checkmk to ensure high availability and to detect errors and high loads early.
Switches are interconnected via trunk ports that carry the required VLANs. Most VLANs are confined to the carport, so that the server services run separately from each other. Further VLANs are passed through to end devices (LAN, IoT, guests, ...) to separate services. For this, 802.1X (dot1x) authentication, MAC-based VLAN assignment, and dynamic VLAN assignment via RADIUS are used for both Ethernet clients and Wi-Fi access point clients.
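As an added example (not this site's own configuration), this is what the RADIUS side of the dynamic VLAN assignment described above can look like, assuming FreeRADIUS as the RADIUS server (the page does not name one); the usernames, MAC address and VLAN IDs are constructed placeholders.

```text
# Constructed FreeRADIUS "users" file excerpt (assumption: FreeRADIUS is the RADIUS
# server; the page does not name one). Usernames, MAC and VLAN IDs are placeholders.

# 802.1X supplicant (e.g. PEAP/MSCHAPv2 on a laptop): after successful EAP
# authentication the switch or AP places the port/client into VLAN 20 (LAN).
alice   Cleartext-Password := "example-only-password"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20"

# MAC-based assignment (MAB) for a device without a supplicant: the switch sends the
# MAC address as both User-Name and User-Password; the device lands in VLAN 30 (IoT).
0011223344aa    Cleartext-Password := "0011223344aa"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "30"

# Everything not listed above is rejected, so an unknown device never ends up in a
# production VLAN (assign a guest VLAN here instead if a guest fallback is wanted).
DEFAULT Auth-Type := Reject
```

On a Cisco IOS switch such as the 2960X models listed further down, the switch additionally needs `aaa authorization network default group radius` so that it honours the Tunnel-* attributes it receives from RADIUS.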
The access points are powered by the switches via PoE+ and are strategically placed to ensure optimal Wi-Fi coverage throughout the house, terrace, and garden.
```mermaid
---
config:
  theme: dark
---
flowchart TB
    INET[Internet]
    ISP[FritzBox 7530]
    FW[opnsense<br/>BGP/VRF/IPS]
    SW-CARPORT[WS-C2960X-48TD-L<br/>Server Room]
    SW-KELLER[WS-C2960X-48PD-L<br/>Basement]
    SW-DACHBODEN[WS-C2960X-48PD-L<br/>Attic]
    SW-GARTENHAUS[Garden House Switch]
    SW-MOCA[MoCA Master]
    SW-TB[Kids Room Switch]
    SW-BUERO[Office Switch]
    SW-WOHNZIMMER[Living Room Switch]
    SW-FITNESS[Basement Gym Switch]
    AP1[U6-Pro<br/>Attic]
    AP2[U6-Pro<br/>Wohnzimmer]
    AP3[U6-Plus<br/>Serverraum]
    AP4[U6-LR<br/>Terrasse]
    AP5[UAP-AC-Lite]
    AP6[TP-Link AccessPoint]
    AP7[AP Wasserschacht]
    AP8[AP Kellerstüberl]
    subgraph Servers
        A@{ shape: processes, label: "Servers" }
        B@{ shape: processes, label: "Storage" }
        C@{ shape: processes, label: "VMs" }
    end
    ISP --VDSL2+ --> INET
    ISP --PPPoE --- FW
    FW -- 10Gb LWL --- SW-CARPORT
    SW-KELLER ---> AP8
    SW-CARPORT --- Servers
    SW-CARPORT --> AP3
    SW-CARPORT --1Gb Ethernet --- SW-GARTENHAUS
    SW-GARTENHAUS --> AP6
    SW-GARTENHAUS --> AP7
    SW-CARPORT -- 1x 10Gb LWL<br/>3x 1Gb Ethernet --- SW-KELLER
    SW-KELLER -- 1x 10Gb LWL<br/>2x 1Gb Ethernet --- SW-DACHBODEN
    SW-DACHBODEN ---- SW-MOCA
    SW-DACHBODEN -- 1Gb Ethernet ---- SW-TB
    SW-DACHBODEN --> AP1
    SW-DACHBODEN --> AP2
    SW-DACHBODEN --> AP4
    SW-DACHBODEN -- 1Gb Ethernet --- SW-BUERO --- SW-WOHNZIMMER --- SW-FITNESS --> AP5
```
Most of my homelab services are accessible exclusively via HTTPS, through several different methods. Which method a service gets depends on the balance between utility, safeguards, accessibility, and how modern the technology is.
This results in the three access methods currently available, as shown in the illustration.
NAT Port Forwarding - proxy.bella.network
Since my homelab has a public static IPv4 address as well as an IPv6 network, services can be reached directly via port forwarding. This is the oldest and most widespread way of exposing services. However, it is the least secure of the three methods, because the forwarded ports are reachable by anyone on the internet.
The exposed components therefore have to be hardened themselves; the firewall's IDS/IPS is only partially effective here, since HTTPS traffic is not decrypted. IPv6 hosts are exposed directly, with the firewall only controlling which ports are opened. Since several internal web servers are published this way, a central reverse proxy is required.
Cloudflare Tunnel - tunnel.bella.network
This access is made via a Cloudflare Tunnel, which establishes a secure connection to my internal services without exposing them directly to the internet.
The services are only accessible via HTTPS, and the connection is protected by Cloudflare. This method is more secure than NAT port forwarding, as it uses an encrypted connection and the services are not directly available on the internet. However, the provider Cloudflare has access to all data transmitted through the tunnel.
WireGuard VPN & BGP Routing - pulse.bella.network
My servers are connected via WireGuard VPN and BGP routing. This lets me reach my services without needing a public IP address, and it protects all internal communication used for data access, maintenance, and administration. This method is more secure than NAT port forwarding, as the connection is encrypted and the services are not directly available on the internet.
This setup is the most complex and error-prone of all, as it requires multiple servers, VPN connections, dynamic routing, and access controls for operation.
```mermaid
---
config:
  theme: dark
---
flowchart TD
    A[Homelab Web Server]
    A -->|Direct| A1[Reverse Proxy] -->|NAT| U1[Users]
    A -->|Cloudflare Tunnel| B1[Cloudflare] --> U2[Users]
    A -->|WireGuard| C1[BGP Routing] -->|WireGuard| C2[Reverse Proxy] --> U3[Users]
```
Future projects that do not provide sensitive HTTPS services will be made available via a mix of Cloudflare Tunnel and WireGuard VPN & BGP Routing.
This provides me with an easy and secure way to provide services without a central reverse proxy, without having to create a VPN connection, and without needing a public IP address.
Additionally, these services benefit from increased security, DDoS protection, and other advantages of Cloudflare.
My family and I use Immich to manage and back up our photos and videos. All media is automatically synchronized and protected by multiple backup strategies.
This currently includes:
95,000 photos & 2,500 videos
Totaling 950.00 GB
Proxmox VE is the virtualization platform on which I run my containers and virtual machines. It enables efficient resource utilization, easy management, and flexible scaling of my homelab workloads.
Currently 25 (of 50) VMs & containers active
RAM: 50 GB / 100 GB
CPU: 16 cores, 8% utilization
Paperless-NGX helps me digitize and organize my physical documents. I scan important papers and store them in Paperless-NGX, where they are searchable and easily accessible.
OPNsense is the firewall and router software that secures and manages my network. It offers features like intrusion detection, VPN, traffic shaping, and detailed monitoring.
AdGuard Home acts as my local DNS server, blocking ads and trackers at the network level. This improves privacy and the browsing experience for all devices in my homelab.
I manage my passwords and sensitive data with Vaultwarden, a self-hosted password management solution. It provides me with secure access to my passwords from anywhere and supports features like two-factor authentication and password sharing.
GoAPTCacher speeds up software updates for my Debian-based systems by caching downloaded packages. This saves bandwidth and significantly reduces update times.
Syncthing securely synchronizes files between my devices without the need for a central server. It ensures that my data is always up-to-date and accessible, no matter where I am.
checkmk monitors the availability and performance of my servers, network devices, and services. It notifies me of issues and helps ensure the health of my homelab.
PV self-generation, emergency power supply during grid outages
- E3DC S10 E
- 8,850 Wp output
- 13,800 Wh battery capacity
- 2,900 Wh transfer capacity
- Supplies the entire house
- 2x APC Back-UPS Pro 1500 VA
- Server power supply
- Uninterruptible
Data acquisition, emergency power monitoring and automation with pv-proxy
- Raspberry Pi 4
- 4 GB RAM
- 64 GB microSD
- 120 GB SSD
- 1Gb Ethernet
- Active cooling
- 3x DS18B20
Sensors and GPS-PPS-based Stratum 1 NTP server
- Raspberry Pi 3 B
- WAVGAT NEO-6M GPS
- 4x DS18B20
- 32 GB microSD
- 100Mb Ethernet
Home automation and development platform (Visual Studio Code Remote Development)
- Lenovo ThinkCentre M710q
- Intel Core i3-7100T @ 3.40GHz
- 8 GB RAM
- 1 TB SSD
- 256 GB NVMe
- 1Gb Ethernet
Virtualization
- HP Proliant DL360p G8
- 2x Intel Xeon E5-2680 @ 2.70GHz
- 192 GB ECC RAM
- 4x 4 TB HW-RAID 10 HDD & 2GB FBWC
- 4 GB SD
- 4x 1Gb Ethernet
- 1Gb Ethernet iLO 4
Storage, LLM and virtualization
- ASUS MAXIMUS VII HERO
- Intel Core i7-4790K @ 4.00GHz
- 32 GB RAM
- 2x 500 GB SSD RAID 1
- 2x 1 TB SSD RAID 1
- 4x 8 TB HDD RAIDZ (RAID 5)
- 3x 12 TB HDD RAIDZ (RAID 5)
- 4 TB HDD
- 500 GB HDD
- 4x 1Gb Ethernet
- 2x 10Gb SFP+
Primary Firewall, IDS/IPS & Router
- NRG Systems IPU672
- Intel Core i5-7200U @ 2.50GHz
- 8 GB RAM
- 120 GB SSD
- 6x 1Gb Ethernet
Virtualization, DVR and backup
- Lenovo ThinkCentre M710q
- Intel Core i3-7100T @ 3.40GHz
- 32 GB RAM
- 64 GB SSD
- 256 GB NVMe
- 4 TB HDD
- 1 TB HDD
- 1Gb Ethernet
Virtualization
- Lenovo ThinkCentre M710q
- Intel Core i3-7100T @ 3.40GHz
- 16 GB RAM
- 256 GB SSD
- 256 GB NVMe
- 1Gb Ethernet
Virtualization
- Lenovo ThinkCentre M710q
- Intel Core i3-7100T @ 3.40GHz
- 16 GB RAM
- 480 GB SSD
- 256 GB NVMe
- 1Gb Ethernet
Virtualization
- Lenovo ThinkCentre M710q
- Intel Core i3-7100T @ 3.40GHz
- 16 GB RAM
- 1 TB SSD
- 256 GB NVMe
- 1Gb Ethernet
Backup NAS
- QNAP TS-419P II
- Feroceon 88F6282 @ 2 GHz
- 512 MB RAM
- 3x 4 TB RAID 5 HDD
- 1.5 TB HDD
- 2x 1Gb Ethernet
Offsite server for data backup, virtualization, DVR and routing
- ACEMAGICIAN AM06 Pro
- AMD Ryzen 7 5825U - 8C/16T @ 4.50GHz
- 32 GB RAM
- 512 GB NVMe
- 1 TB SanDisk SSD Plus
- 2x 1Gb Ethernet
Storage, multimedia server (Plex) and synchronization
- SZBOX N305 NAS MINI ITX Motherboard
- Intel Core i3-N305 @ 3.80GHz
- 32 GB RAM
- 2x 1 TB NVMe SSD (RAID 1)
- 6x 16TB HDD RAIDZ (RAID 5)
- 4x 1Gb Ethernet
Network devices
- 4x WS-C2960X-48PD-L (48x 1Gb PoE+, 2x 10Gb SFP+)
- 1x WS-C2960X-48TD-L (48x 1Gb, 2x 10Gb SFP+)
- 3x UniFi U6-Pro
- 1x UniFi U6-LR
- 1x UniFi U6-Lite
- UniFi Switch US-24-250W
- FritzBox 7530 (VDSL2 35b G.Vector)