My Homelab
I run a Proxmox cluster that consists of 2 nodes currently but will hopefully be adding 1 more node to the cluster to be able to use High Availability which if one of the nodes goes offline the VMs (virtual machines) will be migrated to another node or nodes. One way to improve performance while migrating would have a strong backbone of my network with one dedicated NIC on each node to migrate VMs while other running VM maybe using the other NIC.
What services am I running? I have most of these on Proxmox cluster which runs Plex, 2 Minecraft servers (which are port forwarded), this website, Tailscale (VPN to access LAN), Openspeedtest https://speedtest.benbernhardt.com, and Uptime Kuma.
Where is THIS website hosted from?
Well, it is actually hosted in my basement on a Proxmox VM using Ubuntu server for the OS. When first setting up my website port forwarded the machine but later changed it to go through a Cloudflare tunnel (proxy) for additional security against DDOS attacks.
Network
My network is seperated into what I call my own “datacenter” which lets me open ports without risking the safety of my all my main devices. Looking at my home network I have 3 U6 lites which are all POE (powered over ethernet). Main router is virtual which runs OPNsense which also does DHCP and DNSmasq (DNS caching). My main switch is a cisco 2960g 48 port. My secondary switches are TP-link 8 port and unifi flex mini.
I had to terminate new RJ45 ends on my CAT5e cables which run to the access points. Which were tested that each cable was connected correctly. My cellular Backup is mostly a concept because I couldn’t turn on a hotspot on my phone when packet loss happened. Instead I’m going to have a hotspot turn on past 10pm while charging and at home. My raspberry pi 3b+ will connect to my wifi hotspot which is running OpenWRT which then connects it’s lan over ethernet which goes down to my basement where OPNsense is setup for failover to that port if up.
To move my servers off the floor I had to make 8 ethernet cables to another room which I had keystones to pass the cables through to the other side of the wall. I pulled the 8 cables through a previous hole which has a box where I connected all 8 cables into. On the other side of the wall I have my server rack which now on the wall there's ethernet ports which lead to that box. My server rack has a patch pannel which all the ethernet is connected to then to my cisco switch.
Monitoring
My monitoring is locally hosted using uptime kuma which gives a good dashboard and alerts me through discord webhook. I have 5 uptime kuma and one master which the 5 are on each separate network and the master checking if all 5 are up. One of them is at someone else's house to check if my house is down.
Testing
For testing my networks I use open speed test which is self-hosted inside my network to test the local connections. I also have it running through a Cloudflare tunnel but because it runs through one of my free Cloudflare tunnels it is limited on how fast it run. For testing internet speed I use speedtest.net or fast.com BUT I only use fast.com because it is faster to type in or ask some to type in and it starts automatically.
For testing cables and finding cables I use a finder tool which also checks if the cable is corretly terminated. Testing disks I use cystal disk info and cystal disk mark which tells me how many writes and reads and drive has and the another one tests how fast a drive is.
Cyber Security
For exertnal connections most of the time I use Tailscale for any web gui or ssh. The main reason I use tailscale and not other VPN software is because of security; tailscale doesn’t require port forwarding and has 2fa through google auth, which I use 2uf key. When on LAN on my two primarny networks I use a OpenVPN to do site-to-site connection. If I need to use that a computer with a desktop I am using Anydesk which has time based 2fa.
For WIFI security I'm using WPA3 personal which doesn't let attackers deauthicate clients and makes cracking the 4-way handshake hard because every time the attacker has to talk back to the access point. I have tried using WPA3 enterprise which use a RADIUS server for authication process. The nice things about using a RADIUS server is to specify the IP address, DNS server, and gateway for each user.
I use OPNsense for my firewall which I have blocked IPs from the opendbl and spamhaus which have many different reasons to be blocked like botnets, emergerging threaths, and other malicous activity. I have created my own blacklist of ips for port scanner websites so anyone using the bigger port scanner website won't be able to map the open ports I have open for my vpn and other services.