Network
The gateway to my HomeLab is a UniFi Cloud Gateway Ultra. It is connected to a 1 Gbps fiber-optic link from my ISP and manages 3 static WAN IP addresses.
Hardware
WAN
Port forwarding
Firewall rules
In addition to the default rules.
Name | Action | Source Zone | Destination Zone |
---|---|---|---|
Allow UniFi remote access | Allow | External | Gateway |
Local network
VLANs
Name | Subnet | Description | Isolate network |
---|---|---|---|
Default | 192.168.1.0/24 | Default local network for laptops, family phones and tablets | No |
Pub | 192.168.50.0/24 | An isolated VLAN for public services | No |
Guest | 192.168.5.0/24 | An isolated VLAN for guest WiFi access | No |
IoT | 192.168.6.0/24 | An isolated VLAN for connected home appliances | No |
- Device Isolation is disabled for all networks
Firewall zones
Name | Built in | Networks / Interfaces |
---|---|---|
Internal | ✅ | Default |
External | ✅ | Primary (WAN1) Secondary (WAN2) |
Gateway | ✅ | - |
VPN | ✅ | Hearthstone VPS |
Hotspot | ✅ | Guest |
DMZ | ✅ | - |
VLAN 50 | ❌ | Pub |
VLAN 6 | ❌ | IoT |
Zones access rules
Additional firewall rules that allow or block zone-to-zone or subnet-to-subnet communication.
Source Zone | Destination Zone | Source | Destination | Action | Description |
---|---|---|---|---|---|
Internal | VLAN 50 | All | All | Allow with return | Allow all traffic from Default network to Pub |
Internal | VLAN 6 | All | All | Allow with return | Allow all traffic from Default network to IoT |
VPN | Internal | VPS subnet | All | Allow only return | Allow return traffic from VPS subnet to Default |
VPN | Internal | VPS subnet | All | Block | Block VPS VPN clients from accessing the Default network |
VPN | Hotspot | VPS subnet | All | Block | Block VPS VPN clients from accessing the Guest network |
VPN | DMZ | VPS subnet | All | Block | Block VPS VPN clients from accessing the DMZ zone |
VPN | VLAN 50 | All | Hearthstone | Allow all | Allow Hearthstone VPN clients access to Pub network |
VPN | VLAN 6 | All | Hearthstone | Allow all | Block Hearthstone VPN clients access to IoT network |
VLAN 50 | VLAN 50 | All | All | Allow all | Allow Pub network clients to reach each other |
VPN
There are two WireGuard servers configured:
- Hearthstone. Subnet 192.168.3.0/24. For external access to all local networks.
- VPS. Subnet 192.168.4.0/24. For accessing VPS servers as local network devices.
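To check what the zone access rules above actually permit between the VPN subnets and the local VLANs, here is a small first-match policy evaluator I added to this page; it is not UniFi code. The rule list is constructed from the "Zones access rules" table (the Hearthstone rule is read as source = Hearthstone subnet, and the contradictory IoT row is left out), and the default for zone pairs without a matching rule (Internal and VPN may initiate to any zone, everything else is blocked) is my assumption, not documented UniFi behaviour.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Subnet -> firewall zone, taken from the VLAN, zone and VPN tables above.
ZONE_OF_SUBNET = {
    "192.168.1.0/24": "Internal",   # Default
    "192.168.50.0/24": "VLAN 50",   # Pub
    "192.168.6.0/24": "VLAN 6",     # IoT
    "192.168.5.0/24": "Hotspot",    # Guest
    "192.168.3.0/24": "VPN",        # Hearthstone WireGuard clients
    "192.168.4.0/24": "VPN",        # VPS WireGuard clients
}

@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    src: str      # source subnet, or "All"
    action: str   # "allow", "block" or "return-only" (= "Allow only return")

# Constructed from the zone access rules table; first match wins.
RULES = [
    Rule("Internal", "VLAN 50", "All", "allow"),
    Rule("Internal", "VLAN 6", "All", "allow"),
    Rule("VPN", "Internal", "192.168.4.0/24", "return-only"),
    Rule("VPN", "Internal", "192.168.4.0/24", "block"),
    Rule("VPN", "Hotspot", "192.168.4.0/24", "block"),
    Rule("VPN", "VLAN 50", "192.168.3.0/24", "allow"),
    Rule("VLAN 50", "VLAN 50", "All", "allow"),
]

def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for subnet, zone in ZONE_OF_SUBNET.items():
        if addr in ip_network(subnet):
            return zone
    raise ValueError(f"{ip} is not in any known subnet")

def evaluate(src_ip: str, dst_ip: str, new_flow: bool = True) -> str:
    """'allow' or 'block' for src_ip -> dst_ip. new_flow=False means a reply
    to an established connection, which is what 'return-only' rules cover."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in RULES:
        if (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
            continue
        if rule.src != "All" and ip_address(src_ip) not in ip_network(rule.src):
            continue
        if rule.action == "return-only":
            if not new_flow:
                return "allow"
            continue  # a new connection falls through to the next rule
        return rule.action
    # Assumed default (not from UniFi docs): Internal and VPN zones may
    # initiate to any zone; every other zone pair is blocked.
    return "allow" if src_zone in ("Internal", "VPN") else "block"
```

With this ordering, a VPS client opening a connection to the Default network skips the return-only rule and hits the Block rule, while its reply packets are allowed; Hearthstone clients fall through to the assumed VPN default.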
DNS Server
I use my gateway as a local DNS server with additional records for internal services, allowing them to be accessed using domain names like beszel.int.example.com, but only from the LAN or VPN. Almost all internal domains point to ingress1 (Zoraxy reverse proxy), which also handles SSL termination.