The homelab post
It’s finally time for a post about my homelab. Yes, it’s overly complicated. No, it’s not the most extensive.
I had planned this post months ago (maybe a year ago) and never got around to writing it. I even made a diagram.
Overview
We have five (5!) VLANs on our home network.
- One for random IoT crap, restricted from talking to the rest of the LAN.
- One for the surveillance system.
- One for Home Assistant, its tablet UIs, and various ESPHome devices.
- One for my work laptop.
- One for a Steam Link to talk to a gaming VM.
Each of these, except for the Steam Link one, also has a corresponding SSID. Then, there is one more SSID for the default VLAN.
The majority of the infrastructural hardware is from Ubiquiti. It plays nice together and is easy enough to configure. The only exceptions are our two modems, provided by Comcast.
The “core” box
The coaxial drop for the internet comes down into a centrally located closet. There, one can currently find a 9u wall-mounted cabinet containing a 16-port PoE switch, a USG serving as a router, an LTE modem, a DOCSIS modem, some PoE injectors, a CloudKey, and a PDU – all hooked up to a little 500VA UPS.
The LTE modem serves as a backup when the primary cable internet goes down. Both modems are leased from Comcast Business, because for some reason they do not allow you to provide your own as they do for residential service.
There is a dedicated 20 amp circuit dropped at this box, as in a previous incarnation this closet was also home to a few beefier servers. This is the fourth different enclosure that this closet has held in three years. I do not keep it tidy.
From here, ethernet branches out to the roof, my office, the living room, and the primary bedroom.
The office
In my office, we find another enclosure – this one only 6u. It contains a 24-port switch, a UNVR (surveillance video recorder), and a Synology NAS, all attached to a 1500VA UPS.
This enclosure was once wall-mounted, but since has had casters jury-rigged to it and now lives on the floor. This switch used to sit in the core, but now most of its ports remain unutilized.
Atop this cabinet, we find an HP Z820 workstation with Proxmox installed. Inside are two E5-2670v2’s, 8TB worth of Intel DC SSDs, and an RTX 3060.
In addition to running some services like Home Assistant and a DNS server, there is also a Windows VM on this box to which the video card is attached. This box has its own dedicated 1500VA UPS, identical to the one in the cabinet.
My cat likes to sit on top of it. The dongles hanging haphazardly off the workstation are for Zigbee and Bluetooth.
Also located in my office is a little 8-port PoE switch. Attached to it are an AP, a printer, and everything on my desk.
The roof
There’s a little three-port switch, powered by passive PoE, on the roof. It provides passthrough power to three Unifi cameras.
Another one of the ethernet drops on the roof crosses over to go into the garage. A third port connects an outdoor AP.
The living room
A UAP-IW-HD connects a Roku and the Steam Link, and also provides wifi coverage for the rest of the house. A very convenient piece of hardware.
Home Assistant stuff
The main Home Assistant VM runs on that HP box. The Zigbee dongle attached to it lets it communicate with 40 other devices such as buttons, sensors, lightbulbs, relays, and switches.
An enclosure formerly home to an alarm system mainboard now hosts a Raspberry Pi, which monitors the old system’s sensors and transmits their state via MQTT.
I have three Raspberry Pis with touchscreens serving as interfaces to Home Assistant. Two are wired in, powered by PoE splitters. A third was not in a convenient place for a new ethernet drop, so that one’s on wifi.
Other fun things on the Home Assistant VLAN include an ESPHome-based access reader, air quality sensors, smart speakers, a garage door opener, power monitors for the washer and dryer, and an irrigation controller.
Others
In order to avoid TLS warnings on every internal service, I’ve set up a Traefik VM to front them all with a custom domain. It gets a certificate from Let’s Encrypt using a DNS-based challenge, because the host is not reachable from the WAN, which rules out the HTTP-based challenge.
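As an added illustration (not the author’s actual configuration), here is a minimal Traefik v2 setup doing what this paragraph describes: an ACME resolver using the DNS-01 challenge, so nothing on the host has to be reachable from the WAN, fronting one internal service. The DNS provider (Cloudflare, with its API token in the environment), the domain lab.example.net, the e-mail address and the Home Assistant backend address are all assumptions; any provider Traefik’s ACME client supports can be substituted.

```yaml
# traefik.yml (static config). Added example, not the post's own config.
# Assumes: zone hosted at Cloudflare (token in env CF_DNS_API_TOKEN),
# domain lab.example.net, Home Assistant VM at 10.0.30.10:8123.
entryPoints:
  web:
    address: ":80"
    http:
      redirections:            # never serve internal apps over plain HTTP
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

certificatesResolvers:
  letsencrypt:
    acme:
      email: "admin@example.net"         # placeholder
      storage: "/etc/traefik/acme.json"  # holds the private key: chmod 600
      # DNS-01 proves control of the zone through the provider API, so the
      # CA never needs an inbound connection to this host.
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"

providers:
  file:
    filename: "/etc/traefik/dynamic.yml"
---
# /etc/traefik/dynamic.yml (dynamic config, shown here as a second document)
http:
  routers:
    homeassistant:
      rule: "Host(`ha.lab.example.net`)"
      entryPoints: ["websecure"]
      service: homeassistant
      tls:
        certResolver: letsencrypt
        # One wildcard certificate for the zone keeps individual internal
        # hostnames out of the public Certificate Transparency logs.
        domains:
          - main: "lab.example.net"
            sans: ["*.lab.example.net"]
  services:
    homeassistant:
      loadBalancer:
        servers:
          - url: "http://10.0.30.10:8123"
```

Home Assistant itself must list the Traefik VM under `trusted_proxies` (with `use_x_forwarded_for: true`) in its `http:` section, or it rejects requests arriving through the proxy.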
DNS is provided by Pi-hole, filtering requests for undesirable domains.