Why my homelab lives behind VLANs
Segmentation isn't just an enterprise checkbox — here's how I split a single Proxmox node into safe zones.
A flat network is comfortable right up until one compromised device can talk to everything. Even at home, I segment — because the habits you keep at home are the ones you bring to a client.
Three zones, one node
On a single Proxmox host I run an OVS bridge with tagged VLANs and treat each as a trust boundary:
| Zone | VLAN | What lives there |
|---|---|---|
| Management | mgmt | Proxmox, switches, the reverse proxy |
| Services | user | Containers and apps the LAN actually uses |
| DMZ | dmz | Anything that faces the internet |
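The host side of that layout, written out as an added example rather than the configuration from this post: a Proxmox `/etc/network/interfaces` with one OVS bridge, the physical NIC as a trunk port, and the host's only address on an internal port tagged into the management VLAN. The interface name `eno1`, the VLAN IDs 10/20/30 and the `10.0.x.0/24` addresses are assumptions; the page names the VLANs but not their numbers.

```text
# /etc/network/interfaces (constructed example; names, tags and addresses are assumed)
auto lo
iface lo inet loopback

# Physical uplink. Untagged OVSPort = trunk, so it carries every VLAN
# but has no address of its own.
auto eno1
iface eno1 inet manual
    ovs_type OVSPort
    ovs_bridge vmbr0

# The hypervisor's one and only IP, on the management VLAN (tag 10).
# Nothing on the user or DMZ VLAN can reach the Proxmox UI/SSH except
# through whatever routes into this subnet.
auto mgmt
iface mgmt inet static
    address 10.0.10.2/24
    gateway 10.0.10.1
    ovs_type OVSIntPort
    ovs_bridge vmbr0
    ovs_options tag=10

# A single OVS bridge. Guests attach to it with a per-NIC VLAN tag, e.g.
#   net0: virtio=<mac>,bridge=vmbr0,tag=20,firewall=1   # Services guest
#   net0: virtio=<mac>,bridge=vmbr0,tag=30,firewall=1   # DMZ guest
auto vmbr0
iface vmbr0 inet manual
    ovs_type OVSBridge
    ovs_ports eno1 mgmt
```

The switch port `eno1` plugs into must be a trunk that carries tags 10, 20 and 30, and the bridge itself deliberately has no address: a guest on the DMZ VLAN only sees the bridge as a layer-2 path to its own VLAN, not as a management endpoint. After editing, `ifreload -a` applies the file, and `ovs-vsctl show` should list `mgmt` as a port with `tag: 10`.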
The rule that makes it worth the effort: the DMZ never initiates a connection into the other two zones. New connections flow into the DMZ (from the reverse proxy in management, and through it from the internet); a stateful firewall lets the replies back out, but nothing in the DMZ gets to open a session of its own toward services or management.
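One way to enforce that rule at each DMZ guest's virtual NIC with the Proxmox firewall, as an added example and not this post's own rule set: a cluster-wide security group that drops new outbound connections to the internal subnets and accepts only what the management zone sends in, applied from each DMZ guest's own firewall file. The subnets, the group name `dmz_guest`, the service port 443 and the `<VMID>` placeholder are assumptions.

```text
# /etc/pve/firewall/cluster.fw (constructed example; subnets and names are assumed)
[OPTIONS]
enable: 1

[ALIASES]
mgmt_net 10.0.10.0/24   # Management, VLAN 10
user_net 10.0.20.0/24   # Services,   VLAN 20
dmz_net  10.0.30.0/24   # DMZ,        VLAN 30

[IPSET internal]        # everything a DMZ guest must never initiate toward
10.0.10.0/24
10.0.20.0/24

[group dmz_guest]
# pve-firewall is stateful: replies to connections opened from management
# (the reverse proxy) are accepted by conntrack before these rules run.
# Only NEW outbound connections toward internal subnets are dropped.
OUT DROP -dest +internal -log warning
OUT ACCEPT                                   # internet-bound traffic is fine
IN  ACCEPT -source mgmt_net -p tcp -dport 443 # reverse proxy -> app (assumed port)
IN  DROP                                     # nothing else reaches the guest

# ---- /etc/pve/firewall/<VMID>.fw, one per DMZ guest ----
[OPTIONS]
enable: 1
policy_in: DROP
policy_out: ACCEPT

[RULES]
GROUP dmz_guest
```

Two things to check before trusting it. First, the guest's NIC line must carry `firewall=1` (see the `net0:` examples above), or the per-VM rules are never attached; `pve-firewall compile` prints the iptables chains actually generated so you can confirm the `+internal` drop is present. Second, from a DMZ guest, `nc -vz 10.0.10.2 8006` should time out while the reverse proxy in management can still reach the app on 443. This enforces the boundary at the hypervisor regardless of where inter-VLAN routing happens; if a separate router or firewall VM does that routing, mirror the same rule there so the DMZ stays contained even if a guest's firewall flag is ever switched off.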
Why bother at home
- A breached public service stays in the DMZ: it cannot pivot into services or management.
- I can firewall management down to a single subnet and forget about it.
- It mirrors how I’d build it for a client, so there are no surprises on site.
Segmentation costs you a bit of planning up front and pays you back the first time something goes wrong. That trade is almost always worth it.