Decided to create a homelab.. your thoughts, experiences, and advice

Long time lurker… decided to finally get an account and see what I can learn from this great community…

I started out a few months ago planning a move to pfSense from my EdgeRouter X and then getting AdGuard or Pi-hole running – planning means just whenever I find time. Last week, I came into some luck and got a Beelink SEi, i5-1240?? for free and am now going to make it into a makeshift homelab. The kids host a Minecraft server with their friends that currently runs off of a standard PC – they also host Discord and some other stuff…

My thought is to put that all on the Beelink. In addition I run the UniFi controller on a Windows PC, so that would move too. I may even move Plex to it as well… or might just go with Jellyfin… lots of cool things out there.

I have a dedicated TrueNAS box, UniFi switches and access points, a dedicated Chromebox for Home Assistant, and a dedicated Blue Iris server – not looking at moving any of those… I even have a Lenovo SFF i5-4900 for Home Assistant when I outgrow the Chromebox.

My question, or really just looking for opinions as to what some of your ideas are… I have been watching anything and everything – especially here on Lawrence Systems… homelabs / VMs – Proxmox, Ubuntu Server or Desktop with VirtualBox, XCP-ng; I see even TrueNAS SCALE may be a possibility.

My end goal I think would be to have some sort of always-on VM for the UniFi controller, AdGuard, Jellyfin/Plex, and then as-needed VMs for what the kids fire up every now and then. My thought right now is to use either Proxmox or XCP-ng to spin up a few servers and go from there… comments, thoughts and your own experiences would be welcomed.

Thanks!

Welcome to the forums and I am partial to XCP-NG myself as my preferred hypervisor.

I initially started off with Proxmox on a small Lenovo box but ran into a RAM limitation and wanted more network ports as I run several VLANs. If you put Proxmox on that box and run VLANs you can still have them all passing through with a single NIC.

I looked at Jellyfin in the past, but for some reason I couldn’t access network shares; not sure if that has been changed now. I don’t like Plex. I keep coming back to Kodi: you can easily set up a MariaDB, have all devices connect to that DB and sync up.

It does sound like your homelab is becoming your network! In which case I’d keep backups of the VMs on another box.

I’m a VMware guy myself, but that’s mostly because I work in enterprise IT. Plus, it has better network security. I don’t think you can go wrong with XCP-ng or Proxmox though, especially if it is just a single host.

What makes you say VMware has better security?

I run NSX on my cluster. It lets me do micro-segmentation and IPS. Most other hypervisors only let you do VLANs. It’s pretty affordable at $200/yr with VMUG Advantage.

@LTS_Tom Here is a good video that covers how VMware does IPS. NSX Distributed IDS/IPS Overview - YouTube

Micro-segmentation is a feature that can be used to secure things, but that does not make it a “more secure” system, just a feature.

Also XCP-ng does support IP restrictions and firewall rules per VM VIF.

True, but NSX will still let you run IPS on a virtual NIC and I don’t think any of the open source stuff provides that, right?

Not something I have tested.

My early planning decisions were about what apps could run in Docker and which ones needed a dedicated VM. If you’ve not done so already I’d recommend watching some of the homelab YouTubers for ideas on this.


Thanks for the advice everyone… still learning and trying to figure out what is best… Working on XCP-ng now… finally got it to install with the test ISO version 3 that has updated Xe video drivers.

So you’re saying just because you have a virtual firewall with IPS enabled it’s more secure? You do realize the same security can be accomplished with a pfSense box by running IPS on the VLANs you want, right? You just opted to spend a lot more unnecessary money and added unnecessary complexity to accomplish this.

IPS running within NSX is not the same as a virtual firewall running in VMware or any hypervisor. If you are running a firewall such as pfSense, the only way you can get IPS inspection is that you would have to isolate each VM in its own separate broadcast domain. Basically each VM has to be on its own VLAN and route back through the firewall. With NSX you don’t have to worry about that, and this solution has much lower complexity, especially when you start scaling up the system count.

That isn’t true. pfSense does the entire VLAN interface(s) for IPS. The point I am trying to make is you are running a nested firewall claiming the security is arguably better because it has the IPS feature in it.

If I have two VMs on the same VLAN/broadcast domain, how is it that the firewall would be able to inspect that traffic with IPS, since traffic would just flow between the two VMs?

Ahh, now I see what you are saying. You are only talking about inner-subnet traffic and not inbound and outbound traffic from the internet. In that case I could see the benefit of doing that if someone was paranoid about their threat surface coming from another machine on the same VLAN.

Yep, and this is a big deal especially when hackers are trying to pivot between systems. It is common practice to move between systems on the same subnet before working between networks.

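The coverage gap argued over in the last few posts, as an added illustration that is not part of the thread: a small model of which VM-to-VM flows a perimeter firewall running IPS on its VLAN interfaces can actually see, versus per-vNIC (distributed) inspection, and how the "one VLAN per VM" workaround closes the gap. The topology (VM names and VLAN ids) is constructed for the example.

```python
from itertools import permutations

# Constructed topology (not from the thread): VM name -> VLAN id.
# Two pairs of VMs share a VLAN, as on a typical single-host homelab.
SAME_VLAN = {"minecraft": 10, "discord-bot": 10, "unifi": 20, "jellyfin": 20}


def perimeter_ips_inspects(src_vlan, dst_vlan):
    """A firewall with IPS bound to its VLAN interfaces only sees traffic that
    is routed between VLANs; same-VLAN traffic is switched at L2 and never
    reaches the firewall."""
    return src_vlan != dst_vlan


def distributed_ips_inspects(src_vlan, dst_vlan):
    """Hypervisor-level, per-vNIC inspection sees every flow, including
    east-west traffic inside one broadcast domain."""
    return True


def coverage(topology, inspects):
    """Split every directed VM pair into (inspected, uninspected) lists."""
    inspected, uninspected = [], []
    for src, dst in permutations(topology, 2):
        target = inspected if inspects(topology[src], topology[dst]) else uninspected
        target.append((src, dst))
    return inspected, uninspected


def one_vlan_per_vm(topology, base=100):
    """The workaround described above: give each VM its own VLAN so that all
    VM-to-VM traffic has to route back through the firewall."""
    return {vm: base + i for i, vm in enumerate(sorted(topology))}


def report(topology):
    """Print the east-west flows a perimeter IPS misses; return their count."""
    _, gaps = coverage(topology, perimeter_ips_inspects)
    for src, dst in gaps:
        print(f"uninspected east-west flow: {src} -> {dst} (VLAN {topology[src]})")
    return len(gaps)


if __name__ == "__main__":
    print("gaps with shared VLANs:", report(SAME_VLAN))
    print("gaps with one VLAN per VM:", report(one_vlan_per_vm(SAME_VLAN)))
```

Swap `perimeter_ips_inspects` for `distributed_ips_inspects` in `report` to see the per-vNIC model leave no uninspected pairs.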

@XMAXIMUSx is it like East-West security, but on the VLAN level instead of the inter-VLAN level like NGFWs let us do now? NSX is quite the tool if you need that kind of security on the same VLAN on a hypervisor.


Hopefully other free or open source options will offer a similar solution soon!