Networking & Routing — Build a Proper Network
VLANs, DNS, reverse proxies, VPNs, firewalls, and network segmentation for self-hosters and home lab enthusiasts.
Your Network Is Your Foundation
Everything else in this toolshed — every service, every backup, every remote connection — depends on your network. A messy network creates messy problems. A thoughtful one becomes invisible.
DNS: Where Everything Starts
Every device on your network resolves domain names through DNS. By default, your ISP handles this, often slowly and with limited privacy. Running your own DNS gives you control, speed, and ad-blocking for free.
Pi-hole — Network-Wide Ad Blocking
Pi-hole acts as a DNS sinkhole, blocking ads, trackers, and malicious domains for every device on your network — including smart TVs, phones, and IoT devices that can't run ad-blockers.
Setup overview:
- Install Pi-hole on any Linux device (Raspberry Pi is ideal)
- Point your router's DHCP DNS setting to the Pi-hole's IP
- All devices on the network now filter through Pi-hole
Typical block rates: 15–30% of all DNS queries are ads or trackers.
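To see where that block rate actually comes from on your own network, the script below (an added example, not code from the page or from the Pi-hole project) reads Pi-hole's dnsmasq-style query log and reports the share of blocked queries and which clients generated them. The `query[...]` / `gravity blocked` line format and the log path `/var/log/pihole/pihole.log` are assumptions; the sample log lines are constructed, not captured.

```shell
#!/bin/sh
# Added example (not from the page or from the Pi-hole project): measure what
# Pi-hole is actually blocking by reading its dnsmasq-style query log, normally
# /var/log/pihole/pihole.log. The "query[...]" / "gravity blocked" line format
# used here is an assumption; the sample below is constructed, not captured.

# Constructed sample: four client queries, two of them answered from the blocklist.
SAMPLE_LOG='Jan 12 10:00:01 dnsmasq[812]: query[A] nas-office-01.lan from 10.0.10.21
Jan 12 10:00:01 dnsmasq[812]: forwarded nas-office-01.lan to 127.0.0.1#5335
Jan 12 10:00:02 dnsmasq[812]: query[A] ads.tracker.invalid from 10.0.30.14
Jan 12 10:00:02 dnsmasq[812]: gravity blocked ads.tracker.invalid is 0.0.0.0
Jan 12 10:00:03 dnsmasq[812]: query[AAAA] updates.vendor.invalid from 10.0.20.5
Jan 12 10:00:03 dnsmasq[812]: forwarded updates.vendor.invalid to 127.0.0.1#5335
Jan 12 10:00:04 dnsmasq[812]: query[A] telemetry.tracker.invalid from 10.0.30.14
Jan 12 10:00:04 dnsmasq[812]: gravity blocked telemetry.tracker.invalid is 0.0.0.0'

# count_queries LOG -> number of client queries ("query[TYPE]" lines)
count_queries() {
  printf '%s\n' "$1" | grep -c 'query\[' || true   # grep -c exits 1 on zero matches
}

# count_blocked LOG -> number of queries answered from the blocklist
count_blocked() {
  printf '%s\n' "$1" | grep -c 'gravity blocked' || true
}

# block_rate LOG -> integer percentage of queries blocked (0 when the log is empty)
block_rate() {
  total=$(count_queries "$1")
  blocked=$(count_blocked "$1")
  [ "$total" -gt 0 ] || { echo 0; return 0; }
  echo $(( blocked * 100 / total ))
}

# top_blocked_clients LOG -> "client count" per client, busiest first.
# A "gravity blocked" line names the domain but not the client, so remember
# which client last asked for each domain and attribute the block to it.
top_blocked_clients() {
  printf '%s\n' "$1" | awk '
    $5 ~ /^query/   { asked_by[$6] = $8 }      # $6 = domain, $8 = client IP
    $5 == "gravity" { hits[asked_by[$7]]++ }   # $7 = blocked domain
    END { for (c in hits) printf "%s %d\n", c, hits[c] }' | sort -k2 -nr
}

# Stand-alone run: print the summary for the constructed sample.
echo "queries: $(count_queries "$SAMPLE_LOG")  blocked: $(count_blocked "$SAMPLE_LOG")  rate: $(block_rate "$SAMPLE_LOG")%"
top_blocked_clients "$SAMPLE_LOG"
```

To run it against a real log, replace `SAMPLE_LOG` with `$(cat /var/log/pihole/pihole.log)`. The per-client view is the useful part: it is usually one chatty IoT device that dominates the blocked count. Note that the rate only covers queries the Pi-hole saw; a device with a hard-coded public resolver never appears here, which is a job for a firewall rule that pins port 53 to the Pi-hole rather than for DNS itself.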
AdGuard Home — Modern Alternative
AdGuard Home offers similar functionality with a more polished web interface, built-in DNS-over-HTTPS (DoH), and DNS-over-TLS (DoT) support.
| Feature | Pi-hole | AdGuard Home |
|---|---|---|
| Ad blocking | Excellent | Excellent |
| UI/UX | Functional | Modern |
| DNS encryption | Via Unbound | Built-in DoH/DoT |
| Client tracking | Basic | Per-client rules |
| Resource usage | Very low | Low |
| Community | Very large | Growing |
Reverse Proxies: The Front Door
A reverse proxy sits between the internet and your services, routing traffic based on domain names and handling TLS certificates.
Caddy — Automatic HTTPS
Caddy is the simplest reverse proxy to configure. It automatically obtains and renews Let's Encrypt certificates.
```
# Caddyfile
nextcloud.yourdomain.com {
    reverse_proxy localhost:8080
}

vaultwarden.yourdomain.com {
    reverse_proxy localhost:8081
}

jellyfin.yourdomain.com {
    reverse_proxy localhost:8096
}
```
That's it. Caddy handles TLS, HTTP/2, and certificate renewal automatically.
Traefik — Docker-Native
Traefik integrates directly with Docker, automatically discovering services via labels:
```yaml
# docker-compose.yml labels
labels:
  - "traefik.enable=true"
  - "traefik.http.routers.nextcloud.rule=Host(`nextcloud.yourdomain.com`)"
  - "traefik.http.routers.nextcloud.tls.certresolver=letsencrypt"
```
Nginx Proxy Manager — GUI Alternative
If you prefer clicking over typing, Nginx Proxy Manager provides a web interface for managing proxy hosts, SSL certificates, and access lists.
VLANs: Network Segmentation
VLANs (Virtual Local Area Networks) separate devices into isolated groups on the same physical network. This is critical for security:
| VLAN | Purpose | Example Devices |
|---|---|---|
| VLAN 1 | Management | Router, switches, APs |
| VLAN 10 | Trusted | Laptops, desktops |
| VLAN 20 | Servers | NAS, Docker hosts |
| VLAN 30 | IoT | Smart bulbs, cameras, thermostats |
| VLAN 40 | Guest | Visitor Wi-Fi |
Why bother? When a cheap smart plug gets compromised (and they do), it can't reach your NAS, your laptops, or anything else of value.
Hardware needed: A managed switch (TP-Link TL-SG108E at ~£30 is a solid entry point) and a router/firewall that supports VLANs (OPNsense, pfSense, or OpenWrt).
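The "compromised smart plug can't reach your NAS" property only holds if the router enforces it. The script below is an added example, not from the page or from OPNsense, pfSense or OpenWrt: it prints an nftables forward-chain policy for the VLAN table above, with a default-drop stance so each VLAN gets only what is listed. Subnets follow the page's "VLAN N → 10.0.N.0/24" convention; the uplink name `eth0`, the Pi-hole address `10.0.20.53`, the table name `lab` and the file path in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the page or any project it mentions: an nftables
# forward-chain policy for the VLAN table above, printed to stdout so it can be
# reviewed and then loaded with `nft -f`. Subnets follow the page's
# "VLAN N -> 10.0.N.0/24" convention. Assumptions: the uplink is eth0, the
# Pi-hole sits in the servers VLAN at 10.0.20.53, and the table is named "lab".

WAN_IF="eth0"            # assumption: router's internet-facing interface
TRUSTED="10.0.10.0/24"   # VLAN 10: laptops, desktops
SERVERS="10.0.20.0/24"   # VLAN 20: NAS, Docker hosts
IOT="10.0.30.0/24"       # VLAN 30: bulbs, cameras, thermostats
GUEST="10.0.40.0/24"     # VLAN 40: visitor Wi-Fi
PIHOLE="10.0.20.53"      # assumption: the Pi-hole's address

# vlan_forward_policy -> prints the ruleset. Policy is drop, so a VLAN only gets
# what is listed: a compromised smart plug in IOT has no path to SERVERS or TRUSTED.
# Management (VLAN 1) gets no rules of its own; only TRUSTED may initiate to it.
vlan_forward_policy() {
  cat <<EOF
table inet lab {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop

    # Trusted clients may open connections anywhere, including into IoT.
    ip saddr $TRUSTED accept

    # Servers reach the internet but never initiate towards clients or management.
    ip saddr $SERVERS oifname "$WAN_IF" accept

    # IoT: DNS on the Pi-hole, then the internet. Direct port-53 traffic to the
    # internet is dropped first so hard-coded public resolvers cannot bypass the Pi-hole.
    ip saddr $IOT ip daddr $PIHOLE udp dport 53 accept
    ip saddr $IOT ip daddr $PIHOLE tcp dport 53 accept
    ip saddr $IOT oifname "$WAN_IF" udp dport 53 drop
    ip saddr $IOT oifname "$WAN_IF" tcp dport 53 drop
    ip saddr $IOT oifname "$WAN_IF" accept

    # Guest: same DNS pinning, internet only, nothing internal.
    ip saddr $GUEST ip daddr $PIHOLE udp dport 53 accept
    ip saddr $GUEST ip daddr $PIHOLE tcp dport 53 accept
    ip saddr $GUEST oifname "$WAN_IF" udp dport 53 drop
    ip saddr $GUEST oifname "$WAN_IF" tcp dport 53 drop
    ip saddr $GUEST oifname "$WAN_IF" accept

    # Log what is denied so a misbehaving device shows up in the journal.
    log prefix "fwd-drop " counter drop
  }
}
EOF
}

# Stand-alone run prints the ruleset. On the router (nftables installed):
#   vlan_forward_policy > /etc/nftables.d/vlans.nft   # path is an assumption
#   nft -c -f /etc/nftables.d/vlans.nft                # parse/check only
#   nft -f /etc/nftables.d/vlans.nft
vlan_forward_policy
```

Two caveats when adapting this. The forward chain governs only traffic routed between VLANs and to the uplink; anything addressed to the router itself (DHCP, the firewall's own admin UI) is decided by the input chain, and internet access still needs a masquerade rule in a NAT postrouting chain on `eth0`. Pinning port 53 stops plain-DNS bypass but not DNS-over-HTTPS on 443, which is the reason the IoT and guest VLANs are given nothing internal beyond the Pi-hole in the first place.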
VPN: Secure Remote Access
WireGuard — The Modern Standard
WireGuard is fast, simple, and uses modern cryptography. It's built into the Linux kernel and works on every platform.
Use cases:
- Access home services from anywhere
- Encrypt traffic on public WiFi
- Connect sites together (site-to-site VPN)
Tailscale / Headscale — Zero-Config Mesh
Tailscale builds a WireGuard mesh network between all your devices with zero port forwarding. Headscale is the self-hosted control server if you don't want to use Tailscale's cloud.
Firewalls
| Firewall | Type | Best For | Cost |
|---|---|---|---|
| OPNsense | Full router/firewall OS | Dedicated hardware | Free |
| pfSense | Full router/firewall OS | Dedicated hardware | Free (CE) |
| OpenWrt | Router firmware | Consumer routers | Free |
| UFW | Host-based (Linux) | Individual servers | Free |
| iptables/nftables | Host-based (Linux) | Advanced control | Free |
Basic UFW Rules for a Server
```bash
# Default deny incoming, allow outgoing
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (change port if needed)
sudo ufw allow 22/tcp

# Allow HTTP/HTTPS for reverse proxy
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Allow WireGuard
sudo ufw allow 51820/udp

# Enable
sudo ufw enable
```
Cloudflare Tunnel: No Port Forwarding
If you don't want to open ports on your router, Cloudflare Tunnel (formerly Argo Tunnel) creates an outbound connection from your server to Cloudflare's network. External traffic reaches your services without any inbound firewall rules.
Trade-off: Your traffic passes through Cloudflare. For most self-hosters, this is acceptable. For maximum privacy, use WireGuard instead.
Network Hardware Recommendations
| Category | Budget Pick | Mid-Range | Enthusiast |
|---|---|---|---|
| Router | OpenWrt on existing router | Mini PC + OPNsense | Protectli VP2420 |
| Switch | TP-Link TL-SG108E (managed) | TP-Link TL-SG3210 (L2+ managed) | UniFi USW-24-POE |
| Access Point | TP-Link EAP225 | UniFi U6 Lite | UniFi U6 Pro |
| Cabling | Cat5e (up to 1Gbps) | Cat6 (up to 10Gbps over short runs) | Cat6a (10Gbps at 100m) |
Naming Conventions
Consistent naming saves you hours of debugging:
- Devices: `type-location-number` (e.g., `nas-office-01`, `ap-lounge-01`)
- VLANs: Number by purpose (10s for trusted, 20s for servers, 30s for IoT)
- DNS records: Match device names exactly
- Subnets: Align with VLAN numbers (VLAN 10 → 10.0.10.0/24)
A network diagram is worth its weight in gold. Keep one. Update it. Tools like draw.io (free, self-hostable) make this painless.
Product links may include affiliate partnerships — see our affiliate disclosure for details.