Introduction
Recently I attended a presentation at work where my colleagues told the story of building their own home labs. I had my own lab as well, but life happened, and now it's starting to itch again.
So here we are! I don't have a fully worked out plan yet, but as I have the tendency to miss the forest for the trees, it's more important to me to just start and figure the rest out along the way.
Hardware
So what are we working with? Below is the hardware I currently have.
- ISP Router
- Mikrotik RB5009 router
- Raspberry Pi 4b (with Pihole installed)
- Philips Hue Bridge
- Intel NUC
- Unifi AP
- Workstation
My own router
Before I can start up a wonderful lab I need to segment my network. Why? Because it lets me run experiments without affecting the "production network". Another reason for segmentation is to make it more difficult for attackers to move laterally. Unfortunately, ISP routers are quite limited in functionality. The internet provider gives you an admin account, but don't be fooled: this so-called "admin" account is far from what it claims to be.
In the old days it was not possible to have your own router at the edge between your network and the ISP. Well, technically it was possible if you bridged the ISP router, but I digress. As of January 28 2022, an EU law went into effect which allows consumers to pick and choose their own router. It does come with the caveat that it's now YOUR responsibility to fix problems. No more calling the support line if you have Wi-Fi problems. As if they were ever helpful.. :p
For my home network I picked the Mikrotik RB5009 as my partner in crime. It's a little older compared to other routers. The Ubiquiti Cloud Gateway Fiber was also on my shortlist, but it was more expensive and did not have the number of switch ports I'd need.
Threat exposure
A few years ago I purchased a Shodan lifetime account for 4 dollars, but I haven't been doing a lot with it. There are a lot of cool projects we could do with API access to Shodan. For now I will use it for threat exposure: Shodan has a monitoring feature that sends me an email as soon as it sees a vulnerability or a new open port on my address. Quite useful in case I mess up my firewall rules. My ISP formally assigns my public IP dynamically, but in practice reserves the same IP for me. In the future we could make this more reliable with Dynamic DNS, but that's a topic for another time.
Network planning
We know the devices and their purpose, so I'd like to create the following networks:
- A management network for my servers and workstation
- A guest network for Wi-Fi
- An IoT network for my home automation, such as my Philips Hue Bridge and the Apple TV which acts as a Thread border router
- A Demilitarized Zone (DMZ) for exposing services to the internet in a later project
For this project I am going to enter IP addresses quite frequently, so I'd want something as short and easy to remember as possible. At my employer we manage a customer who uses internet-routable IP addresses for their internal network, which is annoying because our IOC-based threat intel would often produce false positives. Who knows, maybe they thought it would confuse hackers? I thought about doing something similar, for example 1.1.0.0/16, but on second thought that means my router will be very confused when I send a DNS request to the popular Cloudflare DNS server 1.1.1.1.
So yeah, RFC1918 exists for a reason, so let's just stick with that. For my own privacy and protection I will not publish my real IP plan, but I promise it's not that exciting. The table below is an example:
| Name | Network | Subnet mask | CIDR | Usable hosts |
|---|---|---|---|---|
| Management | 192.168.10.0 | 255.255.255.128 | /25 | 126 |
| IoT | 192.168.20.0 | 255.255.255.0 | /24 | 254 |
| Guest | 192.168.30.0 | 255.255.255.0 | /24 | 254 |
| DMZ | 192.168.40.0 | 255.255.255.192 | /26 | 62 |
Do you need to create smaller networks? No, but in larger networks smaller subnets help with efficiency, for example by keeping ARP broadcasts to a smaller set of hosts. Since we do not have many hosts in our home network we might as well use a /24 for everything.
The diagram below shows how I plan to connect everything.
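To check a plan like the table above the way the post reasons about it (RFC1918 only, no overlapping segments, no swallowing of public resolvers such as 1.1.1.1, and the usable-host count per segment), here is an added example that is not part of the original post. The PLAN dictionary is the example table, not the author's real addressing, and MUST_STAY_ROUTABLE is an assumed list you would extend with your own upstream resolvers.

```python
# Added example (not from the post): sanity-check a home-lab IP plan the way
# the post reasons about it. PLAN is the post's example table, not the
# author's real addressing; MUST_STAY_ROUTABLE lists public resolvers the
# router must still reach (the 1.1.1.1 problem described above).
import ipaddress

PLAN = {
    "Management": "192.168.10.0/25",
    "IoT": "192.168.20.0/24",
    "Guest": "192.168.30.0/24",
    "DMZ": "192.168.40.0/26",
}
MUST_STAY_ROUTABLE = ["1.1.1.1"]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def usable_hosts(cidr: str) -> int:
    """Addresses left after removing network and broadcast (the Hosts column)."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - 2


def validate_plan(plan: dict[str, str]) -> list[str]:
    """Return a list of problems; an empty list means the plan is sane."""
    problems, nets = [], {}
    for name, cidr in plan.items():
        try:
            nets[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:  # host bits set, e.g. 192.168.10.1/24
            problems.append(f"{name}: {cidr} is not a valid network ({exc})")
            continue
        if not any(nets[name].subnet_of(block) for block in RFC1918):
            problems.append(f"{name}: {cidr} is not RFC1918 space")
        for ip in MUST_STAY_ROUTABLE:
            if ipaddress.ip_address(ip) in nets[name]:
                problems.append(f"{name}: {cidr} would swallow {ip}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} overlap ({nets[a]} / {nets[b]})")
    return problems


if __name__ == "__main__":
    for name, cidr in PLAN.items():
        print(f"{name:<11} {cidr:<17} {usable_hosts(cidr):>4} hosts")
    print(validate_plan(PLAN) or "plan OK")
    print(validate_plan({"Lab": "1.1.0.0/16"}))
```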
An unplanned deep dive
Initially I planned to create multiple bridge interfaces for all my networks, but after I started configuring them I came across a Reddit post saying that only the first bridge will support hardware acceleration.... Great! /s. But is this redditor right? What is hardware acceleration?! How would one configure it? And if I cannot create multiple bridges, how will I create my networks? Lots of reading later I have my answers.
What is hardware acceleration? According to Mikrotik:
"While a bridge is a software feature that will consume CPU's resources, the bridge hardware offloading feature will allow you to use the built-in switch chip to forward packets. This allows you to achieve higher throughput if configured correctly."
It is followed by a table of different features.
Is it true that only one bridge supports hardware acceleration? Yep, there is a banner in the document describing it:
"The CRS1xx/2xx series switches support multiple hardware offloaded bridges per switch chip. All other devices support only one hardware offloaded bridge per switch chip. Use the hw=yes/no parameter to select which bridge will use hardware offloading." [1]
What switch chip are we using on the RB5009? It's listed in the documentation, but it can also be printed in the CLI:
```
[decryptic@MikroTik] > /interface ethernet switch print
Columns: NAME, TYPE
#  NAME     TYPE
0  switch1  Marvell-88E6393X
```
Can I check which bridge is hardware accelerated? Yes. I was already in the process of making the bridges when I was researching this, and you can see in the output below that ether1-3 do not have the H flag set for hardware offloading, even though hw=yes is configured on them:
```
/interface bridge port print
Flags: I - INACTIVE; H - HW-OFFLOAD
Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, HORIZON
#     INTERFACE     BRIDGE             HW   PVID  PRIORITY  HORIZON
;;; defconf
0  IH ether4        bridge             yes  1     0x80      none
;;; defconf
1  IH ether5        bridge             yes  1     0x80      none
;;; defconf
2  IH ether6        bridge             yes  1     0x80      none
;;; defconf
3  IH ether7        bridge             yes  1     0x80      none
;;; defconf
4  IH sfp-sfpplus1  bridge             yes  1     0x80      none
5     ether1        bridge-management  yes  1     0x80      none
6  I  ether2        bridge-management  yes  1     0x80      none
7  I  ether3        bridge-management  yes  1     0x80      none
```
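Reading the H flag by eye works for eight ports, but it is easy to miss on a busier router. The following added example (not from the post or from Mikrotik) parses the `/interface bridge port print` listing above and reports which bridge really got hardware offload and which ports asked for it with hw=yes but are still switched in software; SAMPLE is a constructed subset of the listing shown above.

```python
# Added example (not from the post): parse RouterOS '/interface bridge port
# print' output and report which bridge actually got hardware offload.
# SAMPLE is a constructed subset of the listing shown above.
SAMPLE = """\
Flags: I - INACTIVE; H - HW-OFFLOAD
Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, HORIZON
#    INTERFACE     BRIDGE             HW   PVID  PRIORITY  HORIZON
;;; defconf
0 IH ether4        bridge             yes  1     0x80      none
;;; defconf
4 IH sfp-sfpplus1  bridge             yes  1     0x80      none
5    ether1        bridge-management  yes  1     0x80      none
6 I  ether2        bridge-management  yes  1     0x80      none
7 I  ether3        bridge-management  yes  1     0x80      none
"""


def parse_bridge_ports(text: str) -> list[dict]:
    """Return one dict per port row, with a 'flags' key holding e.g. 'IH'."""
    columns, flag_letters, rows = [], set(), []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Flags:"):
            # "I - INACTIVE; H - HW-OFFLOAD" -> {"I", "H"}
            flag_letters = {p.split("-")[0].strip() for p in line[6:].split(";")}
        elif line.startswith("Columns:"):
            columns = [c.strip().lower() for c in line[8:].split(",")]
        elif not line or line.startswith(("#", ";;;")):
            continue  # column header row or a ';;; comment' line
        else:
            tokens = line.split()
            # The flags token is optional: it exists only when the row has one
            # extra field and that field is made solely of known flag letters.
            has_flags = (len(tokens) == len(columns) + 2
                         and set(tokens[1]) <= flag_letters)
            row = dict(zip(columns, tokens[2:] if has_flags else tokens[1:]))
            row["flags"] = tokens[1] if has_flags else ""
            rows.append(row)
    return rows


def offloaded_bridges(rows: list[dict]) -> set[str]:
    """Bridges with at least one port that really is hardware offloaded."""
    return {r["bridge"] for r in rows if "H" in r["flags"]}


def offload_requested_but_missing(rows: list[dict]) -> list[str]:
    """Ports configured with hw=yes that still run through the CPU."""
    return [r["interface"] for r in rows if r["hw"] == "yes" and "H" not in r["flags"]]
```

Run `offload_requested_but_missing(parse_bridge_ports(SAMPLE))` against a pasted listing to get the software-bridged ports as a list instead of scanning the flag column.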