Everything outside the k3s cluster: the physical devices, the network segmentation, DNS resolution, NFS storage, firewall zones, and backup strategy. The cluster is just one server on VLAN 20 — the network around it is where the homelab's operational resilience lives.
01 Key facts
| Property | Value |
|---|---|
| Router / firewall | UniFi Dream Router 7 (UDR7) at 172.20.1.1 — gateway for all VLANs, zone-based firewall |
| Switches | UniFi Flex 2.5G (8-port + 2 trunk) · UniFi Flex Mini 2.5G (5-port) — both connected directly to UDR7 |
| IP scheme | 172.20.Y.Z — site 20, Y = VLAN ID, Z = host. Every IP is self-documenting. |
| VLANs | 10 — Management, Personal, Servers, VPN, AREDN-WAN, AREDN-DtD, AREDN-LAN-1, IoT, Guest, Work |
| NAS | UniFi UNAS 4 at 172.20.20.2 — NFS exports for k3s mounts and Longhorn backup target |
| k3s server | GMKtec NucBox M8 at 172.20.20.3 — Ubuntu 26.04 bare-metal, AMD Ryzen 5 PRO 6650H, 16 GB RAM |
| Lab server | Beelink at 172.20.20.10 — Proxmox hypervisor for private lab and test VMs (range .11–.19) |
| DNS | UniFi (UDR7) built-in — DHCP and DNS for all VLANs, rewrites *.in.alybadawy.com to the k3s server |
| Mesh radio | AREDN node — WAN at 172.20.40.2, LAN at 10.6.229.9 |
02 Physical topology
All servers sit on VLAN 20 (Servers). The UDR7 connects to two switches — a Flex 2.5G and a Flex Mini 2.5G — which together connect all devices. Wireless clients land on Personal, IoT, or Guest VLANs depending on which SSID they join.
LAN-only access. The homelab network is not exposed to the internet. All services are accessible only from trusted networks — Personal (VLAN 10) or VPN (VLAN 30). The UDR7 firewall blocks all inbound traffic from WAN by default.
internet (WAN uplink) → UDR7 172.20.1.1 (router · firewall · dns) ↔ other sites (vpn / remote)

↓ two switches, both connected directly to UDR7

| Switch | Model |
|---|---|
| switch A | Flex 2.5G 8p + 2 trunk |
| switch B | Flex Mini 2.5G 5p |

VLANs on the trunk ↓

| VLAN | Device | Address |
|---|---|---|
| VLAN 20 · Servers | UNAS 4 | 172.20.20.2 |
| VLAN 20 · Servers | GMKtec NucBox M8 | 172.20.20.3 · k3s |
| VLAN 20 · Servers | Beelink | 172.20.20.10 · Proxmox |
| VLAN 10 · Personal | Trusted devices | 172.20.10.0/24 |
| VLAN 100 · IoT | IoT devices | 172.20.100.0/24 |
| VLAN 40 · AREDN | AREDN node | 172.20.40.2 |
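
The LAN-only rule above (services reachable only from Personal, VLAN 10, or VPN, VLAN 30) can be checked against access logs by decoding the VLAN from the third octet of the 172.20.Y.Z scheme. This is an added example, not part of the homelab's own tooling; the `client=<ip>` log format, the `app` hostname, and the function names are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re

SITE_PREFIX = ipaddress.ip_network("172.20.0.0/16")  # site 20, per the page's IP scheme
TRUSTED_VLANS = {10: "Personal", 30: "VPN"}          # trusted networks named on the page

# Constructed sample lines in an assumed "client=<ip>" format (not a real log).
SAMPLE_LOG = """\
2026-06-01T10:00:01Z client=172.20.10.42 host=app.in.alybadawy.com status=200
2026-06-01T10:00:05Z client=172.20.30.7 host=app.in.alybadawy.com status=200
2026-06-01T10:01:12Z client=172.20.100.23 host=app.in.alybadawy.com status=403
2026-06-01T10:02:30Z client=10.6.229.9 host=app.in.alybadawy.com status=403
2026-06-01T10:03:00Z client=not-an-ip host=app.in.alybadawy.com status=400
"""

CLIENT_RE = re.compile(r"\bclient=(\S+)")


def vlan_of(ip_text):
    """Return the VLAN ID encoded in 172.20.Y.Z, or None if invalid or off-scheme."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    if ip.version != 4 or ip not in SITE_PREFIX:
        return None
    return ip.packed[2]  # third octet = Y = VLAN ID


def audit(log_text, trusted=TRUSTED_VLANS):
    """Return (line_no, client, reason) for every request not from a trusted VLAN."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        match = CLIENT_RE.search(line)
        if not match:
            findings.append((line_no, None, "no client field"))
            continue
        client = match.group(1)
        vlan = vlan_of(client)
        if vlan is None:
            findings.append((line_no, client, "outside 172.20.Y.Z scheme"))
        elif vlan not in trusted:
            findings.append((line_no, client, f"untrusted VLAN {vlan}"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Addresses outside the site prefix, such as the AREDN LAN address 10.6.229.9, are reported separately from in-scheme but untrusted VLANs, so a NAT or routing surprise is not mistaken for an ordinary policy miss.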
03 Documentation sections
| Section | Scope | Summary |
|---|---|---|
| Physical hardware | VLAN 1 · 20 | Every device in the homelab: UDR7, two Flex switches, UNAS 4 NAS, GMKtec NucBox M8 k3s server, Beelink lab server, and AREDN node. |
| VLAN segmentation | 172.20.Y.Z | 10 VLANs with defined trust levels. Full subnet table, isolation policies, and device IP reference. |
| DNS (UniFi) | UDR7 built-in | UDR7 handles DNS and DHCP for all VLANs. Internal rewrites resolve cluster hostnames without leaving the LAN. |
| NAS & storage | 172.20.20.2 | UNAS 4 NFS exports for k3s mounts and Longhorn backups. Mount options, paths, and backup target config. |
| Firewall rules | UDR7 zones | Zone-based firewall model on the UDR7. Seven zones, deny-by-default inter-zone policy, key rules documented. |
| Backups | 3 layers | Longhorn PVC snapshots to NAS, PostgreSQL SQL dumps, and NAS-level storage protection. RTO/RPO per scenario. |
last updated 2026-06-08