The home lab security setup guide on this page reflects Nolan Voss’s 12 years in enterprise IT security and 6 years running a personal home lab in Austin, Texas on a 3-node Proxmox cluster with pfSense, Pi-hole, Wireshark, a dedicated security VLAN, and a Protectli firewall appliance. Every recommendation on this page comes from real implementation experience rather than vendor documentation or theoretical best practices. Home lab security requires a layered approach: no single tool or configuration eliminates risk on its own. Because most home lab security breaches happen at the network perimeter rather than the endpoint, this guide prioritizes network segmentation, DNS filtering, and VPN configuration before software security tools. Every tool recommended here has been tested in Nolan’s lab under real conditions, including deliberate attack simulations using Kali Linux on an isolated VLAN. Home lab security is not a one-time setup; it requires ongoing monitoring, log review, and periodic configuration audits. This guide is therefore structured as a sequential implementation checklist you can follow from a fresh Proxmox installation to a fully hardened home lab environment. For additional home lab security context see the NIST Cybersecurity Framework and CIS Security Controls.

// LAYER 04 RECOMMENDED VPN

NordVPN — Used in Nolan’s VLAN 40 security setup · 892 Mbps · 200ms kill switch

0% DNS leak · 6,000+ servers · Independent audit verified · from $3.99/month

nolan@proxmox-lab:~$ homelab-audit --full --report security
Hypervisor: Proxmox VE 8.1 — 3-node cluster
Firewall: pfSense 2.7.2 on Protectli FW4B
DNS: Pi-hole 5.18 — upstream DoH via Cloudflare
VLANs: 6 segments — Management / Trusted / IoT / VPN / Security / DMZ
VPN: NordVPN WireGuard — kill switch verified — 0% DNS leak
Monitoring: Wireshark + Suricata IDS on dedicated analysis node
Status: All 6 security layers active — last audit: April 2026
6 security layers · 12 yr enterprise IT security · Proxmox hypervisor tested · 2026 last updated

Who This Home Lab Security Guide Is For

✅ Proxmox users

Running a Proxmox cluster at home and want to harden the management interface, isolate VMs, and secure inter-node traffic.

✅ pfSense users

Already running pfSense and want to add VLAN segmentation, Suricata IDS, and DNS-over-HTTPS to their existing setup.

✅ IT professionals

Building a home lab to practice enterprise security concepts — threat hunting, IDS tuning, VPN deployment, and network segmentation.

⚠️ Not for beginners

This guide assumes you have a working Proxmox or ESXi installation and basic Linux CLI familiarity. If you are starting from scratch see the beginner home lab guide first.

Home Lab Security Hardware — What Nolan Runs

You do not need expensive hardware to run a secure home lab. This is the actual hardware in Nolan’s Austin lab as of April 2026.

| Component | Hardware | Role | Approx Cost |
|---|---|---|---|
| Firewall | Protectli FW4B — pfSense 2.7.2 | Perimeter firewall, VPN gateway, VLAN routing, Suricata IDS | ~$400 |
| Hypervisor | 3x Dell OptiPlex 7060 — Proxmox VE 8.1 | VM cluster — security tools, analysis VMs, honeypots | ~$150 each |
| Switch | UniFi USW-24-PoE | Managed switch — VLAN tagging, port isolation, traffic mirroring | ~$300 |
| DNS Filter | Raspberry Pi 4 — Pi-hole 5.18 | Network-wide DNS filtering — blocks ads, malware, tracking domains | ~$80 |
| Analysis Node | Proxmox VM — Kali Linux + Wireshark | Packet capture, traffic analysis, penetration testing on isolated VLAN | Free |
| Auth Key | YubiKey 5 NFC | Hardware MFA for Proxmox, pfSense, and all admin accounts | ~$55 |

Home Lab Security Setup Checklist — 6 Layers

Implement these layers in order. Each layer builds on the previous one. Do not skip ahead — Layer 1 must be solid before Layer 2 is meaningful.

LAYER 01

Perimeter Firewall — pfSense on Dedicated Hardware

The firewall is the single most important component in home lab security. A software firewall on your router is not sufficient — you need dedicated hardware running a proper firewall OS. Nolan runs pfSense on a Protectli FW4B with 4 physical NICs — one WAN, one LAN, and two for VLAN trunking to the managed switch.

Install pfSense on dedicated hardware — Protectli FW4B or similar x86 appliance with AES-NI support
Disable WAN management access — pfSense admin interface must only be reachable from LAN
Enable pfSense firewall logging — System → Advanced → Firewall → Log firewall default blocks
Change admin password — default admin/pfsense credentials are publicly known
Enable HTTPS for webConfigurator — System → Advanced → Admin Access → HTTPS
Install Suricata IDS package — Firewall → Packages → Available Packages → Suricata
NOLAN’S NOTE:

The most common mistake I see is running pfSense on a VM inside Proxmox. This creates a security dependency — if Proxmox is compromised, pfSense is compromised. Run pfSense on dedicated bare-metal hardware that sits between your ISP modem and your Proxmox cluster.

LAYER 02

VLAN Segmentation — Isolate Every Device Class

VLAN segmentation is the single highest-impact security change you can make to a home lab. Without VLANs every device on your network can communicate with every other device — your smart TV can probe your Proxmox management interface. With VLANs you control exactly which devices can talk to which other devices at the switch level.

VLAN 10 — Management: Proxmox nodes, pfSense admin, switch management — no internet access
VLAN 20 — Trusted: Daily driver devices — laptops, desktops — full internet, no IoT access
VLAN 30 — IoT: Smart home devices — internet only, no access to any other VLAN
VLAN 40 — VPN: All VPN-routed traffic exits here — traffic monitored by Suricata
VLAN 50 — Security: Kali Linux VM, Wireshark analysis node — isolated, no internet by default
VLAN 60 — DMZ: Any services exposed to internet — Nginx reverse proxy, self-hosted apps
NOLAN’S NOTE:

Start with just 3 VLANs if this is new territory — Management, Trusted, and IoT. Those three cover the most common attack vectors. Add Security and DMZ VLANs once the basics are solid. A misconfigured 6-VLAN setup is less secure than a correctly configured 3-VLAN setup.

LAYER 03

DNS Filtering — Pi-hole With DNS-over-HTTPS

Pi-hole running on a dedicated Raspberry Pi 4 handles DNS for every VLAN in the lab. DNS queries are filtered against malware, tracking, and ad domains before leaving the network. Upstream queries go to Cloudflare DNS-over-HTTPS to prevent ISP DNS interception. This setup blocked an average of 23% of all DNS queries in Nolan’s lab during a 90-day test period.

Install Pi-hole on dedicated Raspberry Pi 4 — static IP on Management VLAN
Install cloudflared for DNS-over-HTTPS — prevents ISP from seeing DNS queries
Set Pi-hole as DNS server for all VLANs in pfSense DHCP settings
Add blocklists — Hagezi Pro, Steven Black Unified, and OISD Full as minimum baseline
Block DNS bypass — add pfSense firewall rule blocking outbound port 53 except from Pi-hole IP
NOLAN’S NOTE:

The DNS bypass block rule is critical and most guides skip it. Without it any device can ignore Pi-hole by hardcoding 8.8.8.8 as its DNS server. Smart TVs and IoT devices do this routinely. The pfSense rule forces all port 53 traffic through Pi-hole regardless of what the device wants to use.
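A check for the DNS-bypass behaviour described above, as an added example that is not part of the original guide: it reads a tshark-style CSV export captured on the IoT VLAN and lists every device sending resolver traffic anywhere other than Pi-hole. The Pi-hole address 10.0.10.53, the IoT addresses and the capture rows are assumptions constructed for the example; it also flags DNS-over-TLS on port 853, which a port-53-only firewall rule does not cover.

```python
"""Flag devices that bypass Pi-hole, from a DNS-traffic capture taken on the IoT VLAN.

Added example, not from the guide. The rows below are constructed to mimic a
tshark CSV export with the columns time, ip.src, ip.dst, ip.proto, dstport
(udp.dstport and tcp.dstport merged into one column). The Pi-hole address
10.0.10.53 and the IoT device addresses are assumptions.
"""
import csv
import io
from collections import defaultdict

PIHOLE_IP = "10.0.10.53"                       # assumed Pi-hole on the Management VLAN
DNS_PORTS = {53: "plain DNS", 853: "DNS-over-TLS"}

# Constructed capture: a device using Pi-hole correctly, a smart TV hardcoding
# Google DNS, and a camera speaking DNS-over-TLS straight to Cloudflare.
SAMPLE_CSV = """\
1714000000.1,10.0.30.21,10.0.10.53,17,53
1714000000.2,10.0.30.44,8.8.8.8,17,53
1714000000.3,10.0.30.44,8.8.4.4,17,53
1714000000.4,10.0.30.57,1.1.1.1,6,853
1714000000.5,10.0.30.21,10.0.10.53,17,53
"""


def find_dns_bypass(csv_text, pihole_ip=PIHOLE_IP):
    """Return {src_ip: {(dst_ip, port): count}} for resolver traffic not sent to Pi-hole."""
    offenders = defaultdict(lambda: defaultdict(int))
    for _ts, src, dst, _proto, port in csv.reader(io.StringIO(csv_text)):
        port = int(port)
        if port in DNS_PORTS and dst != pihole_ip:
            offenders[src][(dst, port)] += 1
    return {src: dict(dsts) for src, dsts in offenders.items()}


def report(offenders):
    """One line per offending (source, destination, port), sorted for stable output."""
    lines = []
    for src in sorted(offenders):
        for (dst, port), n in sorted(offenders[src].items()):
            lines.append(f"{src} -> {dst}:{port} ({DNS_PORTS[port]}) x{n}")
    return lines


if __name__ == "__main__":
    # Port 53 hits are what the pfSense egress rule from the checklist blocks;
    # port 853 hits slip past a port-53-only rule and need their own block.
    print("\n".join(report(find_dns_bypass(SAMPLE_CSV))))
```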

LAYER 04

VPN Gateway — WireGuard on pfSense

The VPN layer routes specific VLANs through a commercial VPN provider. In Nolan’s lab the VPN VLAN and all outbound traffic from the security analysis VM routes through NordVPN configured in pfSense. The kill switch is enforced at the pfSense firewall level — if the WireGuard tunnel drops, traffic from those VLANs stops entirely rather than falling back to the unencrypted ISP connection.

Choose a VPN that passed kill switch and DNS leak tests — NordVPN recommended for server network size
Add WireGuard tunnel in pfSense — VPN → WireGuard → Tunnels → Add Tunnel
Create gateway pointing to WireGuard interface — Routing → Gateways → Add
Add policy routing rule — route VLAN 40 traffic through WireGuard gateway
Add kill switch rule — block all traffic from VLAN 40 if WireGuard gateway is down
Verify kill switch — physically unplug WAN, confirm VLAN 40 traffic stops in Wireshark

NOLAN’S NOTE:

Always verify the kill switch with Wireshark — not a DNS leak website. Websites can only test what they can see from the outside. Wireshark on your analysis VM shows you exactly what packets are leaving the host during a failover event. I have caught two VPNs whose kill switches passed website tests but failed the physical unplug test.

LAYER 05

Hardware MFA — YubiKey on Every Admin Account

Every admin account in Nolan’s lab — Proxmox, pfSense, Pi-hole, and all SSH access — requires a YubiKey 5 NFC for authentication. Software TOTP apps like Google Authenticator are not used for admin access because they can be phished. A hardware key cannot be phished remotely — it requires physical presence.

Purchase 2 YubiKey 5 NFC keys — primary and backup, store backup in separate physical location
Enable YubiKey TOTP for Proxmox — Datacenter → Permissions → Two Factor → Add TOTP
Configure SSH key-only authentication — disable password SSH on all Proxmox nodes
Store all admin passwords in Bitwarden with YubiKey as MFA — not in a browser or plain text file
NOLAN’S NOTE:

Buy two keys the same day and register both immediately. The worst moment to discover you only have one key is when you lose it and are locked out of Proxmox at midnight. The backup key costs $55 and has saved me twice.

LAYER 06

Monitoring — Suricata IDS and Log Review

Suricata IDS running inside pfSense monitors all inter-VLAN traffic and WAN ingress for known attack signatures. Weekly log review is non-negotiable — an IDS that nobody reads is worthless. Nolan reviews pfSense firewall logs, Suricata alerts, and Pi-hole query logs every Sunday morning as part of a fixed routine.

Enable Suricata on WAN and LAN interfaces — add Emerging Threats Open ruleset
Set Suricata to alert-only mode initially — do not block until you understand your baseline traffic
Review pfSense firewall logs weekly — Status → System Logs → Firewall
Review Pi-hole top blocked domains weekly — look for unexpected query spikes from IoT devices
Run Wireshark capture on management VLAN monthly — verify no unexpected inter-VLAN traffic
NOLAN’S NOTE:

During my first month with Suricata in alert-only mode I saw 847 alerts — nearly all false positives from legitimate lab traffic. Spend 30 days in alert-only mode and tune out the noise before switching to blocking mode. Blocking mode with untuned rules will break things in your lab that you actually need.
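An added example for the alert-only tuning step (not the guide's own tooling): it tallies Suricata eve.json alert records by signature and drafts threshold.config suppress lines only for signatures that fired repeatedly and solely from trusted lab subnets, leaving anything with an outside source for manual review. The sample alerts, signature ids and names are constructed, and the lab subnets are assumed.

```python
"""Tally Suricata eve.json alerts and draft threshold.config suppress lines for
noisy signatures that fire only from trusted lab subnets. Added example, not
from the guide: alert lines, signature ids and names are constructed, and the
lab subnets (10.0.10.0/24 Management, 10.0.20.0/24 Trusted) are assumed."""
import ipaddress
import json
from collections import Counter, defaultdict

LAB_SUBNETS = [ipaddress.ip_network(n) for n in ("10.0.10.0/24", "10.0.20.0/24")]

def _alert(src, dst, sid, name):
    return {"event_type": "alert", "src_ip": src, "dest_ip": dst,
            "alert": {"gid": 1, "signature_id": sid, "signature": name, "severity": 3}}

# Constructed eve.json sample: cluster chatter, an outside host hitting the DMZ, one Trusted alert.
SAMPLE_EVE = "\n".join(json.dumps(e) for e in [
    _alert("10.0.10.11", "10.0.10.12", 1000001, "LAB-TEST cluster heartbeat anomaly"),
    _alert("10.0.10.12", "10.0.10.11", 1000001, "LAB-TEST cluster heartbeat anomaly"),
    _alert("203.0.113.5", "10.0.60.10", 1000002, "LAB-TEST inbound exploit attempt"),
    _alert("203.0.113.5", "10.0.60.10", 1000002, "LAB-TEST inbound exploit attempt"),
    _alert("10.0.20.5", "10.0.60.10", 1000003, "LAB-TEST odd user agent"),
])

def tally_alerts(eve_text):
    """Return (hits per sid, source IPs per sid, signature name per sid); non-alert events are skipped."""
    counts, sources, names = Counter(), defaultdict(set), {}
    for ev in (json.loads(line) for line in eve_text.splitlines() if line.strip()):
        if ev.get("event_type") != "alert":
            continue
        sid = ev["alert"]["signature_id"]
        counts[sid] += 1
        sources[sid].add(ev["src_ip"])
        names[sid] = ev["alert"]["signature"]
    return counts, sources, names

def _in_lab(ip):
    return any(ipaddress.ip_address(ip) in net for net in LAB_SUBNETS)

def draft_suppressions(eve_text, min_hits=2):
    """Suppress lines for signatures with >= min_hits alerts whose sources are all inside the lab."""
    counts, sources, names = tally_alerts(eve_text)
    lines = []
    for sid, n in counts.most_common():
        # Anything with an outside source, or below the threshold, stays for manual review.
        if n < min_hits or not all(_in_lab(ip) for ip in sources[sid]):
            continue
        lines.append(f"# {names[sid]}: {n} hits during alert-only baseline")
        nets = {net for ip in sources[sid] for net in LAB_SUBNETS if ipaddress.ip_address(ip) in net}
        for net in sorted(nets):
            lines.append(f"suppress gen_id 1, sig_id {sid}, track by_src, ip {net}")
    return lines
```

The emitted lines use the suppress syntax of Suricata's threshold.config; review each one before adding it, since the point of the 30-day baseline is deciding what is noise, not silencing it blindly.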


Home Lab Security — Related Guides

VPN Speed Test Results

14 VPNs tested in Nolan’s Austin lab. Kill switch times, DNS leak rates, and pfSense integration ratings for every VPN recommended in this guide.


Best VPN for Home Lab 2026

Full reviews of Mullvad, IVPN, ProtonVPN, and NordVPN — ranked specifically for pfSense integration and home lab use cases.


Best Password Manager 2026

Bitwarden, 1Password, and Dashlane reviewed for home lab use — YubiKey support, CLI access, and self-hosted deployment tested.


Lab Testing Methodology

The hardware, software, and procedures behind every test result published on SpywareInfoForum — complete transparency on how scores are calculated.
