Last Updated: April 2026 — Lab tested on pfSense 2.7.2, Proxmox 8.1, Home Assistant 2024.4

This guide reflects Nolan Voss's 12 years in enterprise IT security and 6 years running a personal home lab in Austin, Texas: a 3-node Proxmox cluster behind pfSense on a Protectli appliance, with Pi-hole, Wireshark, and a dedicated security VLAN. Every recommendation comes from implementation in that lab rather than from vendor documentation or theoretical best practice, and every tool listed has been exercised under deliberate attack simulation from a Kali Linux VM on an isolated VLAN. Home lab security is layered; no single tool or setting removes risk on its own. Because a home lab's exposure is concentrated at the network edge (the ISP link, any exposed service, and untrusted IoT devices sharing the LAN), the guide covers network segmentation, DNS filtering, and VPN configuration before host-level tooling. It is also not a one-time setup: it needs ongoing monitoring, log review, and periodic configuration audits. The guide is therefore structured as a sequential checklist you can follow from a fresh Proxmox installation to a hardened lab. For broader context see the NIST Cybersecurity Framework and the CIS Critical Security Controls.

// Step-by-Step Implementation Guide

Home Lab Security Setup Guide
From Bare Metal to Hardened Lab — 2026

Built from 12 years of enterprise IT security and 6 years running a Proxmox home lab in Austin TX. Every step tested and implemented by Nolan Voss on real hardware — not pulled from documentation.

// Editorial Note

SpywareInfoForum earns commissions when you sign up through some of the links in this guide. Product recommendations reflect what Nolan actually runs in the Austin lab — not commission rates. Open source tools (Bitwarden, KeePassXC, Pi-hole, pfSense, Suricata, Wireshark) are recommended without any affiliate relationship because they are the right tools for the job. See our Affiliate Disclosure for full details.





nolan@proxmox-lab:~$ homelab-audit --full --report security
Hypervisor: Proxmox VE 8.1 — 3-node cluster
Firewall: pfSense 2.7.2 on Protectli FW4B
DNS: Pi-hole 5.18 — upstream DoH via Cloudflare
VLANs: 6 segments — Management / Trusted / IoT / VPN / Security / DMZ
VPN: NordVPN WireGuard — kill switch verified — 0% DNS leak
Monitoring: Wireshark + Suricata IDS on dedicated analysis node
Status: All 6 security layers active — last audit: April 2026

6 security layers · 12 yr enterprise IT security · Proxmox hypervisor tested · 2026 last updated

Who This Home Lab Security Guide Is For

✅ Proxmox users

Running a Proxmox cluster at home and want to harden the management interface, isolate VMs, and secure inter-node traffic.

✅ pfSense users

Already running pfSense and want to add VLAN segmentation, Suricata IDS, and DNS-over-HTTPS to their existing setup.

✅ IT professionals

Building a home lab to practice enterprise security concepts — threat hunting, IDS tuning, VPN deployment, and network segmentation.

⚠️ Not for beginners

This guide assumes you have a working Proxmox or ESXi installation and basic Linux CLI familiarity. If you are starting from scratch see the beginner home lab guide first.

Home Lab Security Hardware — What Nolan Runs

You do not need expensive hardware to run a secure home lab. This is the actual hardware in Nolan’s Austin lab as of April 2026.

Component     | Hardware                               | Role                                                               | Approx cost
Firewall      | Protectli FW4B, pfSense 2.7.2          | Perimeter firewall, VPN gateway, VLAN routing, Suricata IDS        | ~$400
Hypervisor    | 3x Dell OptiPlex 7060, Proxmox VE 8.1  | VM cluster: security tools, analysis VMs, honeypots                | ~$150 each
Switch        | UniFi USW-24-PoE                       | Managed switch: VLAN tagging, port isolation, traffic mirroring    | ~$300
DNS filter    | Raspberry Pi 4, Pi-hole 5.18           | Network-wide DNS filtering: blocks ads, malware, tracking domains  | ~$80
Analysis node | Proxmox VM, Kali Linux + Wireshark     | Packet capture, traffic analysis, penetration testing on an isolated VLAN | Free (VM)
Auth key      | YubiKey 5 NFC                          | Hardware MFA for Proxmox, pfSense, and all admin accounts          | ~$55

Home Lab Security Setup Checklist — 6 Layers

Implement these layers in order. Each layer builds on the previous one. Do not skip ahead — Layer 1 must be solid before Layer 2 is meaningful.

LAYER 01

Perimeter Firewall — pfSense on Dedicated Hardware

The firewall is the most important component in home lab security. The firewall built into a consumer router is not sufficient; you need dedicated hardware running a proper firewall OS. Nolan runs pfSense on a Protectli FW4B with 4 physical NICs: one WAN, one LAN, and two for VLAN trunking to the managed switch.


Install pfSense on dedicated hardware: a Protectli FW4B or a similar x86 appliance with AES-NI support for hardware-accelerated crypto

Disable WAN management access: the pfSense admin interface must only be reachable from the LAN, and once Layer 02 is in place only from the Management VLAN (pfSense ships with no pass rules on WAN; never add one for 443 or 22)

Enable firewall logging: Status → System Logs → Settings → Log firewall default blocks

Change the admin password and, if possible, rename or disable the default "admin" account: the admin/pfsense credentials are publicly known

Enforce HTTPS for the webConfigurator: System → Advanced → Admin Access → Protocol: HTTPS

Install the Suricata IDS package: System → Package Manager → Available Packages → Suricata

NOLAN’S NOTE:

The most common mistake I see is running pfSense on a VM inside Proxmox. This creates a security dependency — if Proxmox is compromised, pfSense is compromised. Run pfSense on dedicated bare-metal hardware that sits between your ISP modem and your Proxmox cluster.

LAYER 02

VLAN Segmentation — Isolate Every Device Class

VLAN segmentation is the highest-impact change you can make after the perimeter firewall. Without VLANs every device on your network can reach every other device: your smart TV can probe the Proxmox management interface. With VLANs the managed switch keeps each device class in its own segment, and pfSense, which routes between the segments, decides exactly which of them can talk to which, and on which ports.


VLAN 10 — Management: Proxmox nodes, pfSense admin, switch management. No general internet access; allow an explicit exception for the Proxmox and pfSense update repositories, or updates will silently fail

VLAN 20 — Trusted: Daily driver devices — laptops, desktops — full internet, no IoT access

VLAN 30 — IoT: Smart home devices — internet only, no access to any other VLAN

VLAN 40 — VPN: All VPN-routed traffic exits here — traffic monitored by Suricata

VLAN 50 — Security: Kali Linux VM, Wireshark analysis node — isolated, no internet by default

VLAN 60 — DMZ: Any services exposed to internet — Nginx reverse proxy, self-hosted apps

NOLAN’S NOTE:

Start with just 3 VLANs if this is new territory — Management, Trusted, and IoT. Those three cover the most common attack vectors. Add Security and DMZ VLANs once the basics are solid. A misconfigured 6-VLAN setup is less secure than a correctly configured 3-VLAN setup.

LAYER 03

DNS Filtering — Pi-hole With DNS-over-HTTPS

Pi-hole running on a dedicated Raspberry Pi 4 handles DNS for every VLAN in the lab. DNS queries are filtered against malware, tracking, and ad domains before leaving the network. Upstream queries go to Cloudflare DNS-over-HTTPS to prevent ISP DNS interception. This setup blocked an average of 23% of all DNS queries in Nolan’s lab during a 90-day test period.


Install Pi-hole on a dedicated Raspberry Pi 4 with a static IP on the Management VLAN, and add a rule on every other VLAN allowing TCP/UDP 53 to that one address (the Management VLAN is otherwise unreachable from them, so DNS would break)

Install cloudflared in proxy-dns mode and point Pi-hole's upstream at it, so the ISP sees only TLS to Cloudflare rather than plaintext queries

Set Pi-hole as the DNS server handed out by pfSense DHCP on all VLANs: Services → DHCP Server → per-interface DNS servers

Add blocklists: Hagezi Pro, Steven Black Unified, and OISD Full as the minimum baseline

Block DNS bypass: on each VLAN, a pass rule for port 53 to the Pi-hole IP followed by a block rule for port 53 to any, and the same pair for port 853 (DNS-over-TLS). DNS-over-HTTPS rides on 443 and cannot be port-filtered, so add a DoH resolver blocklist in Pi-hole (Hagezi maintains one) for devices that try it

NOLAN’S NOTE:

The DNS bypass block rule is critical and most guides skip it. Without it any device can ignore Pi-hole by hardcoding 8.8.8.8 as its DNS server. Smart TVs and IoT devices do this routinely. The pfSense rule forces all port 53 traffic through Pi-hole regardless of what the device wants to use.

LAYER 04

VPN Gateway — WireGuard on pfSense

The VPN layer routes specific VLANs through a commercial VPN provider. In Nolan’s lab the VPN VLAN and all outbound traffic from the security analysis VM routes through NordVPN configured in pfSense. The kill switch is enforced at the pfSense firewall level — if the WireGuard tunnel drops, traffic from those VLANs stops entirely rather than falling back to the unencrypted ISP connection.


Choose a VPN that passed kill switch and DNS leak tests (options below)

Install the WireGuard package, then add the tunnel from the provider's config: VPN → WireGuard → Tunnels → Add Tunnel, with the provider's endpoint as a peer and 0.0.0.0/0 as its allowed IPs

Assign the tunnel as an interface (Interfaces → Assignments) and create a gateway on it: System → Routing → Gateways → Add, with a monitor IP that is only reachable inside the tunnel so pfSense can tell when it is down

Add an outbound NAT mapping for VLAN 40 on the WireGuard interface, then a policy-routing pass rule on the VLAN 40 tab whose gateway is the WireGuard gateway

Build the kill switch: enable System → Advanced → Miscellaneous → Skip rules when gateway is down (otherwise a down gateway makes pfSense route the traffic out the default ISP path, the exact leak you are trying to prevent), and leave nothing below the policy rule but an explicit block or the default deny

Verify the kill switch with the tunnel down but the WAN still up (disable the WireGuard tunnel or block its endpoint), and confirm in Wireshark on a WAN-side mirror port that no VLAN 40 traffic appears; pulling the WAN cable only proves that everything stops, not that VLAN 40 stays off the ISP path when the tunnel drops
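One added Python model, not the page's or pfSense's own code, that ties together the rule-ordering points from Layers 02, 03 and 04: the RFC1918 block has to sit above the internet pass rule, the Pi-hole exception above the port 53 block, and the policy-routed pass rule has to disappear when its gateway goes down. It evaluates pfSense-style rules first-match with an implicit default deny. The addressing plan (VLAN N in 10.0.N.0/24), the Pi-hole address 10.0.10.53, the Proxmox UI address, the gateway name WG_NORD and the probe hosts are all assumptions; protocols and connection state are deliberately ignored.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed addressing plan (not from the page): VLAN N lives in 10.0.N.0/24 and the
# Pi-hole sits on the Management VLAN. WG_NORD is an assumed pfSense gateway name.
VLAN = {"mgmt": "10.0.10.0/24", "trusted": "10.0.20.0/24", "iot": "10.0.30.0/24",
        "vpn": "10.0.40.0/24", "security": "10.0.50.0/24", "dmz": "10.0.60.0/24"}
PIHOLE = "10.0.10.53"
PROXMOX_UI = "10.0.10.2"
PUBLIC_HOST = "93.184.216.34"


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    src: str                       # CIDR or "any"
    dst: str                       # CIDR, "any", "rfc1918" or "!rfc1918"
    dport: Optional[int] = None    # None matches every port; protocol is ignored here
    gateway: Optional[str] = None  # policy route: matching traffic leaves via this gateway


def _matches(ip: ipaddress.IPv4Address, spec: str) -> bool:
    if spec == "any":
        return True
    if spec in ("rfc1918", "!rfc1918"):
        private = any(ip in net for net in RFC1918)
        return private if spec == "rfc1918" else not private
    return ip in ipaddress.ip_network(spec)


def evaluate(rules, src: str, dst: str, dport: Optional[int] = None,
             gateways_up=frozenset()) -> str:
    """First-match evaluation of one interface tab, ending in the implicit default deny.
    A policy-routed pass rule is skipped while its gateway is down, which is what the
    pfSense option "Skip rules when gateway is down" does. Without that option pfSense
    keeps the rule and sends the traffic out the default (ISP) gateway instead."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.gateway and r.gateway not in gateways_up:
            continue
        if _matches(s, r.src) and _matches(d, r.dst) and r.dport in (None, dport):
            return r.action
    return "block"


# The common mistake: a single "allow to any" rule, which also lets IoT into Management.
IOT_NAIVE = [Rule("pass", VLAN["iot"], "any")]

# Hardened IoT tab. Order matters: Pi-hole exception, bypass block, private block, internet.
IOT_HARDENED = [
    Rule("pass",  VLAN["iot"], PIHOLE + "/32", dport=53),   # Layer 03: DNS only via Pi-hole
    Rule("block", VLAN["iot"], "any", dport=53),            # Layer 03: no hardcoded 8.8.8.8
    Rule("block", VLAN["iot"], "rfc1918"),                  # Layer 02: no other VLAN
    Rule("pass",  VLAN["iot"], "any"),                      # internet only
]

# VLAN 40 has the same shape, but its internet rule is policy-routed through the tunnel.
# With the gateway down the rule is skipped and the default deny is the kill switch.
VPN_VLAN = [
    Rule("pass",  VLAN["vpn"], PIHOLE + "/32", dport=53),
    Rule("block", VLAN["vpn"], "any", dport=53),
    Rule("block", VLAN["vpn"], "rfc1918"),
    Rule("pass",  VLAN["vpn"], "any", gateway="WG_NORD"),   # Layer 04
]


def audit(rules, src: str, gateways_up=frozenset()) -> dict:
    """Probe the four flows every VLAN tab has to get right, from one host on that VLAN."""
    return {
        "to_mgmt": evaluate(rules, src, PROXMOX_UI, 8006, gateways_up),
        "dns_pihole": evaluate(rules, src, PIHOLE, 53, gateways_up),
        "dns_google": evaluate(rules, src, "8.8.8.8", 53, gateways_up),
        "internet_443": evaluate(rules, src, PUBLIC_HOST, 443, gateways_up),
    }


if __name__ == "__main__":
    cases = [("IoT, naive", IOT_NAIVE, "10.0.30.21", frozenset()),
             ("IoT, hardened", IOT_HARDENED, "10.0.30.21", frozenset()),
             ("VLAN 40, tunnel up", VPN_VLAN, "10.0.40.7", frozenset({"WG_NORD"})),
             ("VLAN 40, tunnel down", VPN_VLAN, "10.0.40.7", frozenset())]
    for label, rules, host, up in cases:
        print(f"{label:22} {audit(rules, host, up)}")
```

Running it shows the naive IoT tab passing the smart TV straight to the Proxmox UI on 8006 and to 8.8.8.8, the hardened tab allowing only Pi-hole DNS and public internet, and VLAN 40 losing its internet path the moment WG_NORD is absent from the up set while DNS to Pi-hole keeps working. Swap the order of the third and fourth hardened rules and the model reports the same leak as the naive tab, which is the ordering bug to look for on a real pfSense.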

VPN Options for Layer 04 — All Lab-Tested in Austin

// BEST FOR SPEED + SERVER NETWORK

NordVPN

892 Mbps · 200ms kill switch · 0% DNS leak · 6,000+ servers · NordLynx WireGuard · $3.99/mo

Get NordVPN →

// BEST FOR PFSENSE NATIVE SUPPORT

ProtonVPN

856 Mbps · 220ms kill switch · 0% DNS leak · Open source client · Native pfSense WireGuard configs · $4.99/mo

Get ProtonVPN →

// BEST FREE TIER FOR TESTING

Hide.Me VPN

842 Mbps · 240ms kill switch · 0% DNS leak · Full pfSense WireGuard · 10GB free tier · $2.59/mo

Get Hide.Me →

NOLAN’S NOTE:

Always verify the kill switch with Wireshark — not a DNS leak website. Websites can only test what they can see from the outside. Wireshark on your analysis VM shows you exactly what packets are leaving the host during a failover event. I have caught two VPNs whose kill switches passed website tests but failed the physical unplug test. For maximum privacy without affiliate tracking, Mullvad is also an excellent choice — they accept cash payment and run RAM-only servers. We do not earn a commission from Mullvad recommendations.

LAYER 05

Hardware MFA — YubiKey on Every Admin Account

Every admin account in Nolan's lab (Proxmox, pfSense, Pi-hole, and all SSH access) requires a YubiKey 5 NFC. Software TOTP apps such as Google Authenticator are not used for admin access because a TOTP code can be phished: the user types it into whatever page asks for it, and that applies just as much to a TOTP secret stored on the YubiKey. What actually stops phishing is FIDO2/WebAuthn, where the key signs a challenge bound to the site's origin and only after a physical touch, so a look-alike site gets nothing it can replay.


Purchase 2 YubiKey 5 NFC keys — primary and backup, store backup in separate physical location

Enable WebAuthn for Proxmox: Datacenter → Permissions → Two Factor → Add → WebAuthn, registering both keys; Proxmox also offers recovery keys, which are a better lockout fallback than a phishable TOTP entry

Configure SSH key-only authentication on every Proxmox node (PasswordAuthentication no, PermitRootLogin prohibit-password) and generate the key with ssh-keygen -t ed25519-sk, so the private key lives on the YubiKey and a touch is required for every login

Store all admin passwords in a password manager with YubiKey as MFA — see options below

Password Manager Options for Layer 05 — YubiKey Tested

// BEST PRIVACY-FIRST CLOUD

Proton Pass

Open source · End-to-end encrypted · Swiss jurisdiction · FIDO2 YubiKey · $1.99/mo · Pairs with Proton VPN

Get Proton Pass →

// BEST BUDGET WITH FIDO2

RoboForm

25+ years in market · FIDO2 YubiKey · Strong form-fill · $1.99/mo · Affordable hardware key support

Get RoboForm →

// BEST OPEN SOURCE + SELF-HOSTED

Bitwarden

Open source · Self-hostable via Vaultwarden on Proxmox · FIDO2 YubiKey · Free tier or $10/yr premium

Visit Bitwarden →

NOLAN’S NOTE:

Buy two YubiKeys the same day and register both immediately. The worst moment to discover you only have one key is when you lose it and are locked out of Proxmox at midnight. The backup key costs $55 and has saved me twice. For password manager choice — Bitwarden self-hosted on Proxmox is what I personally use and we earn no commission from that recommendation. Proton Pass and RoboForm are excellent paid alternatives if you prefer cloud-hosted with vendor support.

LAYER 06

Monitoring — Suricata IDS and Log Review

Suricata IDS running inside pfSense monitors all inter-VLAN traffic and WAN ingress for known attack signatures. Weekly log review is non-negotiable — an IDS that nobody reads is worthless. Nolan reviews pfSense firewall logs, Suricata alerts, and Pi-hole query logs every Sunday morning as part of a fixed routine.


Enable Suricata on the LAN-side interfaces (the VLAN interfaces) and add the Emerging Threats Open ruleset; on WAN it also alerts on traffic the firewall drops before NAT anyway, so LAN-side placement gives cleaner signal

Set Suricata to alert-only (IDS) mode initially: do not block until you understand your baseline traffic

Review pfSense firewall logs weekly: Status → System Logs → Firewall

Review Pi-hole top blocked domains weekly and look for unexpected query spikes from IoT devices

Run a Wireshark capture on the Management VLAN monthly (a mirror port on the managed switch works) and verify there is no unexpected inter-VLAN traffic
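As an added example, not the page's or Suricata's own code, of the tuning work the alert-only period calls for: a small triage script over Suricata's eve.json output that counts alerts per signature and source, emits threshold.config suppress lines tracked by source for repeat offenders on the Trusted VLAN, and separately lists anything aimed at the Management VLAN from a non-trusted host so that it is never tuned away. The log lines, signature IDs and names, hosts and VLAN subnets are constructed for the example.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed eve.json lines (not real lab data) in Suricata's EVE JSON layout, with
# illustrative signature IDs, one non-alert flow record and one truncated final line.
SAMPLE_EVE = r"""
{"timestamp":"2026-04-05T09:01:11.000000-0500","event_type":"alert","src_ip":"10.0.20.15","dest_ip":"10.0.10.2","dest_port":8006,"proto":"TCP","alert":{"signature_id":2101201,"signature":"GPL WEB_SERVER 403 Forbidden","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2026-04-05T09:01:14.000000-0500","event_type":"alert","src_ip":"10.0.20.15","dest_ip":"10.0.10.2","dest_port":8006,"proto":"TCP","alert":{"signature_id":2101201,"signature":"GPL WEB_SERVER 403 Forbidden","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2026-04-05T09:02:30.000000-0500","event_type":"flow","src_ip":"10.0.20.15","dest_ip":"10.0.10.2","dest_port":8006,"proto":"TCP"}
{"timestamp":"2026-04-05T09:03:02.000000-0500","event_type":"alert","src_ip":"10.0.20.15","dest_ip":"10.0.10.2","dest_port":8006,"proto":"TCP","alert":{"signature_id":2101201,"signature":"GPL WEB_SERVER 403 Forbidden","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2026-04-05T09:05:40.000000-0500","event_type":"alert","src_ip":"10.0.20.16","dest_ip":"10.0.60.10","dest_port":443,"proto":"TCP","alert":{"signature_id":2210020,"signature":"SURICATA STREAM ESTABLISHED packet out of window","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2026-04-05T09:05:41.000000-0500","event_type":"alert","src_ip":"10.0.20.16","dest_ip":"10.0.60.10","dest_port":443,"proto":"TCP","alert":{"signature_id":2210020,"signature":"SURICATA STREAM ESTABLISHED packet out of window","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2026-04-05T09:07:03.000000-0500","event_type":"alert","src_ip":"203.0.113.9","dest_ip":"10.0.60.10","dest_port":22,"proto":"TCP","alert":{"signature_id":2001219,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2026-04-05T09:09:55.000000-0500","event_type":"alert","src_ip":"10.0.30.21","dest_ip":"10.0.10.2","dest_port":8006,"proto":"TCP","alert":{"signature_id":2101201,"signature":"GPL WEB_SERVER 403 Forbidden","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2026-04-05T09:10:00.000000-0500","event_type":"alert","src_ip":"10.0.20.1
"""

# Assumed (not from the page): Trusted VLAN 20 is the only source whose repeats may be
# suppressed; IoT, DMZ and external sources never are. Management is VLAN 10.
TRUSTED_NETS = (ipaddress.ip_network("10.0.20.0/24"),)
MGMT_NET = ipaddress.ip_network("10.0.10.0/24")


def parse_alerts(text: str) -> list:
    """Keep only alert events; skip blank, non-alert and truncated lines (log rotation)."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") == "alert":
            alerts.append(ev)
    return alerts


def summarize(alerts: list):
    """Count alerts per (signature_id, src_ip) and remember each signature's name."""
    counts = defaultdict(int)
    names = {}
    for ev in alerts:
        sid = ev["alert"]["signature_id"]
        counts[(sid, ev["src_ip"])] += 1
        names[sid] = ev["alert"]["signature"]
    return dict(counts), names


def suppress_candidates(counts: dict, min_count: int = 3) -> list:
    """threshold.config suppress lines, tracked by source, for signatures that fire
    repeatedly from one trusted lab host. A by_src suppress keeps the same signature
    visible when it fires from anywhere else, which a global suppress would not."""
    lines = []
    for (sid, src), n in sorted(counts.items()):
        trusted = any(ipaddress.ip_address(src) in net for net in TRUSTED_NETS)
        if n >= min_count and trusted:
            lines.append(f"suppress gen_id 1, sig_id {sid}, track by_src, ip {src}")
    return lines


def crossing_into_mgmt(alerts: list) -> list:
    """Alerts aimed at the Management VLAN from anything that is not a trusted host:
    the inter-VLAN traffic Layer 02 says should not exist, so never tune these out."""
    return [ev for ev in alerts
            if ipaddress.ip_address(ev["dest_ip"]) in MGMT_NET
            and not any(ipaddress.ip_address(ev["src_ip"]) in n for n in TRUSTED_NETS)]


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_EVE)
    counts, names = summarize(alerts)
    for line in suppress_candidates(counts):
        print(line)
    for ev in crossing_into_mgmt(alerts):
        print("REVIEW", ev["src_ip"], "->", ev["dest_ip"], names[ev["alert"]["signature_id"]])
```

On the sample the script proposes one suppress line (the trusted laptop's repeated 403s against the Proxmox UI) and flags the single alert from the IoT host hitting the same UI, which a global suppress of that signature would have hidden. On pfSense the suppress lines go into the Suricata package's per-interface Suppress List, which uses the same threshold.config syntax; raise min_count or extend TRUSTED_NETS to match your own lab, and rerun weekly against the new eve.json before touching blocking mode.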

NOLAN’S NOTE:

During my first month with Suricata in alert-only mode I saw 847 alerts — nearly all false positives from legitimate lab traffic. Spend 30 days in alert-only mode and tune out the noise before switching to blocking mode. Blocking mode with untuned rules will break things in your lab that you actually need.


Home Lab Security — Related Guides

VPN Speed Test Results

14 VPNs tested in Nolan’s Austin lab. Kill switch times, DNS leak rates, and pfSense integration ratings for every VPN recommended in this guide.

See the results →

Best VPN for Home Lab 2026

Full reviews of Mullvad, IVPN, ProtonVPN, NordVPN, and Hide.Me — ranked specifically for pfSense integration and home lab use cases.

Read the guide →

Best Password Manager 2026

Bitwarden, 1Password, Proton Pass, RoboForm, and Dashlane reviewed for home lab use — YubiKey support, CLI access, and self-hosted deployment tested.

Read the guide →

Lab Testing Methodology

The hardware, software, and procedures behind every test result published on SpywareInfoForum — complete transparency on how scores are calculated.

Read more →