Gear Up

Our Netgate appliance is a big part of our home lab. It's both our firewall and our core router and that's just scratching the surface of how we'll be using pfSense on our Netgate appliance. Netgate, being the official sponsor of the pfSense open-source project, is the obvious choice for an out of the box security appliance running pfSense. Yes, you could always get something cheaper on Amazon and install pfSense on it yourself, but considering how much responsibility we put on pfSense in our home lab, it makes sense to me to go with Netgate. The 4200, in particular, will provide us with four routable interfaces supporting up to 2.5Gbps, giving us plenty of room for growth as our lab expands.

The switch I'm using in my home lab is a bit long in the tooth—over ten years old at least. Luckily, I don't need anything too sophisticated and the HP 2915al is more than up to the task. Obviously, for anybody reading this in 2025 and beyond, you won't likely be able to get your hands on the same switch, but you can easily find a substitute for likely a lot less than you'd expect (like the one I'm recommending here, by Cisco, for less than $300).

What you'll need is an 8-port (i.e., eight ethernet interfaces) gigabit ethernet switch. The 2915al has an extra two ports for uplink ports, so, technically mine has 10 interfaces, but you don't necessarily need that since we won't be using all of them to build our our home lab. Your switch will need to support VLANs (IEEE 802.1Q) and and it couldn't hurt to find one that is capable of powering devices connected to it (devices like a wireless access point that we'll be adding to our lab in a future post). The 2915al is also capable of inter-VLAN routing, which means it can route traffic between interfaces that are on separate VLANs, but I disable that feature in our lab so you won't need it anyways. All routing will be handled by our Netgate network security appliance for better control and security of our network traffic.

The other workhorse in your lab is your server. Keep in mind that the more resources you have in your home server (i.e., processing power and memory ) the more you'll be able to do in your lab simultaneously. That's why I went with the new MS-01 by Minisforum. For starters, it has the home lab community all abuzz because it packs a ton of capability in a very small footprint. What's more, the expandability with 2.5Gpbs and 10Gbps networking, three M.2 storage slots, and up to 92GB memory will give you room to grow for quite some time. If stock is limited, consider buying either pre-configured or bare-bones configurations and customizing with more storage, memory, PCIe expansion, etc. This thing is awesome. Make it your own!

You'll also need a place to put all of this fancy new gear of yours, so it's time to invest in a network rack. You can go with a floor rack or one that mounts to the wall, as is depicted in my home lab. Choose whatever is best suited for your space; however, an added benefit of a wall-mounted network rack is that the odds of water frying your lab gear is far less likely if it's not touching the floor. Plus, you'll have less dust sucked up by the fans in your hardware when wall mounted. It's helpful to plan out your rack layout ahead of time so that you can pick up the right number of shelves and mix of Ethernet cables of various lengths to make all of your connections.

On the subject of ethernet cables and what's referred to as “cable management”, my advice is to keep everything looking sharp by using the same color Ethernet cables from the same manufacturer; however, others may argue that different color cables should be used for different connections for ease of identification. We're not running a production environment here, and it's not going to be that complex; however, good cable management will help keep your hardware accessible and also improve airflow to your components.

If your computer isn't equipped with an ethernet interface, and most likely it's not, then you'll need pick up one of these adapters. Newer computers come with USB-C ports on them, but be sure to double-check that you have what you need (e.g., Do you have a USB port to spare? Do you need USB-A adapter instead?) because you'll be hardwired to the network switch while building out your homelab.

Sometimes you have to make a serial connection, but modern computers no longer come with serial interfaces. What a first-world problem! Still, the good network engineer in you says you should probably pick up one of these while you're at it, especially if you plan on using some refurbished networking gear in your lab (like that HP 2915 switch)

You will need a flash drive or two for creating boot drives. We'll be loading Proxmox on to our Minisforum MS-01 server in an upcoming course and we'll need a spare flash drive with at least 2GB of room for the task. I can't believe how much storage you can get for ~$11 these days. It almost feels illegal!

For those of you with less experience with computer networking, I strongly suggest you get yourself a copy of the Network+ exam guide. It will teach you everything you need to know your way around your home lab's network. Plus, if you take the exam you can add it to your resume and that's never a bad thing! That said, I'm not going to teach concepts like IP addressing, subnetting, etc., as it's assumed that you are familiar with those already. However, I will make recommendations and provide direction when we encounter new concepts along the way.

The most exciting point that we'll reach throughout this lab will be when we publish our very own self-hosted website. In order to do that, we'll need to have our own domain (e.g., krauscloud.com) and, so, we'll have to pick a registrar. Cloudflare is an excellent choice, becuase they have an open API which we'll use in conjunction with Dynamic Domain Name System (DDNS) on our Netgate appliance. DDNS will help us maintain our presence on the web, by regularly updating Cloudflare with our public IP address. For those of us with a dynamic IP address issued to us by our Internet Service Provider (ISP), this is a must have. Whomever you choose as your registrar, if you have a dynamic IP address then either you'll need a registrar like Cloudflare who will let you programmatically update your DNS "A" record or you'll have to inquire with your ISP for a static IP address. The latter will surely come with a surcharge making Cloudflare an obvious choice.

No home lab is complete without users and networks are made up of differnet types of users with different requirements. If you think about a typical business, you have all sorts of different users types demanding different things of your network. There are administrators, employees, and even guests. Even within "employees" there are various departments and groups that may require differentiated access to various aspects of the network or systems within it. As our lab matures, we'll want to experiement with how we can provide differented access to our users, and in order to do that we'll need an Identity Provider (IdP) like Okta to help us manage our user accounts. Okta is the perfect IdP for our home lab, because not only are they a leading enterprise-grade player in the identity space, but they also provide free developer accounts that we can use for our home lab. Nice!

Zscaler Private Access (ZPA) provides secure remote access to your private applications and resources. Sounds like a VPN, right? Well, ZPA is a proxy-based approach to providing remote access and, therefore, it's far more secure because of the underlying architecture. Like ZIA, ZPA is an enterprise-level remote access solution that you likely won't be able to get your hands on outside of an enterprise agreement with Zscaler. We will explore budget remote access solutions in a future post. For now, it's just good to be aware of enterprise-grade security solutions that are solving security problems at scale.

Zscaler Internet Access (ZIA) is how we'll secure our traffic leaving our network, that is, traffic going out to the Internet. While our Netgate security appliance provides us with internal network security for our east/west traffic (i.e., at layers 3 and 4 of the OSI model), it doesn't do much for us as far as keeping us safe on the web. Furthermore, ZIA is an enterprise-level Security Service Edge (SSE) solution that most home labs won't be able to implement unless you can get your hands on a Zscaler tenant through your employer. In future posts, we'll explore how we can best secure our internet access on a budget.