System Architecture

Last Updated · Apr 2026
Switching: Netgear GS308E - L2+ Managed 802.1Q
Wireless: Netgear R6400 - Hardened AP Mode
Lab Switch: Cisco Catalyst 3560 PoE 8 - VLAN 40 Isolated
Gateway: Protectli Vault - Hardened Firewall
Lab Router: Cisco 1900 Series - VLAN 40 Isolated
IDS: Suricata - ET Open Ruleset, 5 Interfaces
Endpoint: HP LaserJet M406 - Isolated IoT Segment

Secure VPN Tunnel

Mullvad WireGuard with automatic gateway failover. Zero WAN exposure when tunnels drop - kill switch enforced.

Lateral Movement Blocking

Firewall rules enforce hard isolation between IoT peripherals and production segments - no cross-VLAN traffic without explicit permit.

Defense-in-Depth

5-layer kill switch: Zero WAN NAT, DoH/DoT blocking, IPv6 block, DNS enforcement, RFC1918 inter-VLAN isolation.
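
As an added illustration, not the lab's own configuration export, the five layers above expressed as a pf.conf fragment in the pf syntax that pfSense ultimately loads. The interface names, the 10.20.0.0/24 user VLAN, the Unbound address, the 10.64.0.1 tunnel gateway and the /etc/doh_resolvers table are assumed placeholders.

```pf
# Constructed pf.conf fragment modelling the five layers listed above. Interface
# names, addresses and the resolver table are placeholders, not the lab's export.
wan_if   = "igb0"          # ISP side; never named in a pass rule for this VLAN
wg_if    = "wg0"           # Mullvad WireGuard tunnel
users    = "igb1.20"       # example user VLAN interface, 10.20.0.0/24
resolver = "10.20.0.1"     # Unbound listening on the VLAN gateway address
wg_gw    = "10.64.0.1"     # assumed tunnel-side gateway for policy routing
rfc1918  = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
table <doh_resolvers> persist file "/etc/doh_resolvers"   # e.g. a pfBlockerNG feed

# pf passes anything no rule touches, so state the default deny explicitly.
block log all

# Layer 1: zero WAN NAT. Only the tunnel translates this VLAN; nothing ever
# leaves $wan_if with a valid public source address for 10.20.0.0/24.
nat on $wg_if inet from $users:network to any -> ($wg_if)

# Layer 4: DNS enforcement. Port 53 aimed anywhere but Unbound is rewritten
# to Unbound (rdr runs before filtering), and that flow is then permitted.
rdr on $users inet proto { tcp, udp } from any to ! $resolver port 53 -> $resolver port 53
pass in quick on $users inet proto { tcp, udp } from $users:network to $resolver port 53 keep state

# Layer 2: DoH/DoT blocking. DoT is 853 to any host; DoH is 443 only toward
# the known-resolver table, so ordinary HTTPS is unaffected.
block return in quick on $users inet proto { tcp, udp } from any to any port 853
block return in quick on $users inet proto tcp from any to <doh_resolvers> port 443

# Layer 3: IPv6 block. The tunnel policy below is v4-only, so v6 must not
# find its own way to the ISP.
block in quick on $users inet6

# Layer 5: RFC1918 inter-VLAN isolation. Any cross-VLAN permit must sit above
# this line; everything else toward private space is dropped here.
block in quick on $users inet from any to $rfc1918

# Everything remaining is policy-routed into the tunnel. With no pass rule on
# $wan_if and no WAN NAT, a packet that cannot take wg0 is dropped, not leaked.
pass in quick on $users route-to ($wg_if $wg_gw) inet from $users:network to any keep state
```

The same ordering matters in the pfSense GUI: the DNS permit and any explicit cross-VLAN permits must be evaluated before the RFC1918 block, and the VPN policy-route rule is the only pass rule that sends user traffic off-segment.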

Remote Management

Tailscale subnet routing for secure remote access to the management VLAN from any location.

Lab Evolution - Changelog
2026
Remote Management + Roadmap
  • Tailscale subnet routing configured for secure remote access to the management VLAN.
  • Netgear R6400 converted to AP-only mode to remove the redundant NAT layer and reduce attack surface.
  • Zero exposed management ports to the internet.
  • Roadmap: centralized logging via rsyslog or Graylog; Grafana plus InfluxDB dashboards; automated config backups; quarterly firewall audit cadence; evaluating 802.1X with FreeRADIUS for identity-based VLAN assignment.
Late 2025 to Early 2026
Resilience + IDS
  • Second Mullvad WireGuard tunnel (NYC) added and paired with Chicago in a VPN_FAILOVER gateway group for automatic promotion.
  • Suricata IDS deployed across 5 interfaces with the ET Open ruleset. VLAN 40 Cisco lab excluded by design to avoid alert floods.
  • pfBlockerNG-devel deployed for DNSBL and IP reputation filtering.
  • Full firewall rule audit removed stale rules and standardized a naming convention.
2025
DNS Control + Segmentation Maturity
  • DoH (port 443) and DoT (port 853) blocking across user VLANs.
  • Unbound configured as the network wide DNS resolver.
  • pfBlockerNG-devel for ad and malware domain filtering.
  • VLAN segmentation expanded toward the current 6-VLAN model with inter-VLAN traffic denied by default.
Mid to Late 2024
VPN Layer
  • First Mullvad WireGuard tunnel (Chicago).
  • Policy-based outbound routing per VLAN.
  • Kill switch behavior introduced via zero explicit WAN outbound rules.
  • Outbound NAT discipline: selected VLANs routed through the VPN, WAN not reachable when the tunnel drops.
Early 2024
Hardware Foundation
  • Acquired Protectli FW6E (Intel i7, 16 GB RAM).
  • pfSense 2.8.1 installed, basic WAN and LAN configuration.
  • ISP modem set to bridge mode.
  • Stateful firewall replaces consumer NAT.
  • Netgear GS308E v4 added for 802.1Q VLAN trunking.
2017 to 2023
CCNA Self Study + Cisco Lab Era
  • Hands-on Cisco IOS practice on Catalyst 3560 PoE 8 (Layer 2 and Layer 3 switching) and Cisco 1900 series router.
  • VLAN configuration, trunk ports, basic routing, and ACL labs driven by CCNA preparation.
  • Self-study only; no public documentation from this period.
  • The same Cisco lab gear is still in use today, isolated on VLAN 40 in the current production lab.