Enterprise Homelab Project

A layered, enterprise style lab mirroring real IT environments.


Overview

This is my ongoing effort to build a layered, enterprise-style home lab that mirrors how real IT environments are designed. My goal is to learn hands-on by deploying and managing systems with the same practices used in enterprise IT: segmentation, zero trust access, centralized identity, observability, automation, and secure remote management.

The project begins with a MikroTik hAP ax3 router providing VLAN segmentation at the edge, paired with a Proxmox hypervisor to host my core services. On top of this, I’m layering pfSense as an internal firewall for inter-VLAN policy, a growing set of enterprise-grade services, and secure access controls.

Current Status (Phase 1)

  • MikroTik VLANs configured for multiple segments.
  • Proxmox hypervisor deployed for infrastructure services.
  • Cloudflare Zero Trust Access protecting my Proxmox instance at pve.heckit.dev.
  • Preparing to deploy a pfSense VM as the internal firewall and inter-VLAN policy engine.

Current Hardware – “WhiteBox” (Proxmox Host)

  • CPU: Intel Xeon E5-2620 v2 (6 cores / 12 threads)
  • Memory: 32 GB DDR3 ECC (upgradable to 96 GB)
  • Storage: 2 × 1TB Samsung 870 EVO SSDs
  • Networking: Dual NICs (Intel 82579V + Realtek 8111/8168)
  • Role: Proxmox VE host running core infrastructure services

Planned Upgrades

  • Expand RAM toward 64-96 GB as workloads increase.
  • Add an Intel i350 quad-port NIC for VLAN performance and PCI passthrough.
  • Add dedicated SSD/NVMe for logs and monitoring workloads.
  • Introduce a second host as a Proxmox Backup Server / NAS, and eventually form a 2-node HA cluster (with a corosync QDevice as the third vote, since two nodes alone cannot keep quorum when one fails).

Roadmap

Phase 1 – Core Networking (In Progress)

  • MikroTik VLAN segmentation
  • Proxmox hypervisor for virtualized infra
  • pfSense VM for inter-VLAN routing/firewalling

Phase 2 – Secure Access (Partially Complete)

  • Cloudflare Zero Trust for selected apps (done for Proxmox)
  • WireGuard VPN on pfSense for private access
  • Policy: admin interfaces (Proxmox, pfSense, MikroTik) reachable only over the VPN; user-facing apps published through Cloudflare Access with MFA

Phase 3 – IoT Segmentation (Next Priority)

  • Move all smart devices to dedicated IoT VLAN
  • Restrict Internet access and block lateral traffic from the IoT VLAN into every other segment

Phase 4 – Shared Services

  • Samba/CUPS print server in a Print VLAN
  • Controlled access across workstations/phones

Phase 5 – Identity & Access Management

  • FreeIPA for centralized identity
  • Optional Keycloak for SSO/OIDC

Phase 6 – Observability & Monitoring

  • Prometheus + Grafana metrics
  • Loki or ELK for centralized logs
  • Uptime Kuma for service health

Phase 7 – Security Services

  • Suricata/Snort IDS/IPS
  • pfBlockerNG / AdGuard DNS sinkhole
  • Harden firewall rules

Phase 8 – Endpoint Management

  • Tactical RMM (patching, scripts, monitoring)
  • MeshCentral (secure remote desktop)

Phase 9 – Camera Isolation (Future)

  • Cameras VLAN with no Internet access and local-only recording
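
The access policy spread across Phases 2, 3 and 9 (admin only over the VPN, IoT with restricted Internet and no lateral traffic, cameras with no Internet) is easy to state and easy to get subtly wrong in a first-match ruleset. The following Python is an added example, not configuration from this lab: the segment names follow the roadmap, but every subnet, host address, port and rule is constructed for illustration. It models a pfSense-style rule list (first match wins, default deny), audits it against the intended policy, and shows the classic mistake of allowing IoT "to any" on 443, which silently grants lateral access unless an RFC1918 block precedes it.

```python
"""Segmentation policy audit for a first-match (pfSense-style) ruleset.

Added example: the segment names follow the lab's roadmap, but every subnet,
host address and rule below is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed addressing; the roadmap names the segments but not the subnets.
SEGMENTS = {
    "MGMT":    ip_network("10.0.10.0/24"),  # Proxmox, pfSense, MikroTik
    "LAN":     ip_network("10.0.20.0/24"),  # workstations, phones
    "IOT":     ip_network("10.0.30.0/24"),
    "PRINT":   ip_network("10.0.40.0/24"),
    "CAMERAS": ip_network("10.0.50.0/24"),
    "VPN":     ip_network("10.0.60.0/24"),  # WireGuard tunnel addresses
}
ANY = ip_network("0.0.0.0/0")
PRIVATE = (ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16"))          # an "RFC1918" alias in pfSense terms
IOT_GATEWAY = ip_network(f"{SEGMENTS['IOT'][1]}/32")  # firewall's IoT-facing address (constructed)
OUTSIDE = ip_address("203.0.113.10")              # documentation-range Internet host (constructed)


@dataclass(frozen=True)
class Rule:
    action: str                        # "pass" or "block"
    src: IPv4Network
    dst: tuple[IPv4Network, ...]       # matches if the destination is in any of these
    proto: str = "any"                 # "any", "tcp", "udp", "icmp"
    dport: Optional[int] = None        # None matches every destination port

    def matches(self, src: IPv4Address, dst: IPv4Address, proto: str, dport: int) -> bool:
        return (src in self.src
                and any(dst in net for net in self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


def evaluate(rules, src, dst, proto, dport) -> str:
    """First match wins (pfSense interface rules carry 'quick'); default deny."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "block"


@dataclass(frozen=True)
class Check:
    name: str
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int
    expect: str


def host(segment: str, n: int) -> IPv4Address:
    """n-th address of a segment, used to build representative test hosts."""
    return SEGMENTS[segment][n]


# The roadmap's intent, written down so a rule change can be tested against it.
CHECKS = [
    Check("admin from LAN is denied",      host("LAN", 10),    host("MGMT", 5),       "tcp", 8006, "block"),
    Check("admin over WireGuard allowed",  host("VPN", 2),     host("MGMT", 5),       "tcp", 8006, "pass"),
    Check("IoT cannot reach LAN",          host("IOT", 20),    host("LAN", 10),       "tcp", 443,  "block"),
    Check("IoT cannot reach MGMT",         host("IOT", 20),    host("MGMT", 5),       "tcp", 22,   "block"),
    Check("IoT may use HTTPS to Internet", host("IOT", 20),    OUTSIDE,               "tcp", 443,  "pass"),
    Check("IoT DNS only via the firewall", host("IOT", 20),    ip_address("8.8.8.8"), "udp", 53,   "block"),
    Check("cameras have no Internet",      host("CAMERAS", 7), OUTSIDE,               "tcp", 443,  "block"),
    Check("LAN can print",                 host("LAN", 10),    host("PRINT", 2),      "tcp", 631,  "pass"),
]


def ruleset() -> list[Rule]:
    """Constructed rule list implementing the intended policy, in evaluation order."""
    return [
        Rule("pass",  SEGMENTS["VPN"], (SEGMENTS["MGMT"],), "tcp", 8006),  # admin only through WireGuard
        Rule("pass",  SEGMENTS["LAN"], (SEGMENTS["PRINT"],), "tcp", 631),  # shared printing
        Rule("block", SEGMENTS["LAN"], (SEGMENTS["MGMT"],)),               # LAN never sees the management plane
        Rule("pass",  SEGMENTS["LAN"], (ANY,)),
        Rule("pass",  SEGMENTS["IOT"], (IOT_GATEWAY,), "udp", 53),          # resolve only through pfSense
        Rule("block", SEGMENTS["IOT"], PRIVATE),                            # lateral block must precede the Internet allow
        Rule("pass",  SEGMENTS["IOT"], (ANY,), "tcp", 443),
        Rule("block", SEGMENTS["CAMERAS"], (ANY,)),                         # local-only recording, no Internet
    ]


def ruleset_missing_lateral_block() -> list[Rule]:
    """The common mistake: 'IoT may reach any on 443' with no RFC1918 block above it."""
    return [r for r in ruleset() if not (r.src == SEGMENTS["IOT"] and r.action == "block")]


def audit(rules, checks=CHECKS) -> list[str]:
    """Names of policy checks the rule list violates (empty list means compliant)."""
    return [c.name for c in checks
            if evaluate(rules, c.src, c.dst, c.proto, c.dport) != c.expect]


if __name__ == "__main__":
    print("intended ruleset violations:", audit(ruleset()))
    print("without lateral block:", audit(ruleset_missing_lateral_block()))
```

In pfSense terms the lateral block is a block rule whose destination is an RFC1918 alias, placed above the IoT Internet allow (or the allow rule with "invert match" against that alias). The audit only exercises the model of the policy, so after a ruleset change it still pays to confirm from a real IoT host (for example an nmap sweep of the LAN and management subnets) that the deployed rules behave the same way.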

Phase 10 – Expansion & HA

  • Add second Proxmox node
  • Central NAS for storage
  • GitOps workflows for automation

Long Term Goals

  • Operate a fully segmented, zero trust homelab modeled after enterprise IT.
  • Demonstrate identity, observability, automation, and secure remote access skills.
  • Document progress as a living portfolio project.

⚡ Updates will be posted here as the lab grows; this is a living project.