March 17, 2026
In this post I’ll walk you through my current homelab setup. What started as a small tinkering project has grown into a multi-site infrastructure with two locations, two external servers and a centralized security stack.
The Basic Idea
My homelab connects two physical sites (Wartenberg and Fuerstenberg) along with two external servers (Strato and IONOS) into a unified network. Everything is securely connected via Tailscale VPN and centrally monitored with Wazuh SIEM/XDR and CrowdSec IPS.
Network Architecture
Wartenberg (Primary Site)
The primary site runs on fiber (FTTH) from Telekom:
- Edge Router: MikroTik hEX S* (RouterOS 7.x) — handles WAN to LAN routing
- WiFi & DHCP: Synology RT6600ax* as the central router with two Synology MR2200ac* in mesh mode
- DNS: Two Pi-hole instances behind an NGINX load balancer for redundancy
Network segmentation is a priority — everything is cleanly separated:
| Segment | Subnet | Purpose |
|---|---|---|
| LAN | 192.168.1.0/24 | Primary network |
| Sonos | 192.168.3.0/24 | Multi-room audio |
| IoT | 192.168.4.0/24 | Smart home devices |
| Guest | 192.168.5.0/24 | Guest access |
| Transit | 192.168.10.0/24 | MikroTik ↔ Synology |
Fuerstenberg (Secondary Site)
The second site has a leaner setup:
- Edge Router: MikroTik hEX S*
- WiFi: Netgear router
- Subnet: 192.168.2.0/24
- Proxmox server for local VMs and containers
- Home Assistant for local home automation
Both sites are connected via Tailscale — the Pi-holes at Fuerstenberg run on Tailscale IPs and are managed centrally.
Virtualization with Proxmox
Both sites run Proxmox VE as the hypervisor. All services run as VMs or LXC containers:
- Wazuh Manager — SIEM/XDR for centralized security monitoring
- CrowdSec LAPI — Intrusion Prevention System
- Home Assistant — Smart home control
- Pi-hole (2x per site) — DNS-based ad blocking
- NGINX — Reverse proxy and DNS load balancer
- Paperless-ngx — Document management
- Paperless AI — AI-powered document classification
- Prometheus — Metrics and monitoring
- Loki — Log aggregation
- Code Server — VS Code in the browser
- Scrypted — Camera management and HomeKit integration
- Zigbee2MQTT — Zigbee gateway for smart home devices
Tailscale VPN: The Backbone
Tailscale is the heart of my multi-site architecture. It connects all sites and external servers into a mesh VPN in the 100.x.x.x range — no port forwarding, no complicated VPN configuration.
Access control is managed through tags and ACLs:
- tag:admin — Full access (Mac Studio, MacBook, iPhone)
- tag:security-manager — Security services (Wazuh, CrowdSec)
- tag:external-server — External servers with restricted access
- tag:homelab — All internal devices with full mutual access
- tag:tailmox — Proxmox management (port 8006)
External servers can only reach the security ports (1514, 1515, 8080, 55000) on the Wazuh/CrowdSec stack — nothing more.
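To make the tag-based policy concrete, here is an added example (not the author's actual tailnet policy) that writes the rules described above in Tailscale's ACL format and evaluates them offline. The tags are the ones named in the post; the device-to-tag assignment, the `autogroup:admin` tag owners and the small evaluator are assumptions. Ports 1514/1515/55000 are Wazuh's default agent, enrolment and API ports and 8080 is the CrowdSec LAPI default. Tailscale ACLs are default-deny, so a connection passes only if some rule matches both source and destination.

```python
"""Evaluate a Tailscale-style ACL policy offline (added example, assumptions noted)."""
import json

# Wazuh agent (1514), enrolment (1515), API (55000) and CrowdSec LAPI (8080).
SECURITY_PORTS = "1514,1515,8080,55000"

# The policy as it would appear in the tailnet's HuJSON ACL file. Tag owners are
# an assumption; the post only names the tags and what they grant.
POLICY = {
    "tagOwners": {
        "tag:admin": ["autogroup:admin"],
        "tag:security-manager": ["autogroup:admin"],
        "tag:external-server": ["autogroup:admin"],
        "tag:homelab": ["autogroup:admin"],
        "tag:tailmox": ["autogroup:admin"],
    },
    "acls": [
        # Admin devices reach everything.
        {"action": "accept", "src": ["tag:admin"], "dst": ["*:*"]},
        # Internal devices have full mutual access.
        {"action": "accept", "src": ["tag:homelab"], "dst": ["tag:homelab:*"]},
        # Proxmox web UI; redundant with the admin wildcard but documents intent.
        {"action": "accept", "src": ["tag:admin"], "dst": ["tag:tailmox:8006"]},
        # External servers only reach the security ports on the Wazuh/CrowdSec stack.
        {"action": "accept", "src": ["tag:external-server"],
         "dst": [f"tag:security-manager:{SECURITY_PORTS}"]},
    ],
}

# Constructed node inventory (assumption): which tags each device carries.
NODES = {
    "mac-studio": {"tag:admin"},
    "wazuh-manager": {"tag:security-manager", "tag:homelab"},
    "crowdsec-lapi": {"tag:security-manager", "tag:homelab"},
    "pihole-1": {"tag:homelab"},
    "pve-wartenberg": {"tag:homelab", "tag:tailmox"},
    "strato": {"tag:external-server"},
    "ionos": {"tag:external-server"},
}


def _port_ok(spec, port):
    """Match a port against '*', a comma list, or ranges like '8000-8100'."""
    if spec == "*":
        return True
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _host_ok(spec, node):
    """A src/dst selector matches a node if it is '*' or one of the node's tags."""
    return spec == "*" or spec in NODES[node]


def allowed(src, dst, port):
    """True if any accept rule permits src -> dst:port (default deny)."""
    for rule in POLICY["acls"]:
        if rule["action"] != "accept":
            continue
        if not any(_host_ok(s, src) for s in rule["src"]):
            continue
        for entry in rule["dst"]:
            host, _, ports = entry.rpartition(":")
            if _host_ok(host, dst) and _port_ok(ports, port):
                return True
    return False


def exposed_ports(src, dst, candidates=range(1, 65536)):
    """Every port src may open on dst; a quick way to audit what a tag exposes."""
    return sorted(p for p in candidates if allowed(src, dst, p))


def policy_json():
    """Render the policy as JSON for pasting into the tailnet ACL editor."""
    return json.dumps(POLICY, indent=2)


if __name__ == "__main__":
    print(policy_json())
    print("strato -> wazuh-manager:", exposed_ports("strato", "wazuh-manager"))
    print("strato -> pve-wartenberg:", exposed_ports("strato", "pve-wartenberg"))
```

Running `exposed_ports` for each external server against each internal node is a cheap regression check to keep in a script: the expected answer for anything other than the security stack is an empty list, and any new entry shows up the moment a rule is loosened.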
Security Stack
Wazuh SIEM/XDR
Wazuh runs as the central security manager on the Proxmox server in Wartenberg. Agents are installed on all critical systems:
- Both external servers (Strato and IONOS)
- All homelab services (Paperless, Prometheus, Code Server, etc.)
- Network infrastructure (Pi-holes, NGINX, Zigbee2MQTT)
- Mac clients
Wazuh collects logs, detects anomalies and alerts on security incidents. Especially after a rootkit experience on the Strato server in late 2025, centralized monitoring became essential.
CrowdSec IPS
CrowdSec complements Wazuh as an Intrusion Prevention System. The central LAPI runs as an LXC container in Wartenberg. Connected systems:
- Strato — with firewall bouncer
- IONOS — with firewall bouncer
CrowdSec uses community-based blocklists and detects attack patterns in real time. The CrowdSec Console gives me a clear overview of everything.
DNS Architecture
The DNS configuration was one of the biggest challenges — especially avoiding loops:
- Synology Router uses 1.1.1.1 and 8.8.8.8 as upstream DNS (NOT the Pi-holes!)
- Pi-hole has “Never forward non-FQDNs” enabled
- Conditional Forwarding routes local queries for all subnets to the Synology router
This gives me ad-free DNS for all devices without Pi-hole and the router sending queries back and forth to each other.
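The loop the three rules above prevent is easy to reason about once the forwarding graph is written down. The following added example (not the author's configuration) models the Synology router, one Pi-hole and a public upstream as resolvers with records, conditional forwarders and the "Never forward non-FQDNs" flag, then traces where a query travels. The resolver names, the `lan` local domain and the records are constructed assumptions; the reverse zones follow the subnet table above. It shows that pointing the router's upstream back at Pi-hole produces a loop for any local name the router cannot answer itself, while the configuration described in the post always terminates.

```python
"""Trace DNS forwarding paths to catch resolver loops (added example, assumptions noted)."""
from dataclasses import dataclass, field

PUBLIC = "public"  # stands for 1.1.1.1 / 8.8.8.8; anything that reaches it is resolved


@dataclass
class Resolver:
    name: str
    upstream: str                                    # default forwarding target
    records: set = field(default_factory=set)        # names answered locally
    conditional: dict = field(default_factory=dict)  # zone suffix -> resolver name
    never_forward_non_fqdn: bool = False             # Pi-hole "Never forward non-FQDNs"


def next_hop(resolver, qname):
    """Return the resolver the query is forwarded to, or None if answered locally."""
    if qname in resolver.records:
        return None
    if resolver.never_forward_non_fqdn and "." not in qname:
        return None  # Pi-hole answers single-label names itself instead of forwarding
    for zone, target in resolver.conditional.items():
        if qname == zone or qname.endswith("." + zone):
            return target
    return resolver.upstream


def trace(resolvers, start, qname):
    """Follow forwarding hops from `start`; return (path, looped)."""
    path = [start]
    while True:
        hop = next_hop(resolvers[path[-1]], qname)
        if hop is None:
            return path, False
        if hop == PUBLIC:
            return path + [hop], False
        if hop in path:
            return path + [hop], True  # we are back at a resolver already on the path
        path.append(hop)


# Reverse zones for the post's subnets, plus an assumed 'lan' local domain.
LOCAL_ZONES = ["lan"] + [f"{n}.168.192.in-addr.arpa" for n in (1, 3, 4, 5, 10)]


def build(router_upstream):
    """Build the two-resolver topology; only the router's upstream varies."""
    synology = Resolver(
        "synology", router_upstream,
        records={"router.lan", "1.1.168.192.in-addr.arpa"},  # constructed lease data
    )
    pihole = Resolver(
        "pihole-1", PUBLIC,
        conditional={zone: "synology" for zone in LOCAL_ZONES},
        never_forward_non_fqdn=True,
    )
    return {r.name: r for r in (synology, pihole)}


GOOD = build(PUBLIC)      # router -> 1.1.1.1 / 8.8.8.8, as in the post
BAD = build("pihole-1")   # router -> Pi-hole: the loop the post avoids


def has_loop(resolvers, qname, start="pihole-1"):
    """Does a query entering at `start` ever revisit a resolver?"""
    return trace(resolvers, start, qname)[1]


if __name__ == "__main__":
    for label, topo in (("good", GOOD), ("bad", BAD)):
        for q in ("42.4.168.192.in-addr.arpa", "router.lan", "printer", "example.com"):
            print(label, q, trace(topo, "pihole-1", q))
```

The interesting case is a reverse lookup for an address the router has no lease for: in the post's configuration it ends at the public upstream (and gets NXDOMAIN there), whereas with the router forwarding to Pi-hole it bounces between the two forever.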
External Servers
Besides the homelab, I run two external servers:
| Server | Host | OS | Services |
|---|---|---|---|
| strato.ck99.io | Strato | Ubuntu 24.04 + Plesk | Web, Mail |
| gruene-erding.de | IONOS | Ubuntu 22.04 + Plesk | Web, Mail |
Both servers are connected to the network via Tailscale and centrally monitored through Wazuh and CrowdSec.
What I’ve Learned
- Segmentation is a must. IoT devices don’t belong in the same network as your workstation.
- DNS redundancy. Two Pi-holes behind a load balancer — if one goes down, nobody notices.
- Security is not an add-on. After the rootkit on the Strato server, it was clear: a SIEM like Wazuh is not a luxury, it’s essential.
- Tailscale is a game changer. Multi-site VPN without port forwarding and NAT issues — just install and go.
- Infrastructure as Code. Everything I can, I automate with Ansible. My IaC_HomeLab repository on GitHub documents the setup.
Next Steps
- Set up MikroTik bouncer for CrowdSec (both sites)
- Connect more homelab devices to CrowdSec
- Connect Fuerstenberg Proxmox server to Wazuh
Questions about my setup? Feel free to reach out.
Links marked with * are affiliate links. If you purchase through these links, I receive a small commission — at no extra cost to you.