Building things,
breaking things,
writing it all down.

When you self-host something public-facing, you’re opening a door from the internet into your home. The question isn’t whether to open it — it’s how far that door goes. By default, if your server gets compromised, an attacker has a foothold inside your LAN and can potentially reach everything else on your network. A DMZ VLAN removes that risk entirely. What is a DMZ VLAN? A DMZ (Demilitarised Zone) is an isolated network segment that sits between the internet and your internal LAN.

pfSense is a FreeBSD-based firewall and router platform that gives you enterprise-grade network control on commodity hardware. I ran it as a VM on Proxmox before moving to a UniFi Dream Machine. This writeup covers the full setup from installation through to a working multi-VLAN configuration with DNS over TLS. Why pfSense I evaluated OPNsense, pfSense, and a plain Linux iptables setup. pfSense won for three reasons: the volume of documentation available, the maturity of the package ecosystem, and the WebGUI which makes complex firewall rule management approachable without sacrificing depth.

Most home lab setups are entirely Linux. Mine mostly is too — but a Windows Server VM running Active Directory has been one of the most valuable additions to the lab. It gives me a local environment to test Group Policy, practice AD administration, understand Entra ID hybrid identity, and replicate the kind of environment I manage professionally. VM setup in Proxmox Windows Server needs a full VM rather than an LXC.