Home Network Security Control Plane

Sanitized case study

A production-style daily home network project using OPNsense for enforcement, Proxmox for visibility, and Homepage as a private control view.

Constraint: daily-use network, not a disposable lab
Control view: Homepage Mission Status, Security Snapshot, Recovery Snapshot
Posture: no WAN dashboard exposure, no raw Docker socket, no admin UI embedding
Scope: Daily-use home network control plane
Method: Centralize visibility without moving enforcement
Output: Mission, security, and recovery snapshots
Limit: Sanitized public notes only

Problem

Scattered controls are hard to trust.

Home networks become difficult to reason about when firewall policy, DNS behavior, device awareness, logs, backups, and recovery state all live in separate places.

Constraint

It has to keep working.

This is a daily-use network. Changes have to preserve internet access, Wi-Fi, DNS, management access, and normal household use, so rollback and one-change-at-a-time validation matter as much as new controls.
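
The validate-then-roll-back loop that constraint implies, as an added example (not code from the case study): record a baseline of the things that must keep working, apply exactly one change, re-check, and roll back only on a regression. The probe targets (example.com, RFC 5737 addresses) and the no-op apply/rollback callables in main() are placeholders to be replaced with the real gateway, management UI and change procedure.

```python
"""One-change-at-a-time validation with automatic rollback.

Added example, not code from the case study. The probes cover only what the
text says must keep working: DNS, the gateway, and management access. Hosts
and ports in main() are placeholders (RFC 5737 addresses, example.com).
"""
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Probe = Callable[[], bool]


def dns_resolves(name: str) -> Probe:
    """Probe: the resolver this host is configured to use answers for `name`.
    Resolver timeouts come from the OS resolver configuration, not from here."""
    def run() -> bool:
        try:
            socket.getaddrinfo(name, None)
            return True
        except OSError:          # includes socket.gaierror
            return False
    return run


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> Probe:
    """Probe: a TCP handshake to host:port completes; nothing is sent."""
    def run() -> bool:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return True
        except OSError:
            return False
    return run


@dataclass
class ChangeResult:
    baseline_failed: List[str] = field(default_factory=list)  # broken before the change
    post_failed: List[str] = field(default_factory=list)      # broken after the change
    regressions: List[str] = field(default_factory=list)      # broken only after
    rolled_back: bool = False


def apply_with_validation(probes: Dict[str, Probe],
                          apply_change: Callable[[], None],
                          rollback: Callable[[], None]) -> ChangeResult:
    """Record a baseline, apply one change, re-probe, roll back on regression.

    Probes that already failed at baseline are reported but never trigger a
    rollback: they are pre-existing breakage, not something this change caused,
    and rolling back would only hide them. A regression is a probe that passed
    before the change and fails after it.
    """
    result = ChangeResult()
    result.baseline_failed = [name for name, probe in probes.items() if not probe()]
    apply_change()
    result.post_failed = [name for name, probe in probes.items() if not probe()]
    result.regressions = [n for n in result.post_failed if n not in result.baseline_failed]
    if result.regressions:
        rollback()
        result.rolled_back = True
    return result


if __name__ == "__main__":
    # Dry run: a no-op change against placeholder targets (assumptions).
    checks = {
        "dns": dns_resolves("example.com"),
        "gateway-https": tcp_reachable("192.0.2.1", 443),
        "mgmt-ui": tcp_reachable("192.0.2.2", 443),
    }
    outcome = apply_with_validation(checks, apply_change=lambda: None,
                                    rollback=lambda: print("rollback would run here"))
    print(outcome)
```

The apply and rollback callables are where the real work goes (for example, importing the previous firewall rule set); the harness only decides whether rollback is warranted, and it refuses to blame the change for anything that was already broken.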

Architecture Layers

Role-based view only. This is not an internal map and does not publish addresses, inventories, routes, or screenshots.

Enforcement

OPNsense keeps firewall, DNS, and edge policy decisions at the network boundary.

Visibility

Proxmox hosts the lightweight security-services layer for logs, inventory, checks, and evidence.

Control view

Homepage is the private HomeNet view for mission, security, and recovery snapshots.

Signals

NetBox, Uptime Kuma, Victoria, NetAlertX, OpenCanary, Trivy, Syft, and backup checks provide supporting context.

What Changed

Visibility and recovery became first-class.

The modernization pass stabilized core DHCP reservations, added NetBox as the source of truth for inventory, added Trivy vulnerability and Syft SBOM visibility for container images, created backup and freshness checks, tested OpenCanary alerting, and moved the daily operations front door from Glance to Homepage.
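
A backup freshness check of the kind that pass introduced, as an added example rather than the project's own script: for each backup set it finds the newest artifact with real content and compares its age against the interval the job is supposed to run on. The set names, directories, glob patterns and intervals in BACKUP_SETS are assumptions to be replaced. The point worth copying is that an empty file left behind by a failed job never counts as a fresh backup.

```python
"""Backup freshness check: is the newest usable artifact of each backup set
younger than the interval its job is expected to run on?

Added example, not the case study's own check. Directory names, glob
patterns and intervals in BACKUP_SETS are assumptions.
"""
import json
import sys
import time
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional

# Assumed layout: one directory per backup set, newest file = latest run.
BACKUP_SETS: Dict[str, dict] = {
    "opnsense-config": {"dir": "/srv/backups/opnsense", "glob": "*.xml", "max_age_s": 36 * 3600},
    "proxmox-vzdump": {"dir": "/srv/backups/pve", "glob": "vzdump-*.zst", "max_age_s": 8 * 24 * 3600},
}


@dataclass(frozen=True)
class Artifact:
    path: str
    mtime: float   # seconds since epoch
    size: int      # bytes


@dataclass
class Freshness:
    name: str
    newest: Optional[str]    # newest usable artifact, None if there is none
    age_s: Optional[float]
    max_age_s: float

    @property
    def status(self) -> str:
        if self.newest is None:
            return "missing"
        return "ok" if self.age_s <= self.max_age_s else "stale"


def scan(directory: str, pattern: str) -> List[Artifact]:
    """Collect candidate artifacts from disk. A missing directory yields []."""
    base = Path(directory)
    if not base.is_dir():
        return []
    out = []
    for p in base.glob(pattern):
        if p.is_file():
            st = p.stat()
            out.append(Artifact(str(p), st.st_mtime, st.st_size))
    return out


def evaluate(name: str, artifacts: List[Artifact], max_age_s: float,
             now: Optional[float] = None, min_size: int = 1) -> Freshness:
    """Judge one set. Files below min_size are ignored, so a failed job that
    left an empty file cannot mask staleness: the age reported is that of the
    newest file that actually has content."""
    now = time.time() if now is None else now
    usable = [a for a in artifacts if a.size >= min_size]
    if not usable:
        return Freshness(name, None, None, max_age_s)
    newest = max(usable, key=lambda a: a.mtime)
    return Freshness(name, newest.path, now - newest.mtime, max_age_s)


def report(results: List[Freshness]) -> dict:
    """Flat JSON summary that a status card or push monitor can consume."""
    return {
        "overall": "ok" if all(r.status == "ok" for r in results) else "degraded",
        "sets": [{"name": r.name, "status": r.status, "newest": r.newest,
                  "age_hours": None if r.age_s is None else round(r.age_s / 3600, 1)}
                 for r in results],
    }


def main() -> int:
    results = [evaluate(name, scan(cfg["dir"], cfg["glob"]), cfg["max_age_s"])
               for name, cfg in BACKUP_SETS.items()]
    summary = report(results)
    print(json.dumps(summary, indent=2))
    return 0 if summary["overall"] == "ok" else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it from cron or a timer; the non-zero exit code is what a push-style monitor should key on, and the JSON is small enough to sit behind a read-only endpoint for a recovery snapshot card without exposing paths beyond the host.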

Why Homepage

One practical front door.

Glance worked as a lightweight launchpad. Homepage became the private control view because it better supports live status cards, security and recovery snapshots, service widgets, and quick links without embedding privileged admin interfaces: admin UIs are linked, not rendered inside the dashboard, so the dashboard page never carries a privileged session of its own.

Deferred On Purpose

These are not described as finished controls because they are not deployed yet.

  • Full VLAN migration
  • Remote access with WireGuard or Tailscale
  • Endpoint telemetry rollout
  • Broad scanner automation
  • Raw Docker socket widgets
  • Public dashboard exposure
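
To make the "no raw Docker socket" posture checkable rather than a statement of intent, here is an added example (not the project's tooling) that lints a compose file for socket bind mounts, privileged services and TCP DOCKER_HOST settings. The compose text is constructed for the demonstration, and the linter is a line-oriented check for two-space-indented compose files, not a YAML parser.

```python
"""Lint a docker-compose file against the posture kept here: no raw Docker
socket handed to a dashboard or widget container.

Added example, not the project's own tooling. Line-oriented check for
conventionally indented (two-space) compose files, not a YAML parser.
SAMPLE_COMPOSE below is constructed for the demonstration.
"""
import re
from dataclasses import dataclass
from typing import List

SERVICE_RE = re.compile(r"^  ([A-Za-z0-9_.-]+):\s*$")      # two-space key under services:
PRIVILEGED_RE = re.compile(r"^\s*privileged:\s*true\b")
DOCKER_HOST_RE = re.compile(r"DOCKER_HOST\s*[=:]\s*['\"]?tcp://")


@dataclass(frozen=True)
class Finding:
    line: int
    service: str
    severity: str
    message: str


def lint_compose(text: str) -> List[Finding]:
    findings: List[Finding] = []
    service = "(top-level)"
    in_services = False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if line.startswith("services:"):
            in_services = True
            continue
        if in_services and line and not line.startswith(" "):
            in_services = False          # another top-level key (networks:, volumes:)
        m = SERVICE_RE.match(line)
        if in_services and m:
            service = m.group(1)
            continue
        if "docker.sock" in line:
            # A read-only bind mount of the socket still allows connect(); every
            # daemon API call, including creating a privileged container with the
            # host root mounted, stays available. ':ro' is not a mitigation.
            mode = "read-only" if line.endswith(":ro") else "read-write"
            findings.append(Finding(no, service, "high",
                f"Docker socket bind-mounted ({mode}): full daemon API reachable from the container"))
        elif PRIVILEGED_RE.match(line):
            findings.append(Finding(no, service, "high",
                "privileged: true hands the container every capability and host device"))
        elif DOCKER_HOST_RE.search(line):
            findings.append(Finding(no, service, "medium",
                "DOCKER_HOST is a TCP endpoint: confirm it is a filtered socket proxy, not the daemon"))
    return findings


def blockers(findings: List[Finding]) -> List[str]:
    """Services that would violate the 'no raw Docker socket' posture."""
    return sorted({f.service for f in findings if f.severity == "high"})


# Constructed sample: a dashboard given the socket, a scanner run privileged,
# and a service pointed at a TCP endpoint that may or may not be a proxy.
SAMPLE_COMPOSE = """\
services:
  dashboard:
    image: example/dashboard
    ports:
      - "127.0.0.1:3000:3000"
    volumes:
      - ./config:/app/config
      - /var/run/docker.sock:/var/run/docker.sock:ro
  scanner:
    image: example/scanner
    privileged: true
  monitor:
    image: example/monitor
    environment:
      - DOCKER_HOST=tcp://socket-proxy:2375
networks:
  default:
    name: homenet
"""

if __name__ == "__main__":
    found = lint_compose(SAMPLE_COMPOSE)
    for f in found:
        print(f"line {f.line:>3} [{f.severity}] {f.service}: {f.message}")
    print("blocking services:", blockers(found))
```

Running it on the sample flags the dashboard's socket mount and the privileged scanner as blockers even though the mount is `:ro`; the only acceptable way to light up Docker widgets later is a filtered socket proxy that exposes just the read-only endpoints the widget needs, which is what the medium finding asks you to verify.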

Safety

Public notes stay sanitized.

This case study does not publish raw firewall exports, secrets, public IPs, full inventories, private hostnames, internal dashboard URLs, MAC addresses, sensitive routes, Uptime Kuma push URLs, raw status feeds, or unredacted screenshots.