The Complete Guide to Network Security for Homelabs
Running a homelab is one of the most rewarding hobbies in tech. You get hands-on experience with enterprise-grade tools, you control your own data, and you build something genuinely useful. But the moment you expose services to the internet — or even just connect smart devices to your network — you're taking on security responsibilities that most people don't think about until something goes wrong.
This guide covers everything you need to know about securing a homelab network, from basic router hardening to advanced monitoring and intrusion detection. Whether you're running a single Raspberry Pi or a full rack of servers, the principles are the same.
Layer 1: Perimeter Security
Your router is the front door. If it's compromised, everything behind it is exposed.
Router Hardening Checklist
- Change default admin credentials. This sounds obvious but an alarming number of home routers are still running with admin/admin or admin/password. Use a strong, unique password.
- Update firmware. Check your router manufacturer's website monthly. Better yet, use a router that supports automatic updates (most modern routers from Asus, TP-Link, and Ubiquiti do).
- Disable WAN management. Unless you specifically need to manage your router remotely, turn off any management interface accessible from the internet side.
- Disable UPnP. Universal Plug and Play allows devices on your network to automatically open ports. This is convenient but dangerous — malware can use it too. Disable it and manage port forwarding manually.
- Enable SPI firewall. Most consumer routers have a Stateful Packet Inspection firewall built in but sometimes disabled by default. Turn it on.
DNS Security
Your DNS queries reveal every domain you visit. By default, they're sent unencrypted to your ISP.
- DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT): Encrypt your DNS queries. Many routers now support this natively. If yours doesn't, run a local resolver like Pi-hole or AdGuard Home.
- DNS filtering: Block malicious and tracking domains at the DNS level. Pi-hole with regularly updated blocklists catches an enormous amount of junk before it reaches your devices.
Layer 2: Network Segmentation
The most impactful security improvement most homelabbers can make is separating their network into VLANs. The principle is simple: devices that don't need to talk to each other shouldn't be able to.
Recommended VLAN Structure
- VLAN 10 — Trusted: Your primary computers, phones, tablets. Full internet access, can reach servers.
- VLAN 20 — Servers: Your NAS, Docker hosts, VMs. Can reach the internet for updates. Accessible from Trusted VLAN but not from IoT or Guest.
- VLAN 30 — IoT: Smart home devices, cameras, sensors. Internet access only (for cloud services they need). Cannot reach Trusted or Server VLANs.
- VLAN 40 — Guest: Visitor devices. Internet only. Cannot reach any internal resources.
Firewall Rules Between VLANs
The default should be deny-all between VLANs, with explicit allow rules for the traffic you need. Because the firewall is stateful, an allow rule covers connections initiated from that side; the replies come back automatically without a rule in the opposite direction. For example:
- Trusted → Servers: Allow (you need to access your NAS and services)
- Servers → Trusted: Deny (your NAS doesn't need to initiate connections to your laptop)
- IoT → Internet: Allow (they need cloud connectivity)
- IoT → anything internal: Deny
- Guest → Internet: Allow
- Guest → anything internal: Deny
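The policy table above, turned into something you can both test and load: this is an added example and not the article's own configuration. It encodes the allow list as data, answers "may SRC talk to DST?" from that data, and renders the same data as an nftables forward chain with a drop policy. The VLAN interface names (vlan10 to vlan40), the WAN interface (eth0) and the table name are assumptions; adjust them for your firewall.

```shell
#!/bin/sh
# Added example (not from the original post): the inter-VLAN policy above as
# data, a function that answers "may SRC talk to DST?", and a renderer that
# turns the same data into an nftables forward chain with a drop policy.
# Assumptions: VLAN interfaces vlan10-vlan40 and WAN interface eth0 on the
# firewall box, and the table name "homelab".

# One "src dst" pair per line. Anything not listed is denied, which is the
# deny-all default the article recommends.
ALLOWED_FLOWS="trusted servers
trusted internet
servers internet
iot internet
guest internet"

# iface_for ROLE -> interface name assumed for that VLAN (or the WAN)
iface_for() {
  case "$1" in
    trusted)  echo vlan10 ;;
    servers)  echo vlan20 ;;
    iot)      echo vlan30 ;;
    guest)    echo vlan40 ;;
    internet) echo eth0 ;;
    *)        return 1 ;;
  esac
}

# vlan_policy SRC DST -> "allow" or "deny" for a connection that SRC initiates
vlan_policy() {
  if printf '%s\n' "$ALLOWED_FLOWS" | grep -qxF "$1 $2"; then
    echo allow
  else
    echo deny
  fi
}

# emit_nft_ruleset -> nftables ruleset on stdout. The conntrack rule passes
# replies to allowed connections, so "Servers -> Trusted: Deny" only blocks
# connections the NAS initiates; your laptop's sessions to it still work.
emit_nft_ruleset() {
  cat <<'EOF'
table inet homelab {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
EOF
  printf '%s\n' "$ALLOWED_FLOWS" | while read -r src dst; do
    printf '    iifname "%s" oifname "%s" accept\n' \
      "$(iface_for "$src")" "$(iface_for "$dst")"
  done
  cat <<'EOF'
  }
}
EOF
}

# Usage: sh vlan_policy.sh > homelab.nft && nft -c -f homelab.nft  (-c checks only)
emit_nft_ruleset
```

Keeping the matrix as data means the question "can IoT reach Servers?" has one answer in one place, and the generated ruleset cannot drift from what you think the policy is. Run the generated file through `nft -c -f` before loading it.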
Layer 3: Service Exposure
Every port you open to the internet is a potential entry point. Audit ruthlessly.
Port Audit
Run a scan from outside your network to see what's exposed. You can use online tools like ShieldsUp (grc.com) or scan from a VPS:
nmap -sS -sV -p- your.public.ip
For each open port, ask: does this absolutely need to be public? If not, close it. If yes, ensure the service behind it is patched and hardened.
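To make "audit ruthlessly" repeatable, here is an added example (not from the original post) that turns the external scan into a pass/fail check: it parses nmap's grepable output, lists the open ports, and flags any that are not on an explicit allowlist. The scan line is constructed stand-in output, and the allowlist value (only the WireGuard UDP port) is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): turn the external port scan
# into a pass/fail audit. Run nmap with grepable output, list the open ports,
# and flag any that are not on an explicit allowlist. The scan line below is
# constructed stand-in output; the allowlist value is an assumption.

# Real run from a VPS:  nmap -sS -sV -p- -oG scan.gnmap your.public.ip
# (-sS needs root and scans TCP only; add -sU to cover UDP services such as
# WireGuard.) Constructed -oG line standing in for scan.gnmap:
SAMPLE_SCAN=$(printf 'Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 443/open/tcp//https//nginx/, 8080/closed/tcp//http-proxy///\tIgnored State: filtered (65532)')

# open_ports FILE -> one "port/proto service" line per open port
open_ports() {
  awk -F'Ports: ' '/Ports: / {
    split($2, rest, "\tIgnored")        # drop the trailing ignored-state note
    n = split(rest[1], ports, ", ")
    for (i = 1; i <= n; i++) {
      split(ports[i], f, "/")           # port/state/proto/owner/service/rpc/version
      if (f[2] == "open") print f[1] "/" f[3] " " f[5]
    }
  }' "$1"
}

# audit_exposure FILE ALLOWLIST -> prints open ports missing from ALLOWLIST
# (a space-separated list such as "51820/udp") and returns 1 if there are any
audit_exposure() {
  findings=$(open_ports "$1" | while read -r portproto service; do
    case " $2 " in
      *" $portproto "*) ;;                                  # expected
      *) echo "UNEXPECTED: $portproto ($service)" ;;
    esac
  done)
  [ -z "$findings" ] && { echo "PASS: nothing unexpected is listening"; return 0; }
  printf '%s\n' "$findings"
  return 1
}

# Demo against the constructed scan: with only the VPN port allowed, SSH and
# HTTPS show up as unexpected.
scan_file=$(mktemp)
printf '%s\n' "$SAMPLE_SCAN" > "$scan_file"
if audit_exposure "$scan_file" "51820/udp"; then
  echo "exposure matches the allowlist"
else
  echo "close the ports above, or add them to the allowlist with a reason"
fi
rm -f "$scan_file"
```

Run it from a cron job on the VPS and have it notify you only on a non-zero exit; a service that quietly starts listening on the WAN side then shows up within a day instead of whenever you next remember to scan.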
VPN Access
The single best way to access your homelab remotely is through a VPN. WireGuard is the modern choice — fast, simple to configure, and audited. Set up a WireGuard server on your router or a dedicated VM, and access everything through the tunnel.
This means you can close every port except WireGuard's UDP port (typically 51820). Everything else — your NAS, your dashboards, your media server — is accessible only through the VPN tunnel.
Layer 4: Authentication and Access Control
SSH Hardening
If you SSH into your servers (and you probably do), lock it down:
- Disable password authentication — use SSH keys only
- Change the default port from 22 to something non-standard (reduces log noise from bots)
- Install fail2ban to auto-block IPs after failed login attempts
- Restrict SSH access to specific users:
AllowUsers yourusername
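A way to check those settings instead of trusting that you set them, as an added example that is not from the original post: a small sshd_config audit covering keys-only login, a non-default port and AllowUsers. Both sample configs are constructed. On a real host, point audit_sshd at /etc/ssh/sshd_config, or better at the output of `sshd -T`, which prints every effective value with defaults filled in. fail2ban is a separate package rather than an sshd_config setting, so it is not checked here.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config against the
# checklist above (keys only, non-default port, AllowUsers). The two sample
# configs are constructed; on a real host point audit_sshd at
# /etc/ssh/sshd_config or at the output of `sshd -T`.

# effective_value FILE KEY -> value of the first uncommented KEY line, or
# "unset" if absent (sshd uses the first occurrence of a keyword; this simple
# parser ignores Match blocks)
effective_value() {
  awk -v key="$2" '
    tolower($1) == tolower(key) && !seen { v = $2; seen = 1 }
    END { print (seen ? v : "unset") }' "$1"
}

# audit_sshd FILE -> "PASS" and status 0, or the list of findings and status 1
audit_sshd() {
  f="$1"; findings=""
  [ "$(effective_value "$f" PasswordAuthentication)" = no ] || findings="$findings
PasswordAuthentication is not 'no' (password logins, and so password guessing, still possible)"
  port=$(effective_value "$f" Port)
  [ "$port" != unset ] && [ "$port" != 22 ] || findings="$findings
Port is the default 22 (expect more bot noise in your logs)"
  [ "$(effective_value "$f" AllowUsers)" != unset ] || findings="$findings
AllowUsers is not set (every account on the box may log in over SSH)"
  if [ -z "$findings" ]; then echo PASS; return 0; fi
  printf 'FINDINGS:%s\n' "$findings"
  return 1
}

# write_sample_config weak|hardened FILE -> constructed configs for the demo
write_sample_config() {
  if [ "$1" = weak ]; then cat > "$2" <<'EOF'
# stock-looking config: everything left at its default
#Port 22
#PasswordAuthentication yes
X11Forwarding no
EOF
  else cat > "$2" <<'EOF'
Port 2222
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers yourusername
EOF
  fi
}

# Demo: the weak config fails on all three points, the hardened one passes.
for kind in weak hardened; do
  cfg=$(mktemp); write_sample_config "$kind" "$cfg"
  echo "== $kind =="
  if audit_sshd "$cfg"; then echo "ready"; else echo "fix the above first"; fi
  rm -f "$cfg"
done
```

The commented-out lines in the weak config are the trap: a line like `#PasswordAuthentication yes` looks like a setting but does nothing, and the compiled-in default (passwords on) applies. That is why the parser reports "unset" rather than reading the comment.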
Two-Factor Authentication
Enable 2FA on everything that supports it: your NAS admin panel, your reverse proxy dashboard, your email, your password manager. TOTP (Time-based One-Time Password) via an authenticator app is the minimum. Hardware keys (YubiKey) are better if you're serious.
Layer 5: Reverse Proxy
If you're running multiple web services, a reverse proxy (Nginx Proxy Manager, Traefik, or Caddy) is essential. It provides:
- SSL/TLS termination with automatic Let's Encrypt certificates
- A single entry point instead of exposing multiple ports
- Access control and rate limiting
- Clean subdomain routing (nas.yourdomain.com, media.yourdomain.com)
Layer 6: Monitoring and Alerting
Security isn't a one-time setup — it's an ongoing practice. You need visibility into what's happening on your network.
Essential Monitoring Tools
- Uptime Kuma: Dead-simple service monitoring. Checks your services are responding, alerts you when they go down. Self-hosted, lightweight.
- Grafana + Prometheus: For dashboards and metrics. CPU, RAM, disk, network traffic, container health. Takes more setup but gives you deep visibility.
- ntfy: Self-hosted push notifications. Send alerts to your phone when something needs attention. No dependencies on external services.
Log Aggregation
Centralise your logs. Having to SSH into five different servers to read logs is not sustainable. Options include:
- Loki + Grafana: Lightweight log aggregation that integrates with your existing Grafana dashboards
- Graylog: More powerful but heavier. Good if you want advanced parsing and alerting.
- Simple approach: Rsyslog forwarding to a central server, then grep when you need something. Not sexy but effective.
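What the "forward to one box, then grep" approach looks like once the logs are in one place, as an added example that is not from the original post: count failed SSH password attempts per source address across all hosts and report any source over a threshold. That is the same signal fail2ban bans on, and running it against the central copy is also a quick way to confirm that forwarding actually works. The log lines are constructed; the threshold is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): a small detection over
# centralised auth logs. Count failed SSH password attempts per source and
# report sources at or above a threshold. Log lines are constructed; the
# threshold value is an assumption.

# Constructed auth.log excerpt as rsyslog would have collected it from two hosts.
SAMPLE_AUTH_LOG='Mar  3 02:14:07 nas sshd[2213]: Failed password for invalid user admin from 198.51.100.23 port 51122 ssh2
Mar  3 02:14:09 nas sshd[2213]: Failed password for invalid user admin from 198.51.100.23 port 51130 ssh2
Mar  3 02:14:12 nas sshd[2215]: Failed password for root from 198.51.100.23 port 51140 ssh2
Mar  3 02:14:15 docker1 sshd[881]: Failed password for root from 198.51.100.23 port 51155 ssh2
Mar  3 02:20:41 nas sshd[2290]: Accepted publickey for yourusername from 10.0.10.5 port 60321 ssh2
Mar  3 02:31:02 docker1 sshd[902]: Failed password for yourusername from 10.0.10.5 port 60400 ssh2'

# failed_logins_by_ip FILE -> "COUNT IP" lines, busiest source first
failed_logins_by_ip() {
  awk '/sshd\[[0-9]+\]: Failed password for/ {
    # the source address is the field after "from", wherever it falls
    for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i + 1)]++; break }
  }
  END { for (ip in count) print count[ip], ip }' "$1" | sort -rn
}

# brute_force_sources FILE THRESHOLD -> addresses with >= THRESHOLD failures
brute_force_sources() {
  failed_logins_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Demo against the constructed log. With a threshold of 3, the scanner at
# 198.51.100.23 is reported and the single typo from 10.0.10.5 is not.
log_file=$(mktemp)
printf '%s\n' "$SAMPLE_AUTH_LOG" > "$log_file"
echo "failed logins per source:"; failed_logins_by_ip "$log_file"
echo "sources at or above 3 failures:"; brute_force_sources "$log_file" 3
rm -f "$log_file"
```

Because the log is centralised, the four failures split across nas and docker1 are counted as one campaign from one address; per-host fail2ban instances would each see only part of it. Wire the output into ntfy and you have alerting for the cost of a cron entry.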
Layer 7: Intrusion Detection
For the security-conscious, an IDS (Intrusion Detection System) watches network traffic for suspicious patterns.
- Suricata: Open-source IDS/IPS. Runs on OPNsense and pfSense natively. Monitors traffic against known attack signatures.
- CrowdSec: A more modern approach — crowdsourced threat intelligence. Detects attacks and shares anonymised data with the community so everyone benefits. Free tier is generous.
Layer 8: Backups
All the security in the world means nothing if you can't recover from a disaster. Follow the 3-2-1 rule:
- 3 copies of important data
- 2 different media types (NAS + external drive, for example)
- 1 offsite copy (cloud backup, a drive at a friend's house, a safety deposit box)
Test your backups regularly. A backup you've never restored from is a backup that might not work. Schedule quarterly restore tests — pick a random file or VM and prove you can get it back.
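A scripted version of the quarterly restore test, as an added example that is not from the original post: back a directory up with tar, restore it into a scratch directory and compare the two trees file by file, so "the backup exists" becomes "the backup restores". The sample data is constructed; in real use you would point make_backup and restore_test at your NAS share and its archive.

```shell
#!/bin/sh
# Added example (not from the original post): a scripted restore test. Backs
# a directory up with tar, restores it elsewhere and diffs the trees. Sample
# data is constructed; paths are temporary.

# make_backup SRC_DIR ARCHIVE -> tar the directory with relative paths so it
# can be restored anywhere
make_backup() {
  tar -C "$1" -cf "$2" .
}

# restore_test ARCHIVE SRC_DIR -> status 0 only if a fresh restore of ARCHIVE
# reproduces SRC_DIR exactly (missing, extra or changed files all fail)
restore_test() {
  scratch=$(mktemp -d) || return 1
  if ! tar -C "$scratch" -xf "$1" 2>/dev/null; then
    rm -rf "$scratch"; echo "RESTORE FAILED: $1 does not extract"; return 1
  fi
  if diff -r "$2" "$scratch" >/dev/null; then
    rm -rf "$scratch"; echo "RESTORE OK: $1 reproduces $2"; return 0
  fi
  rm -rf "$scratch"; echo "RESTORE FAILED: $1 no longer matches $2"; return 1
}

# Demo with constructed data: a fresh backup passes, a truncated archive
# fails to extract, and once the source changes the old archive fails the
# comparison, which is the drift a quarterly restore is meant to catch.
work=$(mktemp -d)
mkdir -p "$work/src/docs"
printf 'important router config\n' > "$work/src/docs/router.conf"
printf 'family photos placeholder\n' > "$work/src/photo.bin"
make_backup "$work/src" "$work/backup.tar"
restore_test "$work/backup.tar" "$work/src"

head -c 100 "$work/backup.tar" > "$work/broken.tar"   # simulate a damaged copy
if ! restore_test "$work/broken.tar" "$work/src"; then
  echo "a damaged archive is caught before you need it"
fi

printf 'edited after the backup ran\n' >> "$work/src/docs/router.conf"
if ! restore_test "$work/backup.tar" "$work/src"; then
  echo "the archive is stale: take a new backup before relying on it"
fi
rm -rf "$work"
```

The comparison deliberately uses a fresh restore rather than reading the archive listing: a listing proves the index is intact, not that the data comes back. For a VM backup the same idea applies with the hypervisor's restore command and a boot check in place of the diff.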
Putting It All Together
Network security is about layers. No single measure is perfect, but together they create a posture that makes your homelab significantly harder to compromise than the defaults your ISP left you with.
Start with the highest-impact changes:
- Router credentials and firmware
- VPN for remote access (close unnecessary ports)
- Network segmentation (even basic guest network isolation)
- SSH hardening and 2FA
- Monitoring and alerting
Then work through the remaining layers as time allows. The goal isn't perfection — it's making your network not worth the effort for an attacker, when there are millions of easier targets out there.
Stay safe, stay patched, and remember: the best time to set up backups was yesterday. The second best time is now.