Two years ago, my entire "network setup" was a Netgear Orbi mesh and a pfSense miniPC on one flat 10.0.0.0/8, and the whole writeup fit in two lines. It has, uh, escalated. What was one router and one subnet is now two buildings joined by a 10G fiber run, carved into VLANs, with a hypervisor and a NAS doing the heavy lifting and a pile of self-hosted services hanging off the back.

Here's where it landed.

Topology

Network topology: a dual-WAN pfSense firewall in the house feeds a 10G core switch, which links over fiber to a Juniper core switch in the shed that fans out to a Proxmox host, a TrueNAS box, Wi-Fi APs, and iDRAC.
House and shed, joined by a single lit pair of fiber.
Same diagram as Mermaid source
flowchart TD
    classDef core fill:#1d3557,stroke:#a8dadc,color:#f1faee
    classDef infra fill:#457b9d,stroke:#a8dadc,color:#f1faee
    classDef wan fill:#2a9d8f,stroke:#1d3557,color:#f1faee
    classDef leaf fill:#f4a261,stroke:#1d3557,color:#1d3557

    ISP[/"Fiber ISP"/]:::wan
    TMO[/"T-Mobile 5G<br/>(backup)"/]:::wan
    ISP -->|2.5 GbE| PF
    TMO -.->|failover| PF

    subgraph HOUSE [" HOUSE "]
        PF["pfSense<br/>router / firewall<br/>dual-WAN"]:::core
        XG8["USW Pro XG 8<br/>core switch"]:::core
        FLEX["UniFi Flex XG<br/>leaf switch"]:::leaf
        APH["U7 Pro AP<br/>Wi-Fi 7"]:::leaf
        PF -->|10G DAC| XG8
        XG8 -->|10G| FLEX
        XG8 --- APH
        FLEX --- HV["Plex · Sonos<br/>Hue · AV"]:::leaf
    end

    XG8 ==>|"10G fiber<br/>(only house↔shed link)"| JUN

    subgraph SHED [" SHED "]
        JUN["Juniper EX4550<br/>core switch"]:::core
        PROX["Proxmox<br/>Dell R740"]:::infra
        NAS["TrueNAS SCALE<br/>Dell R730xd<br/>ZFS RAID10 (striped mirrors)"]:::infra
        APS["U7 Pro AP<br/>Wi-Fi 7"]:::leaf
        IDRAC["iDRAC<br/>out-of-band mgmt"]:::infra
        JUN --- PROX
        JUN ===|2x 10G LACP| NAS
        JUN --- APS
        JUN --- IDRAC
    end

The house↔shed backbone runs over OS2 fiber: a 12-strand pull, with one pair lit at 10GBASE-LR today and plenty of spare strands waiting to be put to work.

VLANs

Everything used to live on one flat /8 (yes, all of it, on the same broadcast domain, don't @ me). It's now carved into zones, each its own /16 in private address space:

VLAN  Purpose
10    Management (router, switches, hypervisor, NAS, iDRAC)
20    Services (public-facing VMs)
30    Personal / Lab (workstations, dev VMs)
40    IoT (home automation, cameras, speakers, plugs)
50    Guest Wi-Fi

Inter-zone traffic is default-deny. IoT in particular only gets DNS and NTP and is otherwise walled off from everything. The smart plugs do not need to phone home, and they certainly don't need to see the NAS.
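For reference, here is what that IoT policy looks like written out in plain pf syntax (an added example, not the author's pfSense configuration, which is built in the GUI; the interface names, subnets and the resolver address are assumptions):

```pf
# Added example: default-deny between zones, with the IoT VLAN allowed DNS and NTP only.
# Interface names and addresses are assumed; pick whatever your own VLAN plan uses.
iot_if   = "vlan40"
iot_net  = "10.40.0.0/16"
mgmt_net = "10.10.0.0/16"        # where the NAS, switches and iDRAC live (assumed)
resolver = "10.40.0.1"           # assumed: the firewall's own address on the IoT VLAN, serving DNS and NTP

set skip on lo0

# Default deny in every direction on every interface; only explicit "quick" rules below pass traffic.
block log all

# IoT may talk to the firewall for name resolution and time, and to nothing else.
pass in quick on $iot_if proto { tcp udp } from $iot_net to $resolver port 53
pass in quick on $iot_if proto udp from $iot_net to $resolver port 123

# Belt and braces: an explicit, logged block toward the management zone,
# so a later "pass" rule added in a hurry cannot quietly expose the NAS or iDRAC.
block in log quick on $iot_if from $iot_net to $mgmt_net

# No internet egress either: the plugs do not get to phone home.
block in log quick on $iot_if from $iot_net to any
```

The logged blocks are the useful part operationally: a burst of hits on the management-zone rule from a single plug is exactly the kind of thing worth looking at.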

The Router of Theseus

The firewall is still, technically, the home theater PC I bought in 2015. Eleven years of transplants later, the only original parts left are the case and (maybe) the power supply. New CPU, new board, new NICs, everything that actually does the work has been swapped out. It's still the same machine the way my grandfather's hammer (which is rightfully mine, and not my brother's) is still my grandfather's hammer.

Current internals:

  • CPU: Intel Core i5-12400 (it started life with a Core i7-4790K)
  • Board: ASUS PRIME B760M-A D4
  • RAM: 64 GB
  • WAN: Intel I225-V 2.5GbE (fiber) + Realtek RTL8125 2.5GbE (T-Mobile 5G failover)
  • LAN: Mellanox ConnectX-4 Lx, dual SFP28 (the 10G uplink to the rest of the network)
  • Disk: NVMe SSD

It started life playing movies in a living room. It now routes two WAN links, terminates a 10G trunk, and runs pfSense for the whole property. Same hammer.

The rest of the hardware

  • Core switching: UniFi USW Pro XG 8 PoE (house) and a Juniper EX4550 (shed), joined by 10G fiber, with a UniFi Flex XG as a downstream leaf.
  • Hypervisor: Dell R740 running Proxmox.
  • Storage: Dell R730xd plus an MD1400 SAS shelf running TrueNAS SCALE. ZFS RAID10 (striped mirrors), dual-10G LACP to the switch.
  • Wi-Fi: UniFi U7 Pro (Wi-Fi 7), one per building, plus an outdoor AP for the observatory gear.

Not shown on the diagram, because it would turn into spaghetti: the Strix Halo node, a handful of Playwright test nodes, a couple of build hosts, and the usual rotating cast of throwaway VMs.

What runs on it

A mix of personal and small-business services, all self-hosted: a PeerTube instance, a couple of websites (including the one you're reading), Plex, Immich, Forgejo, Home Assistant, a PBX, authoritative DNS (PowerDNS + Kea for DHCP), and HAProxy out front doing TLS termination, plus a rotating cast of dev and AI VMs.

Pain

  • commit confirmed is not optional. A plain commit on the Juniper once took down the entire network. Every change that touches the trunk now gets a rollback timer.
  • sshguard cannot tell Claude Code from a brute-force bot. Point an agent at your infra and it will open a fresh SSH session for nearly every command, sshguard reads the rapid reconnects as an attack, and bans the host. Congratulations, your AI ops helper has now locked both of you out of the router. Ask me how I know.
  • Lack of proper out-of-band management means you REALLY want to make sure you've got a keyboard/monitor available for when you break your firewall/router.