Loading...
Loading...
Readiness checklist for homelab VLAN segmentation, local DNS filtering, and WireGuard-style remote access before changing router, firewall, DHCP, or VPN configuration.
npx skill4agent add affaan-m/everything-claude-code homelab-network-readiness| Area | Questions |
|---|---|
| Internet edge | What is the modem or ONT? Is the ISP router bridged or still routing? |
| Gateway | What routes, firewalls, handles DHCP, and terminates VPNs? |
| Switching | Which switch ports are uplinks, access ports, trunks, or unmanaged? |
| Wi-Fi | Which SSIDs map to which networks, and are APs wired or mesh? |
| Addressing | What subnets exist today, and which ranges conflict with VPN sites? |
| DNS/DHCP | Which service currently hands out leases and resolver addresses? |
| Management | How will the operator reach the gateway, switch, and AP after changes? |
| Recovery | What can be reverted locally if DNS, DHCP, VLANs, or VPN routes break? |
| Zone | Typical contents | Default policy |
|---|---|---|
| Trusted | Laptops, phones, admin workstations | Can reach shared services and management only when needed |
| Servers | NAS, Home Assistant, lab hosts, DNS resolver | Accepts narrow inbound flows from trusted clients |
| IoT | TVs, smart plugs, cameras, speakers | Internet access plus explicit exceptions only |
| Guest | Visitor devices | Internet-only, no LAN reachability |
| Management | Gateway, switches, APs, controllers | Reachable only from trusted admin devices |
| VPN | Remote clients | Same or narrower access than trusted clients |
home.arpaClient gets expected DHCP lease
Client receives expected DNS resolver
Public DNS lookup succeeds
Local home.arpa lookup succeeds
Blocked test domain is blocked only where intended
Gateway and DNS admin interfaces are not reachable from guest or IoT networks| Mode | Use when | Risk notes |
|---|---|---|
| Split tunnel to one subnet | Remote admin for NAS or lab hosts | Keep route list narrow |
| Split tunnel to trusted services | Access selected apps by IP or DNS | Requires precise firewall rules |
| Full tunnel | Untrusted networks or travel | More bandwidth and DNS responsibility |
| Overlay VPN | Simpler remote access with identity controls | Still needs ACL review |
homelab-network-setupnetwork-config-validationnetwork-interface-health