homelab-network-readiness

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Homelab Network Readiness

家庭实验室网络就绪检查

Use this skill before changing a home or small-lab network that mixes VLANs, Pi-hole or another local DNS resolver, firewall rules, and remote VPN access.

This is a planning and review skill. Do not turn it into copy-paste router, firewall, or VPN configuration unless the target platform, current topology, rollback path, console access, and maintenance window are all known.

在更改混合了VLAN、Pi-hole或其他本地DNS解析器、防火墙规则及远程VPN访问的家庭或小型实验室网络前，使用本Skill。

这是一个规划与审核Skill。除非已知目标平台、当前拓扑结构、回滚路径、控制台访问权限及维护窗口，否则不要将其直接用于复制粘贴路由器、防火墙或VPN配置。

When to Use

使用场景

Preparing to split a flat network into trusted, IoT, guest, server, or management VLANs.
Moving DHCP clients to Pi-hole, AdGuard Home, Unbound, or another local DNS resolver.
Adding WireGuard, Tailscale, ZeroTier, OpenVPN, or router-native VPN access.
Reviewing whether a homelab change can lock the operator out of the gateway, switch, access point, DNS server, or VPN server.
Turning an informal home-network idea into a staged migration plan with validation evidence.

准备将扁平化网络划分为可信、IoT、访客、服务器或管理VLAN。
将DHCP客户端迁移至Pi-hole、AdGuard Home、Unbound或其他本地DNS解析器。
添加WireGuard、Tailscale、ZeroTier、OpenVPN或路由器原生VPN访问。
审核家庭实验室的变更是否会导致运维人员无法访问网关、交换机、接入点、DNS服务器或VPN服务器。
将非正式的家庭网络构想转化为带有验证依据的分阶段迁移计划。

Safety Rules

安全规则

Keep the first answer read-only: inventory, risks, staged plan, validation, and rollback.
Do not expose gateway admin panels, DNS resolvers, SSH, NAS consoles, or VPN management UIs directly to the public internet.
Do not provide firewall, NAT, VLAN, DHCP, or VPN commands without a confirmed platform and a rollback procedure.
Require out-of-band or same-room console access before changing management VLANs, trunk ports, firewall default policies, or DHCP/DNS settings.
Keep a working path back to the internet before pointing the whole network at a new DNS resolver or VPN route.
Treat IoT, guest, camera, and lab-server networks as different trust zones until the operator explicitly chooses otherwise.

初始回复仅包含清单、风险、分阶段计划、验证及回滚内容，不提供可直接执行的配置。
不要将网关管理面板、DNS解析器、SSH、NAS控制台或VPN管理UI直接暴露至公网。
在未确认平台及回滚流程前，不要提供防火墙、NAT、VLAN、DHCP或VPN命令。
在更改管理VLAN、中继端口、防火墙默认策略或DHCP/DNS设置前，确保具备带外或本地控制台访问权限。
在将整个网络指向新的DNS解析器或VPN路由前，保留一条可用的互联网访问路径。
除非运维人员明确指定，否则将IoT、访客、摄像头及实验室服务器网络视为不同的信任区域。

Required Inventory

必备清单

Collect this before giving implementation steps:

Area	Questions
Internet edge	What is the modem or ONT? Is the ISP router bridged or still routing?
Gateway	What routes, firewalls, handles DHCP, and terminates VPNs?
Switching	Which switch ports are uplinks, access ports, trunks, or unmanaged?
Wi-Fi	Which SSIDs map to which networks, and are APs wired or mesh?
Addressing	What subnets exist today, and which ranges conflict with VPN sites?
DNS/DHCP	Which service currently hands out leases and resolver addresses?
Management	How will the operator reach the gateway, switch, and AP after changes?
Recovery	What can be reverted locally if DNS, DHCP, VLANs, or VPN routes break?

在提供实施步骤前，先收集以下信息：

区域	问题
互联网边缘	使用的调制解调器或ONT是什么？ISP路由器处于桥接模式还是仍在路由？
网关	由哪个设备负责路由、防火墙、DHCP及VPN终结？
交换设备	哪些交换机端口是上行端口、接入端口、中继端口或非管理型端口？
Wi-Fi	哪些SSID对应哪些网络？AP是有线连接还是Mesh组网？
地址规划	当前存在哪些子网？哪些网段与VPN站点存在冲突？
DNS/DHCP	当前由哪个服务分配IP租约及解析器地址？
管理访问	变更后运维人员将如何访问网关、交换机及AP？
恢复措施	若DNS、DHCP、VLAN或VPN路由出现故障，本地可回滚哪些配置？

VLAN And Trust-Zone Plan

VLAN与信任区域规划

Start with intent rather than vendor syntax.

Zone	Typical contents	Default policy
Trusted	Laptops, phones, admin workstations	Can reach shared services and management only when needed
Servers	NAS, Home Assistant, lab hosts, DNS resolver	Accepts narrow inbound flows from trusted clients
IoT	TVs, smart plugs, cameras, speakers	Internet access plus explicit exceptions only
Guest	Visitor devices	Internet-only, no LAN reachability
Management	Gateway, switches, APs, controllers	Reachable only from trusted admin devices
VPN	Remote clients	Same or narrower access than trusted clients

Before recommending VLAN IDs or subnets, confirm:

The gateway supports inter-VLAN routing and firewall rules.
The switch supports the required tagged and untagged port behavior.
The APs can map SSIDs to VLANs.
The operator knows which port they are connected through during the change.
The management network remains reachable after trunk and SSID changes.

先明确规划意图，再考虑厂商语法。

区域	典型包含设备	默认策略
可信区域	笔记本电脑、手机、管理工作站	仅在必要时可访问共享服务及管理设备
服务器区域	NAS、Home Assistant、实验室主机、DNS解析器	仅接受来自可信客户端的有限入站流量
IoT区域	电视、智能插座、摄像头、音箱	仅允许互联网访问及明确的例外规则
访客区域	访客设备	仅可访问互联网，无法访问局域网
管理区域	网关、交换机、AP、控制器	仅可由可信管理设备访问
VPN区域	远程客户端	访问权限与可信区域相同或更严格

在推荐VLAN ID或子网前，需确认：

网关支持VLAN间路由及防火墙规则。
交换机支持所需的带标签及不带标签端口行为。
AP支持将SSID映射至VLAN。
运维人员知晓变更时自身设备所连接的端口。
中继端口及SSID变更后，管理网络仍可访问。

DNS Filtering Readiness

DNS过滤就绪检查

Pi-hole or another local resolver should be introduced as a dependency, not as a single point of failure.

Give the resolver a reserved address before using it in DHCP options.
Confirm it can resolve public DNS and local
```
home.arpa
```
names.
Keep the gateway or a second resolver available as a temporary fallback.
Test one client or one VLAN before changing every DHCP scope.
Document which networks may bypass filtering and why.
Check that blocking rules do not break captive portals, work VPNs, firmware updates, or medical/security devices.

Useful validation evidence:

text

Client gets expected DHCP lease
Client receives expected DNS resolver
Public DNS lookup succeeds
Local home.arpa lookup succeeds
Blocked test domain is blocked only where intended
Gateway and DNS admin interfaces are not reachable from guest or IoT networks

Pi-hole或其他本地解析器应作为依赖组件引入，而非单点故障源。

在将解析器配置到DHCP选项前，为其分配保留地址。
确认其可解析公网DNS及本地
```
home.arpa
```
域名。
保留网关或第二个解析器作为临时备用方案。
在修改所有DHCP作用域前，先在单个客户端或VLAN进行测试。
记录哪些网络可绕过过滤及原因。
检查拦截规则是否会破坏 captive portal、办公VPN、固件更新或医疗/安全设备的正常运行。

有效的验证依据：

text

Client gets expected DHCP lease
Client receives expected DNS resolver
Public DNS lookup succeeds
Local home.arpa lookup succeeds
Blocked test domain is blocked only where intended
Gateway and DNS admin interfaces are not reachable from guest or IoT networks

Remote Access Readiness

远程访问就绪检查

For WireGuard-style access, decide what the VPN is allowed to reach before generating keys or opening ports.

Mode	Use when	Risk notes
Split tunnel to one subnet	Remote admin for NAS or lab hosts	Keep route list narrow
Split tunnel to trusted services	Access selected apps by IP or DNS	Requires precise firewall rules
Full tunnel	Untrusted networks or travel	More bandwidth and DNS responsibility
Overlay VPN	Simpler remote access with identity controls	Still needs ACL review

Do not recommend port forwarding until the operator confirms:

The VPN endpoint is patched and actively maintained.
The forwarded port goes only to the VPN service, not an admin UI.
Dynamic DNS, public IP behavior, and ISP CGNAT status are understood.
Peer keys can be revoked without rebuilding the whole network.
Logs or connection status can verify who connected and when.

对于WireGuard式访问，在生成密钥或开放端口前，需明确VPN允许访问的资源。

模式	使用场景	风险提示
单子网拆分隧道	用于NAS或实验室主机的远程管理	保持路由列表范围狭窄
可信服务拆分隧道	通过IP或DNS访问指定应用	需要精确的防火墙规则
全隧道	在不可信网络或外出旅行时使用	占用更多带宽，需承担DNS管理责任
Overlay VPN	带有身份控制的简化远程访问	仍需审核ACL规则

在运维人员确认以下事项前，不要推荐端口转发：

VPN端点已打补丁且处于持续维护状态。
转发端口仅指向VPN服务，而非管理UI。
已了解动态DNS、公网IP特性及ISP的CGNAT状态。
无需重建整个网络即可吊销对等方密钥。
可通过日志或连接状态验证谁在何时连接。

Change Sequence

变更顺序

Prefer small, reversible changes:

Snapshot the current topology, IP plan, DHCP settings, DNS settings, and firewall rules.
Reserve infrastructure addresses for gateway, DNS, controller, APs, NAS, and VPN endpoint.
Create the new zone or VLAN without moving critical devices.
Move one test client and validate DHCP, DNS, routing, internet, and block behavior.
Add narrow firewall exceptions for required flows.
Move one low-risk device group.
Add VPN access with the narrowest route and firewall policy that satisfies the use case.
Document final state, known exceptions, and rollback commands or UI steps.

优先选择小型、可回滚的变更：

快照当前拓扑结构、IP规划、DHCP设置、DNS设置及防火墙规则。
为网关、DNS、控制器、AP、NAS及VPN端点预留基础设施地址。
创建新区域或VLAN，暂不迁移关键设备。
迁移一个测试客户端，验证DHCP、DNS、路由、互联网访问及拦截行为。
为必要流量添加有限的防火墙例外规则。
迁移一个低风险设备组。
添加VPN访问，使用满足场景需求的最窄路由及防火墙策略。
记录最终状态、已知例外情况及回滚命令或UI操作步骤。

Review Checklist

审核清单

Each network has a reason to exist and a clear trust boundary.
No management interface is reachable from guest, IoT, or the public internet.
DNS failure does not take down the operator's ability to recover locally.
DHCP scope changes were tested on one client before broad rollout.
VPN clients receive only the routes and DNS settings they need.
Firewall rules are default-deny between zones, with named exceptions.
The operator can still reach gateway, switch, AP, DNS, and VPN admin surfaces.
Rollback is documented in the same vocabulary as the chosen platform UI or CLI.

每个网络都有存在的理由及明确的信任边界。
访客、IoT或公网无法访问任何管理接口。
DNS故障不会导致运维人员无法进行本地恢复。
DHCP作用域变更在全面推广前已在单个客户端测试。
VPN客户端仅获得所需的路由及DNS设置。
区域间防火墙规则默认拒绝，仅保留命名的例外规则。
运维人员仍可访问网关、交换机、AP、DNS及VPN管理界面。
回滚文档使用与所选平台UI或CLI一致的术语。

Anti-Patterns

反模式

Segmenting networks before knowing which switch ports and SSIDs carry which VLANs.
Moving the admin workstation off the only reachable management network.
Pointing all DHCP scopes at a Pi-hole before testing fallback DNS.
Publishing NAS, DNS, router, or hypervisor management directly to the internet.
Treating VPN access as equivalent to full trusted-LAN access.
Adding allow-all firewall rules temporarily and forgetting to remove them.
Copying commands from another vendor or firmware version without checking the exact platform syntax.

在未明确哪些交换机端口及SSID承载哪些VLAN前就进行网络分段。
将管理工作站移出唯一可访问的管理网络。
在测试备用DNS前就将所有DHCP作用域指向Pi-hole。
将NAS、DNS、路由器或虚拟机管理程序直接暴露至公网。
将VPN访问等同于完全可信局域网访问。
临时添加全允许防火墙规则后忘记删除。
未检查平台语法就复制其他厂商或固件版本的命令。