Sample Blueprint






Sample Blueprint — Security Homelab on Proxmox | Lab Blueprint


Sample Blueprint: Security Homelab on Proxmox

This is the public proof-of-work sample for the Builder Blueprint ($149) tier. It shows the shape, depth, and decision-making customers receive before buying a custom Lab Blueprint.

It is a sample, not a plan for your hardware. Your real blueprint is built from your goals, budget, current gear, skill level, noise/power constraints, and risk tolerance.

What this sample proves

  • The plan is specific: hardware, VLANs, guests, storage, backups, security, and build order.
  • The plan is scoped to one clear goal: security skills that become interview stories.
  • The plan is written so the buyer can execute it step by step.
  • The plan includes judgment calls, not just checklists.

Lab Blueprint — Builder Tier ($149)

Customer: “Marcus C.” (anonymized with customer consent — intake Q23)
Delivered: Sample edition, published as public proof of work
Tier: Builder · Revision window: 21 days from delivery
Prepared and approved by: Charles Montago


1. Goals Summary

You’re a tier-1 helpdesk tech, two years in, studying for Security+ with a target of a SOC analyst role within 12–18 months. Your words: “In six months I want to talk about VLANs, log analysis, and detections in an interview because I’ve actually done them — not because I read about them.”

Primary goal (drives every trade-off below): a security-focused learning lab that produces interview-ready experience — segmentation, centralized logging, a SIEM with real detections, and safe attack/defend practice.

Secondary goals: Pi-hole for the household; a lightweight media server; Linux fundamentals along the way. These ride along where free; where they conflict with the security mission, the security mission wins.

Your constraints: $1,500 hard ceiling · lab lives in your apartment office (quiet hum acceptable, no server fans) · partner uses the internet daily and it must not break · skill level: comfortable Linux CLI, beginner networking, never used Proxmox · build-order preference: detailed, explain the why.

Assumptions made: your ISP router can be put in bridge mode; you’re comfortable replacing your household router as part of this build.

2. Hardware Plan

Disclosure: links below are affiliate links. We earn a commission if you buy through them; every pick here would be the pick at zero commission.

What you already own, and its job:

You own Verdict New job
Dell desktop (i5-6500, 16 GB DDR4, 256 GB SATA SSD) Keep — second node Dedicated attack/victim node (isolation by physics, not just VLANs)
Raspberry Pi 4 (4 GB) Keep Off-cluster syslog-of-last-resort + network canary (§8)
2× 4 TB external USB drives Keep one for backups Backup target (§7); USB is fine for backups, not for VM storage

To buy (total: $1,428 — $72 under ceiling):

Item Pick ~Price Why this one
Primary node Minisforum MS-01 barebones (i5-12600H, 2× 2.5GbE + 2× 10GbE SFP+, 2× NVMe usable for our build) $439 The rare mini PC with real NICs and real expansion; silent-adjacent; handles 12+ guests at this spec
RAM 64 GB DDR5 SODIMM kit (2×32) $145 SIEMs eat RAM. 64 GB is the difference between “lab” and “toy”
Storage (VM pool) 2× 1 TB NVMe (TLC w/ DRAM — e.g., WD Black SN770 class or better) $130 ZFS mirror; TLC+DRAM because ZFS on QLC consumer drives ends in tears
Router/firewall Used Protectli-class quad-NIC box or equivalent $189 Runs OPNsense; VLANs are a first-class learning objective, so the firewall is yours, not the ISP’s
Switch 8-port 2.5GbE managed switch (VLAN-capable) $115 Managed = VLANs are real, not simulated
Node 2 upgrade 32 GB DDR4 kit + 1 TB SATA SSD for the Dell $95 Lifts the Dell from desktop to credible victim-network host
UPS 600VA line-interactive w/ USB $85 ZFS + power loss is a bad combination; also a clean-shutdown lesson
Misc Cat6 patch cables, USB NIC for Pi $30
Alternates (Builder tier): Beelink GTi/SER-class + USB 2.5GbE in place of MS-01 (–$150, costs you the SFP+ future); TP-Link Omada switch in place of generic (+$20, better docs)

What we deliberately did not buy: a rack, 10GbE optics, a GPU, a NAS. None serve the primary goal this year; all appear in §10 when they might.

3. Proxmox Layout

Two independent Proxmox VE nodes — not clustered. A 2-node cluster needs a quorum device and adds failure modes you don’t need yet; clustering is a §10 milestone with a third node. Independence also makes the security boundary cleaner: pve-core (MS-01) runs your trusted services and SOC; pve-range (Dell) runs attackers and victims.

  • pve-core (MS-01): Proxmox VE, ZFS mirror on 2× 1 TB NVMe (rpool), all four NICs wired (2.5GbE #1 = trunk to switch; 2.5GbE #2 = dedicated link to pve-range’s range trunk later; SFP+ dark for now)
  • pve-range (Dell): Proxmox VE, single 1 TB SATA SSD ext4/LVM-thin (range guests are disposable; snapshots before every exercise, no mirror needed)
  • Post-install on both: enterprise repo → no-subscription repo, microcode updates, zfs_arc_max capped at 16 GB on pve-core, fail2ban on the web UI, UI reachable only from the Management VLAN (§6)

4. VM / LXC Plan

pve-core (64 GB RAM — allocations below total 44 GB, leaving ARC + headroom):

Guest Type vCPU / RAM / Disk VLAN Purpose
wazuh VM 4 / 12 GB / 150 GB SOC Wazuh all-in-one SIEM — the centerpiece. VM not LXC: it wants its own kernel and clean updates
so-sensor* VM 4 / 8 GB / 100 GB SOC Phase-5 optional: Security Onion eval mode for NSM, fed by switch port mirror. Run it after Wazuh is mastered, not alongside from day one
dc01 VM 2 / 4 GB / 60 GB Lab Windows Server eval — AD, because every SOC job is a Windows-log job
win11-client VM 2 / 4 GB / 60 GB Lab Domain-joined endpoint generating real Windows telemetry (Sysmon → Wazuh)
pihole LXC 1 / 512 MB / 8 GB Services Household DNS + ads. LXC: tiny, stateless-ish, perfect fit
jellyfin LXC 2 / 2 GB / 8 GB + media mount Services Media for the household. Judgment call: Jellyfin over Plex — free, no account dependency, and iGPU transcode via LXC passthrough is straightforward on 12th-gen. Flagged in delivery in case you have Plex-pass history
tailscale LXC 1 / 512 MB / 4 GB Services Subnet router for safe remote access. No exposed ports, ever (§8)
docker-host VM 2 / 6 GB / 60 GB Services One VM for container experiments (Portainer, future apps). VM not LXC: Docker-in-LXC is a recurring papercut
ubuntu-bench LXC 1 / 1 GB / 10 GB Lab Scratch box for Security+ exercises and Linux practice

pve-range (32 GB RAM — air-gapped by design, §6):

Guest Type vCPU / RAM / Disk Segment Purpose
kali VM 2 / 4 GB / 60 GB Red Attack box
metasploitable / dvwa VMs 1 / 1–2 GB each Victim Deliberately vulnerable targets
vuln-win VM 2 / 4 GB / 60 GB Victim Unpatched Windows eval for detection exercises
range-fw VM 1 / 1 GB / 8 GB Edge OPNsense instance — the range’s own firewall; the only path between Red/Victim and the Wazuh collector (one-way log flow, §6)

5. Storage Plan

  • pve-core: rpool = ZFS mirror, 2× 1 TB NVMe → ~960 GB usable. Allocated above: ~460 GB thin-provisioned. Datasets: rpool/data (guests), rpool/media (Jellyfin library, quota 300 GB — media must never starve the SOC), rpool/iso. ARC capped 16 GB.
  • pve-range: LVM-thin on 1 TB SATA. Range guests are cattle: golden snapshots after clean install, rollback after every exercise. This is a feature, not a compromise — reset discipline is range hygiene.
  • Capacity math: Wazuh indices ~2–4 GB/day at your event volume with 90-day retention ≈ 180–360 GB worst case — fits with room; retention policy in §7 keeps it honest.
  • Growth trigger: when rpool passes 70%, add the second pair of NVMe (MS-01 has the slot) or revisit retention — don’t let ZFS pass 80%.

6. Networking Plan

OPNsense box becomes your router (ISP router → bridge mode). Five VLANs on the managed switch:

VLAN Name Subnet Who Firewall posture
10 Management 10.10.10.0/24 Proxmox UIs, OPNsense UI, switch Reachable only from your workstation + Tailscale
20 Services 10.10.20.0/24 Pi-hole, Jellyfin, docker-host, Tailscale Household can reach; cannot reach Mgmt
30 Trusted 10.10.30.0/24 Your devices, partner’s devices Default LAN
40 Lab 10.10.40.0/24 AD lab, win11-client, ubuntu-bench Can reach internet (updates); cannot reach Trusted
50 SOC 10.10.50.0/24 Wazuh (and so-sensor later) Receives logs from 10/20/40 + range collector path; initiates nothing outbound except updates

Range isolation (the part most home “ranges” get wrong): pve-range guests live behind range-fw on physically separate NICs/bridge. Rules: Red/Victim segments have no route to VLANs 10–40 and no internet; exactly one pinhole exists — Wazuh agent/syslog traffic outbound from Victim segment to wazuh:1514/1515, initiated one-way. Kill switch: a single OPNsense rule (documented in the build order) drops the pinhole instantly. You get real telemetry from real attacks with zero exposure of the household.

DNS: Pi-hole for VLANs 20/30; lab/AD VLAN uses dc01 DNS forwarding to Pi-hole. Remote access: Tailscale only — zero inbound ports on the WAN.

7. Backup Plan

3-2-1, scaled honestly to a homelab:

What Method Schedule Where
pve-core guests (except so-sensor) Proxmox Backup Server (PBS) as an LXC on pve-core writing to the 4 TB USB drive — pragmatic single-host compromise, stated plainly Nightly, keep 7 daily / 4 weekly / 3 monthly USB 4 TB
Wazuh config + rules/detections Git repo (your detections are your portfolio — treat them like code) On change Private GitHub
OPNsense + switch configs Config export After every change Same repo
Offsite copy Backblaze B2 via rclone from the PBS datastore (most-critical namespaces only: configs, dc01, wazuh) Weekly B2 (~$1–3/mo)
pve-range Not backed up. Golden snapshots only — rebuilt, never restored

Restore drill (non-negotiable, calendared): first Saturday monthly, restore one random guest from PBS to a temp VMID and boot it. An untested backup is a hypothesis. Your interview line: “I run monthly restore tests” — almost nobody can say it.

8. Security Recommendations

Matched to your exposure (no inbound ports, household stakes) and your goal (this section is curriculum):

  1. No WAN exposure, period. Tailscale for remote access; revisit only in roadmap month 12+ with a reverse-proxy + IdP design.
  2. Proxmox hardening: non-root admin user + 2FA on both nodes’ UIs; UI bound to Mgmt VLAN; fail2ban.
  3. The Pi as tripwire: the Raspberry Pi sits on VLAN 20 running a syslog mirror + simple canary (e.g., an SSH honeypot like endlessh, alerting to your phone via ntfy). If the lab is ever compromised, the off-hypervisor Pi is your witness.
  4. Sysmon everywhere Windows: SwiftOnSecurity baseline config on dc01, win11-client, vuln-win → Wazuh. This single step produces the telemetry that makes your detections real.
  5. Detection cadence (the career engine): one detection per week from attack to alert: run the technique from Kali against the victim segment, find it in Wazuh, write/tune the rule, commit to detections repo with a short writeup. After 6 months you’ll have ~25 documented detections — that repo is a resume attachment.
  6. Patch rhythm: household-facing services (VLAN 20) auto-update where safe; hypervisors monthly by hand (and snapshot first); range stays deliberately unpatched behind its isolation.
  7. Secrets: Vaultwarden is on your §10 roadmap; until then, a local KeePassXC vault for lab credentials — never reuse household passwords in the lab.

9. Build Order

Each phase ends at a working, stoppable state. Detailed as requested — the why is in every step.

Phase 0 — Paper (evening): IP/VLAN plan printed (use §6 table), credentials vault created, this document skimmed end-to-end.
Phase 1 — Network spine (weekend 1): OPNsense box in, ISP router bridged, VLANs 10/20/30 live, household migrated to VLAN 30. Stop-state: family internet works and nothing else exists yet. Do not proceed until this has been stable for 48 h — the spouse-acceptance checkpoint is real.
Phase 2 — pve-core (weekend 2): RAM/NVMe into MS-01, Proxmox installed, ZFS mirror, post-install steps (§3), UI on Mgmt VLAN, UPS connected + NUT clean shutdown tested by pulling the plug on purpose.
Phase 3 — Household services (week 3, evenings): Pi-hole LXC → cut household DNS over; Jellyfin LXC with iGPU transcode; Tailscale subnet router; docker-host VM. Stop-state: the lab now earns its keep domestically — this buys you patience for the security build.
Phase 4 — SOC core (weekend 4): Wazuh VM on VLAN 50; enroll pve-core, OPNsense, Pi-hole, docker-host as agents/syslog sources; first dashboard; PBS LXC + first backup + first restore test.
Phase 5 — Windows lab (week 5–6): dc01 AD forest, win11-client joined, Sysmon both, logs flowing to Wazuh. Your first detection: detect your own failed-logon brute force with a Wazuh rule. Commit it.
Phase 6 — The range (weekend 7): Dell upgraded → pve-range; range-fw OPNsense; Red/Victim segments; golden snapshots; the one-way Wazuh pinhole; kill-switch rule tested before first attack. Then exercise one: Kali → Metasploitable, watch it land in Wazuh.
Phase 7 — Operate (ongoing): weekly detection cadence (§8.5), monthly restore drill (§7), monthly patch pass. This phase is the actual product of the lab — everything above was setup.

10. Expansion Roadmap (12 months)

When Add Why then
Month 3 Security Onion eval (so-sensor) + switch port-mirror After Wazuh fluency, NSM adds the network layer — and “Wazuh + Security Onion” covers both SIEM and NSM interview tracks
Month 4 Vaultwarden LXC + proper PKI (step-ca) on Services VLAN Secrets hygiene + a TLS/cert learning arc
Month 6 Ansible control node (ubuntu-bench graduates): playbooks for LXC baseline, Wazuh agent rollout, patch runs Automation bullets on the resume; config-as-code habit
Month 8 Third node (used 1L PC, ~$150) → now cluster pve-core + new node + qdevice Quorum done right; live migration, HA — the cluster conversation in interviews
Month 10 k3s across two VMs + an LXC worker Kubernetes exposure after fundamentals are solid, not before
Month 12 Revisit: NAS/bulk storage if media grew; reverse proxy + IdP (Authentik) if you want one exposed service as a controlled exercise Both are real architecture decisions worth their own design pass — this is where a Blueprint Refresh would slot in

Want this level of specificity for your own lab?

That is what a paid Lab Blueprint is for: your budget, your hardware, your goals, your constraints, and your build order.

Get your custom Lab Blueprint