
Home Networking Madness


I'd like to set up some sort of network segmentation on my home network. The following is just a rough brainstorm before I do any in-depth research, but I'd like to publish it here in case anyone with experience can offer suggestions, and it also helps me sort out my thoughts.


Reasons for wanting network segmentation

I can eliminate the need for a VPS. My current setup involves pointing my domain name to the VPS using Linode's nameservers in my domain registrar. The VPS then uses firewalld to forward all traffic to relevant ports to my homelab (which is currently behind a NAT) through a Tailscale network. Having my domain pointing directly to my homelab machine would reduce any overhead such a setup creates, and it would simplify things like HTTP redirection for reverse-proxied services.


Eliminating the need for a VPS would also save me $5 a month. $5 a month isn't really a big deal, but the less I have to spend, the better.


The reason I have this setup to begin with is so that I don't have to use port forwarding on my home router and open up my network to malicious traffic and cyberattacks. With network segmentation, I can keep the public-facing homelab servers isolated from my personal devices, which would keep potential cyberattacks confined to the public-facing server and away from my private data.


Technical constraints

I have a 5 Gbps fiber Internet connection from my ISP. Whatever OS or networking software I use to set up network segmentation must run on my main homelab machine, because none of my other devices (save for my desktop PC) are 5GbE-capable. If I can do this with just firewalld alone, that would be perfect, but I feel like I might need more specialized networking software/tools. I'll configure IP passthrough on my ISP router to make the homelab machine receive the public IP address.


Would OpenVSwitch be useful for a situation like this? Does it allow the creation of VLANs? I've never used it before so I'm completely clueless about it.
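As an added example, not from the original post: one way to get the isolation described above (public-facing servers on their own segment, unable to reach personal devices, all on the one host that holds the public IP) using the kernel's built-in 802.1Q VLAN support via iproute2 plus an nftables ruleset, without Open vSwitch. firewalld drives nftables underneath, so this is also what a firewalld "dmz" zone with a deny policy toward the LAN zone amounts to. The interface names, VLAN id, subnets and the DMZ web host address 10.10.10.10 are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the post's own setup): isolate a public-facing "DMZ"
# VLAN from the private LAN on a single Linux host that receives the
# public IP via ISP-router passthrough. Uses iproute2 + nftables.
set -eu

WAN_IF="${WAN_IF:-eth0}"          # assumption: NIC that gets the public IP
LAN_IF="${LAN_IF:-eth1}"          # assumption: NIC facing personal devices
DMZ_VLAN_ID="${DMZ_VLAN_ID:-10}"  # assumption: 802.1Q tag for public servers
DMZ_IF="${LAN_IF}.${DMZ_VLAN_ID}" # tagged sub-interface, e.g. eth1.10
DMZ_GW="10.10.10.1/24"            # assumption: host's address on the DMZ
DMZ_WEB="10.10.10.10"             # assumption: reverse proxy in the DMZ
PUBLIC_PORTS="80, 443"            # the only services published to the Internet

# Print an nftables ruleset; inet family covers IPv4 and IPv6 in one table.
build_dmz_ruleset() {
  cat <<EOF
flush ruleset
table inet segmentation {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    # manage the host itself only from the private LAN
    iifname "${LAN_IF}" tcp dport 22 accept
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # Internet -> DMZ: only the published ports (seen after DNAT)
    iifname "${WAN_IF}" oifname "${DMZ_IF}" tcp dport { ${PUBLIC_PORTS} } accept
    # DMZ -> private LAN: never; a compromised server stays in its segment
    iifname "${DMZ_IF}" oifname "${LAN_IF}" drop
    # DMZ -> Internet (updates, ACME) and LAN -> anywhere are allowed
    iifname "${DMZ_IF}" oifname "${WAN_IF}" accept
    iifname "${LAN_IF}" accept
  }
  chain prerouting {
    type nat hook prerouting priority -100;
    # publish the DMZ web host on the public IP
    iifname "${WAN_IF}" tcp dport { ${PUBLIC_PORTS} } dnat ip to ${DMZ_WEB}
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    oifname "${WAN_IF}" masquerade
  }
}
EOF
}

# Create the tagged interface and load the ruleset. Needs root; not run by default.
apply_segmentation() {
  ip link add link "${LAN_IF}" name "${DMZ_IF}" type vlan id "${DMZ_VLAN_ID}"
  ip addr add "${DMZ_GW}" dev "${DMZ_IF}"
  ip link set "${DMZ_IF}" up
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  build_dmz_ruleset | nft -f -
}

# Root-free sanity check: the DMZ -> LAN drop rule must be in the ruleset.
ruleset_blocks_dmz_to_lan() {
  build_dmz_ruleset | grep -q "iifname \"${DMZ_IF}\" oifname \"${LAN_IF}\" drop"
}

if [ "${1:-}" = "apply" ]; then
  apply_segmentation
else
  build_dmz_ruleset
fi
```

Run without arguments to print the ruleset (pipe it into nft -c -f - to syntax-check it), and with "apply" as root to create eth1.10 and load it. Personal devices stay on the untagged LAN; with the forward chain's policy drop, the public servers can answer connections that the LAN opens to them but can never initiate one toward the LAN.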


If I have to run something like OpenWrt or OPNsense in a virtual machine on the main homelab machine, that would be fine, but I have to find out if the virtual network interfaces of the hypervisor (libvirt/QEMU) inherit the link speed of the host interface. If they don't, then I might need to buy another (relatively inexpensive) machine that is 5GbE-capable, which I'd prefer not to do.


I'd obviously need a good free and open source SIEM solution.


I might also need DDoS protection, which I might have to pay for, but I'd like to avoid using Cloudflare. Another alternative would just be to let Linode manage my domain and DNS entries and have the records point to my homelab's public IP address. Though I don't know if I'd still get DDoS protection from Linode if I don't have a Linode VPS, which is another thing I'd have to look into (but I'm leaning toward probably not).


I would have been able to use another machine for firewall/routing purposes, because I bought a dual 10GbE to Thunderbolt 3 adapter, which is about the size of a standard masonry brick. It turns out the USB-C connector on the machine I intended to plug the adapter into is not in fact a Thunderbolt 3-capable port, even though the port is a USB-C connector. I thought they were the same thing, but apparently not (the more I know). So I ended up returning the Thunderbolt brick and getting my money back. Honestly good riddance, because the brick was pricey and would have consumed extra power (it had a power cord and fan built in, but I suppose the extra power is needed for the Thunderbolt conversion). I might as well just get a machine with dual 10GbE or 5GbE ports for about the same price.


On the other hand, for the 5 Gbps fiber connection, I'm currently locked into a 12-month contract with Earthlink. Next November I think I'll just downgrade to 2.5 Gbps. I'm not sure there is any noticeable practical benefit to 5 Gbps over 2.5 Gbps for my Internet usage. Most things on the Internet are <= 2.5 Gbps anyway and it's not like 2.5 Gbps isn't ultra-fast enough.


Of course, I could have, and should have, done more research before agreeing to the 5 Gbps 12-month contract. Live and learn, I guess.


I can technically downgrade before the 12-month contract is up, but I'd have to pay a fee. If downgrading to 2.5 Gbps saves me money every month, and if the total amount I save by November is more than the fee they'd charge me for breaking the contract, then it would be worth it.

-- Page fetched on Tue May 21 09:47:39 2024