HOME NETWORK
> WELCOME TO THE TWILIGHT ZONE
This is my home network. It runs the same way I'd run production infrastructure: segmented, documented, and built so someone else could maintain it from the README alone. Nine VLANs separate the trust zones, and traffic between them is denied unless a firewall rule explicitly allows it. Recursive DNS resolution stays local: queries are resolved from the root rather than forwarded, so no third-party resolver ever sees them. Surveillance footage never touches the internet. Every firewall rule is explicit and documented.
It's themed after Rod Serling's The Twilight Zone — because naming your VLANs should be at least a little fun. But underneath the naming convention is a real defense-in-depth architecture: least privilege access, network segmentation as the primary security control, and documentation treated as infrastructure.
NOTE: All IP addresses, subnet ranges, hostnames, and security-sensitive details have been sanitized. This is an architecture showcase, not a penetration test invitation.
The other three projects show that I can build data pipelines. This one shows that I think in systems even when nobody's paying me to. Same patterns, different domain: layered architecture, explicit access control, version-controlled documentation, and a design philosophy that prioritizes the next person who has to maintain it.
It also includes a real ETL pipeline — network telemetry scraped from the infrastructure controller, loaded into PostgreSQL, with automated alerting. The data engineering doesn't stop at work.
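A miniature of the telemetry pipeline described above, added here as an example and not the page's own code. The controller export shape, the device inventory, the alert rules and the sample records are all constructed for illustration; SQLite stands in for PostgreSQL so the example runs offline, and the SQL stays within what both databases accept.

```python
"""Controller telemetry ETL with an alerting step, in miniature.

Added example, not the page's own pipeline. The controller export shape,
the device inventory, the alert rules and the sample records are all
constructed for illustration; SQLite stands in for PostgreSQL so the
example runs offline, and the SQL stays within what both databases accept.
"""
from __future__ import annotations

import json
import sqlite3
from datetime import datetime, timezone

# Constructed sample export, in an assumed "active clients" shape.
# The camera on VLAN 10 and the nameless third client are the planted
# anomalies the alert rules below should catch.
RAW_CLIENTS = json.dumps([
    {"mac": "AA:BB:CC:00:00:01", "hostname": "living-room-tv",
     "vlan": 20, "ip": "10.0.20.15", "rx_bytes": 120000, "tx_bytes": 35000},
    {"mac": "AA:BB:CC:00:00:02", "hostname": "front-door-cam",
     "vlan": 10, "ip": "10.0.10.77", "rx_bytes": 500, "tx_bytes": 9000000},
    {"mac": "AA:BB:CC:00:00:03", "hostname": "",
     "vlan": 10, "ip": "10.0.10.90", "rx_bytes": 10, "tx_bytes": 10},
])

# Constructed inventory: the VLAN each known device is assigned to.
INVENTORY = {
    "aa:bb:cc:00:00:01": ("living-room-tv", 20),
    "aa:bb:cc:00:00:02": ("front-door-cam", 30),
}

SCHEMA = """
CREATE TABLE IF NOT EXISTS client_samples (
    seen_at  TEXT    NOT NULL,
    mac      TEXT    NOT NULL,
    hostname TEXT,
    vlan     INTEGER NOT NULL,
    ip       TEXT,
    rx_bytes INTEGER NOT NULL,
    tx_bytes INTEGER NOT NULL
);
CREATE TABLE IF NOT EXISTS inventory (
    mac           TEXT PRIMARY KEY,
    hostname      TEXT    NOT NULL,
    expected_vlan INTEGER NOT NULL
);
"""


def extract(raw: str) -> list[dict]:
    """Parse the controller payload; records without a MAC are unusable."""
    return [c for c in json.loads(raw) if c.get("mac")]


def transform(clients: list[dict], seen_at: str) -> list[tuple]:
    """Normalise rows: lower-case MACs, empty hostnames to NULL, ints for counters."""
    return [
        (seen_at, c["mac"].lower(), c.get("hostname") or None, int(c["vlan"]),
         c.get("ip"), int(c.get("rx_bytes", 0)), int(c.get("tx_bytes", 0)))
        for c in clients
    ]


def load(conn: sqlite3.Connection, rows: list[tuple], inventory: dict) -> None:
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO client_samples VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    # Upsert syntax accepted by both PostgreSQL and SQLite (3.24+).
    conn.executemany(
        "INSERT INTO inventory VALUES (?, ?, ?) ON CONFLICT(mac) DO UPDATE SET "
        "hostname = excluded.hostname, expected_vlan = excluded.expected_vlan",
        [(mac, name, vlan) for mac, (name, vlan) in inventory.items()],
    )
    conn.commit()


def alerts(conn: sqlite3.Connection, seen_at: str) -> list[str]:
    """Constructed alert rules over one sample, expressed as SQL on the loaded rows."""
    found = []
    # A known device on a VLAN other than its assigned one (for example a
    # camera that joined the trusted SSID and thereby gained internet access).
    for mac, name, vlan, expected in conn.execute(
        "SELECT s.mac, i.hostname, s.vlan, i.expected_vlan "
        "FROM client_samples s JOIN inventory i ON i.mac = s.mac "
        "WHERE s.seen_at = ? AND s.vlan <> i.expected_vlan", (seen_at,)):
        found.append(f"VLAN_MISMATCH {name} ({mac}) seen on VLAN {vlan}, expected {expected}")
    # A device that is not in the inventory at all.
    for mac, vlan, ip in conn.execute(
        "SELECT s.mac, s.vlan, s.ip FROM client_samples s "
        "LEFT JOIN inventory i ON i.mac = s.mac "
        "WHERE s.seen_at = ? AND i.mac IS NULL", (seen_at,)):
        found.append(f"UNKNOWN_DEVICE {mac} on VLAN {vlan} ({ip})")
    return found


def run_pipeline(raw: str = RAW_CLIENTS, inventory: dict = INVENTORY,
                 seen_at: str | None = None) -> list[str]:
    """Extract, transform and load one sample, then return the alerts it raises."""
    seen_at = seen_at or datetime.now(timezone.utc).isoformat(timespec="seconds")
    conn = sqlite3.connect(":memory:")
    load(conn, transform(extract(raw), seen_at), inventory)
    return alerts(conn, seen_at)


if __name__ == "__main__":
    for line in run_pipeline():
        print(line)
```

Running the block prints two alerts for the constructed sample: the camera seen on the wrong VLAN and the unknown third client. Keeping the alert rules as SQL over the loaded table, rather than as Python over the raw payload, means the same rules can be re-run over history once the table holds more than one sample.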
NETWORK LAYER
Enterprise gateway / firewall / controller
Managed PoE switch — VLAN trunking
Enterprise wireless APs — SSID-to-VLAN mapping
WireGuard VPN — remote access with VLAN routing
COMPUTE & SERVICES
Raspberry Pi 5 — always-on infrastructure node
Pi-hole + Unbound — sovereign recursive DNS
PostgreSQL — network telemetry storage
Python ETL — automated data collection and alerting
VIRTUALIZATION
Proxmox — on-demand compute server
Wake-on-LAN — power management automation
Media services — self-hosted, local-first
DOCUMENTATION
Version-controlled README with changelog
4-section doc structure (Config, Reference, Ops, Scripts)
Naming conventions, password standards, port reference
Runbooks for every common operation
"Everything denied by default. Anything allowed is explicit, documented, and intentional."
DEFENSE IN DEPTH
Multiple overlapping controls. No single control failure exposes the network.
LEAST PRIVILEGE
Minimum required access. Trust is verified, never assumed.
SEGMENTATION FIRST
VLANs separate traffic at L2; firewall rules between them enforce the boundary at L3. Application-layer controls supplement that boundary, never replace it.
LOCAL-FIRST
Critical services keep working with the WAN down. Cloud dependencies are explicitly documented.
DOCS AS INFRASTRUCTURE
Every config decision documented. Changes tracked and reversible.
FAMILY-SAFE
Content filtering at the DNS layer, so non-technical users get a safe network with no client-side setup. It holds only as long as clients cannot reach an outside resolver.
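The deny-by-default, segmentation-first and docs-as-infrastructure principles above, turned into runnable form as an added example rather than the page's own firewall export: a first-match, deny-by-default inter-VLAN policy whose every rule must carry a reason, evaluated against sample flows. The zone names, placeholder RFC 1918 subnets, resolver address and rules are all constructed assumptions, not the real network.

```python
"""Deny-by-default inter-VLAN policy, modelled in Python.

Added example, not the page's own firewall configuration. It encodes the
design rule "everything denied by default; anything allowed is explicit,
documented, and intentional" and evaluates sample flows against it.
Zone names, subnets, the resolver address and every rule are constructed
placeholders for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed placeholder zones (RFC 1918), one per VLAN, plus the local
# resolver as a /32 so it can be allowed without opening the whole
# services VLAN.
ZONES: dict[str, IPv4Network] = {
    "trusted":  ip_network("10.0.10.0/24"),
    "iot":      ip_network("10.0.20.0/24"),
    "cameras":  ip_network("10.0.30.0/24"),
    "services": ip_network("10.0.40.0/24"),
    "resolver": ip_network("10.0.40.53/32"),  # assumed Pi-hole + Unbound host
}


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    src: str           # zone name, "any", or "internet"
    dst: str
    proto: str         # "tcp", "udp" or "any"
    dport: int | None  # None matches every port
    reason: str        # why the rule exists; enforced by lint_policy()


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int


# First match wins; anything that reaches the end is denied.
RULES: list[Rule] = [
    Rule("allow", "any", "resolver", "any", 53, "every zone resolves through the local Pi-hole"),
    Rule("deny", "any", "any", "any", 53, "no client may bypass the local resolver"),
    Rule("allow", "trusted", "services", "tcp", None, "admins manage services from trusted devices"),
    Rule("allow", "trusted", "cameras", "tcp", 554, "view RTSP streams from trusted devices"),
    Rule("allow", "trusted", "internet", "any", None, "trusted zone egress"),
    Rule("allow", "iot", "internet", "any", None, "IoT devices reach their vendor clouds only"),
    # cameras and services have no allow rule toward the internet or other
    # zones, so their traffic falls through to the implicit deny.
]


def in_zone(ip: IPv4Address, zone: str) -> bool:
    """Zone membership; 'internet' means any globally routable address."""
    if zone == "any":
        return True
    if zone == "internet":
        return ip.is_global
    return ip in ZONES[zone]


def matches(rule: Rule, flow: Flow) -> bool:
    return (in_zone(flow.src, rule.src) and in_zone(flow.dst, rule.dst)
            and rule.proto in ("any", flow.proto)
            and rule.dport in (None, flow.dport))


def evaluate(flow: Flow, rules: list[Rule] = RULES) -> tuple[str, str]:
    """Return (action, reason) for a flow; implicit deny when nothing matches."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.reason
    return "deny", "implicit default deny"


def lint_policy(rules: list[Rule] = RULES) -> list[str]:
    """Docs-as-infrastructure check: every rule carries a reason and names known zones."""
    problems = []
    for i, rule in enumerate(rules):
        if not rule.reason.strip():
            problems.append(f"rule {i}: missing reason")
        for zone in (rule.src, rule.dst):
            if zone not in ZONES and zone not in ("any", "internet"):
                problems.append(f"rule {i}: unknown zone {zone!r}")
    return problems


def flow(src: str, dst: str, proto: str, dport: int) -> Flow:
    return Flow(ip_address(src), ip_address(dst), proto, dport)


if __name__ == "__main__":
    assert lint_policy() == []
    samples = [
        flow("10.0.20.15", "10.0.40.53", "udp", 53),  # IoT -> local resolver
        flow("10.0.20.15", "1.1.1.1", "udp", 53),     # IoT -> outside resolver
        flow("10.0.20.15", "10.0.10.5", "tcp", 22),   # IoT -> trusted (lateral)
        flow("10.0.30.7", "8.8.8.8", "tcp", 443),     # camera -> internet
        flow("10.0.10.5", "10.0.30.7", "tcp", 554),   # trusted -> camera RTSP
    ]
    for f in samples:
        action, why = evaluate(f)
        print(f"{f.src} -> {f.dst} {f.proto}/{f.dport}: {action} ({why})")
```

Running the block prints a verdict and the reason behind it for each sample flow; the lint mirrors the documentation rule, so a rule without a reason, or one naming a zone that does not exist, fails the check before it could be deployed. The second rule is what makes the DNS-layer filtering hold: with outbound port 53 to anything but the local resolver denied, a client cannot simply point itself at another resolver.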