GPON/FTTH With MikroTik — Ditching the ISP Router for Direct Fiber

If you have fiber-to-the-home (FTTH), your ISP almost certainly gave you a combo ONT/router. It’s a locked-down all-in-one box that does GPON optical termination, routing, Wi-Fi, and often double NAT. For a homelab with VLAN segmentation and a proper router like MikroTik, that box is a bottleneck — and you can bypass it entirely. This post covers replacing the ISP ONT/router with a MikroTik router using an SFP GPON stick, covering the hardware, VLAN configurations, PPPoE quirks, and the gotchas that aren’t in the marketing material. This is specifically from my experience with Dominican Republic FTTH providers, but the patterns apply to most GPON deployments globally. ...

May 8, 2026 · 9 min · 1741 words · GnTech

Cloudflare Tunnel Inside MikroTik — No Dedicated Proxy VM Needed

Cloudflare Tunnel gives you a secure outbound-only connection from your homelab to Cloudflare’s edge, proxying public traffic without opening any firewall ports. No pinholes, no DMZ, no exposing your home IP. The usual deployment is a Docker container or a systemd service on a Linux box. But if you have a MikroTik router running RouterOS 7.6+ with container support, you can run cloudflared directly on the router — zero extra hardware, zero extra VMs. ...

May 8, 2026 · 9 min · 1707 words · GnTech

MikroTik WireGuard — Site-to-Site and Road Warrior VPN Setup

WireGuard on MikroTik RouterOS is production-ready as of RouterOS 7.x, and it’s dramatically simpler than IPsec or OpenVPN for homelab use. No certificate authorities, no confusing phase 1/phase 2 settings, no userspace daemon eating CPU — just a kernel module, a private key, and a peer config. This post covers two WireGuard topologies running on the same MikroTik router (R1 from the previous deployment post):

- Road Warrior — remote devices (phone, laptop) connect to the homelab
- Site-to-Site — two MikroTik routers connected across the internet

Both share the same base config and coexist on the same router. ...

May 8, 2026 · 14 min · 2913 words · GnTech

Proxmox Networking — Bridges, VLANs, and a Clean Host Topology

Proxmox VE’s networking layer is simple on the surface — bridges, bonds, VLANs — but there’s a gap between “it works” and “it’s maintainable.” A poorly planned bridge topology leads to broadcast storms, accidental cross-VLAN routing, or containers that can’t reach the internet because the bridge isn’t connected to anything. This post breaks down the networking setup on my Proxmox host (SRV1), which connects to a MikroTik router (R1) with VLAN filtering and a trunk port. By the end, you’ll know exactly how bridges map to the physical wire, how VLAN-aware bridges differ from the old approach, and how to assign VLANs to both VMs and LXC containers cleanly. ...

May 8, 2026 · 8 min · 1664 words · GnTech

Building R1 — A MikroTik Router for VLAN-Segmented Homelab

Every homelab needs a solid network foundation. This guide walks through the full configuration of R1 — a MikroTik edge router with segmented VLANs, inter-VLAN firewalling, WireGuard VPN, and a Cloudflare Tunnel running directly on the router. The config below is based on RouterOS 7.22.1. Commands are split by section so you can follow along step-by-step. Replace anything in <> with your own values.

Hardware

- Model: MikroTik E62iUGS-2axD5axT
- OS: RouterOS 7.22.1
- WAN: GPON FTTH (PPPoE on VLAN 100)

Port Layout

| Port   | Role  | Access VLAN | Notes                                   |
|--------|-------|-------------|-----------------------------------------|
| SFP1   | WAN   | —           | GPON ONT, native vlan 1 for ONT access  |
| Ether1 | CCTV  | 50          | Untagged, camera network                |
| Ether2 | MGMT  | 99          | Untagged, management                    |
| Ether3 | MGMT  | 99          | Untagged, secondary management          |
| Ether4 | HOME  | 10          | Untagged, main home LAN                 |
| Ether5 | Trunk | Tagged      | Inter-switch link carrying all VLANs    |

Step 1 — Bridge Setup

Create the main bridge with VLAN filtering enabled, and a separate bridge for container veth interfaces: ...

May 7, 2026 · 11 min · 2282 words · GnTech

Deploying Frigate NVR on Proxmox — Tapo C100, OpenVINO, and Telegram Alerts

Frigate is an open-source NVR built for real-time object detection with local processing. No cloud subscriptions, no vendor lock-in — just cameras, a GPU, and decent detection models. This is how I set it up on my Proxmox host, with a Tapo C100 camera, Intel GPU inference via OpenVINO, MQTT eventing, and Telegram notifications.

Architecture

┌──────────────┐    RTSP (stream1/stream2)    ┌──────────────┐
│  Tapo C100   │ ───────────────────────────▶ │   Frigate    │
│ 10.0.50.101  │                              │  10.0.20.15  │
└──────────────┘                              │              │
 CCTV VLAN (50)                               │ Web UI:5000  │
                                              │ RTSP  :8554  │
┌──────────┐                                  │ WebRTC:8555  │
│ Telegram │ ◀──── MQTT events ────────       │ go2rtc:1984  │
│ alerts   │     (frigate-notifier)           │ API   :8971  │
└──────────┘                                  └──────┬───────┘
                                                     │
                                              ┌──────▼───────┐
                                              │  Mosquitto   │
                                              │  MQTT:1883   │
                                              └──────────────┘

The camera lives on VLAN 50 (CCTV). Frigate runs on a Debian LXC on VLAN 20 (LAB). The router’s firewall allows Frigate’s host (10.0.20.15) to reach the camera subnet — nothing else touches CCTV. ...

May 7, 2026 · 5 min · 1044 words · GnTech

Hello, World

Welcome to the blog. This is where I’ll be writing about homelab stuff — Proxmox, MikroTik, Docker, networking, automation, and whatever else I’m tinkering with. Stay tuned.

May 6, 2026 · 1 min · 27 words · GnTech