Docker Bypasses UFW — How to Fix Firewall Rules Properly

You set up UFW. You configured default deny incoming, opened only ports 22 and 443. You checked ufw status verbose — everything looks right. Then you spin up a Postgres container publishing port 5432, and suddenly port 5432 is open to the whole internet. Your UFW rules didn’t stop it. This isn’t a bug. Docker modifies iptables directly in ways that bypass user-level firewall tools like UFW. Every docker run -p creates a raw iptables DNAT rule that sits above UFW’s INPUT chain. The result: containers are exposed regardless of your UFW policy. ...

May 10, 2026 · 6 min · 1217 words · GnTech

Traefik as a Reverse Proxy for Docker — Automatic TLS, Routing, and Middleware

If your Docker homelab has more than three web services, you need a reverse proxy. Without one, every container exposes its own port, you manage certificates by hand (or skip HTTPS entirely), and changing a service’s URL means editing Nginx configs and reloading. Traefik solves all of this. It watches the Docker socket, discovers new containers automatically, provisions Let’s Encrypt certificates for any hostname you define via Docker labels, and handles middleware (auth, rate limiting, headers) without touching a static config file. ...

May 9, 2026 · 10 min · 2076 words · GnTech

GPON/FTTH With MikroTik — Ditching the ISP Router for Direct Fiber

If you have fiber-to-the-home (FTTH), your ISP almost certainly gave you a combo ONT/router. It’s a locked-down all-in-one box that does GPON optical termination, routing, Wi-Fi, and often double NAT. For a homelab with VLAN segmentation and a proper router like MikroTik, that box is a bottleneck — and you can bypass it entirely. This post covers replacing the ISP ONT/router with a MikroTik router using an SFP GPON stick, covering the hardware, VLAN configurations, PPPoE quirks, and the gotchas that aren’t in the marketing material. This is specifically from my experience with Dominican Republic FTTH providers, but the patterns apply to most GPON deployments globally. ...

May 8, 2026 · 9 min · 1741 words · GnTech

Cloudflare Tunnel Inside MikroTik — No Dedicated Proxy VM Needed

Cloudflare Tunnel gives you a secure outbound-only connection from your homelab to Cloudflare’s edge, proxying public traffic without opening any firewall ports. No pinholes, no DMZ, no exposing your home IP. The usual deployment is a Docker container or a systemd service on a Linux box. But if you have a MikroTik router running RouterOS 7.6+ with container support, you can run cloudflared directly on the router — zero extra hardware, zero extra VMs. ...

May 8, 2026 · 9 min · 1707 words · GnTech

MikroTik WireGuard — Site-to-Site and Road Warrior VPN Setup

WireGuard on MikroTik RouterOS is production-ready as of RouterOS 7.x, and it’s dramatically simpler than IPsec or OpenVPN for homelab use. No certificate authorities, no confusing phase 1/phase 2 settings, no userspace daemon eating CPU — just a kernel module, a private key, and a peer config. This post covers two WireGuard topologies running on the same MikroTik router (R1 from the previous deployment post):

- Road Warrior — remote devices (phone, laptop) connect to the homelab
- Site-to-Site — two MikroTik routers connected across the internet

Both share the same base config and coexist on the same router. ...

May 8, 2026 · 14 min · 2913 words · GnTech

Proxmox Networking — Bridges, VLANs, and a Clean Host Topology

Proxmox VE’s networking layer is simple on the surface — bridges, bonds, VLANs — but there’s a gap between “it works” and “it’s maintainable.” A poorly planned bridge topology leads to broadcast storms, accidental cross-VLAN routing, or containers that can’t reach the internet because the bridge isn’t connected to anything. This post breaks down the networking setup on my Proxmox host (SRV1), which connects to a MikroTik router (R1) with VLAN filtering and a trunk port. By the end, you’ll know exactly how bridges map to the physical wire, how VLAN-aware bridges differ from the old approach, and how to assign VLANs to both VMs and LXC containers cleanly. ...

May 8, 2026 · 8 min · 1664 words · GnTech

Building R1 — A MikroTik Router for VLAN-Segmented Homelab

Every homelab needs a solid network foundation. This guide walks through the full configuration of R1 — a MikroTik edge router with segmented VLANs, inter-VLAN firewalling, WireGuard VPN, and a Cloudflare Tunnel running directly on the router. The config below is based on RouterOS 7.22.1. Commands are split by section so you can follow along step-by-step. Replace anything in <> with your own values.

Hardware
  Model: MikroTik E62iUGS-2axD5axT
  OS:    RouterOS 7.22.1
  WAN:   GPON FTTH (PPPoE on VLAN 100)

Port Layout
  Port    Role    Access VLAN   Notes
  SFP1    WAN     —             GPON ONT, native vlan 1 for ONT access
  Ether1  CCTV    50            Untagged, camera network
  Ether2  MGMT    99            Untagged, management
  Ether3  MGMT    99            Untagged, secondary management
  Ether4  HOME    10            Untagged, main home LAN
  Ether5  Trunk   Tagged        Inter-switch link carrying all VLANs

Step 1 — Bridge Setup
Create the main bridge with VLAN filtering enabled, and a separate bridge for container veth interfaces: ...

May 7, 2026 · 11 min · 2282 words · GnTech