Training Capstone


Learning network and server operations is best done hands-on and with practical objectives in mind. Set out to build something that you will use; learn along the way, check-pointing frequently with someone who’s gone before you. To help ensure your work is developing broadly marketable skills, a select set of training objectives is suggested. Your mentors should work with you to see that your project is exposing you to the different topics.

Sample Practical Objectives

Deploy a secure home office network with self-hosting (private and/or public) and experimental lab capabilities. Provide separate internet access for other residents and guests. Isolate untrusted “IoT devices” as appropriate.

Sample Learning / Mentoring Objectives

  1. Routing
  2. Firewall (Network Device, Server, VPS Policy)
  3. VPN
  4. Subnetting / VLAN
  5. Wirelesss
  6. Core network services (incl., NAT, DNS, DHCP, NTP)
  7. Server Virtualization
  8. Cloud Server Management


  1. Residential network with a dynamic IP address.
  2. An ISP-provided device can be placed into “bridged mode.” (Preferred, but not strictly Required)

Sample Deployment Options


Self-Hosted Services

  • An internal wiki documenting your work (e.g., MediaWiki)
  • A public-facing blog (e.g., WordPress)
  • A media server (e.g., Jellyfin)
  • Private Calendar and Contacts server (e.g., DAViCal)
  • File server or more formal NAS
  • Other

Hosting Hardware

  • Suitable for Virtual Services (running Proxmox, XCP-NG, etc.)
    • Cannibalized desktop / tower computers
    • Small form, low-power boxes (e.g, Intel NUC)
  • Lower powered boxes capable of running several services, but not necessarily hosting virtualized servers:
    • Raspberry Pi v3 or 4, or similar


Internal Network Partitioning

  • Base network for administrative access to devices (VLAN 0)
  • Office VLAN (for protected
  • Guest VLAN (for people and devices only requiring internet access, including most IoT devices)
  • DMZ VLAN (for public facing, privately accessible network services)

Access from Outside

  • Cloud VPS operating (e.g., Linode, Amazon AWS)
    • VPN server (WireGuard, OpenVPN)
    • NGINX as a reverse-proxy to internally hosted services
  • Registered domain name (e.g., GoDaddy, NameCheap) pointing to the VPS
  • Set-up free domain SSL certificates via the Let’s Encrypt service
  • VPN client running on the firewall / router, which connects to the VPS
  • Restricted routing from the Office network to the VPS. Highly restricted routing from the VPS to select servers and ports in the DMZ.

Networking Equipment

Since these are always-on devices in your home, the objective here is to have low cost, low power / heat / noise equipment that still provides capability equivalent to that found in small or medium sized businesses.

Typical home wireless firewall routers provided by the ISP or off-the-shelf at big box stores combine the following network functions:

  1. Router: Moves packets between networks with a default policy to allow everything. In the simple case, this is moving packets between the home network and the ISP’s network, and vice versa.
  2. Firewall: Applies rules of varying complexity to determine what is allowed to be relayed between networks with a default policy to deny everything.
  3. Switch: Allows communication between wired devices and between wired & wireless devices on the same network.
  4. Wireless Access Points: The radio devices that handle connections to and from multiple wireless client devices. (“The WiFi.”)
  5. Wireless Controller: Coordinates the configuration and operation of one or more Wireless Access Points.

The home devices typically expose extremely limited feature sets (and sometimes substandard performance), and are simply not suitable for developing the skills used in professional environments. This is why professionals will often bypass their ISP-provided equipment in favor of their own gear.

Router / Firewall

Verify the firewall-routers can handle your network speeds. Ubiquiti’s EdgeRouter X provides a fabulous feature set for around $60. [I currently use an EdgeRouter X. My next will likely be a Netgate 2100.]

  • Ubiquiti EdgeRouter-X / EdgeRouter Lite
  • Netgate 1100 / 2100
Wireless Access Point (WAP) / Controller (WAC)

Ubiquiti currently provides the best, most afforadable “prosumer” wireless solutions. Ubiquiti provides their wireless controller as software without cost, and in most use cases it does not need to be run except to make configuration changes. This means that the wireless controller can be installed on a laptop in a virtual machine, for example, and brought up on the network for the initial deployment and for occasional firmware upgrades. These WAPs can typically be configured to handle up to four named networks (SSIDs), and each can be “VLAN-tagged” to help isolate and route the office, guest, and any other networks you’ve configured.

Note that WAPs are typically powered with “Power over Ethernet (PoE).” This means that the switch port feeding the WAP must provide PoE, or a “PoE injector,” a small box that adds wall power to the network wire, must be used.

  • Ubiquiti U6-LR-US (~$180) is an advanced WAP implementing the latest WiFi-6 standard.

Also note: We can cannibalize old big box store wireless routers to provide wireless inside a VLAN at the cost of one box and one switch port per VLAN requiring wireless, though this is far from optimal.

Switch (if necessary)

Depending upon your network design, your Router device may have a sufficient number of ethernet switch ports to accommodate your needs. Unless the switch will be handling devices that all reside on the same subnet / VLAN, your switch should be “VLAN-aware,” which is to say that each switch port can be configured with a default VLAN and can be configured to carry traffic from selected other VLANs as well. If you are running wireless access points, security cameras, SIP telephones, or other devices that require power-over-ethernet, ensure that your PoE switch has enough total power as well as enough powered switch ports to meet your needs.

Note: Even if you don’t need a VLAN-aware switch, if possible you should own one and be familiar with using it to isolate traffic flow between boxes. It’s a fundamental skill for business networks.

Note: It’s likely that a switch with layer-3 routing is overkill and likely too expensive for household or small-to-medium–sized business use. It’s nice to have, but consider it low priority.

  • NETGEAR ProSAFE GS108: A cheap, VLAN-aware, L2 switch. No PoE.
  • Ubiquiti ToughSwitch. 5-8 ports, all PoE, each switch with various total power throughput, VLAN-aware, L2 switch.