Category: Labs & Smart Home

All about smart home stuff

Designing a Secure Home Lab with VLAN Segmentation and TLS Subdomain Separation Using Traefik

Modern home labs and small hosting environments often grow organically. New services are added over time, ports multiply, and TLS certificates become difficult to manage. Eventually, what started as a simple setup becomes hard to secure and maintain.

Over the last few years, I gradually evolved my lab environment into a structure that separates workloads, automates TLS, and simplifies routing using Traefik as a reverse proxy.

This article summarizes the architecture and lessons learned from running multiple Traefik instances across segmented networks with automated TLS certificates.

The Initial Problem

Typical home lab setups look like this:

service1 โ†’ host:9000
service2 โ†’ host:9443
service3 โ†’ host:8123
service4 โ†’ host:8080

Problems quickly appear:

  • Too many ports exposed
  • TLS certificates become manual work
  • Hard to secure services individually
  • Debugging routing becomes messy
  • Services mix across trust levels

As services increase, maintenance becomes harder.

Design Goals

The environment was redesigned around a few simple goals:

  1. One secure entry point for services
  2. Automatic TLS certificate management
  3. Network segmentation between service types
  4. Clean domain naming
  5. Failure isolation between environments
  6. Minimal ongoing maintenance

High-Level Architecture

The resulting architecture separates services using VLANs and domain zones.

Internet
    โ†“
DNS
    โ†“
Traefik Reverse Proxy Instances
    โ†“
Segmented Service Networks

Workloads are separated by purpose and risk profile.

Example:

Secure VLAN โ†’ internal services
IoT VLAN โ†’ containers and test services
Application VLAN โ†’ development workloads

Each network segment runs its own services and routing.

Role of Traefik

Traefik serves as the gateway for services by handling:

  • HTTPS certificates (Let’s Encrypt)
  • Reverse proxy routing
  • Automatic service discovery
  • HTTPS redirects
  • Security headers

Instead of accessing services by ports, everything is exposed through HTTPS:

https://sonarqube.example.com
https://portainer.example.com
https://grafana.example.com

Traefik routes traffic internally to the correct service.

TLS Strategy: Subdomain Separation

Instead of creating individual certificates per service, services are grouped by domain zones.

Example zones:

*.dk.example.com
*.pbi.example.com
*.ad.example.com

Each zone receives a wildcard certificate.

Example services:

sonarqube.dk.example.com
traefik.dk.example.com
grafana.dk.example.com

Benefits:

  • One certificate covers many services
  • Renewal complexity drops
  • Let’s Encrypt rate limits avoided
  • Services can be added freely
  • Routing stays simple

Each Traefik instance manages certificates for its own domain zone.

Why Multiple Traefik Instances?

Rather than centralizing everything, multiple Traefik gateways are used.

Example:

  • Unraid services handled by one proxy
  • Docker services handled by another
  • Podman workloads handled separately

Benefits:

  • Failure isolation
  • Independent upgrades
  • Easier experimentation
  • Reduced blast radius during misconfiguration

If one gateway fails, others continue operating.

Operational Benefits Observed

After stabilizing this architecture:

Certificate renewal became automatic

No manual certificate maintenance required.

Service expansion became simple

New services only need routing rules.

Network isolation improved safety

IoT workloads cannot easily reach secure services.

Troubleshooting became easier

Common issues reduce to:

404 โ†’ router mismatch
502 โ†’ backend unreachable
TLS error โ†’ DNS or certificate issue

Lessons Learned

Several practical lessons emerged.

Use container names instead of IPs

Docker DNS is more stable than static IP references.

Keep services on shared networks

Ensures routing remains predictable.

Remove unnecessary exposed ports

Let Traefik handle public access.

Back up certificate storage

Losing certificate storage can trigger renewal rate limits.

Avoid unnecessary upgrades

Infrastructure components should change slowly.

Is This Overkill for a Home Lab?

Not necessarily.

As soon as you host multiple services, segmentation and automated TLS reduce maintenance effort and improve reliability.

Even small environments benefit from:

  • consistent routing
  • secure entry points
  • simplified service management

Final Thoughts

Traefik combined with VLAN segmentation and TLS subdomain zoning has provided a stable and low-maintenance solution for managing multiple services.

The environment now:

  • renews certificates automatically
  • isolates workloads
  • simplifies routing
  • scales easily
  • requires minimal manual intervention

What started as experimentation evolved into a practical architecture pattern that now runs quietly in the background.

And in infrastructure, quiet is success.

Traefik Reverse Proxy Troubleshooting Guide (Docker + TLS + Letโ€™s Encrypt)

Traefik is an excellent reverse proxy for Docker environments, providing automatic TLS certificates and dynamic routing. However, when something breaks, symptoms can look confusing.

This guide summarizes practical troubleshooting steps based on real-world debugging of a production home-lab setup using Traefik, Docker, and Letโ€™s Encrypt.

Typical Architecture

A common setup looks like:

Internet
   โ†“
DNS โ†’ Host IP
   โ†“
Traefik (Docker container)
   โ†“
Application containers

Traefik handles:

  • TLS certificates
  • Reverse proxy routing
  • HTTPS redirect
  • Service discovery

Most Common Error Types

1. HTTP 404 from Traefik

Meaning:

Request reached Traefik
but no router matched the request.

Common causes:

  • Host rule mismatch
  • Wrong domain name
  • Missing router configuration
  • Missing path prefix rules

Check routers:

curl http://localhost:8080/api/http/routers

Fix:
Ensure router rule matches request:

rule: Host(`app.example.com`)

2. HTTP 502 Bad Gateway

Meaning:

Router matched
but backend service unreachable.

Most common cause: wrong backend IP or port.

Test backend directly:

curl http://localhost:9000 -I

If this works but Traefik gives 502, fix service URL:

Bad:

url: "http://172.x.x.x:9000"

Good:

url: "http://sonarqube:9000"

Use container names instead of IPs.

3. Dashboard returns 404

Dashboard requires routing both paths:

/dashboard
/api

Fix router rule:

rule: Host(`traefik.example.com`) &&
      (PathPrefix(`/api`) || PathPrefix(`/dashboard`))

Also ensure trailing slash:

/dashboard/

4. TLS Certificate Not Issued

Check ACME logs:

docker logs traefik | grep -i acme

Verify:

  • DNS challenge configured
  • Secrets mounted correctly
  • acme.json writable

Permissions should be:

chmod 600 acme.json

5. TLS Renewal Concerns

Traefik automatically renews certificates 30 days before expiry.

Check expiry:

echo | openssl s_client \
-servername app.example.com \
-connect app.example.com:443 \
2>/dev/null | openssl x509 -noout -dates

Renewal happens automatically if Traefik stays running.

Debugging Workflow (Recommended)

When something fails, follow this order:

Step 1 โ€” Is Traefik running?

docker ps

Step 2 โ€” Check routers

curl http://localhost:8080/api/http/routers

Step 3 โ€” Check backend

curl http://localhost:<port>

Step 4 โ€” Check logs

docker logs traefik

Step 5 โ€” Test routing locally

curl -k -H "Host: app.example.com" https://localhost -I

Best Practices for Stable Setup

Use container names instead of IPs

Avoid hardcoded LAN IPs.

Keep all services on same Docker network

Example:

networks:
  - traefik-public

Remove exposed ports

Let Traefik handle access.

Backup certificates

Cron backup:

0 3 * * * cp /opt/traefik/data/acme.json /backup/

Freeze Docker versions

Avoid surprise upgrades:

sudo apt-mark hold docker-ce docker-ce-cli containerd.io

Quick Diagnosis Cheat Sheet

ErrorMeaning
404Router mismatch
502Backend unreachable
TLS errorCert or DNS issue
Dashboard 404Router rule incomplete

Final Advice

Most Traefik problems are not Traefik itself, but:

  • router rules
  • backend targets
  • entrypoint mismatches
  • DNS configuration

Once routing and networks are correct, Traefik runs reliably for years.

Conclusion

Traefik simplifies TLS and routing, but clear troubleshooting patterns save hours when issues arise. Use this guide as a reference whenever routing or certificates behave unexpectedly.

โ€Matter and Thread – What’s the difference?

Matter and Thread are different. You can use Matter over a number of different network types. (WiFi, Thread and I think Bluetooth)

Thread is a radio protocol (very similar to ZigBee) and you can run Matter over Thread but you need something called a Thread Border Router to sit between your network and the Thread network (just like a hub or Z2M does now).

So matter over WiFi doesn’t need anything dongle (other than WiFi). Thread needs a border router which could be a dongle or something like an Alexa or Apple TV etc.

A communication protocol for IoT devices

Thread is a low-power mesh networking standard for IoT devices. The low-power aspect is important for battery-powered smart home devices. However, itโ€™s also low-bandwidth, making it ideal for applications that donโ€™t send a lot of data, like switches or motion sensors.

Thread uses the same RF technology as Zigbee (IEEE 802.15.4) but provides IP connectivity similar to Wi-Fi. Unlike Zigbee, Thread by itself does not allow controlling devices: It is just a communication protocol. To control the Thread devices, a higher-level protocol is required: Matter or Apple HomeKit. Thread devices use the IPv6 standard to communicate both inside and outside the mesh network.

You can read about Home Assistant integration here.

Difference between Amps and Volts?

All of these analogies about water pressure, volume, pipe diameter, etc… are all useful devices, but I’ll explain what’s REALLY going on, no analogies.

First, electricity is made up things called “charges.” What exactly they are doesn’t matter. You can think of them as particles or aliens or whatever. The point is, they’re out there…. Things can accumulate charges as they go about their existence. If you walk across the carpet in your sock feet, you’re likely to accumulate some charges. Clouds moving through the atmosphere might accumulate charges, etc…

The charges “want” to be distributed evenly. If there are 100 of them in one place, and 0 in another place, they want to move until each place has 50. This is what happens when you touch a doorknob and get shocked, or when lightning transfers charges from one cloud to another.

The difference in charges between two things or areas is called “voltage.” There’s a special number of charges that makes up one “unit” of voltage, but that special number doesn’t matter. If you have 100 units in one place, and 0 in another, you’ve got 100 volts….

VOLTAGE = DIFFERENCE IN CHARGE BETWEEN TWO AREAS

In the examples above, touching a doorknob or lightning, all of the transfer of charge happens nearly instantly, and once it has happened, it’s done and no more charges move. This is called “static” electricity. It’s not very useful for us. We want a controlled and continuous flow of charges that we can use as energy. This is “current” electricity.

Current electricity requires a “circuit,” where the charges flow from one area to another continuously, instead of nearly instantly. Think of a 9-volt battery. It has a positive and negative terminal. The difference in charge between these two terminals is 9 volts (see above). When you connect the two terminals, it doesn’t instantly equalize, like touching your finger to a doorknob. Instead, the transfer of charge takes some time. Batteries, magnetos, generators, etc… are all mechanisms to create a charge difference (voltage) that doesn’t instantly collapse, but allows charges to flow continuously. This flow of charge is called “current.”

We can measure the number of charges that flow through a piece of wire in a period of time. For any practical use of electricity, the number would be huge, like 18+ digits. So instead, we use a unit of measure called an Ampere, which is a specific number of charges per second. Again, the exact number doesn’t matter, because we never use it. The point is that the Ampere is a measure of how much charge actually moves through the wire.

Ampere is apparently hard to say, so we abbreviate it to Amp.

AMP = HOW MUCH CHARGE MOVES THROUGH A WIRE

There’s a critical relationship between Volts and Amps. The higher the voltage (the bigger the difference between the areas), the more the charges want to equalize, so more of them flow, resulting in a higher number of Amps.

(This is where Resistance comes in. Resistance is a measure of how much a material resists the flow of charges. A material with low resistance (like pure copper) will let a lot of charges flow, resulting in a higher current than a material with high resistance, like rubber, which doesn’t want to let any charges flow at all.)

Read more here