Documenting My Homelab, Part 2: Creating a Real Homelab Zone and Cleaning Up the Mess
Moving the rest of the homelab into its own VLAN and firewall zone, deleting years of accumulated cruft, and turning a loose collection of services into an intentional, maintainable system.
Moving the Rest of the Lab
In part one, I built out a new host system and gave it a proper name.
zerocool is an Intel N150 box that now runs the core services I depend on every day: DNS, ingress via Nginx Proxy Manager, and a few other foundational pieces.
That machine was the anchor. Part two is about everything else.
One of the ideas I keep coming back to from Stoicism is focusing on what you can actually control, and putting structure around it. The network was a good candidate for that. I couldn’t prevent every failure or future change, but I could make the system understandable, predictable, and easier to reason about when something went wrong.
This is where the homelab stopped being “some Docker containers on the network” and became a real, isolated environment with boundaries I could reason about.
Creating a Real Homelab Zone
The biggest shift in this phase was moving the Homelab VLAN into its own zone on the UDM SE and committing to zone-based firewall rules.
I’ve used classic firewall rules for years, going back to my EdgeRouter days. They work, but they tend to grow organically and quietly rot over time. Rules stick around because removing them feels risky, and eventually you end up with policies that no one remembers creating.
Zone-based firewall rules changed how I think about this.
Instead of asking:
“Does VLAN A need to talk to VLAN B on these ports?”
I could ask:
“Should internal user devices ever initiate connections into the homelab?”
That question matters because it shifts the focus from reacting to problems to defining boundaries ahead of time. In Stoic terms, it’s the difference between constantly responding to external events and setting up rules for what should and should not happen in the first place.
Once the Homelab VLAN lived in its own zone, a lot of old rules immediately looked wrong. Some were redundant. Some were overly permissive. A few didn’t even make sense anymore but had survived multiple migrations.
Deleting those rules was uncomfortable at first, but also overdue.
Cleaning Up the Firewall Mess
This migration forced me to confront how much firewall cruft had accumulated over the years.
Some rules had been manually recreated when I moved from EdgeRouter to UniFi. Others were auto-generated by features I no longer use. A few existed only because “things broke once and this fixed it.”
Removing those rules felt uncomfortable because they represented unknowns. But Stoicism treats discomfort as a signal, not something to avoid. The discomfort wasn’t a warning that I was breaking things. It was a sign I was finally looking at decisions I’d been deferring for years.
With zones in place, I rebuilt the policies from scratch:
- Internal → Homelab for services like Plex and DNS
- Ingress → Homelab limited to specific endpoints
- Work VLAN isolated entirely
What surprised me was how much simpler the final rule set was.
The zone-based firewall feels closer to how I already think about trust boundaries. It’s easier to explain to myself, easier to audit later, and easier to maintain when something changes.
Classic firewall rules work, but zones make intent obvious.
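To make the "intent as data" idea concrete, here is an added example (my own, not the author's configuration and not UniFi's rule format, which is set in the controller UI): a small Python model of the rebuilt policy as explicit zone-pair allows over a default deny, with a handful of flows evaluated against it and an audit pass that catches the kinds of rules the post describes deleting. Subnets, host addresses and ports (32400/tcp for Plex, 53 for DNS, 443 for ingress, the reverse-proxy address) are assumptions; the post names the zones and services but not these details.

```python
"""Zone-based policy as data: explicit allows between zone pairs, everything else denied."""
from dataclasses import dataclass
from typing import FrozenSet, Optional
import ipaddress

# Constructed addressing for the example. The post names these zones but not their
# subnets, so every network and host address below is an assumption.
ZONES = {
    "Internal": ipaddress.ip_network("10.0.10.0/24"),  # family and user devices
    "Homelab":  ipaddress.ip_network("10.0.20.0/24"),  # the new Homelab VLAN
    "Work":     ipaddress.ip_network("10.0.30.0/24"),  # Work VLAN, isolated entirely
    "Ingress":  ipaddress.ip_network("10.0.40.0/24"),  # assumed: where inbound/proxied traffic enters
}
REVERSE_PROXY = "10.0.20.5"  # assumed address of the Nginx Proxy Manager host


@dataclass(frozen=True)
class Rule:
    src: str                                    # source zone
    dst: str                                    # destination zone
    proto: str                                  # "tcp" or "udp"
    port: int                                   # destination port
    dst_hosts: Optional[FrozenSet[str]] = None  # None = any host in the destination zone
    comment: str = ""


# The rebuilt policy from the post. Ports are assumptions (32400/tcp is Plex's default, 53 is DNS).
POLICY = [
    Rule("Internal", "Homelab", "tcp", 32400, comment="Plex"),
    Rule("Internal", "Homelab", "udp", 53, comment="DNS"),
    Rule("Internal", "Homelab", "tcp", 53, comment="DNS over TCP"),
    Rule("Ingress", "Homelab", "tcp", 443, dst_hosts=frozenset({REVERSE_PROXY}),
         comment="Ingress limited to the reverse proxy"),
    # No rule mentions "Work": the Work VLAN is isolated by the default deny.
]


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    raise ValueError(f"{ip} is in no known zone")


def evaluate(src_ip, dst_ip, proto, port, policy=POLICY):
    """Decide a new connection. Returns (verdict, matched_rule).
    Traffic that stays inside one zone is allowed in this model (an assumption about
    the default; the interesting part is cross-zone traffic, which needs an explicit rule)."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return "allow", None
    for rule in policy:
        if (rule.src, rule.dst, rule.proto, rule.port) != (src_zone, dst_zone, proto, port):
            continue
        if rule.dst_hosts is not None and dst_ip not in rule.dst_hosts:
            continue
        return "allow", rule
    return "deny", None


def audit(policy=POLICY, isolated=("Work",)):
    """Checks to run before committing a policy: isolated zones appear in no rule,
    Ingress never gets a whole-zone allow, and every rule names zones that exist."""
    problems = []
    for rule in policy:
        if rule.src in isolated or rule.dst in isolated:
            problems.append(f"isolated zone referenced: {rule.comment or rule}")
        if rule.src == "Ingress" and rule.dst_hosts is None:
            problems.append(f"Ingress rule not limited to specific endpoints: {rule.comment or rule}")
        if rule.src not in ZONES or rule.dst not in ZONES:
            problems.append(f"unknown zone in rule: {rule}")
    return problems


if __name__ == "__main__":
    flows = [  # (description, src, dst, proto, port) - constructed sample flows
        ("laptop -> Plex", "10.0.10.25", "10.0.20.10", "tcp", 32400),
        ("laptop -> DNS", "10.0.10.25", "10.0.20.10", "udp", 53),
        ("laptop -> SSH on a lab box", "10.0.10.25", "10.0.20.10", "tcp", 22),
        ("ingress -> reverse proxy", "10.0.40.2", REVERSE_PROXY, "tcp", 443),
        ("ingress -> other lab host", "10.0.40.2", "10.0.20.10", "tcp", 443),
        ("work laptop -> Plex", "10.0.30.7", "10.0.20.10", "tcp", 32400),
        ("lab box -> laptop", "10.0.20.10", "10.0.10.25", "tcp", 32400),
    ]
    for desc, *flow in flows:
        verdict, rule = evaluate(*flow)
        print(f"{desc:28} {verdict:5} {rule.comment if rule else ''}")
    print("audit problems:", audit() or "none")
```

Run it and the Work VLAN flow, the SSH attempt from Internal, and the ingress request to a host other than the proxy all come back denied without any rule saying so. That is the property that made the final rule set smaller: deny is the default, so only intent has to be written down. The audit is the part worth keeping around; a rule that touches Work, or an Ingress rule with no endpoint restriction, fails it before the change is committed.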
A Surprisingly Smooth Cutover
Overall, this move was far more successful than I expected.
There was exactly one moment of user feedback during the entire migration.
From the living room, I heard: “Hey, why did my movie stop working!”
That was my five-year-old, right as I was moving Plex between networks.
I fixed it, the movie resumed, and that was it. No follow-up complaints. No mysterious failures later in the evening. For a network change of this size, that counts as a win in my house.
Moving Devices and Containers
Once the network boundaries were in place, I started moving services and devices into the Homelab VLAN.
This is where some housekeeping finally happened.
I shut down containers I hadn’t used in months. Some were experiments. Some were replaced by better solutions. A few existed only because I forgot they were running.
If a container didn’t serve a clear purpose anymore, it didn’t survive the move.
There’s a Stoic idea that clarity comes more from removal than addition. The same applies here. Every unused container added noise. Every forgotten service made the system harder to understand. Removing them didn’t make the lab weaker. It made it calmer.
I also standardized how I deploy Docker services.
Every service now lives in:
/opt/docker/[service-name]/
Each service gets:
- a docker-compose.yml
- a data/ directory for bind mounts
- nothing shared unless it truly needs to be
It’s boring. That’s the point.
When I log into a host now, I can see exactly what’s running and where its data lives. Backups are simpler. Migrations are predictable. Future me will appreciate this more than present me ever will.
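The layout is easy to state and easy to drift from, so here is an added example (my own, not the author's tooling) that audits a tree of compose files against it: every bind mount must resolve under /opt/docker/[service-name]/data/, and any host path mounted by more than one service is reported as shared so it has to be justified. The sample compose files are constructed for the example, with placeholder images; a media library shared read-only between services is the kind of exception the allowlist is for. The parser handles compose short-syntax volume entries and the source: key of long-syntax entries, not every form YAML allows.

```python
"""Audit /opt/docker/<service>/docker-compose.yml files for bind mounts that leave
the service's own data/ directory, and for host paths shared between services."""
import posixpath
import re
from pathlib import Path, PurePosixPath

ROOT = PurePosixPath("/opt/docker")

# Compose short-syntax volume entry such as "- ./data/config:/config:ro".
# Group 1 is the host side; group 2 is the container path and must be absolute.
VOLUME_RE = re.compile(r"""^\s*-\s*["']?([^\s:"']+):(/[^\s:"']*)""")


def bind_mount_sources(compose_text):
    """Host-side sources of bind mounts declared under any `volumes:` key.
    Named volumes (no leading /, ., ~ or $) are skipped; they are not host paths."""
    sources, in_volumes, vol_indent = [], False, 0
    for line in compose_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if stripped == "volumes:":
            in_volumes, vol_indent = True, indent
            continue
        if in_volumes:
            if stripped.startswith("-") or indent > vol_indent:
                m = VOLUME_RE.match(line)
                src = m.group(1) if m else (
                    stripped.split(":", 1)[1].strip().strip("\"'") if stripped.startswith("source:") else None)
                if src and src.startswith(("/", ".", "~", "$")):
                    sources.append(src)
                continue
            in_volumes = False   # back at the parent's indent: the volumes list ended
    return sources


def resolve(service, src, root=ROOT):
    """Compose resolves relative sources against the project directory, i.e. the service's directory."""
    path = src if src.startswith("/") else str(root / service / src)
    return PurePosixPath(posixpath.normpath(path))


def audit_tree(services, root=ROOT, allowed_shared=()):
    """services: {service_name: compose_text}. Returns (findings, shared).
    findings: (service, source, reason) for mounts outside <root>/<service>/data/.
    shared: {host_path: [services]} for host paths mounted by more than one service.
    Paths in allowed_shared are deliberate exceptions and are not reported."""
    allowed = {PurePosixPath(posixpath.normpath(p)) for p in allowed_shared}
    findings, owners = [], {}
    for name, text in services.items():
        data_dir = root / name / "data"
        for src in bind_mount_sources(text):
            if src.startswith(("~", "$")):
                findings.append((name, src, "unresolved home or variable path"))
                continue
            path = resolve(name, src, root)
            owners.setdefault(path, set()).add(name)
            if path in allowed:
                continue
            if path != data_dir and data_dir not in path.parents:
                findings.append((name, src, f"outside {data_dir}"))
    shared = {str(p): sorted(o) for p, o in owners.items() if len(o) > 1 and p not in allowed}
    return findings, shared


def load_tree(root="/opt/docker"):
    """Read every <root>/<service>/docker-compose.yml from disk into the dict audit_tree expects."""
    services = {}
    for d in sorted(Path(root).iterdir()):
        compose = d / "docker-compose.yml"
        if d.is_dir() and compose.is_file():
            services[d.name] = compose.read_text()
    return services


# Constructed sample tree (placeholder images); "tdarr" deliberately reaches into plex's data/.
SAMPLE = {
    "plex": "services:\n  plex:\n    image: example/plex  # placeholder\n    volumes:\n"
            "      - ./data/config:/config\n      - /mnt/media:/media:ro\n",
    "dns": "services:\n  dns:\n    image: example/dns  # placeholder\n    volumes:\n"
           "      - type: bind\n        source: ./data/etc-dns\n        target: /etc/dns\n"
           "      - ./data/dnsmasq.d:/etc/dnsmasq.d\n    ports:\n      - \"53:53/udp\"\n",
    "tdarr": "services:\n  tdarr:\n    image: example/tdarr  # placeholder\n    volumes:\n"
             "      - ./data/server:/app/server\n      - /mnt/media:/media\n"
             "      - ../plex/data/config:/plexconfig:ro\n",
}

if __name__ == "__main__":
    findings, shared = audit_tree(SAMPLE, allowed_shared=["/mnt/media"])
    for f in findings:
        print("FINDING", *f)
    for path, owners in shared.items():
        print("SHARED ", path, owners)
```

Without the allowlist the media library shows up twice (once per service) and as shared; with it, the only thing left is tdarr mounting plex's config directory, which is exactly the cross-service coupling the "nothing shared unless it truly needs to be" rule is meant to surface. Point load_tree at a real host and feed its result to audit_tree to run the same check against the actual layout.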
Committing to the Naming Theme
While everything was moving, I also leaned fully into the Hackers movie naming theme for the homelab.
Once the lab had its own VLAN and zone, the machines finally felt important enough to deserve proper names.
The current lineup looks like this:
- acidburn: Intel NUC running Docker containers
- cerial: PiKVM for out-of-band access
- theplague: Proxmox host
- gibson: Synology DS920+
It’s a small thing, but consistent naming makes logs easier to read, dashboards clearer, and troubleshooting less mentally taxing. It also makes the lab feel cohesive instead of like a pile of random hardware.
Hardware Reality Check
Not everything went smoothly.
At one point, I noticed my EdgeSwitch 8 150W had newer firmware available than when I last logged into it. After upgrading, the SFP DAC cable connecting it to the UDM SE stopped linking.
It turns out the switch no longer liked the generic Amazon DAC cable I’d been using for years.
I could have fought it, but I didn’t feel like debugging SFP compatibility. I ordered an official UniFi DAC cable instead.
Shipping cost more than the cable.
Since I was already paying shipping and running out of ports, I added a USW Lite 8 PoE to the order.
That new switch now handles:
- UniFi G4 Doorbell Pro
- Three access points
- HDHomeRun devices on the non-PoE ports
It cleaned up the rack layout and gave me room to grow.
I also took the time to clone the 500 GB SSD in my Proxmox server (theplague) to a barely used 1 TB SSD I pulled from another machine. The old drive had taken a beating from running Tdarr.
To avoid repeating that mistake, I connected a dual bay USB drive enclosure. It holds two 4 TB IronWolf NAS drives I no longer needed in my NAS. One is now used for Proxmox VM backups. The other handles Tdarr transcode cache, ISO storage, and random test VMs.
Where This Leaves the Homelab
At this point, the homelab finally feels intentional.
- It has its own VLAN and zone
- Firewall rules reflect actual trust boundaries
- Containers are fewer, cleaner, and easier to manage
- Hardware connections make sense again
- The family barely noticed anything changed
Nothing here is especially advanced.
That’s kind of the lesson.
Most of the improvement came from slowing down, deleting things, and making the structure obvious instead of clever.
What surprised me most is how closely this mirrors Stoic practice outside the lab. Clear boundaries. Fewer obligations. Systems designed to fail gracefully instead of loudly. The lab isn’t perfect, but it’s resilient and, more importantly, understandable when something breaks.