What Building a Segmented Network Actually Teaches You

Building a home lab with proper network segmentation sounds straightforward until you're troubleshooting why your hypervisor crashes every time a VM boots. This post explores the gap between understanding cybersecurity concepts and actually implementing them: from VLAN configuration confusion to the reality of security friction in daily operations. Learn why network loops aren't cool, how PVID settings can make or break your entire setup, and why the jump box architecture that frustrated me during implementation taught me more about risk management than any certification course. A candid look at the technical challenges and business insights gained from moving beyond theoretical knowledge to hands-on network security implementation.

Travis Conner

9/28/2025, 3 min read


The Plan vs. Reality

The Plan: Six VLANs, proper segmentation, enterprise-grade jump box access.

Reality: Discovering that "tagged" and "untagged" aren't just academic concepts when your hypervisor crashes every time you start a VM.

Technical Architecture

The final setup includes:

  • Router/firewall handling inter-VLAN routing and DHCP

  • Switch with 802.1Q VLAN and PVID configuration

  • Proxmox hypervisor with VLAN-aware bridge

  • Ubuntu jump box on Management VLAN

  • Six network segments: Management, Production, Security Lab, Malware Analysis, Vulnerable Systems, and Physical Security

The PVID Revelation

PVID (Port VLAN ID) configuration nearly derailed everything. The concept seems simple: untagged traffic entering a port gets assigned to the PVID VLAN. But when you have a Proxmox host that needs to manage VMs across multiple VLANs, the bridge configuration becomes critical.

The breakthrough was understanding that Proxmox needed a "VLAN-aware" bridge rather than separate bridges for each VLAN. This enabled the hypervisor to handle VLAN tags from VMs properly while maintaining the host's own network configuration on the Management VLAN.

Switch Configuration Gotchas

  1. Default VLAN 1 membership - Every port starts as a member of VLAN 1, which bypasses your segmentation unless explicitly removed

  2. Tagged vs. Untagged confusion - End devices (laptops, cameras) need untagged ports, infrastructure devices need tagged

Network Loops and Hypervisor Crashes

The most educational failure came from an improper VLAN configuration that created network loops and completely crashed Proxmox. When every port is tagged with every VLAN, broadcast traffic creates storms that overwhelm systems.

The fix required understanding that different devices need different VLAN configurations. My router/firewall needed to be tagged with all VLANs so it can handle inter-VLAN routing. Proxmox needed to be tagged with Management VLAN traffic only. My WAP needed to be tagged with the specific VLANs used for wireless networks. And lastly, the port assigned to my daily driver laptop needed to be untagged and assigned to the Production VLAN.
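To make the PVID rule, the two switch gotchas and the all-ports-tagged-with-everything failure concrete, here is a small model of 802.1Q port membership. This is an added example, not the author's switch configuration: the VLAN numbers, port names, the "parking" VLAN used as the PVID on trunk ports, and both the broken and the corrected port tables are constructed to mirror the roles described above. It classifies ingress frames the way a switch does (untagged frames land in the PVID, tagged frames are accepted only on ports that are tagged members), audits a port table for leftover VLAN 1 membership and tagged endpoint ports, and shows how far a broadcast is flooded under each configuration.

```python
"""Model of 802.1Q port membership, PVID handling and broadcast flooding.

Added example; VLAN IDs, port names and both port tables are constructed
to mirror the six-segment lab in the post, not copied from it.
"""
from dataclasses import dataclass, field

MGMT, PROD, SECLAB, MALWARE, VULN, PHYS = 10, 20, 30, 40, 50, 60
ALL_LAB_VLANS = {MGMT, PROD, SECLAB, MALWARE, VULN, PHYS}
PARK = 999  # constructed unused VLAN: a safe PVID for trunk ports


@dataclass
class Port:
    name: str
    role: str                     # "infra" (trunk) or "endpoint" (access)
    pvid: int = 1                 # untagged ingress frames are placed here
    tagged: set = field(default_factory=set)
    untagged: set = field(default_factory=set)

    def members(self):
        return self.tagged | self.untagged


def classify_ingress(port, tag=None):
    """VLAN a frame is assigned to on ingress, or None if it is dropped."""
    if tag is None:               # untagged frame: the PVID rule
        return port.pvid
    return tag if tag in port.tagged else None


def broadcast_fanout(ports, ingress, tag=None):
    """Names of the ports a broadcast entering `ingress` is flooded to."""
    src = next(p for p in ports if p.name == ingress)
    vlan = classify_ingress(src, tag)
    if vlan is None:
        return set()
    return {p.name for p in ports if p is not src and vlan in p.members()}


def audit(ports):
    """Flag the gotchas from the post: VLAN 1 leftovers, tagged endpoints,
    and the every-port-tagged-with-every-VLAN pattern."""
    findings = []
    for p in ports:
        if p.pvid == 1 or 1 in p.members():
            findings.append(f"{p.name}: still a member of default VLAN 1")
        if p.role == "endpoint" and p.tagged:
            findings.append(f"{p.name}: endpoint port carries tagged VLANs "
                            f"{sorted(p.tagged)}")
        if p.role == "endpoint" and len(p.untagged) != 1:
            findings.append(f"{p.name}: endpoint port must be untagged in "
                            f"exactly one VLAN")
    if all(ALL_LAB_VLANS <= p.tagged for p in ports):
        findings.append("every port is tagged with every VLAN; a broadcast "
                        "on any segment is flooded to every port")
    return findings


def bad_config():
    """Constructed 'before': factory VLAN 1 plus every VLAN tagged on every port."""
    roles = [("fw", "infra"), ("pve", "infra"), ("wap", "infra"),
             ("laptop", "endpoint")]
    return [Port(n, r, pvid=1, tagged=set(ALL_LAB_VLANS), untagged={1})
            for n, r in roles]


def good_config():
    """Constructed 'after', following the per-device roles in the post."""
    return [
        Port("fw", "infra", pvid=PARK, tagged=set(ALL_LAB_VLANS)),
        Port("pve", "infra", pvid=PARK, tagged={MGMT}),
        Port("wap", "infra", pvid=PARK, tagged={PROD, SECLAB}),
        Port("laptop", "endpoint", pvid=PROD, untagged={PROD}),
    ]


if __name__ == "__main__":
    for label, cfg in (("before", bad_config()), ("after", good_config())):
        print(f"[{label}] findings: {audit(cfg) or 'none'}")
        print(f"[{label}] laptop broadcast reaches: "
              f"{sorted(broadcast_fanout(cfg, 'laptop'))}")
```

Under the constructed "before" table a broadcast from the laptop port, tagged or not, is flooded to the firewall, the WAP and the Proxmox port alike; under the "after" table the laptop's untagged frames land in Production and reach only the ports that are members of that VLAN, and any tagged frame the laptop tries to send is dropped at ingress.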

Jump Box Architecture

Moving from direct administrative access to jump box-mediated access required rethinking network access patterns. SSH tunneling became the secure method for reaching management interfaces:

From my Windows laptop:

ssh -L 8443:<router/firewall IP>:443 jumpbox@<jumpbox IP>

This creates an encrypted tunnel where localhost:8443 on my laptop forwards to my router/firewall's web interface through the jump box. All administrative traffic flows through the controlled, logged pathway while maintaining complete network segmentation.
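A jump box only enforces the "controlled pathway" if the forwarding it permits is itself constrained. The following added example (not from the post; the Management subnet, the two target addresses and the key string are constructed placeholders) does two things: it parses an `ssh -L` specification like the one above and checks that the destination is an approved management interface, and it renders the matching server-side control, an OpenSSH `authorized_keys` entry whose `permitopen=` options pin which host:port targets the jump box account may forward to.

```python
"""Scope what a jump box account may forward with ssh -L.

Added example. MGMT_NET, ALLOWED and the public key are constructed
placeholders; the authorized_keys options used (restrict, port-forwarding,
permitopen) are standard OpenSSH options.
"""
import ipaddress

MGMT_NET = ipaddress.ip_network("10.0.10.0/24")       # constructed Management VLAN
ALLOWED = {("10.0.10.1", 443),                        # constructed: router/firewall web UI
           ("10.0.10.2", 8006)}                       # constructed: Proxmox web UI


def parse_local_forward(spec):
    """Parse an ssh -L argument of the form [bind_address:]port:host:hostport.

    Returns (local_port, host, host_port). Bracketed IPv6 hosts are not handled.
    """
    parts = spec.split(":")
    if len(parts) == 4:           # optional bind address present; drop it
        parts = parts[1:]
    if len(parts) != 3:
        raise ValueError(f"unsupported -L spec: {spec}")
    lport, host, hport = parts
    return int(lport), host, int(hport)


def forward_allowed(spec, allowed=ALLOWED, mgmt_net=MGMT_NET):
    """True only if the tunnel ends on an approved management host:port."""
    _, host, hport = parse_local_forward(spec)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:            # hostnames are not accepted; require a literal IP
        return False
    return addr in mgmt_net and (host, hport) in allowed


def authorized_keys_line(pubkey, allowed=ALLOWED):
    """Build a restricted authorized_keys entry for the jump box account.

    'restrict' turns off pty, agent/X11 forwarding and rc execution;
    'port-forwarding' re-enables forwarding; each permitopen= pins one target.
    """
    opts = ["restrict", "port-forwarding"]
    opts += [f'permitopen="{h}:{p}"' for h, p in sorted(allowed)]
    return ",".join(opts) + " " + pubkey


if __name__ == "__main__":
    for spec in ("8443:10.0.10.1:443", "8443:10.0.50.5:443"):
        print(spec, "->", "allowed" if forward_allowed(spec) else "denied")
    print(authorized_keys_line("ssh-ed25519 AAAAC3...EXAMPLE admin@laptop"))
```

Because `restrict` also disables PTY allocation, a client using such a key should open the tunnel with `ssh -N -L 8443:<router/firewall IP>:443 jumpbox@<jumpbox IP>` rather than expecting a shell; the jump box will still accept the connection and forward only to the listed targets.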

Enterprise vs. Home Lab Reality

The most striking difference between reading about enterprise networks and implementing them was the absolute criticality of getting basic configuration details right. A single misconfigured PVID setting can break an entire network segment.

Enterprise networks aren't complex for complexity's sake; they're complex because proper security boundaries require precise configuration. The redundancy, logging, and access controls that seem excessive in documentation become obviously necessary when you watch a misconfigured VLAN bring down your hypervisor.

Practical Security Outcomes

The final architecture achieves a solid, secure home lab build. Administrative access requires a controlled pathway through a hardened jump box, daily-use systems cannot directly reach infrastructure, each lab environment is isolated from the others, all management traffic is encrypted and can be logged, and the attack surface is minimized through network segmentation.

Next Steps

With the foundation established, the lab is ready for its intended purpose: safely running vulnerable systems, malware analysis, and security tool testing. Each activity can be properly contained within its designated network segment.

The real test will be deploying intentionally vulnerable VMs and attempting to break out of the network boundaries I've created. But that's a project for next weekend.

Key Takeaways

The main takeaways this weekend were learning more about networking loops and why they were crashing Proxmox. Turns out having all switch ports tagged with all VLANs creates some... interesting traffic patterns.

The most valuable insight I had this weekend came after the jump box implementation. Transitioning from unrestricted admin access to tight controls created immediate friction: longer authentication chains, additional connection steps, and increased complexity for routine tasks.

This friction accumulation helped me understand why organizations often implement risk acceptance strategies rather than comprehensive technical controls. The control effectiveness versus usability trade-off became tangible when I found myself considering weakening my password just to reduce daily friction.

This experience crystallized the GRC challenge: every security control introduces operational overhead that impacts business operations. Rather than maintain a knee-jerk stance of "implement all possible controls," I gained appreciation for the risk appetite decisions executives face when balancing security posture against operational efficiency.