Digital Footprints LLC · Home Lab · March 2026

Home Lab OS

Inventory Full device roster
| Device | Specs | OS | Connection | Status |
|---|---|---|---|---|
| Duncan (Windows desktop) | Ryzen 7 3700X · 80 GB · RX 5700 XT · 6.37 TB | Win 10 Home 22H2 | wired + WiFi | active |
| Dominic (Dell home lab server) | Dell server specs TBD | TBD | wired | active |
| Walter (MSI GP66 Leopard 10UG) | i7-10875H · 32 GB · 8 GB GPU · 954 GB | Win 11 Pro 25H2 | wired + WiFi | on WiFi now |
| MacBook Air M4 (Dave's main machine) | Apple M4 · 13-inch · 2025 | macOS | WiFi | active |
| iPad Pro M4 (David's iPad) | Apple M4 · 11-inch · 2024 | iPadOS | WiFi | active |
| Juan (Microsoft Surface Pro 9) | i7-1255U · 16 GB · 238 GB | Windows (TBD) | WiFi | active |
| Bambu A1 (3D printer) | Bambu Lab A1 | Bambu firmware | WiFi | active |
| Bambu A1 Mini x2 (3D printers) | Bambu Lab A1 Mini (x2) | Bambu firmware | WiFi | active |
| HP EliteBook 840 G3 (Backup laptop) | Intel 6th gen · legacy | TBD | wired + WiFi | occasional |
| Samsung SM-T113 (Android tablet) | Samsung Galaxy Tab | Android | WiFi | occasional |
| Ignacio (iPad Pro 11 2nd gen) | 128 GB · Tom's Apple ID | iPadOS 18.3.2 | WiFi | spare |
| Raspberry Pi 4 (Network services) | Pi 4 Model B | Pi OS Lite (planned) | TBD | pending |
| Raspberry Pi 3 (Display / misc) | Pi 3 Model B | Pi OS (planned) | TBD | pending |
| Katana #1 + #2 (MSI Katana laptops) | RTX 4060 x2 | TBD | away | staged |
| eero WiFi 7 x2 (AP + mesh node) | eero WiFi 7 | eero OS | staged | staged |
Diagram Network topology
Legend: Wired · Wireless · Pending · Staged · Occasional
FIOS Router: Gateway / WAN
TP-Link TL-SG108E: 8-port managed switch
Wired
  • Duncan: Ryzen 7 / RX 5700 XT
  • Dominic: Dell server / Home lab
  • Walter (GP66): i7-10875H · docked, on WiFi now
  • HP EliteBook 840 G3: Backup · occasional
Wireless
  • MacBook Air M4: Dave's main machine
  • iPad Pro M4: David's iPad
  • Juan (Surface Pro 9): i7-1255U · WiFi only
  • Bambu A1 + Mini x2: 3D printers
  • Samsung SM-T113: HA remote · occasional
  • Ignacio (iPad Pro 11): 2nd gen · spare
Pending / staged
  • Raspberry Pi 3: display / misc · TBD
  • Raspberry Pi 4: PiHole / HA · TBD
  • Katana x2: RTX 4060 · away
  • eero WiFi 7 x2: AP + node · staged
Blockers Current blockers
Must resolve before Phase 1
  • Ethernet cables not yet run from switch to Duncan, Dominic, Walter
  • DaveLLM LAN IPs not configured — blocks cluster deployment
  • Tailscale not installed on any device here yet
  • eero units staged but not deployed
  • Katana x2 still away — blocks full DaveLLM cluster
Roles Proposed device role assignments
| Device | Proposed roles | Notes |
|---|---|---|
| Duncan | DaveLLM node, dev workstation | RX 5700 XT usable for Ollama via ROCm on Linux. 80 GB RAM is a big asset. |
| Dominic | Home Assistant, NAS, Docker, Plex | Always-on server. Natural home for HA, Plex, Nextcloud, PiHole fallback. |
| Walter | DaveLLM node, dev / testing | Permanently docked. Battery issues make it a de facto desktop. |
| Pi 4 | PiHole + DNS, Tailscale relay | Dedicated lightweight always-on node. Best fit for network-level DNS. |
| Pi 3 | HA display, monitor / misc | Lower power. Good match for kiosk dashboard display role. |
| Katana x2 | DaveLLM nodes | RTX 4060 x2 are the cluster's GPU backbone. Worth waiting for before locking config. |
| MacBook Air M4 | primary dev, Tailscale client | Main daily driver. Tailscale for remote access on gigs. |
Phase 1–2 Physical foundation + network services
01
Physical foundation
Run the cables, get wired devices hardwired. Everything else depends on this being stable.
  • Run ethernet from switch to Duncan, Dominic, Walter
  • Assign static IPs / DHCP reservations by MAC on FIOS router
  • Verify switch port assignments, label them
  • Deploy eero units — decide bridge mode vs double NAT
  • Test WiFi coverage across the space
02
Network services layer
PiHole on Pi 4 for DNS and ad blocking. Clean hostname resolution across the LAN.
  • Install Pi OS Lite on Pi 4, harden SSH
  • Deploy PiHole, set as primary DNS on FIOS router / eero
  • Add local DNS records for all named devices (duncan.local, dominic.local…)
  • Set DHCP reservations for Pi 3 and Pi 4
  • Configure Pi 3 for kiosk mode HA display (optional at this stage)
Phase 3–4 Remote access + Home Assistant
03
Remote access via Tailscale
Tailscale mesh across all key devices. Unlocks remote access from gigs and the shared dev server with your colleague.
  • Install Tailscale on Duncan, Dominic, Walter, MacBook Air, Juan
  • Install Tailscale on Pi 4 — designate as subnet router (exposes full LAN)
  • Enable MagicDNS so hostnames resolve over Tailscale
  • Invite remote colleague to tailnet via ACL tag
  • Configure tag:devserver ACL — colleague reaches Dominic only
  • Test remote access to Dominic from phone on LTE
04
Home Assistant + smart home
Deploy HA on Dominic as the permanent always-on host. Migrate or rebuild config from the old setup.
  • Install HA Container on Dominic via Docker
  • Restore or rebuild dashboards and automations
  • Connect SM-T113 as wall-mounted dashboard via Fully Kiosk
  • Set up Pi 3 as secondary display if SM-T113 gets a permanent spot
  • Expose HA externally via Nabu Casa or Tailscale (no port forwarding)
Phase 5–6 DaveLLM cluster + self-hosted services
05
DaveLLM cluster
Stand up Ollama cluster once LAN IPs are locked and Katanas are back. Duncan + Walter can run as interim 2-node cluster now.
  • Assign LAN IPs for Walter and Duncan as Phase 1 nodes
  • Install Ollama on Duncan and Walter, test local model serving
  • Configure DaveLLM Router on localhost:8000 to balance across nodes
  • Add Katana x2 as GPU nodes when back (RTX 4060 x2 as primary inference)
  • Enable ROCm on Duncan's RX 5700 XT for AMD GPU inference (optional)
  • Expose cluster internally via Tailscale for MacBook Air access on the road
06
Self-hosted services on Dominic
Docker Compose stack on Dominic for Plex, Nextcloud, and anything else. NAS storage config.
  • Set up Docker + Portainer on Dominic for container management
  • Configure storage volumes mapped to Dominic's drives
  • Deploy Plex Media Server with library on NAS storage
  • Deploy Nextcloud for file sync across devices
  • Set up Nginx Proxy Manager for internal reverse proxy and SSL
  • Back up critical containers to offsite (Backblaze B2 or similar)
Phase 7 Network segmentation
07
VLAN segmentation
Separate IoT devices from the main LAN. Requires a VLAN-aware gateway (pfSense/OPNsense on Dominic or a dedicated mini router).
  • Deploy pfSense or OPNsense VM on Dominic as VLAN-aware gateway
  • Configure 802.1Q VLANs on TL-SG108E (servers, main, IoT, mgmt)
  • Create IoT VLAN for Bambu printers, SM-T113, smart home gear
  • Firewall: IoT can reach HA on Dominic but not main LAN devices
  • Move Bambu printers to IoT segment, verify Bambu Handy app still works
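An added example, not part of the original plan and not pfSense or OPNsense configuration: a Python model of a top-down, first-match rule list for the IoT interface, using the addresses from the target subnet layout, to check the "IoT reaches HA on Dominic only" policy and show what rule ordering does to it. The rule set, the test flows, port 8123 (Home Assistant's default web port), DNS to the Pi 4 and the address 203.0.113.7 are assumptions; protocol (TCP/UDP) is ignored.

```python
import ipaddress

IOT = "192.168.20.0/24"          # VLAN 20 from the target layout
DOMINIC = "192.168.1.10/32"      # HA host
PIHOLE = "192.168.30.10/32"      # Pi 4, DNS
HA_PORT, DNS_PORT = 8123, 53     # 8123 is HA's default web port (assumed here)
PRIVATE = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# Constructed rules for the IoT interface: (action, source, destination, port).
# A port of None matches any port.
IOT_RULES = [
    ("pass", IOT, DOMINIC, HA_PORT),                    # IoT -> HA only
    ("pass", IOT, PIHOLE, DNS_PORT),                    # IoT -> PiHole DNS
    *[("block", IOT, net, None) for net in PRIVATE],    # no other internal hosts
    ("pass", IOT, "0.0.0.0/0", None),                   # internet, vendor cloud
]

def decide(rules, src, dst, port):
    """Return the action of the first matching rule; unmatched traffic is blocked."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, rule_port in rules:
        if (src_ip in ipaddress.ip_network(src_net)
                and dst_ip in ipaddress.ip_network(dst_net)
                and rule_port in (None, port)):
            return action
    return "block"

def check(rules):
    """Evaluate the flows the plan cares about from the HA tablet (192.168.20.20)."""
    tablet = "192.168.20.20"
    return {
        "ha_dashboard": decide(rules, tablet, "192.168.1.10", HA_PORT),
        "dominic_ssh": decide(rules, tablet, "192.168.1.10", 22),
        "macbook_smb": decide(rules, tablet, "192.168.10.10", 445),
        "dns": decide(rules, tablet, "192.168.30.10", DNS_PORT),
        "internet": decide(rules, tablet, "203.0.113.7", 443),
    }

# Same rules with the private-range blocks moved to the top: HA and DNS break.
MISORDERED = IOT_RULES[2:5] + IOT_RULES[:2] + IOT_RULES[5:]

if __name__ == "__main__":
    print(check(IOT_RULES))
    print(check(MISORDERED))
```

With the intended order only the HA dashboard, DNS and internet flows pass; with the block rules first, the tablet loses HA and DNS while internet access still works, which is the symptom to look for if the dashboard goes blank after the move to VLAN 20.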
Brainstorm Configuration decisions
eero: bridge mode vs double NAT

Bridge mode turns off eero's router functions, letting FIOS handle DHCP and routing. Double NAT keeps both active but complicates port forwarding and some VPN setups.

  • Bridge mode is cleaner for Tailscale subnet routing
  • Single DHCP server avoids IP conflicts
  • Some FIOS routers resist true bridge mode, may need DMZ workaround
  • FIOS router WiFi should be disabled if eero takes over
HA host: Dominic Docker vs dedicated Pi

Running HA in Docker on Dominic gives more resources and keeps everything centralized. A dedicated Pi 4 is the "official" HA approach but splits your always-on footprint.

  • Dominic Docker: easier backups, more RAM headroom
  • Pi 4 dedicated: HA restarts don't affect other services
  • Docker HA loses some add-ons vs HA OS install
  • Pi 4 means two always-on devices drawing power
Tailscale: shared tailnet vs ACL scoped

Inviting your colleague to your tailnet is simple but gives them visibility into all devices. A tagged ACL policy scopes their access to just the dev server.

  • ACL tags are the right call for a work colleague
  • tag:devserver — colleague can only reach Dominic:port
  • Requires Tailscale ACL JSON editing (not hard but manual)
  • Free plan: 3 users, 100 devices max
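An added example, not part of the original plan and not a Tailscale tool: a Python lint over a tailnet policy written in Tailscale's ACL format (`acls`, `src`, `dst` as `host:ports`), covering both the Phase 3 steps and the scoping decision above by flagging any rule that lets the colleague reach more than `tag:devserver` on named ports. The logins, port 22 and both sample policies are constructed; 192.168.1.0/24 is the route the plan has the Pi 4 advertise, and the check is a heuristic over rule text, not a full policy evaluator.

```python
import ipaddress

OWNER, COLLEAGUE = "dave@example.com", "colleague@example.com"  # constructed logins
DEV_TAG = "tag:devserver"              # tag from the plan, applied to Dominic
LAN_ROUTE = ipaddress.ip_network("192.168.1.0/24")   # route the Pi 4 advertises
BROAD_SRC = {"*", "autogroup:member"}  # sources that also match an invited user

def audit(policy, user=COLLEAGUE):
    """List (rule index, dst, reason) for each grant wider than DEV_TAG:port."""
    findings = []
    groups = policy.get("groups", {})
    for i, rule in enumerate(policy.get("acls", [])):
        srcs = set(rule.get("src", []))
        via_group = any(user in groups.get(s, []) for s in srcs)
        if not (user in srcs or via_group or srcs & BROAD_SRC):
            continue                        # rule never matches the colleague
        for dst in rule.get("dst", []):
            host, _, ports = dst.rpartition(":")    # tag names contain ':' too
            if host == DEV_TAG and ports != "*":
                continue                    # scoped as intended
            if host == DEV_TAG:
                reason = "every port on the dev server"
            elif host == "*":
                reason = "any destination, advertised routes included"
            else:
                try:
                    hit = ipaddress.ip_network(host, strict=False).overlaps(LAN_ROUTE)
                    reason = "overlaps the LAN route" if hit else "extra network"
                except ValueError:          # host alias, group, other tag
                    reason = "destination other than " + DEV_TAG
            findings.append((i, dst, reason))
    return findings

SCOPED = {  # constructed policy: colleague gets SSH on Dominic, nothing else
    "tagOwners": {DEV_TAG: [OWNER]},
    "acls": [
        {"action": "accept", "src": [OWNER], "dst": ["*:*"]},
        {"action": "accept", "src": [COLLEAGUE], "dst": [DEV_TAG + ":22"]},
    ],
}
LOOSE = {   # constructed policy: allow-all rule plus a grant on the LAN route
    "acls": [
        {"action": "accept", "src": ["*"], "dst": ["*:*"]},
        {"action": "accept", "src": [COLLEAGUE], "dst": ["192.168.1.0/24:*"]},
    ],
}

if __name__ == "__main__":
    print("scoped:", audit(SCOPED), "\nloose:", audit(LOOSE))
```

The `LOOSE` case matters once the Pi 4 is a subnet router: a wildcard or LAN-range destination hands the colleague the whole advertised subnet, not just Dominic.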
DaveLLM: ROCm on Duncan vs CPU only

The RX 5700 XT supports ROCm on Linux for GPU inference, but ROCm on Windows is limited. Duncan running Linux unlocks the GPU for Ollama inference.

  • RX 5700 XT has 8 GB VRAM, handles 7B models well
  • Dual boot preserves Windows for AV / video work
  • ROCm setup is more involved than CUDA
  • Windows 10 EOL already passed — Linux flip makes long-term sense
PiHole: Pi 4 dedicated vs Dominic Docker

PiHole on the Pi 4 means DNS stays up even if Dominic goes down for maintenance. Running it in Docker on Dominic consolidates everything but creates a DNS single point of failure.

  • Pi 4: DNS stays up during Dominic updates
  • Pi 4 uses ~3W, negligible running cost
  • Dominic Docker is simpler to manage with Portainer
  • Pi 4 more useful as Tailscale subnet router than DNS host
NAS: Dominic internal vs dedicated device

Dominic's internal drives can serve as NAS via Samba or Nextcloud. A dedicated NAS separates storage from compute but adds cost and another device.

  • Dominic internal is free and already on the network
  • Docker volumes map cleanly to Dominic's drive paths
  • If Dominic goes down, storage goes with it
  • No RAID redundancy unless Dominic has multiple drives
Note: VLANs require a managed switch and VLAN-capable router. The TP-Link TL-SG108E supports 802.1Q VLANs but the FIOS router and eero do not. Full segmentation requires pfSense/OPNsense on Dominic or a dedicated mini router. Treat this as the target layout — use flat 192.168.1.x until the gateway is upgraded.
Overview Subnet layout
  • VLAN 1 · Servers: 192.168.1.x
  • VLAN 10 · Main devices: 192.168.10.x
  • VLAN 20 · IoT: 192.168.20.x
  • VLAN 30 · Management: 192.168.30.x
  • Tailscale overlay: 100.x.x.x
  • DHCP pool (each VLAN): .100 – .199
  • Static / reserved: .10 – .49
  • Infrastructure: .2 – .9
VLAN 1 Servers / Infrastructure · 192.168.1.x
| IP | Device | Hostname | Connection | Roles |
|---|---|---|---|---|
| 192.168.1.1 | FIOS Router (Gateway / WAN) | gateway.local | wired | gateway, DHCP |
| 192.168.1.10 | Dominic (Dell home lab server) | dominic.local | wired | HA, NAS, Docker |
| 192.168.1.11 | Duncan (Ryzen 7 / RX 5700 XT) | duncan.local | wired + WiFi | DaveLLM, dev |
| 192.168.1.12 | Walter (MSI GP66 · docked) | walter.local | wired + WiFi | DaveLLM, dev |
| 192.168.1.13 | Katana #1 (RTX 4060 · away) | katana1.local | pending | DaveLLM |
| 192.168.1.14 | Katana #2 (RTX 4060 · away) | katana2.local | pending | DaveLLM |
VLAN 30 Management / Network · 192.168.30.x
| IP | Device | Hostname | Connection | Roles |
|---|---|---|---|---|
| 192.168.30.10 | Raspberry Pi 4 (Network services) | pi4.local | wired | PiHole, DNS, Tailscale relay |
| 192.168.30.11 | Raspberry Pi 3 (Display / misc) | pi3.local | TBD | HA display, monitor |
| 192.168.30.20 | eero #1 (Primary AP · staged) | eero-ap.local | staged | WiFi AP |
| 192.168.30.21 | eero #2 (Mesh node · staged) | eero-node.local | staged | WiFi node |
| 192.168.30.30 | TP-Link TL-SG108E (Managed switch) | switch.local | wired | switch mgmt |
VLAN 10 Main devices · 192.168.10.x
| IP | Device | Hostname | Connection | Roles |
|---|---|---|---|---|
| 192.168.10.10 | MacBook Air M4 (Dave's main machine) | daves-mba.local | WiFi | dev, Tailscale |
| 192.168.10.11 | iPad Pro M4 (David's iPad) | davids-ipad.local | WiFi | client |
| 192.168.10.12 | Juan (Surface Pro 9) | juan.local | WiFi | dev, client |
| 192.168.10.20 | HP EliteBook 840 G3 (Backup laptop) | elitebook.local | wired + WiFi | occasional |
| 192.168.10.21 | Ignacio (iPad Pro 11 2nd gen · spare) | ignacio.local | WiFi | spare |
VLAN 20 IoT / Peripherals · 192.168.20.x
| IP | Device | Hostname | Connection | Roles |
|---|---|---|---|---|
| 192.168.20.10 | Bambu A1 (3D printer) | bambu-a1.local | WiFi | IoT |
| 192.168.20.11 | Bambu A1 Mini #1 (3D printer) | bambu-mini-1.local | WiFi | IoT |
| 192.168.20.12 | Bambu A1 Mini #2 (3D printer) | bambu-mini-2.local | WiFi | IoT |
| 192.168.20.20 | Samsung SM-T113 (HA dashboard tablet) | ha-display.local | WiFi | HA display, IoT |
Overlay Tailscale mesh · 100.x.x.x
| Tailscale IP | Device | MagicDNS name | Notes |
|---|---|---|---|
| 100.x.x.1 | Pi 4 (Subnet router) | pi4.tailnet.ts.net | Advertises 192.168.1.0/24 to tailnet. Key node. |
| 100.x.x.2 | Dominic (Dev server / HA) | dominic.tailnet.ts.net | Accessible by colleague via ACL tag. |
| 100.x.x.3 | Duncan | duncan.tailnet.ts.net | DaveLLM access from road. |
| 100.x.x.4 | MacBook Air M4 | daves-mba.tailnet.ts.net | Primary roaming client. On gigs. |
| 100.x.x.5 | Walter | walter.tailnet.ts.net | DaveLLM node, reachable remotely. |
| 100.x.x.6 | Colleague node (ACL scoped) | colleague.tailnet.ts.net | tag:devserver ACL — Dominic only. |