How to Configure a DMZ in Your Homelab
A DMZ (demilitarized zone) is a key network security architecture. Learn how to design, configure, and manage a DMZ in your homelab to safely expose public services to the internet.
1. What Is a DMZ?
A **DMZ (DeMilitarized Zone)** is a network segment that sits between your home network and the public internet. It is a buffer zone: services in the DMZ are reachable from the internet, but they are isolated from your internal LAN and Homelab.
The key security principle: **a compromised DMZ service should not be able to reach your internal network**. A DMZ does not make the exposed service harder to break into; it limits what an attacker gains by breaking in. If the firewall rules between the segments are right, an attacker who takes over a DMZ host is contained there and cannot pivot to your NAS, personal files, or Homelab infrastructure. If those rules are missing or too broad, the "DMZ" is just another VLAN.
2. Why Use a DMZ in a Homelab?
If you expose any service to the internet — even behind HTTPS — you should use a DMZ. Here's why:
🔒 Containment
A compromised DMZ service is isolated from your internal network by the firewall policy, so the attacker cannot reach your NAS, personal devices, or Homelab management interfaces.
🛡️ Layered defense
Even if one layer is breached, the DMZ prevents lateral movement into your most sensitive systems.
📊 Visibility
DMZ traffic is clearly separated from internal traffic, making it easier to monitor and detect suspicious activity.
⚖️ Balanced access
DMZ lets you expose services publicly while maintaining isolation. You get the best of both worlds: accessible services and security.
3. DMZ Architecture for a Homelab
The standard layered architecture for a Homelab DMZ has four segments. Traffic is allowed only in the directions listed; everything else is denied:
| Segment | Network | Purpose | Allowed flows |
|---|---|---|---|
| 1 — WAN | Internet | Public side of your router | Internet → DMZ, only on the published ports |
| 2 — DMZ (VLAN 60) | 192.168.60.0/24 | Public-facing services | DMZ → Internet (updates, DNS); DMZ → Homelab only from the reverse proxy to named backends via an explicit firewall rule |
| 3 — Homelab (VLAN 30) | 192.168.30.0/24 | Private services | Homelab → DMZ and Internet; nothing initiated from the DMZ except the reverse-proxy rule |
| 4 — Main LAN (VLAN 20) | 192.168.20.0/24 | Personal devices | LAN → Homelab and DMZ as you allow; nothing initiated toward the LAN from the DMZ or Homelab by default |
4. What Services Belong in the DMZ?
Only services that need to be accessed from the public internet belong in the DMZ. Everything else stays in your Homelab VLAN:
| Service | Place in DMZ? | Reason |
|---|---|---|
| Nginx Proxy Manager / Traefik | ✅ Yes (always) | Terminates HTTPS for all public services |
| VPN Server (WireGuard) | ✅ Yes | Its UDP listener must be reachable from the internet; what tunnel clients may reach inside is then governed by explicit firewall rules, not by the DMZ placement |
| Public blog or website | ✅ Yes | Must be accessible from internet |
| Home Assistant | ❌ No | Access via VPN or Tailscale only |
| NAS (TrueNAS, Unraid) | ❌ No | Never expose directly to internet |
| Pi-hole | ❌ No | Internal DNS only |
| Proxmox management | ❌ No | Access via VPN + management VLAN only |
| Jellyfin / Plex | ❌ No | Use Tailscale or VPN for remote access |
| Gitea / private Git | ⚠️ Optional | Yes if public; no if private |
5. How to Set Up a DMZ (Three Methods)
There are several ways to implement a DMZ in a Homelab, from simplest to most sophisticated:
Method A: VLAN + Firewall (Recommended)
Create a DMZ VLAN (e.g., VLAN 60) on your managed switch. Configure your router/firewall to: (1) Forward public ports to DMZ IPs, (2) Block all DMZ → internal traffic by default. This is the cleanest and most flexible approach.
Method B: Separate physical DMZ machine
Use a dedicated low-power machine as your DMZ host, connected to your router on one NIC and to your internal switch on another. This separates the links physically, but it also makes the DMZ host itself the trust boundary: a compromised host with a second NIC on the internal switch has a direct path inward unless IP forwarding is disabled and the host's own firewall blocks that traffic. Physical separation is only stronger than VLANs if that host is hardened and audited the way you would a firewall.
Method C: Docker network isolation
If everything runs in Docker, put the public-facing containers on a separate Docker network and publish only the reverse proxy's ports on the host. The other containers sit on an internal Docker network that is unreachable from outside. This is the weakest isolation of the three methods: every container shares the host's kernel, so a container escape or an accidentally published port defeats it.
Configure port forwarding to DMZ
In your router, forward public ports to DMZ IPs — not to Homelab VLAN IPs.
```text
# Correct forwarding — to DMZ reverse proxy:
External: 443 → 192.168.60.10:443 (Nginx Proxy Manager in DMZ)
# Wrong forwarding — directly to internal service:
External: 443 → 192.168.30.100:443 (Home Assistant in Homelab VLAN) ← Never do this
```
6. DMZ Firewall Rules — The Most Important Part
The DMZ is only as secure as its firewall rules. Default deny is the foundation:
Block all DMZ → Internal by default
This is the most critical rule. No service in the DMZ should be able to reach your Homelab VLAN or Main LAN without an explicit rule.
Allow DMZ → Internet (for updates)
DMZ services need internet access for updates, DNS and NTP. Allow outbound connections from the DMZ to the internet, but keep the rule narrow: match only destinations outside your private address ranges, so it can never double as a path into an internal VLAN, and only the protocols the hosts actually need. An unrestricted outbound rule is also a ready-made command-and-control channel for a compromised DMZ host.
Allow reverse proxy → Homelab (explicit)
Your reverse proxy (Nginx Proxy Manager) in the DMZ needs to forward requests to web services in your Homelab VLAN. Create a specific rule: source is the NPM address only, destination is the specific backend IPs only, ports 80/443 only. Never allow the whole DMZ subnet, and never let this rule cover SSH or management ports.
Log and monitor DMZ traffic
Set up logging on the DMZ deny rules at least, and review the logs weekly. Any DMZ → internal attempt that hits the deny rule is a major red flag: nothing legitimate in the DMZ has a reason to probe inward.
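Method A from section 5 and the four rules of section 6 put together as one nftables policy for a Linux router, as an added example rather than configuration from the original article. It assumes the router runs Linux with nftables, that the WAN interface is eth0 and the VLANs are the sub-interfaces eth1.60, eth1.30 and eth1.20 (all assumed names), that NPM sits at 192.168.60.10 and Home Assistant at 192.168.30.100 as on the page, and that a WireGuard host sits at 192.168.60.20 (an assumed address) on WireGuard's default UDP port 51820. The script prints the ruleset for review by default and only loads it when run with --apply.

```shell
#!/bin/sh
# Added example (not from the original article): an nftables policy for a
# Linux router that implements the DMZ rules from sections 5 and 6.
# Interface names and the WireGuard host address are assumptions; change
# them to match your hardware.
set -eu

WAN_IF="${WAN_IF:-eth0}"               # assumed: internet-facing interface
DMZ_IF="${DMZ_IF:-eth1.60}"            # assumed: VLAN 60 sub-interface (192.168.60.0/24)
LAB_IF="${LAB_IF:-eth1.30}"            # assumed: VLAN 30 sub-interface (192.168.30.0/24)
LAN_IF="${LAN_IF:-eth1.20}"            # assumed: VLAN 20 sub-interface (192.168.20.0/24)
NPM_IP="${NPM_IP:-192.168.60.10}"      # reverse proxy address used on the page
WG_IP="${WG_IP:-192.168.60.20}"        # assumed address of the WireGuard host
BACKENDS="${BACKENDS:-192.168.30.100}" # Homelab backends NPM may reach (Home Assistant, as on the page)

# Emit the ruleset as text so it can be reviewed or diffed before it is loaded.
# Only the forward path between segments is covered; the router's own input
# chain is left to whatever policy already protects it.
dmz_ruleset() {
cat <<EOF
#!/usr/sbin/nft -f
# Declaring and deleting the table first makes re-applying idempotent.
table inet dmz
delete table inet dmz
table inet dmz {
  chain forward {
    type filter hook forward priority filter; policy drop;

    ct state established,related accept
    ct state invalid drop

    # Internet -> DMZ: only the published ports, only to the hosts that serve them
    iifname "$WAN_IF" oifname "$DMZ_IF" ip daddr $NPM_IP tcp dport { 80, 443 } accept
    iifname "$WAN_IF" oifname "$DMZ_IF" ip daddr $WG_IP udp dport 51820 accept

    # DMZ -> Internet: updates, DNS, NTP (IPv4 only). Excluding private ranges
    # means this rule can never match a path into the internal VLANs.
    iifname "$DMZ_IF" oifname "$WAN_IF" ip daddr != { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } tcp dport { 53, 80, 443 } accept
    iifname "$DMZ_IF" oifname "$WAN_IF" ip daddr != { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } udp dport { 53, 123 } accept

    # Reverse proxy -> named Homelab backends only: not the whole VLAN, no SSH,
    # no management ports. Traffic from WireGuard clients toward the Homelab
    # VLAN needs its own explicit rule here; until you add one it is logged
    # and dropped by the rule below.
    iifname "$DMZ_IF" oifname "$LAB_IF" ip saddr $NPM_IP ip daddr { $BACKENDS } tcp dport { 80, 443 } accept

    # Anything else from the DMZ toward internal segments: log, count, drop
    iifname "$DMZ_IF" oifname { "$LAB_IF", "$LAN_IF" } log prefix "DMZ-TO-INTERNAL-BLOCKED " counter drop

    # Internal segments may initiate toward the DMZ (administration) and the
    # internet. Policy between Homelab and Main LAN is outside this example.
    iifname { "$LAB_IF", "$LAN_IF" } oifname { "$DMZ_IF", "$WAN_IF" } accept
  }

  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    # Publish HTTPS (and HTTP for ACME challenges and redirects) on the reverse
    # proxy and WireGuard on its host. Nothing is ever forwarded to VLAN 30.
    iifname "$WAN_IF" tcp dport { 80, 443 } dnat ip to $NPM_IP
    iifname "$WAN_IF" udp dport 51820 dnat ip to $WG_IP
  }

  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    oifname "$WAN_IF" masquerade
  }
}
EOF
}

case "${1:-}" in
  --apply)
    dmz_ruleset | nft -c -f -   # parse and check first; aborts on a syntax error
    dmz_ruleset | nft -f -
    ;;
  *)
    dmz_ruleset                 # print for review, e.g. sh dmz-firewall.sh > dmz.nft
    ;;
esac
```

Blocked attempts show up in the kernel log with the prefix above (`journalctl -k | grep DMZ-TO-INTERNAL-BLOCKED`), and `nft list table inet dmz` shows the live counter on the drop rule, which should stay at zero on a healthy DMZ. DNAT runs before the forward chain, so the forward rules match on the translated DMZ addresses, which is why the Internet → DMZ accept rules name 192.168.60.x rather than the public IP.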
Frequently Asked Questions
What is the difference between a DMZ and a VLAN?
A VLAN is a network segmentation technology (how you split a network). A DMZ is an architectural concept (why you split it — to isolate public services). In a Homelab, you use VLANs to implement a DMZ: you create a DMZ VLAN and apply specific firewall rules to it.
Can I use a single machine for both DMZ and Homelab?
Yes — if you run everything in Docker, you can use separate Docker networks to create a logical DMZ. Your NPM container is attached to both the "dmz-net" and "homelab-net" Docker networks, while internal services are only on "homelab-net". Docker's bridge isolation keeps the two networks apart, so the only path between them is the one container deliberately attached to both, NPM, and it can only reach the backends it is configured to proxy. Bear in mind that all of these containers share one kernel, so this is weaker than a separate VLAN or machine.
Is a DMZ necessary if I use HTTPS everywhere?
HTTPS protects data in transit, but it doesn't prevent exploitation of vulnerabilities. If a web service has a vulnerability, an attacker who compromises it still needs to be contained. Without a DMZ, they have direct access to your internal network. A DMZ is defense in depth — HTTPS is just the first layer.
What is the difference between DMZ and port forwarding directly to a service?
Direct port forwarding exposes that specific service directly to the internet. If it's compromised, the attacker is on your internal network. A DMZ adds a buffer zone — the service is publicly accessible, but it's isolated from everything else. Always use a DMZ (or at minimum a reverse proxy) for any exposed service.
How do I test my DMZ configuration?
From an external device (LTE/5G): (1) Verify you can reach your public services (website, VPN). (2) Try to reach internal services (NAS, Home Assistant) directly; they should be unreachable. Use nmap or an online port scanner from outside to confirm that only the expected ports are open. (3) Test from the inside out as well: from a shell on a DMZ host, attempt a connection to a Homelab or LAN address that no rule explicitly allows. It should time out, and the attempt should appear in your firewall's deny log.
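The external check in step (2), scripted so it can be repeated after every firewall change, as an added example that is not part of the original article. It reads nmap's grepable output (-oG) and compares the ports that answer against the list a DMZ is supposed to publish; the expected list (HTTPS on the reverse proxy, WireGuard on its default UDP port 51820) and the public address 203.0.113.10 in the two embedded sample scans are constructed for the example, and the "bad" sample additionally shows SSH and Home Assistant's default port 8123 answering from the internet, which is what a forward pointing straight into the Homelab VLAN looks like from outside.

```shell
#!/bin/sh
# Added example (not from the original article): compare an external nmap
# scan of your public IP with the ports the DMZ is meant to publish. The only
# ports that should answer from the internet are the ones forwarded into the
# DMZ; anything else open means a forward or firewall rule is wrong.
set -eu

# "port/proto" pairs the DMZ is meant to expose (HTTPS on the reverse proxy,
# WireGuard on its default UDP port). Adjust to your own forwards.
EXPECTED_OPEN="${EXPECTED_OPEN:-443/tcp 51820/udp}"

# Read nmap grepable output (-oG) on stdin and print one "port/proto" per
# exposed port. WireGuard ignores unauthenticated packets, so nmap reports its
# UDP port as open|filtered; that state counts as exposed here.
open_ports_from_grepable() {
  awk -F'\t' '
    /^Host:/ {
      for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) {
        sub(/^Ports: /, "", $i)
        n = split($i, entries, /, /)
        for (j = 1; j <= n; j++) {
          # entry format: port/state/proto/owner/service/rpc_info/version/
          split(entries[j], f, "/")
          if (f[2] == "open" || f[2] == "open|filtered") print f[1] "/" f[3]
        }
      }
    }'
}

# Compare the scan on stdin with EXPECTED_OPEN. Prints one line per deviation
# and returns 0 only when the exposed surface matches exactly.
check_surface() {
  found=$(open_ports_from_grepable | tr '\n' ' ')
  rc=0
  for port in $found; do
    case " $EXPECTED_OPEN " in
      *" $port "*) ;;
      *) echo "UNEXPECTED open port: $port (only the DMZ forwards should answer)"; rc=1 ;;
    esac
  done
  for port in $EXPECTED_OPEN; do
    case " $found " in
      *" $port "*) ;;
      *) echo "MISSING expected port: $port (forward missing or DMZ service down)"; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed sample scans; 203.0.113.10 is a documentation address, not a
# real host. The first is what a correct DMZ looks like from outside. The
# second also shows SSH and Home Assistant's default port 8123 answering.
sample_scan_ok() {
  printf 'Host: 203.0.113.10 ()\tStatus: Up\n'
  printf 'Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https///, 51820/open|filtered/udp/////\tIgnored State: filtered (999)\n'
}
sample_scan_bad() {
  printf 'Host: 203.0.113.10 ()\tStatus: Up\n'
  printf 'Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8123/open/tcp//http///, 51820/open|filtered/udp/////\tIgnored State: filtered (997)\n'
}

# Real use, from a device outside your network (LTE/5G); SYN and UDP scans need root:
#   sudo nmap -Pn -sS -sU -p T:22,80,443,8123,U:51820 -oG - <public-ip> | sh verify_dmz.sh --check
case "${1:-}" in
  --check) check_surface ;;
  --demo)  sample_scan_bad | check_surface || echo "demo: exposed surface does not match" ;;
esac
```

Run it with --check after every firewall or port-forward change and keep the expected list in version control next to your firewall rules; a MISSING line is as informative as an UNEXPECTED one, since it usually means the forward or the DMZ service itself is down rather than that the firewall got stricter.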