The Homelab

A production-style detection lab I designed, built, and operate end to end — from flashing the router firmware to writing the Splunk field extractions. Everything here is real, running, and documented in the lab writeups below.

Homelab hardware: Dell OptiPlex 7070 SFF running Proxmox VE, Netgear R6220 running OpenWrt, and TP-Link RE750C WAN uplink
Proxmox VE host — OptiPlex 7070 SFF
WAN uplink — TP-Link RE750C
OpenWrt router — Netgear R6220

FIG A — Dell OptiPlex 7070 SFF (i7-9700 · 32GB RAM · 512GB NVMe), Netgear R6220 on OpenWrt, TP-Link RE750C wireless WAN uplink

FIG B — Lab Topology (Live)
INTERNET TP-Link RE750C · WAN uplink wireless → ethernet · 10.0.0.231/24 Netgear R6220 · OpenWrt 25.12 LAN gateway · 192.168.1.1 Proxmox VE · Dell OptiPlex 7070 SFF i7-9700 · 8C · 32GB RAM · 512GB NVMe Pi-hole · LXC CT100 DNS filtering · 192.168.1.4 Splunk Enterprise · VM101 SIEM · 192.168.1.50 Pi-hole DNS logs → syslog-ng → UDP 515 · sourcetype=pihole OpenWrt syslog → UDP 514 Remote access Tailscale subnet routing Cloudflare Zero Trust

This lab exists to close the gap between “read about it” and “ran it in production.” I use it for hands-on cybersecurity learning and testing: log pipeline engineering and SIEM dashboard development in Splunk, DNS-layer monitoring and filtering with Pi-hole, networking practice on OpenWrt (VLANs, firewall rules, packet capture), virtualization and resource management on Proxmox VE, vulnerability assessment, identity and access practice, and secure remote access design with Tailscale subnet routing and Cloudflare Zero Trust.

Two log pipelines currently feed the SIEM: OpenWrt router syslog arrives over UDP 514 (sourcetype=syslog), and Pi-hole DNS query logs are tailed by syslog-ng and shipped over UDP 515 (sourcetype=pihole) — both into index=home. On top of that data I build field extractions, detection searches, and dashboards the same way I would tune a production SIEM.

The roadmap keeps the lab growing: a second Pi-hole container for DNS high availability, NetFlow export from OpenWrt via softflowd, and network IDS with Suricata are next. Each completed stage becomes a full writeup below — objective, architecture, configuration, findings, and what I’d improve.

Detection Engineering

Building a Home SIEM: Pi-hole → Splunk DNS Log Pipeline

Shipping every DNS query on my network into Splunk over syslog, extracting fields with regex, and building a DNS telemetry dashboard — blocked vs. allowed activity, top domains, and per-client query patterns.

SplunkPi-holesyslog-ngregexSPL
Virtualization & Infrastructure

Proxmox VE Homelab Build: One Box, a Whole Security Stack

Turning a $150 Dell OptiPlex 7070 SFF into a virtualization host running the whole detection stack — Pi-hole in a lightweight LXC container, Splunk Enterprise in a full VM, with headroom for what’s next.

Proxmox VELXCKVMDebianLinux
Networking & Firmware

Flashing OpenWrt on a Netgear R6220 — via Telnet, When the Web UI Says No

Netgear’s stock firmware blocked the normal OpenWrt install path, so I flashed it the hard way: unlocking the hidden Telnet console and writing the squashfs kernel and rootfs images directly to the flash partitions with mtd_write.

OpenWrtTelnetmtd_writeNetgear R6220Linux
Zero Trust & Remote Access

Secure Remote Access: Tailscale Subnet Routing + Cloudflare Zero Trust

Two complementary paths into the lab with zero inbound ports: a WireGuard-based Tailscale overlay that routes the whole lab subnet, and Cloudflare Tunnel + Access for identity-verified, browser-only access to individual dashboards.

TailscaleWireGuardCloudflare TunnelZero TrustProxmox
Security Tooling & AI

Phishing Email Prediction Using AI — Cybersecurity Capstone

My Lewis University capstone: an end-to-end phishing analysis system that parses raw emails, enriches them with VirusTotal threat intelligence, and applies LLM-based contextual risk scoring — with analyst-readable justifications in a Streamlit SOC dashboard.

PythonStreamlitGoogle GeminiVirusTotal APIEmail Forensics