Synology

None of my services are available outside my house without first logging into the fortigate SSL VPN. That is the only open port I have.

The SSL VPN uses a loopback interface so only IPs from the US can access it, and I have strong auto block enabled and I add IPs of systems that try brute forcing into the box so they get blocked

I did forget to mention that I use cloud flair already for the exact reason you mentioned so my home IP is not used.

I also have a domain name with valid wildcard certificate. The domain is used to access the SSL VPN and I also then use the cert within my entire homelab so I have everything encrypted

I was not a fan of PF sense, the fortigate has more security features that I wanted

True, and 100% agree except I forgot to mention

1.) The fortigate has a known list of botnet command and control servers that are blocked 2.) I only allow them to access their home server domain names for the only purpose of allowing for firmware updates. They are not capable of accessing any other domains or IPs

https://grafana.com/grafana/dashboards/893-main/

this would allow you to log the network usage per docker container, and you can then use grafana’s integration function to get total data sent/recieved over a period of time.

this was just using a quick google search

I use my fortigate router as it logs everything natively. Logs DNS request, outbound traffic, internal lan local traffic, and so much more

i recommend not using the cloud at all. go 100% local. you have no idea if the cloud provider is actually properly protecting your stuff, and you are beholden to them continuing their cloud services.
in that regard, it will be more work to be able to access your video outside of your house.
if you get a NAS, there are plenty of NVR software available
https://www.reddit.com/r/selfhosted/comments/zydzyx/best\_free\_affordable\_nvr\_software\_i\_have\_tried\_a/
i personally use synology surveillance station since i already have synology systems.
to ensure security, the cameras should be placed on a dedicated network with no internet access. this is easy since you will already need a POE switch, so the only devices connected to the POE switch are the cameras and the NVR. no higher security (from the camera point of view) than that. then you just need to ensure the NVR is secure.
going to store bought route from Hickvision or others for example, they have horrible security so going with a Linux (or windows if you want to use Blue Iris) machines with the proper security in place is a good bet.

1. strict 3-2-1 backup policy
2. VLANs. all VLANs are controlled by my Fortigate FWF-61E (soon to be replaced by a FG-91G). the VLANs have strict access permissions on a per-device basis on what they can and cannot access.
   1. CORE network where the NAS live
      1. only specific devices can access this VLAN, and most only have access to the SMB ports for data access. even fewer devices have access to the NAS management ports
      2. this network has restrictions on how is accesses the internet
      3. I have strict IPS, web-filtering, DNS filtering, network level fortigate AV, deep SSL inspection, and intrusion protection activities
      4. everything is logged, any and all incoming and outgoing connections both to/from the internet but also any LAN based local communications.
   2. Guest wifi
      1. can ONLY access the internet
      2. has very restrictive web and DNS filtering
      3. I have strict IPS, web-filtering, DNS filtering, network level fortigate AV, basic SSL inspection, and intrusion protection activities
   3. APC Network Management Cards
      1. can ONLY access my SMTP2GO email client so it can send email notifications
      2. it does have some access to the CORE network (NTP, SYSLOG, SNMP)
      3. very select few devices can access the management ports of these cards
      4. I have strict IPS, web-filtering, DNS filtering, network level fortigate AV, basic SSL inspection, and intrusion protection activities
   4. Ethernet Switch / WIFI-AP management
      1. 1. very select few devices can access the management ports of the switches
      2. ZERO internet access allowed
   5. ROKUs
      1. restrictive web and DNS filtering to prevent ads and tracking. Love seeing the space where ads SHOULD be and seeing a blank box.
      2. can access ONLY the IP of my PLEX server on the CORE network, on ONLY the PLEX port for the services PLEX requires.
   6. IoT devices
      1. Internet access ONLY except for a few devices like my IoTaWatt that needs CORE network access to my NAS on ONLY the port required for InfluxDB logging.
   7. Wife’s computer
      1. because of HIPPA due to her job, i have ZERO logging, and no SSL inspection, but do have some web and DNS filtering.
   8. print server
      1. zero internet access, and only the machines that need to print can access.
3. as already indicated i have a fortigate router which has next generation firewall abilities to protect my network
4. while i do not have automatic updates i am notified when updates are available for my router, my NAS, the switches, and APC network cards. i always like to look at the release notes and ensure there are no known issues that can negatively impact my operations. I do have most of my docker containers auto-update using watchtower.
5. i keep SSH disabled and only enable when i ACTUALLY need it, and when i do, i use certificate based authentication
6. i have disabled the default admin account on ALL devices and made custom admin/root users but also have “normal” users and use those normal users for everything UNLESS i need to perform some kind of activity that requires root/admin rights.
7. on all devices that have their own internal firewall, i have enabled it to only allow access from VLAN subnets that i allow, and go even further by restricting which IPs on those VLANS can access the device
8. changing default ports is fairly useless in my opinion as once someone is on your network it is trivial to perform a port scan and find the new ports.
9. all windows based endpoint machines
   1. have a strict endpoint control using fortigate’s fortiguard software with EMS server. this allows me to enforce that machines have minimum specifications,
   2. i use group policy to enforce restrictive user environments to prevent installation of programs, making system changes, accessing the C: drive etc as this prevents a decent amount of malware from executing
   3. antivirus must be enabled and active or the endpoint becomes quarantined.
   4. if the system has unusual behavior it is automatically quarantined and i am notified to take a look
   5. even though the fortigate router blocks all ads and trackers i also use a combination of UBlock Origin to prevent ads and trackers from running in the browser as ADs are now one of the most common points of entry for malware
   6. i use ESET antivirus which also performs and ties into the fortiguard endpoint protection to ensure everything on the machines is OK
10. for all phones/tablets i have Adguard installed which blocks all ads and malicious web sites and tracking at the phones level

​

this is not even all of it.

​

the big take away is i try to layer things. the endpoint devices are most important to protect and monitor as those are the foot hold something needs to then move through the network.

i then use network level protections to secure the remaining portions of the network from other portions of the network.

overall entire house: IoTaWatt. with this I monitor the power usage on every individual breaker in my house plus the 240VAC mains

for the home lab: combination of my APC network management card V3 in my UPS, which shows aggregate lab power usage but i also have a cyberpower pdu81003 that gives me outlet level on/off controls and outlet level power monitoring.

all of these report back to my InfluxDB database and i have nice grafana dashboards.

you can see more here

https://www.reddit.com/r/homelab/comments/om91wn/new_vs_old_homelab_setup/

https://www.reddit.com/r/selfhosted/comments/11yq6bh/home_lab_custom_webinterface_grafana_dashboards/

yes, i am over 100TB and backup everything on two sets of external disk arrays. one is at my house only powered when i perform my monthly backup and the other is at the in-laws house. i swap the two sets every 3 months

here are the enclosures i use

https://www.amazon.com/gp/product/B07MD2LNYX. between all my backups i have 4x of these enclosures and 32x drives

backup 1

–> 8 bay USB disk enclosure #1: filled with various old disks i had that are between 4TB and 10TB each. the total USABLE space is 71TB

–> 8 bay USB disk enclosure #2: filled with various old disks i had that are between 4TB and 10TB each. the total USABLE space is 68TB

Backup 2

Exact duplicate of backup #1.

i have windows stable bit drive pool to pool all of the drives in each enclosure. i also use bitlocker to encrypt the disks when not in use.