Homelab Networking: The "Office Building" Analogy
This document explains the flow of network traffic in a homelab that uses Pi-hole for DNS and Tailscale for remote access, using a simple analogy.
The Core Concepts
It's easiest to understand the network by thinking of your homelab as a private, secure office building.
- The Building = Your Home Network (192.168.1.0/24). This is your private space. All the devices inside (your servers, your laptop, your phone) can communicate with each other directly and securely, away from the public internet.
- The Lobby Directory = Your Raspberry Pi (Pi-hole). When you're inside the building, you use the lobby directory to find where you're going. The Pi-hole acts as this directory. When a device needs to find a service (e.g., your Gitea server), it asks the Pi-hole for its room number (IP address). The Pi-hole also acts as a mail sorter, throwing away junk mail (ads) before it even gets to you.
- The Security Guard = Your Router (TP-Link Deco). The router is the guard at the single front door to your building. Its main job is to manage traffic going in and out. It lets employees (your devices) out to the public street (the internet) to get things, and it ensures only authorized traffic comes back in. It stops random people from wandering into your private building.
- The Secure Keycard System = Tailscale. Tailscale is a modern, high-tech keycard system. By installing Tailscale on a device (like your Raspberry Pi), you give it a secure, encrypted identity and a keycard. When you are away from the office, you can use your own keycard (the Tailscale app on your laptop or phone) to prove you're an employee and should be allowed secure access.
Special Permissions for the Raspberry Pi
When we configured Tailscale on the Pi, we gave that specific keycard holder two special jobs:
Job 1: The "Concierge" (--advertise-routes)
By advertising the subnet routes, we promoted the Raspberry Pi to be the building's concierge. Now, when you're away from home and use your keycard to connect, you can talk to the concierge (the Pi) and say, "I need to get a message to the Mail Room."
The Mail Room (your NAS at 192.168.1.12) doesn't have its own keycard, but the concierge knows where it is and has the authority to route your request directly to it. This is what enabling IP forwarding does; it gives the concierge permission to pass messages between keycard holders and non-keycard holders within the building.
Job 2: The "Private Courier" (--advertise-exit-node)
By setting it as an exit node, we also made the Pi your personal, trusted courier. When you're at a public coffee shop, you can give your internet requests to your private courier (the Pi). The courier takes your requests, goes back to the secure office building, and sends them out from there.
This means all your internet traffic is wrapped in a secure tunnel back to your home network before going out to the public internet, making your activity much more private and secure than using public Wi-Fi directly.
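The two "jobs" above are a single `tailscale up` invocation on the Pi plus the IP forwarding setting that makes the concierge role actually work. The script below is an added example, not part of the original write-up: it checks a sysctl fragment for both the IPv4 and IPv6 forwarding keys (a subnet router with forwarding left off advertises routes but silently drops the traffic), refuses a route that is not written in CIDR form, and then assembles the `tailscale up` arguments. The file path `/etc/sysctl.d/99-tailscale.conf` and the `TAILSCALE_DEMO_RUN` guard are assumptions of this example; the subnet and NAS address come from the text.

```shell
#!/bin/sh
# Added example: give the Raspberry Pi its "concierge" (subnet router) and
# "private courier" (exit node) roles, with a pre-flight check for IP forwarding.
# Assumes Raspberry Pi OS (Debian-style sysctl.d) with tailscale already installed.

HOME_SUBNET="192.168.1.0/24"                     # the "building" from the write-up
SYSCTL_FILE="/etc/sysctl.d/99-tailscale.conf"    # assumed file name; any sysctl.d name works

# Read a sysctl fragment on stdin and succeed only if BOTH forwarding keys are set to 1.
# Comments and blank lines are ignored; spaces around '=' are tolerated.
forwarding_configured() {
    v4=0; v6=0
    while IFS= read -r line; do
        case "$line" in
            \#*|"") continue ;;
        esac
        key=$(printf '%s' "$line" | cut -d= -f1 | tr -d ' ')
        val=$(printf '%s' "$line" | cut -d= -f2 | tr -d ' ')
        [ "$key" = "net.ipv4.ip_forward" ] && [ "$val" = "1" ] && v4=1
        [ "$key" = "net.ipv6.conf.all.forwarding" ] && [ "$val" = "1" ] && v6=1
    done
    [ "$v4" = 1 ] && [ "$v6" = 1 ]
}

# Print the 'tailscale up' arguments for subnet router + exit node.
# Rejects a bare address such as the NAS's 192.168.1.12: --advertise-routes wants a CIDR.
tailscale_up_args() {
    route="$1"
    case "$route" in
        */[0-9]|*/[12][0-9]|*/3[0-2]) ;;
        *) echo "route must be CIDR, e.g. 192.168.1.0/24 (got '$route')" >&2; return 1 ;;
    esac
    printf 'up --advertise-routes=%s --advertise-exit-node' "$route"
}

main() {
    # Job prerequisite: the concierge may only pass messages if the kernel forwards packets.
    if ! forwarding_configured < "$SYSCTL_FILE" 2>/dev/null; then
        echo "IP forwarding not enabled; writing $SYSCTL_FILE and applying it"
        printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n' \
            | sudo tee "$SYSCTL_FILE" >/dev/null
        sudo sysctl -p "$SYSCTL_FILE"
    fi
    # Job 1 + Job 2 in one command; word splitting of the printed args is intended here.
    # shellcheck disable=SC2046
    sudo tailscale $(tailscale_up_args "$HOME_SUBNET")
    # Advertised routes and the exit node only become usable after you approve them
    # in the Tailscale admin console; 'tailscale status' shows the current state.
    tailscale status
}

# Only run the live procedure when explicitly asked, so the functions can be sourced and checked.
if [ "${TAILSCALE_DEMO_RUN:-0}" = 1 ]; then
    main
fi
```

Run it on the Pi with `TAILSCALE_DEMO_RUN=1 sh setup-pi-tailscale.sh`; the functions can also be sourced on their own to check an existing sysctl fragment before touching anything. The CIDR check is the guard that turns the analogy into something testable: advertising the NAS's single address instead of the subnet is the mistake the "Mail Room" paragraph above is really describing.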
The Result
By combining these elements, you have created a system where you can be anywhere in the world and, with the tap of a button (turning on Tailscale), your laptop behaves as if it's sitting on your desk at home, with secure access to all your internal services and a private line out to the internet.