Homelab-to-Production
Network Redesign
A Colorado professional services firm was running 15 staff on aging end-of-life server hardware, a flat network with no segmentation, and a tape backup that hadn't been verified in over two years. This is how we fixed it.
The Situation
The client had been running on a single Windows Server 2012 R2 box doing triple duty: domain controller, file server, and line-of-business application host. The hardware was seven years old, under no support contract, and had no verified test restore from its tape rotation in more than two years. Their entire network sat on a single flat subnet: workstations, printers, IP cameras, and servers all visible to each other with no firewall between them.
They'd had a near-miss the year prior when a phishing email hit a workstation and began scanning the network. It hadn't escalated, but only because the malware happened to fail — not because anything stopped it. That was the moment leadership decided to take infrastructure seriously.
The Challenge
- Single physical server with no redundancy — one hardware failure meant full business outage
- Windows Server 2012 R2 past end-of-extended-support with no upgrade path planned
- Flat /24 network with no segmentation between workstations, servers, IoT devices, and guest access
- Consumer-grade ISP router serving as the only firewall, with default credentials still set
- Tape backup with no documented recovery procedure and no verified test restore in 24+ months
- No IT documentation — institutional knowledge lived entirely in one employee's head
The Approach
The engagement started with a two-day on-site assessment: documenting every device on the network, reviewing firewall rules (there were none worth keeping), mapping data flows, and doing a tabletop walk-through of what a ransomware event would actually look like given their current posture. The output was a prioritized risk register that drove the project sequencing.
We agreed on a phased approach to avoid a big-bang cutover that would take staff offline during business hours.
- Phase 1 — Edge security: Replaced the consumer router with a Ubiquiti UniFi Security Gateway and managed switches. Established VLANs for Staff, Servers, IoT/Cameras, and Guest with firewall rules blocking lateral movement between segments. Default-deny between VLANs with explicit allow rules only where needed.
- Phase 2 — Hypervisor migration: Deployed Proxmox VE 8 on new hardware alongside the existing server. Migrated each workload to a VM one at a time — domain controller first, then file server, then the LOB application — with a rollback window for each. Original server kept as fallback for two weeks before decommission.
- Phase 3 — Backup and DR: Implemented Veeam Community Edition for VM-level backups to a local NAS (on the Servers VLAN, not reachable from workstations), with offsite replication to Wasabi cloud storage. First verified test restore completed within the engagement window.
- Phase 4 — Documentation: Wrote runbooks for the 12 most common IT tasks the client handles in-house: password resets, adding a new workstation, backup verification, and what to do if the internet goes down, among others. Formatted for non-technical staff.
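The segmentation design from Phase 1 and the backup-target isolation from Phase 3 are easy to get subtly wrong in a rule list, so here is a small policy model that makes the posture checkable before it goes onto the gateway. This is an added example, not code from the engagement or from the UniFi product: the VLAN addressing, host IPs, ports and rules are assumptions chosen to mirror the design described above, and the evaluator simplifies real gateway behaviour to first-match rules with a default deny. It deliberately treats same-VLAN traffic as switched and never inspected, because that is the gap a practitioner needs to remember when reading "the firewall blocked lateral movement".

```python
"""Inter-VLAN policy model: default-deny with explicit allows (added example).

All addresses, hosts and ports below are hypothetical; they are not the
client's real plan. First matching rule wins; no match means deny.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical VLAN plan mirroring the four segments named in Phase 1.
VLANS = {
    "Staff":   ipaddress.ip_network("10.10.10.0/24"),
    "Servers": ipaddress.ip_network("10.10.20.0/24"),
    "IoT":     ipaddress.ip_network("10.10.30.0/24"),
    "Guest":   ipaddress.ip_network("10.10.40.0/24"),
}

# Hypothetical hosts on the Servers VLAN.
DC  = "10.10.20.10"   # domain controller VM
FS  = "10.10.20.11"   # file server VM
LOB = "10.10.20.12"   # line-of-business application VM
NAS = "10.10.20.50"   # Veeam backup target


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    src: str           # VLAN name or single host IP
    dst: str           # VLAN name or single host IP
    proto: str         # "tcp", "udp" or "any"
    ports: frozenset   # empty set means any destination port


def _net(spec: str) -> ipaddress.IPv4Network:
    """Resolve a VLAN name or host IP to a network (host IP becomes a /32)."""
    return VLANS[spec] if spec in VLANS else ipaddress.ip_network(spec)


# Ordered rule list. The explicit NAS deny sits above the broader
# Staff -> Servers:443 allow so that rule ordering, not luck, keeps the
# backup target unreachable from workstations.
RULES = [
    Rule("deny",  "Staff", NAS, "any", frozenset()),
    Rule("allow", "Staff", DC,  "tcp", frozenset({53, 88, 135, 389, 445, 636})),
    Rule("allow", "Staff", DC,  "udp", frozenset({53, 88, 123, 389})),
    Rule("allow", "Staff", FS,  "tcp", frozenset({445})),
    Rule("allow", "Staff", "Servers", "tcp", frozenset({443})),  # LOB web UI (assumed port)
    Rule("allow", "IoT",   DC,  "udp", frozenset({123})),        # cameras get NTP only
    # Guest: no internal allows at all; internet egress is handled elsewhere.
]


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Return 'allow' or 'deny' for one flow crossing the gateway."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # Same VLAN: switched locally, the gateway never sees it. This is the
    # caveat: segmentation limits blast radius, it does not stop peer-to-peer
    # spread inside a segment.
    for net in VLANS.values():
        if s in net and d in net:
            return "allow"
    for r in RULES:
        if (s in _net(r.src) and d in _net(r.dst)
                and r.proto in ("any", proto)
                and (not r.ports or dport in r.ports)):
            return r.action
    return "deny"  # default-deny between VLANs


# The posture the design promises, written as flows the policy must produce.
# Run this every time the rule list changes.
EXPECTED = [
    (("10.10.10.23", NAS, "tcp", 445),  "deny"),   # workstation -> backup target
    (("10.10.10.23", NAS, "tcp", 443),  "deny"),   # explicit deny beats Servers:443 allow
    (("10.10.10.23", LOB, "tcp", 443),  "allow"),  # staff use the LOB app
    (("10.10.10.23", FS,  "tcp", 445),  "allow"),  # staff reach file shares
    (("10.10.10.23", FS,  "tcp", 3389), "deny"),   # no RDP from workstations
    (("10.10.30.7",  FS,  "tcp", 445),  "deny"),   # cameras never touch servers
    (("10.10.30.7",  DC,  "udp", 123),  "allow"),  # cameras may sync time
    (("10.10.40.5",  DC,  "tcp", 445),  "deny"),   # guest is fully isolated
]


def audit() -> list:
    """Return the flows whose actual decision differs from the expected one."""
    return [(flow, want, evaluate(*flow)) for flow, want in EXPECTED
            if evaluate(*flow) != want]


def lateral_scan(src_ip: str, targets: list, ports: list) -> set:
    """What an infected host at src_ip could still reach on the given ports."""
    return {(t, p) for t in targets for p in ports
            if evaluate(src_ip, t, "tcp", p) == "allow"}


if __name__ == "__main__":
    print("policy mismatches:", audit())
    print("reachable from a compromised workstation:",
          sorted(lateral_scan("10.10.10.23", [DC, FS, LOB, NAS], [22, 445, 3389])))
```

The `lateral_scan` result is the honest version of the Phase 1 outcome: a compromised workstation still has SMB to the domain controller and file server because staff need those services, so those two hosts are exactly where patching, credential hygiene and endpoint detection carry the remaining risk. The same model should be re-run against the real rule export whenever a new allow is added.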
Outcomes
Six months post-engagement, the client had their first actual incident — a workstation compromised via a malicious email attachment. The UniFi firewall rules blocked the lateral movement attempt, the infected machine was isolated, and they were back to normal operations in under two hours using their documented IR runbook. No data was lost.
Facing something similar?
Whether you're running on aging hardware, have a network that grew without a plan, or just want an honest look at your backup situation — let's talk.