Working with OPNsense as my firewall right now, but I'm leaning towards VyOS because I prefer CLI setups and want to automate everything for my router and gateway. It's great for writing firewall policies, but I'm worried about Layer 7 stuff like log analysis and dynamic blocking once I make the switch.
Currently got Caddy handling reverse proxy and CrowdSec for basic IPS through plugins. If I go with VyOS, I'll probably spin up an LXC in Proxmox in the DMZ to run Caddy and CrowdSec separately. Most apps are locked behind WireGuard, but for the ones that need public access like my Immich photo sharing or media server, I want something solid.
Wondering if this is a good approach or if there are easier options out there. What are you all using for homelab security? Any tips on alternatives like NGINX or Traefik for proxies, or better IPS tools that integrate well? Also curious about common pitfalls and how folks handle dynamic blocking in their setups.
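As an added example (not from the original post), here is the kind of log-analysis and dynamic-blocking pass the post is worried about, done on Caddy's JSON access log: a sliding-window count of 401/403/404 responses per client IP, producing the list of addresses to push into a firewall address group or a CrowdSec-style decision. The log lines are constructed sample data; the field names `ts`, `request.client_ip` (falling back to `request.remote_ip`) and `status` are assumed to match Caddy's JSON access-log format.

```python
import json
from collections import defaultdict, deque

# Constructed Caddy-style JSON access-log lines (sample data, not from a real server).
SAMPLE_LOG = "\n".join([
    '{"ts":1700000000.0,"request":{"client_ip":"192.0.2.9","uri":"/"},"status":200}',
    '{"ts":1700000001.0,"request":{"client_ip":"203.0.113.7","uri":"/api/auth/login"},"status":401}',
    '{"ts":1700000002.0,"request":{"client_ip":"203.0.113.7","uri":"/api/auth/login"},"status":401}',
    '{"ts":1700000003.0,"request":{"client_ip":"203.0.113.7","uri":"/api/auth/login"},"status":401}',
    '{"ts":1700000004.0,"request":{"client_ip":"203.0.113.7","uri":"/api/auth/login"},"status":401}',
    '{"ts":1700000005.0,"request":{"client_ip":"203.0.113.7","uri":"/api/auth/login"},"status":401}',
    'not json at all',
    '{"ts":1700000010.0,"request":{"client_ip":"198.51.100.22","uri":"/old"},"status":404}',
    '{"ts":1700000100.0,"request":{"client_ip":"198.51.100.22","uri":"/old"},"status":404}',
    '{"ts":1700000200.0,"request":{"client_ip":"198.51.100.22","uri":"/old"},"status":404}',
    '{"ts":1700000300.0,"request":{"client_ip":"198.51.100.22","uri":"/old"},"status":404}',
    '{"ts":1700000400.0,"request":{"client_ip":"198.51.100.22","uri":"/old"},"status":404}',
])

SUSPICIOUS_STATUSES = {401, 403, 404}  # auth failures and probing for paths that do not exist

def parse_caddy_line(line):
    """Return (ts, client_ip, status) from one Caddy JSON access-log line, or None if unusable."""
    try:
        rec = json.loads(line)
        req = rec["request"]
        ip = req.get("client_ip") or req["remote_ip"]   # assumed Caddy field names
        return float(rec["ts"]), ip, int(rec["status"])
    except (ValueError, KeyError, TypeError):
        return None  # malformed or non-access-log line: skip rather than crash

def find_offenders(lines, threshold=5, window=60.0, statuses=SUSPICIOUS_STATUSES):
    """Sliding-window count of suspicious responses per client IP.
    Returns {ip: ts} with the timestamp at which each IP first crossed the threshold.
    Hits spread out over longer than `window` seconds never add up to a block."""
    events = sorted(e for e in map(parse_caddy_line, lines) if e is not None)
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip, status in events:
        if status not in statuses or ip in flagged:
            continue
        q = recent[ip]
        q.append(ts)
        while q and q[0] < ts - window:   # drop hits older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = ts
    return flagged

if __name__ == "__main__":
    for ip, ts in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"block {ip} (threshold crossed at ts={ts})")
```

Only 203.0.113.7 is flagged on the sample: 198.51.100.22 also has five 404s, but spread over minutes, so a window of 60 seconds never sees enough of them together.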