Get AI summaries of any video or article — Sign up free
you need to learn Load Balancing RIGHT NOW!! (and put one in your home network!) thumbnail

you need to learn Load Balancing RIGHT NOW!! (and put one in your home network!)

NetworkChuck·
5 min read

Based on NetworkChuck's video on YouTube. If you like this content, support the original creators by watching, liking and subscribing to their content.

TL;DR

Forward only TCP/443 from the router to Kemp’s VIP, then route all internal services through that single entry point.

Briefing

A home network can be secured and simplified by exposing only a single public entry point—HTTPS on port 443—then using a Kemp “LoadMaster” load balancer to route that traffic to many internal services (Plex, NAS, websites, Proxmox, ESXi) based on domain names and URL/host rules. The payoff is practical: fewer router “holes,” one public IP/port for everything, and HTTPS certificates that keep external access clean and browser-friendly.

The tutorial starts with what load balancing does in general: when traffic grows, multiple backend servers can share the work, but clients still need a single address to reach the service. A load balancer sits in front, accepts incoming requests, and distributes them across “real servers,” while also monitoring health so dead or unhealthy backends don’t receive traffic. That enterprise pattern is then mapped to a home lab, where the real problem isn’t CPU spikes—it’s remote access.

Without a load balancer, remote access typically means opening multiple ports on the router (for example, 443 for a website, 50001 for a Synology NAS, 32400 for Plex, and others). That approach creates multiple inbound attack surfaces and runs into a hard limitation: port 443 can only point to one internal IP, so adding more HTTPS services becomes awkward or impossible. The solution presented is to close everything except port 443 and forward that single port to the load balancer’s virtual IP (VIP). From there, the load balancer routes requests internally.

The build uses three key components. First, Kemp LoadMaster runs as a virtual appliance on a hypervisor such as VMware ESXi (with guidance that other platforms like KVM or Proxmox may require workarounds). Second, a free domain is obtained from Freenom (example used: hackwell.tk). Third, Cloudflare manages DNS and SSL. Cloudflare’s “proxy” feature hides the home’s public IP address, and its integration with Let’s Encrypt provides certificates—crucially including wildcard coverage—so subdomains like plex.hackwell.tk and nas.hackwell.tk can use valid HTTPS.

Inside Kemp, the configuration begins by creating a VIP (the single internal IP that represents the public-facing portal) and then defining “virtual services” on TCP/443. Backend services are added as real servers, including multiple NAS instances and multiple web servers. Kemp health checks verify whether each backend is actually reachable using the right protocol (HTTPS, HTTP, or even ICMP ping), and traffic is withheld from unhealthy targets.

To make routing intelligent, the setup moves beyond basic layer-3 forwarding into layer-7 content switching. Content rules inspect the Host header (e.g., requests for plex.hackwell.tk) and switch to the correct subservice, forwarding traffic to the appropriate internal port (Plex to 32400, NAS to 501, and so on). The tutorial demonstrates that Plex, Proxmox, ESXi, and a multi-server website can all be reached securely through their own subdomains while still sharing the same external port 443.

Finally, the guide highlights operational benefits: automatic failover when a backend server goes down, centralized security controls such as a built-in web application firewall option, and an enterprise-like architecture that can be replicated in real deployments. The author notes an alternative SSL approach—having Kemp handle certificates directly via Let’s Encrypt—but keeps Cloudflare as the practical choice for the home lab.

Cornell Notes

The setup uses a Kemp LoadMaster load balancer to expose home services securely through a single public HTTPS entry point (port 443). Instead of opening many router ports for Plex, NAS, Proxmox, ESXi, and websites, the router forwards only 443 to Kemp’s VIP, and Kemp routes requests to the correct internal server based on domain/Host rules (layer 7 content switching). A free domain from Freenom (example: hackwell.tk) and Cloudflare DNS/SSL provide wildcard certificates and hide the home’s public IP via proxying. Kemp health checks prevent traffic from being sent to unhealthy backends, enabling automatic failover. The result is “one port, many services,” with clean HTTPS for every subdomain.

Why does a home network typically end up opening multiple ports for remote access, and what breaks when everything needs HTTPS?

Remote access usually requires router port forwarding for each service: Plex commonly uses 32400, a Synology NAS often uses 50001, and websites use 443. That means multiple inbound “holes” in the router. It also runs into a structural limitation: port 443 can only forward to one internal IP, so multiple HTTPS services can’t each have their own dedicated 443 mapping without extra complexity.

How does the Kemp LoadMaster design replace many router port forwards with one?

The router forwards only TCP/443 to Kemp’s VIP (a virtual IP created inside LoadMaster). Kemp then defines virtual services on that VIP/port and maps them to backend “real servers.” Requests arrive at the VIP, and Kemp decides which internal server/port should handle them based on configured rules—so one external port can serve many internal services.

What role do Cloudflare and Freenom play in making the setup usable and secure?

Freenom provides a free domain (example: hackwell.tk). Cloudflare manages DNS and SSL: its proxy feature hides the home’s public IP address, and its SSL automation (Let’s Encrypt) provides wildcard HTTPS coverage so subdomains like plex.hackwell.tk can use valid certificates. The guide also mentions Cloudflare can be used to handle SSL end-to-end (with encryption mode set to strict) while Kemp handles routing.

What does “layer 7 content switching” add compared with basic load balancing?

Basic load balancing often relies on layer-3/connection details (IP/port). Layer 7 content switching inspects application-level information—specifically the Host header or URL patterns. In the example, a content rule matches requests beginning with plex.hackwell.tk and switches traffic to the Plex subservice, forwarding to the Plex backend port (32400). Similar rules route Proxmox, ESXi, NAS subdomains, and web services.

How does Kemp avoid sending traffic to broken or offline services?

Kemp uses health checks per real server. The tutorial notes health checks can be configured to test HTTPS/HTTP endpoints or even ICMP ping. If a backend fails the health check, Kemp marks it unhealthy and stops routing client traffic to it, which also enables automatic failover when one server goes down.

Why create a wildcard certificate, and how does it relate to subdomains?

A wildcard certificate (e.g., *.hackwell.tk) covers many subdomains under the same domain. That means plex.hackwell.tk, nas.hackwell.tk, proxmox.hackwell.tk, and web.hackwell.tk can all present valid HTTPS certificates without manually issuing separate certs for each service.

Review Questions

  1. If port 443 can only map to one internal IP, how does this setup still allow multiple HTTPS services to work?
  2. Describe the chain of decisions from an external request to the final backend service in this architecture.
  3. What health-check method would you choose for a service that doesn’t have a valid HTTPS certificate, and why?

Key Points

  1. 1

    Forward only TCP/443 from the router to Kemp’s VIP, then route all internal services through that single entry point.

  2. 2

    Use Kemp virtual services and real servers to map one VIP/port to many backends (Plex, NAS, Proxmox, ESXi, and web servers).

  3. 3

    Rely on Cloudflare + Freenom to get a domain and wildcard HTTPS, while Cloudflare proxying hides the home’s public IP.

  4. 4

    Implement layer 7 content rules that match the Host header (e.g., plex.hackwell.tk) so each subdomain reaches the correct internal port.

  5. 5

    Configure Kemp health checks per backend so unhealthy services are automatically excluded and failover can occur.

  6. 6

    Enable strict HTTPS behavior in Cloudflare and align Kemp SSL settings so browser access stays error-free.

Highlights

One public port (443) can securely front an entire home lab by forwarding traffic to a load balancer VIP and routing internally by domain/Host rules.
Cloudflare proxying hides the home’s public IP, while wildcard certificates keep HTTPS working cleanly across many subdomains.
Layer 7 content switching lets requests for plex.hackwell.tk automatically forward to the Plex backend port (32400) without changing the external port.
Kemp health checks prevent traffic from being sent to dead backends and support automatic failover when a server goes offline.
The architecture mirrors enterprise patterns: centralized ingress, centralized routing, and centralized security controls like WAF options.

Topics

  • Load Balancing
  • Home Lab
  • SSL Certificates
  • Cloudflare DNS
  • Layer 7 Routing

Mentioned

  • VIP
  • SSL
  • WAF
  • DNS
  • ESXi
  • ICMP
  • TLS
  • HTTP
  • HTTPS

Get summaries like this for any content

Videos, articles, research papers — all summarized by AI and searchable in one place.

Start building your library