Hello,

Just spent a good week installing my home server. Time to pause and lookback to what I’ve setup and ask your help/suggestions as I am wondering if my below configuration is a good approach or just a useless convoluted approach.

I have a Proxmox instance with 3 VLAN:

  • Management (192.168.1.x) : the one used by proxmox host and that can access all other VLANs

  • Servarr (192.168.100.x) : every arr related software + Jellyfin (all LXC). All outbound connectivity goes via VPN. Cant access any VLAN

  • myCloud (192.168.200.X): WIP, but basically planning to have things like Nextcloud, Immich, Paperless etc…

The original idea was to allow external access via Cloudlfare tunnel but finally decided to switch back to Tailscale for “myCloud” access (as I am expected to share this with less than 5 accounts). So:

  • myCloud now has Tailscale running on it.
  • myCloud can now access Servarr VLAN

Consequently to my choice of using tailscale, I had now to use a DNS server to resolve mydomain.com:

  • Servarr now has pihole as DNS server reachable across all VLAN

On the top of all that I have yet another VLAN for my raspberry Pi running Vaultwarden reachable only via my personal tailscale account.

I’m open to restart things from scratch (it’s fun), so let me know.

Also wondering if using LXCs is better than docker especially when it comes to updates and longer term maintenance.

  • just_another_person@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    3
    ·
    4 days ago

    Friend…you clearly are not reading what I’m saying. Not one single sentence that I’ve typed suggested there needs to be, or ever was a physical separation. That is why this setup without clarification doesn’t make much sense if security is the goal.

    You are saying exactly what I’m saying and arguing about it for some reason.

    • curbstickle@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      2
      ·
      4 days ago

      Your first sentence was about physical switches…

      There already is a logical separation that makes perfect sense - out through VPN with no network access initiated by that VLAN to the other two internal. That’d a security step that’s pretty clear and valid off the bat.

      So again - I don’t follow anything of what you’re driving at, no. Because from the first sentence in your first comment forward isn’t making any sense.

      Please, clarify, because I don’t know why you’d even bring up different switches for an extremely basic logical separation.

      • just_another_person@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        4
        ·
        4 days ago

        VLAN on a singular router without physical separation is not secure. OP was asking for feedback, that’s my feedback. It’s accurate.

        • athes@lemmy.worldOP
          link
          fedilink
          English
          arrow-up
          2
          ·
          4 days ago

          Thx for the feedback, I don’t have multiple router no. If I had would it be still called VLAN? I thought the V was Virtual for achieving that LAN segmentation with one router. With one router, don’t you think the security added is the same level as configuring a firewall on each VM/LXC ?

          • just_another_person@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            3
            ·
            4 days ago

            Well it wouldn’t matter if your router is the thing that someone gets into. All you’re doing is separate traffic in different subnets, and if that’s your goal, you’re good to go.

            • curbstickle@lemmy.dbzer0.com
              link
              fedilink
              English
              arrow-up
              2
              arrow-down
              1
              ·
              edit-2
              4 days ago

              You are aware that a firewall rule is how you would address - in software, with logic - someone trying to get from VLAN C to VLAN A, right?

              That its part of the method you’d use as a layer of security to prevent someone gaining access to.your router?

              Assuming the router is compromised from the start is similarly just nutso.

                • curbstickle@lemmy.dbzer0.com
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  arrow-down
                  1
                  ·
                  4 days ago

                  That’s not how any of this works… At all.

                  No, its managed by the firewall. The existence of a VLAN does not grant it access to egress. The firewall needs to permit that behavior.

                  Your entire understanding of how a logical network works is wrong. I’m not trying to be a dick - this is just really bad information that you’re sharing.

                  • just_another_person@lemmy.world
                    link
                    fedilink
                    English
                    arrow-up
                    2
                    arrow-down
                    2
                    ·
                    edit-2
                    4 days ago

                    JFC 🤦

                    How are you NOT understanding what OP thinks is happening, versus what you thinks is happening?

                    If I get shell access to this router I have access to ALL NETWORKS. VLAN won’t help any of this.

            • curbstickle@lemmy.dbzer0.com
              link
              fedilink
              English
              arrow-up
              2
              ·
              4 days ago

              Because the overwhelming majority of multiple vlan use, and proper use at that, is going to be managed by a single firewall at the end. Because that firewall is going to manage intra and inter vlan communication, and to suggest that requires a different physical router is… Wild.

              Because logical network design - regardless of egress - is a vital component of any security implementation.

              Because having a multiple egress solution that doesn’t rely on a software based connection (VPN) would be absolutely bonkers for a self hosted solution at home.

              There are just… So many things that are absolutely buck wild crazy to me in what you’ve said. And not in a fun ‘yee haw’ kind of way, but a “boy oh boy if that could be bottled it would sell like hotcakes on the street” sort of way.