this post was submitted on 01 Nov 2024
43 points (97.8% liked)

Selfhosted

39980 readers
771 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
43
VLAN usage under Proxmox (lemmy.world)
submitted 1 week ago* (last edited 1 week ago) by athes@lemmy.world to c/selfhosted@lemmy.world
33 comments fedilink hide all child comments
 

Hello,

Just spent a good week installing my home server. Time to pause and lookback to what I've setup and ask your help/suggestions as I am wondering if my below configuration is a good approach or just a useless convoluted approach.

I have a Proxmox instance with 3 VLAN:

  • Management (192.168.1.x) : the one used by proxmox host and that can access all other VLANs

  • Servarr (192.168.100.x) : every arr related software + Jellyfin (all LXC). All outbound connectivity goes via VPN. Cant access any VLAN

  • myCloud (192.168.200.X): WIP, but basically planning to have things like Nextcloud, Immich, Paperless etc...

The original idea was to allow external access via Cloudlfare tunnel but finally decided to switch back to Tailscale for "myCloud" access (as I am expected to share this with less than 5 accounts). So:

  • myCloud now has Tailscale running on it.
  • myCloud can now access Servarr VLAN

Consequently to my choice of using tailscale, I had now to use a DNS server to resolve mydomain.com:

  • Servarr now has pihole as DNS server reachable across all VLAN

On the top of all that I have yet another VLAN for my raspberry Pi running Vaultwarden reachable only via my personal tailscale account.

I'm open to restart things from scratch (it's fun), so let me know.

Also wondering if using LXCs is better than docker especially when it comes to updates and longer term maintenance.

you are viewing a single comment's thread
view the rest of the comments
[–] just_another_person@lemmy.world -2 points 1 week ago (18 children)

Friend...you clearly are not reading what I'm saying. Not one single sentence that I've typed suggested there needs to be, or ever was a physical separation. That is why this setup without clarification doesn't make much sense if security is the goal.

You are saying exactly what I'm saying and arguing about it for some reason.

[–] curbstickle@lemmy.dbzer0.com 0 points 1 week ago (17 children)

Your first sentence was about physical switches...

There already is a logical separation that makes perfect sense - out through VPN with no network access initiated by that VLAN to the other two internal. That'd a security step that's pretty clear and valid off the bat.

So again - I don't follow anything of what you're driving at, no. Because from the first sentence in your first comment forward isn't making any sense.

Please, clarify, because I don't know why you'd even bring up different switches for an extremely basic logical separation.

[–] just_another_person@lemmy.world -3 points 1 week ago (16 children)

VLAN on a singular router without physical separation is not secure. OP was asking for feedback, that's my feedback. It's accurate.

[–] curbstickle@lemmy.dbzer0.com 0 points 1 week ago (1 children)

That's... Insane feedback.

But sure.

[–] just_another_person@lemmy.world -1 points 1 week ago (1 children)

Please inform me of how that's..."insane"?

[–] curbstickle@lemmy.dbzer0.com 2 points 1 week ago

Because the overwhelming majority of multiple vlan use, and proper use at that, is going to be managed by a single firewall at the end. Because that firewall is going to manage intra and inter vlan communication, and to suggest that requires a different physical router is... Wild.

Because logical network design - regardless of egress - is a vital component of any security implementation.

Because having a multiple egress solution that doesn't rely on a software based connection (VPN) would be absolutely bonkers for a self hosted solution at home.

There are just... So many things that are absolutely buck wild crazy to me in what you've said. And not in a fun 'yee haw' kind of way, but a "boy oh boy if that could be bottled it would sell like hotcakes on the street" sort of way.

load more comments (14 replies)
load more comments (14 replies)
load more comments (14 replies)