Hello,

Just spent a good week installing my home server. Time to pause and lookback to what I’ve setup and ask your help/suggestions as I am wondering if my below configuration is a good approach or just a useless convoluted approach.

I have a Proxmox instance with 3 VLAN:

  • Management (192.168.1.x) : the one used by proxmox host and that can access all other VLANs

  • Servarr (192.168.100.x) : every arr related software + Jellyfin (all LXC). All outbound connectivity goes via VPN. Cant access any VLAN

  • myCloud (192.168.200.X): WIP, but basically planning to have things like Nextcloud, Immich, Paperless etc…

The original idea was to allow external access via Cloudlfare tunnel but finally decided to switch back to Tailscale for “myCloud” access (as I am expected to share this with less than 5 accounts). So:

  • myCloud now has Tailscale running on it.
  • myCloud can now access Servarr VLAN

Consequently to my choice of using tailscale, I had now to use a DNS server to resolve mydomain.com:

  • Servarr now has pihole as DNS server reachable across all VLAN

On the top of all that I have yet another VLAN for my raspberry Pi running Vaultwarden reachable only via my personal tailscale account.

I’m open to restart things from scratch (it’s fun), so let me know.

Also wondering if using LXCs is better than docker especially when it comes to updates and longer term maintenance.

  • @just_another_person
    link
    English
    0
    edit-2
    8 hours ago

    I don’t think there is anything wildly wrong with it, but it seems like you’re doing all of this at the router, unless you have dedicated switches for each VLAN?

    VLAN is not a security feature, it’s a logical separation of IP segments. Maybe I’m missing your intention here, but just setting different IP spaces on VLANs and then bridging them doesn’t help your security, it just complicates your network.

    • @[email protected]
      link
      fedilink
      English
      48 hours ago

      Not OP, but logical separation and firewall rules is a needed first step for security. They already mentioned in the post that one vlan has dedicated outbound (via VPN only) and doesn’t have access to their .200.

      Physical switches per vlan is completely unnecessary, and entirely why vlans are used rather than subnets.

      • @athesOP
        link
        English
        25 hours ago

        Yes the idea is to make it easier to isolate/configure firewall rules and try to protect more sensitive data. (i.e. I don’t care much if people can access my ISOs ;) However, at the end of the day they are all on the same Proxmox host.

      • @teslasaur
        link
        English
        -17 hours ago

        You can’t use the same subnet on different vlans if you ever intend for both of them to reach the internet. In that case you’d need a second router which just defeats the purpose

        • @athesOP
          link
          English
          15 hours ago

          They are all defined as 192.168.x.y/24 Doesn’t this make them in different subnets?

          • @[email protected]
            link
            fedilink
            English
            35 hours ago

            Yes.

            And to be clear about things, because that comment doesn’t make any sense for VLANs - a VLAN can contain multiple subnets. You will not have a single subnet across multiple VLANs.

            Your config is fine in that regard.

        • @[email protected]
          link
          fedilink
          English
          17 hours ago

          You dont need to have the same subnet on different vlans. You also dont need them to each have a router, that isn’t how this works.

          Each VLAN gets a gateway, in a subnet accessible within that VLAN.

          Under no circumstances do you need a separate physical router for having 2 VLANs on the same network. That’s not how VLANs work.

      • @just_another_person
        link
        English
        -17 hours ago

        Not saying physical switches are needed for security, which is why I was asking for clarification. Doing all of this on a router doesn’t make sense without a physical separation though. That’s my point. If the router gets owned, they have access to all networks anyway. If the idea is just for traffic direction and shaping, then I’m confused why the bridged pihole.

        • @[email protected]
          link
          fedilink
          English
          07 hours ago

          Doing all of this on a router doesn’t make sense without a physical separation though

          I’m going to have to say, I have zero idea why you would suggest this for something that is logical, and specifically not physical.

          Logical separations and vlan segregation for trust models is standard practice (though hopefully more will trend towards a zero trust model, but irrelevant here). There is zero need for any physical separation. What are you talking about?

          • @just_another_person
            link
            English
            -17 hours ago

            Friend…you clearly are not reading what I’m saying. Not one single sentence that I’ve typed suggested there needs to be, or ever was a physical separation. That is why this setup without clarification doesn’t make much sense if security is the goal.

            You are saying exactly what I’m saying and arguing about it for some reason.

            • @[email protected]
              link
              fedilink
              English
              -17 hours ago

              Your first sentence was about physical switches…

              There already is a logical separation that makes perfect sense - out through VPN with no network access initiated by that VLAN to the other two internal. That’d a security step that’s pretty clear and valid off the bat.

              So again - I don’t follow anything of what you’re driving at, no. Because from the first sentence in your first comment forward isn’t making any sense.

              Please, clarify, because I don’t know why you’d even bring up different switches for an extremely basic logical separation.

              • @just_another_person
                link
                English
                -16 hours ago

                VLAN on a singular router without physical separation is not secure. OP was asking for feedback, that’s my feedback. It’s accurate.

                • @athesOP
                  link
                  English
                  25 hours ago

                  Thx for the feedback, I don’t have multiple router no. If I had would it be still called VLAN? I thought the V was Virtual for achieving that LAN segmentation with one router. With one router, don’t you think the security added is the same level as configuring a firewall on each VM/LXC ?

                  • @just_another_person
                    link
                    English
                    -15 hours ago

                    Well it wouldn’t matter if your router is the thing that someone gets into. All you’re doing is separate traffic in different subnets, and if that’s your goal, you’re good to go.