I want to establish a second LAN at home. It’s supposed to host different services on different infrastructure (vms, k8s, docker) and mostly serving as a lab.

I want to separate this from the default ISP router LAN (192.68.x.0/24).

I have a machine with 2 NICs (eno1 plugged into the ISP router and eno2), both with corresponding bridges and proxmox. I already set up the eno2 bridge with a 10.x.x.x IP and installed an opnsense vm that has eno1 as the WAN interface in the 192 network and eno2 as the LAN interface as the 10. network with a dhcp server.

I connected a laptop (no wifi) to eno2, got a dhcp lease and can connect to the opnsense interface, machines in the 192 network and the internet, same for a vm on the eno2 bridge, so that part is working. There’s a pihole in the 192 network that I successfully set as the dns server in opnsense.

Here’s what I am trying to achieve and where I’m not sure about how to properly do it:

  • Block access from the 10 network to 192 network except for specific devices - I guess that’s simply firewall rules
  • Make services (by port) in the 10 network accessible to the internet. I currently have a reverse proxy vm in the 192 network which got 80 and 443 forwarded by the ISP router. Do I need to add a second nic to the vm or can I route some services through the firewall? I want to firewall that vm down so it can’t open outgoing connections except for specific ports on specific hosts.
  • Make devices in the 10 network available for devices in the 192 network - here I’m not quite sure. Do I need to add a static route?
  • Eventually I want to move all non-enduser devices to the new LAN so I can experiment without harming the family network but I want to make sure I understand it properly before doing that

I’d be glad for any hints on this, I’m a bit confused with the nomenclature here. If you have other ideas on how to approach this, I’m open for that too.
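The first and second bullets come down to an ordered rule list on the OPNsense LAN interface: specific allows first, then a broad block of the family network, then a pass for everything else. Below is an added example that models that evaluation in Python (first match wins, implicit default deny); it is not code from the post or from OPNsense. All addresses are constructed (192.168.1.0/24 as the family LAN with the pihole at 192.168.1.2, 10.0.0.0/24 as the lab LAN), and the reverse proxy is assumed to have been moved into the lab network at 10.0.0.20 with its backend on a separate lab subnet 10.0.1.0/24, because a firewall only sees traffic that crosses it and proxy-to-backend traffic inside one /24 never reaches OPNsense.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed addresses; substitute the real 192.168.x.0/24 and 10.x.x.x ranges.
FAMILY_NET = ip_network("192.168.1.0/24")   # ISP router LAN
LAB_NET = ip_network("10.0.0.0/24")         # OPNsense LAN (eno2 bridge)
PIHOLE = ip_network("192.168.1.2/32")       # hypothetical pihole address
ANY = ip_network("0.0.0.0/0")
# the "specific devices" in the lab net that may reach the family net at all
LAB_HOSTS_WITH_FAMILY_ACCESS = [ip_network("10.0.0.10/32")]
# hypothetical reverse proxy and the one backend it is allowed to talk to
RPROXY = ip_network("10.0.0.20/32")
BACKEND = ip_network("10.0.1.30/32")        # second lab subnet, so it crosses the firewall


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, src: IPv4Address, dst: IPv4Address,
                proto: str, dport: Optional[int]) -> bool:
        return (src in self.src and dst in self.dst
                and self.proto in (None, proto)
                and self.dport in (None, dport))


def decide(rules: List[Rule], src: str, dst: str,
           proto: str = "tcp", dport: Optional[int] = None) -> str:
    """First matching rule wins, like OPNsense 'quick' rules evaluated top-down.
    Anything no rule passes falls through to the implicit default deny."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, proto, dport):
            return rule.action
    return "block"


# Rules on the LAN interface for traffic entering from the 10 network.
# The narrow allows sit above the broad block so they are matched first.
LAB_IN_RULES = [
    Rule("pass", LAB_NET, PIHOLE, "udp", 53),          # DNS to the pihole only
    Rule("pass", LAB_NET, PIHOLE, "tcp", 53),
    *[Rule("pass", h, FAMILY_NET) for h in LAB_HOSTS_WITH_FAMILY_ACCESS],
    Rule("block", LAB_NET, FAMILY_NET),                # everyone else: no 192 access
    Rule("pass", LAB_NET, ANY),                        # internet is fine
]

# Tighter egress policy for the reverse proxy: its backend port, DNS, nothing
# else, so a compromised proxy cannot open arbitrary outbound connections.
# These go above LAB_IN_RULES on the same interface.
RPROXY_RULES = [
    Rule("pass", RPROXY, BACKEND, "tcp", 8080),
    Rule("pass", RPROXY, PIHOLE, "udp", 53),
    Rule("block", RPROXY, ANY),
]


def decide_lan(src: str, dst: str, proto: str = "tcp",
               dport: Optional[int] = None) -> str:
    """Verdict for a packet arriving on the OPNsense LAN interface."""
    return decide(RPROXY_RULES + LAB_IN_RULES, src, dst, proto, dport)


if __name__ == "__main__":
    for pkt in [("10.0.0.50", "192.168.1.2", "udp", 53),
                ("10.0.0.50", "192.168.1.2", "tcp", 80),
                ("10.0.0.10", "192.168.1.20", "tcp", 22),
                ("10.0.0.20", "1.1.1.1", "tcp", 443)]:
        print(pkt, "->", decide_lan(*pkt))
```

Port forwards for 80 and 443 are a separate NAT rule on the WAN side (the ISP router forwards to the OPNsense WAN address, OPNsense forwards on to the proxy), and the forwarded traffic then still has to pass the WAN interface rules. Keep the pihole management UI out of the allow list, as the example does: only port 53 is opened, not the whole host.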

  • surfrock66
    810 hours ago

    Are you learning networking? You’re entering the world of vlans. In the networking OSI model, Layer 3 is where you’re dipping your toes.

    I’m gonna try to over-simplify this, but each network has a gateway, which is a layer 3 device that helps a local network talk to other networks, either in the house or on the internet. That doesn’t have to be a physical device, it can be a virtual network device on your bigger layer 3 device. Most residential network gear won’t understand this. When you get into vlans, it’s like having multiple separate networks on the same devices; if you have “vlan 10” and “vlan 20”, devices on vlan 10 cannot see devices on vlan 20, even if they’re connected to the same switch. This is done by “tagging” ports, which is where you specify what network each port is on. You can also have a port with multiple vlans on it, which is called a “trunk”, but for this to work the network traffic has to carry a tag specifying what vlan each packet belongs to (though each trunk also has a “native” vlan, think of it like a default vlan if a packet isn’t tagged). The verbiage changes based on the vendor, but that’s the idea.

    In the actual world, here’s how that works. Ports with devices on the other end with multiple devices/networks on them (access points, switches, firewalls) usually are trunks, then end client ports (your computer, a printer) are “access” ports. You would apply a single vlan to access ports, or make it an “untagged” port, whereas you “tag” multiple vlans on trunk ports. The networking devices will make most of that happen.

    So how can you shape the traffic between them? Your firewall/gateway/layer 3 device. The easiest entrypoint into this is to get a small computer (1L PC which you can get nearly as ewaste, having multiple network ports is good) and install opnsense on it. It’s free and good for learning, and I use it in prod today. The opnsense box, let’s say, has 1 physical nic, then you create a virtual vlan interface on vlan 10 and 20. That becomes your “default gateway” on all client devices on the respective networks. All traffic leaving the networks goes through this device (so faster network ports are better) and that is why firewall rules get to allow/block ports, IPs, endpoints, etc. Your port forwards to the internet happen here as well. You can make a firewall rule to say your other network allows passing traffic to the original network on port 53 to the pihole, for example, so dns servers on a different “lan” can still be used.

    This is a complicated subject, but getting some gear on ebay (a “managed switch”) is a great way to learn. For example, I have an access point with a management interface on my “mgmt” vlan (99, number is arbitrary), then I have 2 SSIDs, one for IoT stuff (vlan 5) and one for my devices (vlan 4). The port going to the access point on the switch is native vlan 99 but tagged to allow traffic with packets tagged with vlan 4 or vlan 5, and the access point tags the traffic based on which SSID the client connects to; the client doesn’t care.
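To make the access/trunk/native distinction concrete, here is an added toy model of an 802.1Q switch in Python; it is not code from the comment above or from any vendor. It assumes a constructed three-port switch: g1 is an access port on vlan 10, g2 an access port on vlan 20, and g3 a trunk with native vlan 99 carrying vlans 10 and 20 tagged (the same shape as the access-point port described above, with different numbers). MAC learning and flooding are per VLAN, which is exactly why a host on vlan 20 never sees a host on vlan 10 without a layer 3 device in between.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                              # "access" or "trunk"
    vlan: int                              # access VLAN, or native VLAN on a trunk
    tagged: FrozenSet[int] = frozenset()   # VLANs allowed tagged on a trunk


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    tag: Optional[int] = None              # 802.1Q VLAN id on the wire, None = untagged


class Switch:
    def __init__(self, ports: List[Port]):
        self.ports = {p.name: p for p in ports}
        self.mac_table: Dict[tuple, str] = {}   # (vlan, mac) -> port name

    def ingress(self, port_name: str, frame: Frame) -> Optional[int]:
        """Classify an arriving frame into a VLAN; None means the frame is dropped."""
        p = self.ports[port_name]
        if p.mode == "access":
            # an access port only carries its own VLAN and drops tagged frames
            return None if frame.tag is not None else p.vlan
        if frame.tag is None:
            return p.vlan                  # untagged on a trunk = native VLAN
        return frame.tag if frame.tag in p.tagged else None

    def egress(self, port_name: str, vlan: int, frame: Frame) -> Optional[Frame]:
        """Frame as it leaves the port (tag added/stripped), or None if not allowed."""
        p = self.ports[port_name]
        if p.mode == "access":
            return Frame(frame.src_mac, frame.dst_mac) if vlan == p.vlan else None
        if vlan == p.vlan:
            return Frame(frame.src_mac, frame.dst_mac)   # native VLAN leaves untagged
        return Frame(frame.src_mac, frame.dst_mac, vlan) if vlan in p.tagged else None

    def forward(self, in_port: str, frame: Frame) -> Dict[str, Frame]:
        """Learn the source MAC in its VLAN, then deliver to the known port or
        flood within the VLAN. Returns {port name: frame as transmitted}."""
        vlan = self.ingress(in_port, frame)
        if vlan is None:
            return {}
        self.mac_table[(vlan, frame.src_mac)] = in_port
        known = self.mac_table.get((vlan, frame.dst_mac))
        candidates = [known] if known else list(self.ports)
        out = {}
        for name in candidates:
            if name == in_port:
                continue
            f = self.egress(name, vlan, frame)
            if f is not None:
                out[name] = f
        return out


def build_lab_switch() -> Switch:
    """Constructed topology: two access ports and one trunk to an AP or firewall."""
    return Switch([
        Port("g1", "access", 10),
        Port("g2", "access", 20),
        Port("g3", "trunk", 99, frozenset({10, 20})),
    ])


if __name__ == "__main__":
    sw = build_lab_switch()
    print(sw.forward("g1", Frame("aa", "ff")))          # floods to g3, tagged 10
    print(sw.forward("g2", Frame("bb", "aa")))          # vlan 20 cannot reach "aa" on vlan 10
    print(sw.forward("g3", Frame("cc", "aa", tag=10)))  # tagged 10 returns untagged on g1
```

The interesting cases are the trunk ones: an untagged frame arriving on g3 lands in vlan 99 and, with no other port in that VLAN, goes nowhere, and a frame tagged with a VLAN the trunk does not allow is dropped at ingress. Real switches add spanning tree, MAC aging and a per-port "allowed VLAN" list with more nuance, but the tag/strip/flood-per-VLAN behaviour is what the model shows.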

    • @[email protected]OP
      25 hours ago

      Thanks a lot for your explanation, this sounds like an interesting approach! And yes, I’m trying to deepen my mostly shallow understanding of networking a bit.

  • Gobo
    712 hours ago

    Your current default gateway for your existing 192 network needs to have a route to your 10 network. Otherwise none of your devices in the 192 network know where to go to access the 10 network.
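The point above is easiest to see with a longest-prefix-match lookup. Below is an added example, not code from the comment or from OPNsense, that traces where the ISP router sends a packet for the lab network with and without the static route. Addresses are constructed: the ISP router is 192.168.1.1 on 192.168.1.0/24, the OPNsense WAN address is 192.168.1.50, its LAN is 10.0.0.1 on 10.0.0.0/24, and 203.0.113.1 stands in for the ISP's upstream hop.

```python
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


class Router:
    def __init__(self, name: str, connected: List[str]):
        self.name = name
        # (destination network, next hop); next hop None = directly connected
        self.routes: List[Tuple[IPv4Network, Optional[IPv4Address]]] = [
            (ip_network(n), None) for n in connected
        ]

    def add_route(self, net: str, via: str) -> None:
        self.routes.append((ip_network(net), ip_address(via)))

    def next_hop(self, dst: str) -> Optional[str]:
        """Longest-prefix match: the most specific route containing dst wins.
        Returns 'connected', the next-hop address, or None when no route matches."""
        d = ip_address(dst)
        best = None
        for net, via in self.routes:
            if d in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via)
        if best is None:
            return None
        return "connected" if best[1] is None else str(best[1])


def path(start: Router, dst: str, owners: Dict[str, Router], max_hops: int = 8) -> List[str]:
    """Follow next hops from router to router until the destination network is
    directly connected ('delivered'), the packet leaves to the ISP ('internet'),
    or no route exists ('unreachable')."""
    hops = [start.name]
    router = start
    for _ in range(max_hops):
        nh = router.next_hop(dst)
        if nh is None:
            return hops + ["unreachable"]
        if nh == "connected":
            return hops + ["delivered"]
        if nh not in owners:
            return hops + ["internet"]   # next hop is the ISP upstream
        router = owners[nh]
        hops.append(router.name)
    return hops + ["loop"]


def build_topology(with_static_route: bool) -> Tuple[Router, Dict[str, Router]]:
    """Constructed home topology: ISP router on the family LAN, OPNsense VM with
    its WAN on that LAN and its LAN on the lab network."""
    isp = Router("isp-router", ["192.168.1.0/24"])
    isp.add_route("0.0.0.0/0", "203.0.113.1")            # everything else to the ISP
    opn = Router("opnsense", ["192.168.1.0/24", "10.0.0.0/24"])
    opn.add_route("0.0.0.0/0", "192.168.1.1")            # OPNsense default via ISP router
    if with_static_route:
        # the route Gobo describes: lab network reachable via the OPNsense WAN address
        isp.add_route("10.0.0.0/24", "192.168.1.50")
    owners = {"192.168.1.1": isp, "192.168.1.50": opn}   # which router owns which hop IP
    return isp, owners


if __name__ == "__main__":
    for flag in (False, True):
        isp, owners = build_topology(flag)
        print("static route" if flag else "no static route", "->",
              " > ".join(path(isp, "10.0.0.5", owners)))
```

Without the route, a 192 device sends the packet to its default gateway, the ISP router matches only 0.0.0.0/0 and hands it to the ISP, which discards private addresses. With the route the ISP router hands it to the OPNsense WAN address, which has 10.0.0.0/24 directly connected. If the ISP router cannot take static routes, the alternative is a static route on each 192 device that needs lab access. One caveat from the OPNsense side: outbound NAT on the WAN interface is on by default, which is why the laptop in the 10 network could already reach 192 hosts; for replies from 192 hosts to reach the real 10.x addresses rather than the OPNsense WAN address, that route has to exist and the WAN rules must pass the inbound traffic.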