On my network, I have quite a few VLANS.

One for work, one for IoT devices, one for security cameras and home automation, one for Guests, etc.

I typically keep everything inward facing, with the only way to access them via my OpenVPN connection (which only can see specific services on specific VLANs).

Recently, I thought of hosting a little Lemmy instance, since I have a couple domains I’m not doing much with.

I know I can just expose that one system/NGINX proxy and the necessary ports via WAN, but is it best practice to put external facing things on their own VLANs?

I was thinking of just throwing it on my IoT VLAN, but if it were to be compromised, it would have access to other devices on that VLAN because (to my knowledge) you cannot prevent communication between clients within the same VLAN.

  • @wirelesslywired
    link
    English
    71 year ago

    I would highly suggest using a separate VLAN at the minimum directly off your firewall, and at the ingress of your firewall put rules in blocking any traffic from the server to the rest of your home. You can always allow ssh from your work env to the server, but block unsolicited traffic from the server to your home. I’d also suggest potentially leveraging a secondary public IP if you have service that will give you a block of IP addresses for a fee. It would be worth it to just keep your home separate from any denial of service type attacks directed at your lemmy instance.

    • @rootOP
      link
      English
      21 year ago

      Got it, thank you. I’ll look into the 2nd static IP from Comcast. That is/ was one of my major concerns. I don’t want my whole home network going down if someone decides to dos it

      • @BurntRiddles
        link
        English
        31 year ago

        A second IP on the same connection and router will not prevent the other IP from being affected by a ddos. A ddos is meant to either saturate a connection or overload a device. Since you will be using the same connection and device, a second IP will not help with this.

        • @rootOP
          link
          English
          21 year ago

          Turns out I don’t have access to a second IP anyways; Only available for Businesses from my ISP :( thank you for the reply

  • @[email protected]
    link
    fedilink
    English
    51 year ago

    Yeah, the usual approach is to create a DMZ network/VLAN where you forward external traffic to, but you can’t reach anything except the internet from.

    • @rootOP
      link
      English
      11 year ago

      Thank you for the reply. I’ll make sure to isolate like this if I decide to host. So when people expose Jellyfin or Home assistant via NGINX, they’re usually putting those services ok their own VLAN?

      • @[email protected]
        link
        fedilink
        English
        2
        edit-2
        1 year ago

        Usually doesn’t equal best practice.

        I would argue usually for selfhosters they don’t have secondary VLAN or DMZ. They just expose the service they want via a port forward and call it good. I may or may not be guilty of this :)

        But best practice would be to create a DMZ put any servers you want expose on the DMZ network. But the downside is this adds complexity to your network. But upside is it add security to your network. If your server gets compromised it isn’t an automatic door into your internal network.

        Edit I would also add, depending on what your ultimate goals are your time might be better used looking into a VPN solution as that is far more secure. It just depends on your remote clients.

        • @rootOP
          link
          English
          11 year ago

          Very good points, thank you! My network is solid right now, and I feel very confident in my security, but if I were to take on this project, I’d definitely want to do it the right way. Security first, convenience second :D

  • @[email protected]
    link
    fedilink
    English
    41 year ago

    Seperate vlan for any external service. Fail2ban/firewalled ssh keys. All the normal stuff

    Im thinking of fronting it with cloudflare and run it through tunnel eventually

  • @[email protected]
    link
    fedilink
    English
    3
    edit-2
    1 year ago

    you cannot prevent communication between clients within the same VLAN.

    Can’t you use a firewall for this?

    Anyway, my guess is it’s probably better to use a separate vlan or a DMZ for that. But given my poor security experience, others can probably better help you on this one

    • @rootOP
      link
      English
      21 year ago

      To my knowledge, devices within a VLAN can see eachother, because they do not cross the firewall (since they are layer 2). I may be wrong, but that’s my experience and what I’ve read.

      • @damium
        link
        English
        11 year ago

        You can use host firewalls or l2 firewalls (sometimes called transparent mode). Many hypervisors offer l2 firewall features. You can also enable l2 isolation on some network devices.

  • @RxBrad
    link
    English
    3
    edit-2
    1 year ago

    deleted by creator

    • @daFRAKKINpope
      link
      English
      41 year ago

      From what I’ve read about Cloudflares Zero Trust Tunnel thing it’s actually more secure than hosting it with a public IP address.

      To be clear I haven’t done it. So idk for sure. But it sounds like they use some kinda 2fa system to get to your services, you don’t expose a public IP, and it’s all behind Cloudflares service. Which is great for security. If you trust Cloudflare. I trust Cloudflare, but some folks might not.

      I might check this out as a weekend project tho. See how it differes from my setup with vlans, VM’s, firewalls and fail2ban.

      • @RxBrad
        link
        English
        2
        edit-2
        1 year ago

        deleted by creator