this post was submitted on 12 Jun 2023
25 points (100.0% liked)

Selfhosted

Hi All!

New to the Fediverse from the Reddit exodus. I got into self-hosting around January this year and have been loving learning about networks, how they are structured and how they communicate, and I love the projects that come out of managing a home lab.

As I've built up my home lab from a single node to 3, I've been trying to think of how to structure my network so that my homelab is on its own segmented network, whether that be a VLAN or a separate LAN (though I've heard terrible things about double NAT), and have that whole segment of traffic pushed through a VPN tunnel. Unless that is not necessary? Part of the reason I want to make this post is so that people who are at around the same point in their home lab adventure, and who might have similar questions, can come to this thread to discuss the particulars of the matter at hand. I'll probably structure future questions in a way that allows people to discuss and nail down topics they may be struggling to wrap their heads around.

Back to my question, so let me give a better lay of the land. I am running Proxmox as my hypervisor on all these nodes. I have a generic ISP-provided router (an Actiontec T3200, if you're interested in the model) that handles LAN routing and WiFi. Currently all my nodes are hard-lined to the router and I rely on Proxmox's default firewall at the moment; I haven't dug into how to properly configure any of that since I wanted a separate solution. I'm not sure of the security implications of just using Proxmox's firewall, so chime in if you know.

So all my nodes are hooked up to my router, but I have a Layer 2 switch I got for free (it supports basic VLANs as well as some other basic features) and I want to configure my 3rd node to run OPNsense for my routing and VLAN tagging. The 3rd node will sit on the edge between the router and the switch, meaning the router connects to Ethernet port 1 on node 3 and Ethernet port 2 on node 3 connects to the switch, and from my understanding it would be providing the LAN and internet access. Node 3 will also be running a VPN tunnel to provide remote access as well as protection for my *Arr downloads. So the routing for my homelab should go from this:

Node 1, Node 2, Node 3 ------- ISP Router ------ Internet

to this:

Node 1, Node 2--Switch/Node3---ISP Router --Internet

Now my understanding is that structuring it in such a way means that if, for example, Node 1, which hosts my *Arr network, were to pull a compromised download, then its damage would only go as far as where the VLAN ends, i.e. it would only affect my homelab network, because it's segmented in such a way that my devices connected to WiFi would be unaffected.

I've just started to tinker around with configuring OPNsense now that I have a sense of how to structure my network. I'm trying to virtualize it, which is a bit unconventional but not unheard of. I was able to spin up a VM running the installer and it gets through the install just fine, but I am unable to reach the address provided. It's 192.168.1.1, which is outside my IP range. This might be where I need a bit of help understanding, but shouldn't it give me an IP address that's in my router's IP range? Maybe not; maybe it's a sort of DMZ-type thing? I'm not all too familiar, so give a shout if you know something. I am thinking that the WAN and LAN ports are just getting switched during install and I need to interrupt the install and manually assign those ports, and then I'll be able to connect? I haven't had some solid time to dig deep on this, so I figured rambling on a forum with tech-savvy individuals might at the very least provide me with some insight and more understanding.

So I suppose my question is: what do you think of my thought process? Am I missing anything major in my understanding? How should you think about configuring your firewall and VPN? How do you set up VLANs to allow communication where necessary between VLANs and the WiFi network? Apologies that this got so long; I was trying to keep it brief but also give enough info on my environment. Let me know if there are any questions. I'd also be interested in resources if my topics just point to needing a better understanding of networking generally. Thanks for your time.

[–] jellyfish@beehaw.org 9 points 1 year ago (4 children)

This sounds like a fun project! I recently ripped out and redid the network segmentation on my 3-node Proxmox cluster too.

Originally I had everything in a /16, but that was causing some routing problems because I actually needed to static route a /24 that was in the /16 to a VM for VPN. Anyways, I'm going to try to dig through your post and give some advice. This is all just personal opinion on how I'd set stuff up after over a decade of homelabbing/home infra, so ya know, take and leave what you want.

It sounds like you want to use one of your Proxmox nodes with a VM running OPNsense as your router? I'd highly discourage this. I know you call your setup a lab, but it's running the *arrs and probably a streaming server, and there's nothing worse than planning a movie night and having your networking be down. Also, it'll make it easier to recover from a power outage or hardware failure, keep your network config much simpler, and provide physical boundaries between machines, increasing security.

So, I'd say unless you're fine with the possibility of extended outages, use dedicated hardware for networking. I'm partial to pfSense's Netgate; it's a good price and a lot of bang for your buck, and it comes from an awesome open source project. I use UniFi, though I wouldn't necessarily recommend it due to some shady stuff the company has done/said over the last few years.

OPNsense looks neat, but the only reason I see to use it over pfSense is the integrated IDS/IPS, which is just a nice GUI over Suricata and a Proofpoint subscription. Personally I'd run Suricata in a VM and mirror WAN traffic to it via pfSense. This way a VM isn't in your critical network path, but IDS is available and easy to manage.

Don't forget, when you separate stuff into VLANs, it forces the traffic to go up to the router and back down to the switch. This means any inter-VLAN traffic has a 1 Gb limit on it. So if you ever upgrade your servers with 10 Gb NICs and you set up VLANs incorrectly, you won't get that performance. Or if you just have a lot of traffic, you'll start getting TCP slow starts and retransmissions and it may play havoc on your network. That's why many usually just don't bother with VLANing: it gives you network isolation, but comes at the cost of increased routing.

As for routing, all VLANs will route between each other automatically. As obvious as it is, just think of two VLANs as two separate physical switches plugged into the same router. By default those two switches will be able to communicate with each other through the router, but they can't directly communicate with one another (which would have higher throughput/bandwidth).

DMZ is interesting; in my mind it basically came from a time when networks had a hard shell and a soft interior (w.r.t. security). I don't DMZ because I have host-level firewalls and network firewalls to do LAN segmentation. But that isn't to say it's a bad idea if you're up for it. Basically a DMZ (demilitarized zone) is a VLAN where you'd put stuff like a mail server, DNS servers, and maybe an HTTP server: stuff you'd want to expose to the internet, as well as into your local network. The idea is that if one of those servers were compromised, you wouldn't want it to have full access to your local network. So instead you split off a DMZ network so that if a host in it gets compromised, it wouldn't provide the attackers a good base to pivot into your local network from. I don't expose any services to the internet except a VPN, and that VPN definitionally needs a lot of access to my local network to be useful, so I don't partition it off into its own DMZ. I'm not a network admin, so that's just my interpretation of it.

As for structure, this is where I ended up:

10.0.0.0/24 - LAN management - Stuff like UniFi/pfSense admin panels
10.0.1.0/23 - LAN - Where most of my normal stuff goes
10.99.0.0/24 - OOB Administration - Things like IPMI and BMCs end up here
10.99.1.0/24 - Administration - Things like Proxmox VMs end up here
10.99.2.0/24 - Core network - Things like VPN, DNS, backups, basically important network services
10.99.3.0/24 - Services - Things like *arr, etc. end up here. I actually run K8s via Kubespray in Proxmox, so for me this is actually my MetalLB service IP range
10.99.100.0/24 - VPN IP pool - I static IP my VPN clients instead of masquerading, so they get an IP out of this pool, the VPN instance acts as a router, and I static route from my main router back to the VPN instance

My LAN is a separate IP range that then routes to this. And I have a separate /24 for my 10 Gb network for Ceph.

So yeah! I don't know if that helps at all; feel free to ask questions to clarify. If you still really want to install OPNsense in a VM I can give you some tips on that as well.

[–] Viclan@beehaw.org 4 points 1 year ago (3 children)

Dude, this is awesome, thanks for your comment! It's exactly the type of engagement I was hoping for, someone to help with a few key concepts. I'll definitely be taking your advice to heart; it sounds like you've been through the wringer with your own setup.

I agree with you that running OPNsense in a VM is less than ideal, but I figured that as it would only affect my lab, I can deal with the occasional outage, and this is more so I can learn first before going all in on a solution such as a Netgate. I appreciate the suggestion there too. I'm not dead set on OPNsense; I just figured a GUI would be easier to navigate and it looked nice. I haven't heard of Suricata and mirroring the WAN connection to pfSense; that definitely makes sense.

As for the VLANs, I'm not dead set on that in particular either; the switch I have supports it and it made the most sense as a way to segment my network. So you are saying you can also segment a LAN connection with just a firewall? It would make sense, as you can set rules for how a device can communicate with other devices on the network. Is it rather cumbersome to set it up in that way? And on VLAN performance, I would assume that would not be a problem as I am the only user who would be connecting to my media server, unless I had a bunch of services sending and receiving shitloads of data, essentially?

I really appreciate all your help! You definitely sound like you've been doing this for a decade, haha, very useful stuff. I might pop back and ask more questions later if you don't mind.

[–] Viclan@beehaw.org 2 points 1 year ago

Oh, on my first point I misunderstood: this will not replace my router, it will only be used by my Proxmox network.
