this post was submitted on 01 Nov 2024
41 points (97.7% liked)

Selfhosted

39919 readers
324 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Hello,

Just spent a good week installing my home server. Time to pause and lookback to what I've setup and ask your help/suggestions as I am wondering if my below configuration is a good approach or just a useless convoluted approach.

I have a Proxmox instance with 3 VLAN:

  • Management (192.168.1.x) : the one used by proxmox host and that can access all other VLANs

  • Servarr (192.168.100.x) : every arr related software + Jellyfin (all LXC). All outbound connectivity goes via VPN. Cant access any VLAN

  • myCloud (192.168.200.X): WIP, but basically planning to have things like Nextcloud, Immich, Paperless etc...

The original idea was to allow external access via Cloudlfare tunnel but finally decided to switch back to Tailscale for "myCloud" access (as I am expected to share this with less than 5 accounts). So:

  • myCloud now has Tailscale running on it.
  • myCloud can now access Servarr VLAN

Consequently to my choice of using tailscale, I had now to use a DNS server to resolve mydomain.com:

  • Servarr now has pihole as DNS server reachable across all VLAN

On the top of all that I have yet another VLAN for my raspberry Pi running Vaultwarden reachable only via my personal tailscale account.

I'm open to restart things from scratch (it's fun), so let me know.

Also wondering if using LXCs is better than docker especially when it comes to updates and longer term maintenance.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] -2 points 3 days ago (1 children)

Well it wouldn't matter if your router is the thing that someone gets into. All you're doing is separate traffic in different subnets, and if that's your goal, you're good to go.

[–] [email protected] 1 points 3 days ago* (last edited 3 days ago) (1 children)

You are aware that a firewall rule is how you would address - in software, with logic - someone trying to get from VLAN C to VLAN A, right?

That its part of the method you'd use as a layer of security to prevent someone gaining access to.your router?

Assuming the router is compromised from the start is similarly just nutso.

[–] [email protected] -1 points 3 days ago (1 children)

You are aware that being on the router would have access to ALL the ingress and egress interfaces, right?

[–] [email protected] 1 points 3 days ago (1 children)

That's not how any of this works.... At all.

No, its managed by the firewall. The existence of a VLAN does not grant it access to egress. The firewall needs to permit that behavior.

Your entire understanding of how a logical network works is wrong. I'm not trying to be a dick - this is just really bad information that you're sharing.

[–] [email protected] 0 points 3 days ago* (last edited 3 days ago) (2 children)

JFC 🤦

How are you NOT understanding what OP thinks is happening, versus what you thinks is happening?

If I get shell access to this router I have access to ALL NETWORKS. VLAN won't help any of this.

[–] [email protected] 1 points 3 days ago (1 children)

HOW WOULD YOU GET SHELL ACCESS TO HIS ROUTER FROM A FIREWALLED OFF VLAN THAT DOES NOT GAIN ACCESS TO THE MANAGEMENT VLAN THE ROUTER IS ON.

Holy crap dude.

BASIC networking.

[–] [email protected] -1 points 3 days ago (1 children)

Lolz at you. Sweet baby Jesus, you have no idea.

[–] [email protected] 1 points 3 days ago (1 children)

Take a networking class instead of spewing nonsense please.

[–] [email protected] -1 points 3 days ago (1 children)

Take your own advice: https://www.n-able.com/fr/blog/vlan-hopping-security

For some reason you think a home router can't be gotten into because of a VLAN of all things🤣

You're sitting here worrying about some packets from the internet being safe for some reason and not realizing the big picture. Go back to Innernette learning school, tough guy.

[–] [email protected] 1 points 3 days ago* (last edited 3 days ago)

Take a networking class. You have numerous fundamental misunderstandings and make wild assumptions on bridging gaps that has specific requirements to occur, which also requires a complete lack of any other security methods.

Take a networking class, please. You need it.

Edit: You're mad and still down voting, I want to point out you dont even understand the link you provided.

You should probably read that. But looooooong before then, you should take an actual class on networking.

You need it.

[–] [email protected] 0 points 3 days ago

Thats my line.

I'm also done having any sort of discussion with you, there is a fundamental misunderstanding of logical network design here, and I have no interest in correcting that. Enjoy your day.