Selfhosted

39939 readers

383 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago

MODERATORS

HybridSarcasm@lemmy.world

HybridSarcasm@lemmy.hybridsarcasm.xyz

VLAN usage under Proxmox (lemmy.world)

submitted 4 days ago* (last edited 4 days ago) by athes@lemmy.world to c/selfhosted@lemmy.world

33 comments fedilink hide all child comments

Hello,

Just spent a good week installing my home server. Time to pause and lookback to what I've setup and ask your help/suggestions as I am wondering if my below configuration is a good approach or just a useless convoluted approach.

I have a Proxmox instance with 3 VLAN:

Management (192.168.1.x) : the one used by proxmox host and that can access all other VLANs
Servarr (192.168.100.x) : every arr related software + Jellyfin (all LXC). All outbound connectivity goes via VPN. Cant access any VLAN
myCloud (192.168.200.X): WIP, but basically planning to have things like Nextcloud, Immich, Paperless etc...

The original idea was to allow external access via Cloudlfare tunnel but finally decided to switch back to Tailscale for "myCloud" access (as I am expected to share this with less than 5 accounts). So:

myCloud now has Tailscale running on it.
myCloud can now access Servarr VLAN

Consequently to my choice of using tailscale, I had now to use a DNS server to resolve mydomain.com:

Servarr now has pihole as DNS server reachable across all VLAN

On the top of all that I have yet another VLAN for my raspberry Pi running Vaultwarden reachable only via my personal tailscale account.

I'm open to restart things from scratch (it's fun), so let me know.

Also wondering if using LXCs is better than docker especially when it comes to updates and longer term maintenance.

you are viewing a single comment's thread
view the rest of the comments

[–] just_another_person@lemmy.world -1 points 4 days ago* (last edited 4 days ago) (30 children)

I don't think there is anything wildly wrong with it, but it seems like you're doing all of this at the router, unless you have dedicated switches for each VLAN?

VLAN is not a security feature, it's a logical separation of IP segments. Maybe I'm missing your intention here, but just setting different IP spaces on VLANs and then bridging them doesn't help your security, it just complicates your network.

[–] curbstickle@lemmy.dbzer0.com 5 points 4 days ago (29 children)

Not OP, but logical separation and firewall rules is a needed first step for security. They already mentioned in the post that one vlan has dedicated outbound (via VPN only) and doesn't have access to their .200.

Physical switches per vlan is completely unnecessary, and entirely why vlans are used rather than subnets.

[–] athes@lemmy.world 2 points 4 days ago

Yes the idea is to make it easier to isolate/configure firewall rules and try to protect more sensitive data. (i.e. I don't care much if people can access my ISOs ;) However, at the end of the day they are all on the same Proxmox host.

load more comments (28 replies)