Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
-
No low-effort posts. This is subjective and will largely be determined by the community member reports.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
view the rest of the comments
Honestly it could very much be that I fell into the security trap. It's just that everytime I read something about "homelab best practices" VLAN's are close to the top of the list.
Maybe I ditch my plans and just establish a VLAN for IoT and guests.
I usually end up doing it very simple with huge /24 ipv4 networks, f.e.
10.100.10.0/24 = VLAN 10 = User devices and purely internal servers
10.100.20.0/24 = VLAN 20 = IoT
10.100.30.0/24 = VLAN 30 = Servers that are reachable from outside
10.100.40.0/24 = VLAN 40 = Guests
The main thing for me is to ensure that traffic that wants to pass between VLANs go through my firewall/router and allow Suricata to do its IPS work.
Pretty much this. I have several VLANS set up to segrigate traffic. For instance, one VLAN services the 'smart' TVs and gives access for my lady friend when she comes to visit. She apparently likes ads and crap hogging her screen's real estate. I have tried to get her to listen to reason, but as soon as there is an issue, it becomes an exercise in figuring out what is blocking her unfettered access. So I want that totally separate from traffic destined in and out of my server. Then I have a VLAN for some 25 security cameras, and a VLAN for server and lab operations. I make no Guest accommodations for Wi-Fi tho. You are either trusted, or not.
It might be overly complicated, but I like to 'keep 'em separated', and it seems to work just jammy, so there's that.
That's a good starting point. Keep IoT away from your primary vlan (for all things holy don't use VLAN ID 1). You can limit your outbound traffic for that vlan more easily if you want to cut your smart things off from the Internet.
Guest WiFi/vlan can be just a straight shot to the internet, probably no need for visitors to get to your internal services.
Eventually, you could add a DMZ where any Internet available systems like your VPN - with specific firewall rules only permitting VPN to specific locations inside your primary vlan.
I would say there's solid benefits to breaking out your networking into at least 4 VLANs: IoT, guest, main, and infrastructure. IoT is obvious, these devices are security nightmares, but sometimes you have no alternative so you throw them into a network black hole. Guest for guests that you don't want touching your stuff but keep asking for wifi. Main is for everybody else, this is your "real" network. Infrastructure for servers and network equipment.
The reason you break infrastructure off into its own VLAN is that modern firewalls are stateful and you can allow the main VLAN to initiate connections to the infrastructure VLAN but not the other way around, so if your server or IoT stuff gets infected it can't become an attack vector for all your other devices. You allow Main to access Infrastructure, but not vise versa.
I take mine further and add two more VLANs, services and admin access. I split infrastructure (networking, proxmox hosts, etc) and services (proxmox VMs, NAS, etc) and then only allow admin access to the former, which is exclusive to my PC and phone. Some might call this excessive, but it helps me sleep a little better at night.
Maybe I was too literal in how I answered the question because I do use VLANs in my home network, but just to segregate my guest wifi which I also use for IoT things that I don't need on my main network.
I don't think of this as "home lab" because all my services run on my primary network VLAN and my secondary VLAN only exists at my router, switch and wifi APs.
I haven't found a need for a "no access" VLAN as if I wanted to keep something from going outbound I would just create a firewall rule. I've also found my PiHole to be very effective at blocking telemetry traffic from things.