Hey there selfhosted community.

I had big plans when I moved last year to finally setup my homelab with proper VLAN seperation. Well a stressfull move later I simply had no energy left and just threw my whole homelab and all my services in my main LAN with no seperation whatsoever.

In how much of a world of pain am I in now when I want to switch my homelab services over in a seperate VLAN? Any recomendations or pointers to documentation for me to go through before I decide if this is something I want to do right now?

Currently this would impact a proxmox host with 3 VM’s and 1 LXC and around 20 docker images.

  • WhyJiffie@sh.itjust.worksEnglish
    3·
    1 day ago

    The security reason generally doesn’t exist for home labs because most need to setup bridging or you can’t access the devices on the secure vlan at all.

    bridging can be set up in a limited fashion. it could happen with a firewall doing routing and filtering

    • Blue_Morpho@lemmy.worldEnglish
      1·
      1 day ago

      To compromise a device on a vlan it had to get through the firewall. If your firewall couldn’t stop it then it can attack any other device by going through the firewall because again the firewall didn’t stop the device from being compromised in the first place.

      • WhyJiffie@sh.itjust.worksEnglish
        1·
        6 hours ago

        if you allowed that to happen you either did not set firewall rules strict enough, or if the client doing the compromise absolutely had to have access to the vulnerable service then you did everything you could to limit the chance of it happening.

        usually the solution to that is to limit who can access what more strictly. dont allow user devices like smartphones on the iot vlan, as any app running on the phone could be doing nefarious things. only allow the iot devices and the home assistant service on the iot vlan, and user devices will only talk to home assistant, something supposedly more secure than whatever iot devices there are.
        similarly, don’t allow user devices to access the ip cameras. put the ip cameras on a network where only the NVR software can access them, and user devices will only access the NVR. if you can, don’t put the whole operating system of these services on the iot and ipcam vlans either. this is possible when the services run in containers, because you can pass in only vlan specific interfaces to the containers. if not using containers, you can still use the operating systems firewall to filter incoming traffic.

        if you set up proper network filtering, the “if” in “If your firewall couldn’t stop it” will become a pretty big “if”