Hey there selfhosted community.
I had big plans when I moved last year to finally set up my homelab with proper VLAN separation. Well, a stressful move later I simply had no energy left and just threw my whole homelab and all my services in my main LAN with no separation whatsoever.
In how much of a world of pain am I in now when I want to switch my homelab services over to a separate VLAN? Any recommendations or pointers to documentation for me to go through before I decide if this is something I want to do right now?
Currently this would impact a Proxmox host with 3 VMs and 1 LXC and around 20 docker images.
How much hurt you’re in is largely going to be a factor of how dependent you are on IP addresses between all your services. Moving services into a VLAN is also going to require new IPs. If you’re using DNS names between everything that will help, especially if you’re mostly using DHCP. If you’ve got lots of hand-configured IPs between your services you’re going to have to chase all those down.
My recommendation is to start small. Create the new VLAN and put a new host in it, make sure you’re confident about how you want to set it up in Proxmox and your router, get some experience.
Then think about which services are actually going to benefit from the VLAN switch to move. You’ll probably do best at this point to just leave your Proxmox management interface where it is and just move services over that need it.
All said, I run a small stack at home and haven’t really found any personal need for VLAN segregation for my services, so definitely start with a reason and a plan. Learning can be a reason.
haven’t really found any personal need for VLAN segregation
I feel like many set up VLANs “because it exists”, not for actual need. The security reason generally doesn’t exist for home labs because most need to set up bridging or you can’t access the devices on the secure VLAN at all.
Honestly it could very much be that I fell into the security trap. It’s just that every time I read something about “homelab best practices” VLANs are close to the top of the list.
Maybe I ditch my plans and just establish a VLAN for IoT and guests.
Maybe I was too literal in how I answered the question because I do use VLANs in my home network, but just to segregate my guest wifi which I also use for IoT things that I don’t need on my main network.
I don’t think of this as “home lab” because all my services run on my primary network VLAN and my secondary VLAN only exists at my router, switch and wifi APs.
I haven’t found a need for a “no access” VLAN as if I wanted to keep something from going outbound I would just create a firewall rule. I’ve also found my PiHole to be very effective at blocking telemetry traffic from things.
The security reason generally doesn’t exist for home labs because most need to setup bridging or you can’t access the devices on the secure vlan at all.
bridging can be set up in a limited fashion. it could happen with a firewall doing routing and filtering
To compromise a device on a vlan it had to get through the firewall. If your firewall couldn’t stop it then it can attack any other device by going through the firewall because again the firewall didn’t stop the device from being compromised in the first place.
if you allowed that to happen you either did not set firewall rules strict enough, or if the client doing the compromise absolutely had to have access to the vulnerable service then you did everything you could to limit the chance of it happening.
usually the solution to that is to limit who can access what more strictly. dont allow user devices like smartphones on the iot vlan, as any app running on the phone could be doing nefarious things. only allow the iot devices and the home assistant service on the iot vlan, and user devices will only talk to home assistant, something supposedly more secure than whatever iot devices there are.
similarly, don’t allow user devices to access the ip cameras. put the ip cameras on a network where only the NVR software can access them, and user devices will only access the NVR. if you can, don’t put the whole operating system of these services on the iot and ipcam vlans either. this is possible when the services run in containers, because you can pass in only vlan specific interfaces to the containers. if not using containers, you can still use the operating system’s firewall to filter incoming traffic. if you set up proper network filtering, the “if” in “If your firewall couldn’t stop it” will become a pretty big “if”
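The access policy this comment describes (user devices reach only Home Assistant and the NVR; IoT devices and cameras sit behind them), written out as an nftables forward ruleset for a router that owns the VLAN interfaces. This is an added example, not from the thread; interface names, subnets, the Home Assistant and NVR addresses, the ports, and the decision to let IoT devices reach the internet are all assumptions.

```nft
#!/usr/sbin/nft -f
# Added example: inter-VLAN forward policy for the IoT / IP-camera layout
# discussed above. All names, subnets and ports below are assumptions.
define LAN_IF = "lan0"      # user devices, 10.0.1.0/24 (assumed)
define IOT_IF = "vlan30"    # IoT devices plus Home Assistant, 10.0.30.0/24 (assumed)
define CAM_IF = "vlan31"    # IP cameras plus the NVR, 10.0.31.0/24 (assumed)
define WAN_IF = "wan0"
define HA  = 10.0.30.10     # Home Assistant: the only IoT-VLAN host users may reach
define NVR = 10.0.31.10     # NVR: the only camera-VLAN host users may reach

flush ruleset

table inet homelab {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections the rules below allowed flow back; nothing else
        # gets a free pass, so an IoT device cannot open connections to users.
        ct state established,related accept
        ct state invalid drop

        # User devices talk to the two "front doors" only, never to the IoT or
        # camera devices behind them. 8123 and 443 are assumed service ports.
        iifname $LAN_IF oifname $IOT_IF ip daddr $HA  tcp dport 8123 accept
        iifname $LAN_IF oifname $CAM_IF ip daddr $NVR tcp dport 443  accept

        # Home Assistant -> IoT devices and NVR -> cameras are same-VLAN traffic
        # and never reach this chain, so they need no rule here.

        # Assumed allowance: IoT gadgets may reach the internet (cloud-dependent
        # devices) but nothing internal. Cameras get no outbound rule at all.
        iifname $IOT_IF oifname $WAN_IF accept

        # User LAN to the internet.
        iifname $LAN_IF oifname $WAN_IF accept

        # Everything else hits the drop policy; log it (rate limited) so a
        # misbehaving IoT device or camera shows up in the firewall log.
        limit rate 5/minute log prefix "homelab-fwd-drop: "
    }
}
```

Load it with `nft -f` and watch the `homelab-fwd-drop:` log lines for a while before trusting it; a camera trying to phone home, or a phone app scanning the IoT range, will appear there first.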
if you allowed that to happen you either did not set firewall rules strict enough
The argument was that the vlans force a device through the firewall so that the firewall can protect it. But for that to happen, like you said the firewall wasn’t strict enough or didn’t have a defense against a 0 day.
So the vlan doesn’t do anything either way. Either the firewall works in which case you don’t need vlans to force local traffic through them a second time or they don’t work in which case again the vlan did nothing.
or didn’t have a defense against a 0 day.
firewalls are not for defending against 0 days. it is about access control, and reducing, sometimes even minimizing access to potentially vulnerable services. firewalls are not an infallible security tool, but there is no such thing either. the reason to use it is to restrict access such that fewer attackers can take advantage of a potential vulnerability.
there are intrusion detection/prevention systems that could do more, but it’s unlikely they will protect against 0 days, because 0 days are undiscovered and unknown issues.
So the vlan doesn’t do anything either way.
it does. it’s useful to force traffic through a firewall. it’s for limiting what has access to what. if you wouldn’t use vlans, hosts on the network would not care about your firewall because they can just go straight to the destination.
I’m not sure I understand your argument, but I think what you say is, firewalls are not infallible so they are useless
I’ll try an analogy to explain better. The firewall is a lock on the door to your house. Vlans are a rule that to go from one room to another, you must go back out the locked door and back in.
So an attacker tries to come in and can’t pick the lock. You are safe.
Another attacker can pick the lock and get into a room. But if they can pick the lock for one room, they can pick the same lock again and get into any other rooms because it’s the same lock protecting every room in the house.
It really depends on how coupled your services are and how sparse you want to place them.
Are you learning VLANs? Here’s my default setup anytime I set a home up:
10.0.10.0/24 my personal devices that I trust the most. Communicate with anything, but not administrative.
10.0.20.0/24 wife/family members that may do stupid things. Communicate with most things.
10.0.30.0/24 IoT. Communicate with outside only.
10.0.40.0/24 Guest. Communicate with some IoT.
1.0.50.0/25 outside services. DMZ. All RFC 1918 blocked.
1.0.90.0/24 MGMT. Communicate everywhere. Administrative use only.
I run most services on .10.
Although I can log into anything from .10, it’s only to a non-administrative user to check in on basic stuff (is this service running? Did x drive not mount on boot?). Each host is configured to restrict ssh access to admin users to mgmt.
This means I have to switch VLAN to administrate services. It also means those users get less use and are easier to audit. Plus switching to ‘network root’ feels intentional.
You could get it done in an afternoon if you draw a map of the network and keep a tidy checklist. Seriously, map it out first. It’ll serve as documentation that you WILL need in the future.
Good luck with the build!
Just a general suggestion here, as a first step, do some diagrams of your environment. Start with a general diagram and work from the top down to more specifics. Consider what goes into like buckets of use cases, and where use cases are different. All this vlan & firewall talk is downstream of design intent.
Are there a few examples of good practice here? I see a lot but have no idea of what is realistic or well put together.
IMO vlans are the nuclear option to network separation.
try setting up some proper firewall rules first. if that doesn’t solve your issue then start going down the vlan route.