Hey there selfhosted community.
I had big plans when I moved last year to finally setup my homelab with proper VLAN seperation. Well a stressfull move later I simply had no energy left and just threw my whole homelab and all my services in my main LAN with no seperation whatsoever.
In how much of a world of pain am I in now when I want to switch my homelab services over in a seperate VLAN? Any recomendations or pointers to documentation for me to go through before I decide if this is something I want to do right now?
Currently this would impact a proxmox host with 3 VM’s and 1 LXC and around 20 docker images.
I feel like many setup vlans “because it exists”, not for actual need. The security reason generally doesn’t exist for home labs because most need to setup bridging or you can’t access the devices on the secure vlan at all.
bridging can be set up in a limited fashion. it could happen with a firewall doing routing and filtering
To compromise a device on a vlan it had to get through the firewall. If your firewall couldn’t stop it then it can attack any other device by going through the firewall because again the firewall didn’t stop the device from being compromised in the first place.
The biggest reason is to prevent iot or other untrustworthy devices from reaching the Internet.
Or in some cases ONLY allowing them to reach the Internet. So they can’t access your other devices…
You can do that at the router. You don’t need vlans to block Mac addresses.
Honestly it could very much be that I fell into the security trap. It’s just that everytime I read something about “homelab best practices” VLAN’s are close to the top of the list.
Maybe I ditch my plans and just establish a VLAN for IoT and guests.
I would say there’s solid benefits to breaking out your networking into at least 4 VLANs: IoT, guest, main, and infrastructure. IoT is obvious, these devices are security nightmares, but sometimes you have no alternative so you throw them into a network black hole. Guest for guests that you don’t want touching your stuff but keep asking for wifi. Main is for everybody else, this is your “real” network. Infrastructure for servers and network equipment.
The reason you break infrastructure off into its own VLAN is that modern firewalls are stateful and you can allow the main VLAN to initiate connections to the infrastructure VLAN but not the other way around, so if your server or IoT stuff gets infected it can’t become an attack vector for all your other devices. You allow Main to access Infrastructure, but not vise versa.
I take mine further and add two more VLANs, services and admin access. I split infrastructure (networking, proxmox hosts, etc) and services (proxmox VMs, NAS, etc) and then only allow admin access to the former, which is exclusive to my PC and phone. Some might call this excessive, but it helps me sleep a little better at night.
I usually end up doing it very simple with huge /24 ipv4 networks, f.e.
10.100.10.0/24 = VLAN 10 = User devices and purely internal servers
10.100.20.0/24 = VLAN 20 = IoT
10.100.30.0/24 = VLAN 30 = Servers that are reachable from outside
10.100.40.0/24 = VLAN 40 = Guests
The main thing for me is to ensure that traffic that wants to pass between VLANs go through my firewall/router and allow Suricata to do its IPS work.
Pretty much this. I have several VLANS set up to segrigate traffic. For instance, one VLAN services the ‘smart’ TVs and gives access for my lady friend when she comes to visit. She apparently likes ads and crap hogging her screen’s real estate. I have tried to get her to listen to reason, but as soon as there is an issue, it becomes an exercise in figuring out what is blocking her unfettered access. So I want that totally separate from traffic destined in and out of my server. Then I have a VLAN for some 25 security cameras, and a VLAN for server and lab operations. I make no Guest accommodations for Wi-Fi tho. You are either trusted, or not.
It might be overly complicated, but I like to 'keep ‘em separated’, and it seems to work just jammy, so there’s that.
That’s a good starting point. Keep IoT away from your primary vlan (for all things holy don’t use VLAN ID 1). You can limit your outbound traffic for that vlan more easily if you want to cut your smart things off from the Internet.
Guest WiFi/vlan can be just a straight shot to the internet, probably no need for visitors to get to your internal services.
Eventually, you could add a DMZ where any Internet available systems like your VPN - with specific firewall rules only permitting VPN to specific locations inside your primary vlan.
Maybe I was too literal in how I answered the question because I do use VLANs in my home network, but just to segregate my guest wifi which I also use for IoT things that I don’t need on my main network.
I don’t think of this as “home lab” because all my services run on my primary network VLAN and my secondary VLAN only exists at my router, switch and wifi APs.
I haven’t found a need for a “no access” VLAN as if I wanted to keep something from going outbound I would just create a firewall rule. I’ve also found my PiHole to be very effective at blocking telemetry traffic from things.