Optimal home Network topology with Proxmox

exciting_spaghetti

New Member
Jan 8, 2024
Dear all,

I am trying to build a home server where I want to run a few services, such as Nextcloud, as LXC containers. I am relatively new to networking and before posting here I have read several pieces of documentation. Nevertheless, I still have doubts regarding the best setup for my use case.

Here below I summarize my needs:
  • I have a modem/router provided by my ISP and I can't change it. Moreover, its features are quite limited, especially when it comes to firewalling.
  • I want to create a Nextcloud AIO LXC container reachable from a Caddy reverse proxy (deployed in a different container).
  • I have a domain that will point toward the static IP of my router, which will pass internet traffic to the reverse proxy on port 443.
Given the above, I am wondering what I can do to increase the security of the above setup, maybe by including an additional firewall. Moreover, I would love to have some isolation, but I can't set up a VLAN or DMZ with my ISP router, so I don't know what's the most appropriate way to set this up.

I have seen people doing similar things with the PVE firewall or with OPNsense running in a VM. However, my server has only 1 NIC and I am actually quite confused about how this should work.

Since I am new to network security, please forgive me! I would love to learn new things about this field.
 
Given the above, I am wondering what I can do to increase the security of the above setup,
Not using LXCs but VMs would be a good start for stuff that's public and attackable by any botnet out there.
VMs are much better isolated.

Moreover, I would love to have some isolation, but I can't set up a VLAN or DMZ with my ISP router, so I don't know what's the most appropriate way to set this up.
Use an additional OPNsense VM between your PVE host and guests to create your DMZ.

However, my server has only 1 NIC and I am actually quite confused about how this should work.
Get a managed switch that is tagged-VLAN capable so you can trunk multiple VLANs over a single NIC. Or add more NICs.
 
Not using LXCs but VMs would be a good start for stuff that's public and attackable by any botnet out there.
VMs are much better isolated.

Use an additional OPNsense VM between your PVE host and guests to create your DMZ.

Get a managed switch that is tagged-VLAN capable so you can trunk multiple VLANs over a single NIC. Or add more NICs.
Thanks for your answer. Except for the first point, which is easily understandable, could you please explain to me better the setup that you suggest in the last two points?
 
That's a lot of stuff to explain. You'd best search for some tutorials on how to set up an OPNsense VM on PVE.
For tagged VLAN see "IEEE 802.1Q".
It's also possible to add USB NICs in case you got one of these unversatile MiniPCs where you can't add any PCIe NIC cards.
 
That's a lot of stuff to explain. You'd best search for some tutorials on how to set up an OPNsense VM on PVE.
For tagged VLAN see "IEEE 802.1Q".
It's also possible to add USB NICs in case you got one of these unversatile MiniPCs where you can't add any PCIe NIC cards.
Ok, I will look around at what you advised. However, with this setup, would the other devices connected through WiFi to my ISP router work as usual?
 
Depends on how you set it up. But yes, usually the LAN side of your ISP's router would be your DMZ and your actual LAN behind another router. In that case your WiFi clients would be part of the DMZ and not the LAN.
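A worked PVE host network configuration for the single-NIC layout the replies describe (one VLAN-aware bridge trunked to a managed switch, OPNsense VM between the ISP router side and the trusted LAN). This is an added example, not from the thread or from Proxmox; the NIC name eno1, the VLAN IDs and the addresses are assumptions.

```text
# /etc/network/interfaces on the PVE host (ifupdown2 syntax). Assumed layout:
#   VLAN 1 (untagged) = LAN side of the ISP router, treated as the DMZ
#   VLAN 20 (tagged)  = trusted LAN, routed and firewalled by the OPNsense VM
# The switch port facing eno1 is a trunk: VLAN 1 untagged, VLAN 20 tagged.
auto lo
iface lo inet loopback

# The physical NIC carries no address of its own; it is only the trunk.
auto eno1
iface eno1 inet manual

# One VLAN-aware bridge. Each guest NIC selects its VLAN with the "tag"
# option in its VM/CT config, e.g. net0: virtio=...,bridge=vmbr0,tag=20
auto vmbr0
iface vmbr0 inet manual
    bridge-ports eno1
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

# Host management address on the trusted VLAN 20, behind OPNsense.
# Caveat: the host is then only reachable while the OPNsense VM is up, so
# keep console access and give OPNsense the earliest start order.
auto vmbr0.20
iface vmbr0.20 inet static
    address 192.168.20.2/24
    gateway 192.168.20.1

# Guest placement (assumed addresses):
#   OPNsense VM      net0 bridge=vmbr0          (untagged, VLAN 1, WAN side
#                                                toward the ISP router)
#                    net1 bridge=vmbr0,tag=20   (LAN side, 192.168.20.1)
#   Caddy VM         bridge=vmbr0 (VLAN 1 / DMZ); ISP router forwards 443 here
#   Nextcloud VM     bridge=vmbr0 (VLAN 1 / DMZ), reached only via Caddy
# OPNsense firewall rules decide what, if anything, DMZ hosts may reach
# on VLAN 20; by default nothing from the DMZ should be allowed inbound.
```

WiFi clients of the ISP router land on VLAN 1 and are therefore DMZ hosts in this layout, exactly as the last reply says; only devices attached behind the OPNsense LAN side (VLAN 20) are on the trusted network.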
 