Change my homelab - security thoughts

MSP1978
Mar 18, 2021
Hello all :-)

Because this is my first post, I want to thank you all for the very good information in this forum. It has helped me a lot to create my "new" homelab.

As for my project, I'm currently running an HP Microserver Gen8 with ESXi and some Windows Server VMs (DC, Exchange, file server).
I connect to my home by OpenVPN on my QNAP NAS.
This is my current setup, which is working, but which I want to change, moving away from Windows / Exchange and from ESXi.

After some weeks with test setups of Proxmox, learning the basics and doing tests with VMs and LXC, I am now at the point of creating my productive homelab :-)

The "normal" setup will be Proxmox as the base, currently running on an old i5 with 24GB RAM.
My final lab will be running on the HP Microserver after running both in parallel for migration.

At the moment I am not sure about the security of the setup and want to know your thoughts about it.

The "normal" family network is connected to my router, IP 192.168.0.0/24. The router has 192.168.0.1.
Here I want to connect the Proxmox server on a fixed IP, 192.168.0.2.

Here I am not sure about the security and what's best to secure
- the Proxmox server
- the VMs running on the Proxmox server

I am not sure if I should only use pfSense as the firewall or just use the firewall of the Proxmox host.
If I run pfSense, should I also run all other services for the network(s) behind the firewall on this VM?
Is it a good idea to run OpenVPN on the pfSense, or is it better to run OpenVPN in an LXC?

As I want to move my Windows servers over to these VMs:
- Univention UCS as domain server / family server with email, Nextcloud etc.
- A Debian-based file server / NAS for my files

As I would run the VMs behind the pfSense, how can I secure it as well as possible and ensure that my family devices from 192.168.0.0/24 can connect to the file / mail server / DC?

The network hardware is based on a single router and the backbone is powerline without the possibility of VLANs.

Michael
 
It's quite common to run pfSense/OPNsense on Proxmox as a firewall/router solution, so all well and good. Regarding the firewall, something like pfSense is much easier to set up and manage with a GUI rather than relying on iptables on the Proxmox host, so personally that's the way I would recommend. Ideally you should have two physical NICs on your host so that you can dedicate one to the LAN role and the other to WAN duties.

It would be easier if you put all your 'home' devices on the LAN side of the pfSense, but you will probably need a small network switch to accomplish this. They would then be behind the firewall and you would have far more control of their protection. A complication could be with regard to wifi if this is currently provided by your ISP router, because this traffic would not be able to reach your LAN devices without creating a firewall rule - this may not be a problem if they only require internet access, but it needs to be considered. Alternatively you would need to purchase a wireless access point and disable the wifi on your router.

If you currently run OpenVPN on your NAS, you should be able to duplicate this using pfSense to allow you to connect to your network from the outside world.

You can run NAS services on the Proxmox host using something like TrueNAS as a VM, or you can just install Samba directly on the host, which is the solution that I prefer because it's simpler and more flexible.
 
Hello again,

I now got some VLAN-enabled switches (3x TP-Link SG108E) to expand my network with VLANs, as the ISP router is not capable of VLANs. It is a Fritzbox which only has the LAN and the guest network; it also serves as my WLAN AP together with some powerline adapters, some also with WLAN in the Fritzbox mesh.

While there are only mobile phones, tablets and some Alexa devices in the WLAN, I will put all of them into the guest WLAN of the Fritzbox, so they are isolated from the LAN part.
For this, I will enable the guest LAN and WLAN on the Fritzbox, connect port 1 and 4 (guest) to one of the VLAN switches and then by trunk to the powerline network.
Here I will put the two other switches with VLAN, so I can put my desktop and servers into the VLANs to isolate them from the guest network as well.

The only thing for which I have no solution at the moment is how to grant access from the mobiles / tablets inside the guest network to my printer. As the guest networks are managed by the Fritzbox and not by the VLAN switches, I see no chance at the moment to grant access from the guest network to the printer.
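As an added example (not from any post in this thread), here is what the two-NIC layout suggested in the reply looks like on the Proxmox host once the VLAN switches from the last post are in place: one bridge carries only the pfSense WAN leg towards the Fritzbox, the second is a VLAN-aware trunk to the TP-Link switches. NIC names (eno1/eno2), VLAN IDs (10/20/30), the 10.0.10.0/24 management subnet and the VMIDs are assumptions for illustration.

```text
# /etc/network/interfaces on the Proxmox host (added example)
auto lo
iface lo inet loopback

# NIC 1: WAN side, patched to a normal Fritzbox LAN port.
# The host gets no address here, so only the pfSense VM
# is reachable from the 192.168.0.0/24 side.
auto eno1
iface eno1 inet manual

auto vmbr0
iface vmbr0 inet manual
    bridge-ports eno1
    bridge-stp off
    bridge-fd 0

# NIC 2: 802.1Q trunk to the SG108E switches. VLAN-aware so each VM
# only sees the VLAN it is tagged for; untagged VM ports see the trunk.
auto eno2
iface eno2 inet manual

auto vmbr1
iface vmbr1 inet manual
    bridge-ports eno2
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

# Host management only in the management VLAN (assumed VLAN 10),
# with pfSense's VLAN 10 interface as gateway (assumed 10.0.10.1).
auto vmbr1.10
iface vmbr1.10 inet static
    address 10.0.10.2/24
    gateway 10.0.10.1

# VM attachment (run once as root; VMIDs assumed):
#   pfSense VM 100: WAN on vmbr0, LAN as untagged trunk on vmbr1,
#   so VLANs 10/20/30 are created inside pfSense on net1.
#     qm set 100 --net0 virtio,bridge=vmbr0
#     qm set 100 --net1 virtio,bridge=vmbr1
#   UCS server VM 101 sees only the server VLAN (assumed 20):
#     qm set 101 --net0 virtio,bridge=vmbr1,tag=20
#   Desktops sit in VLAN 30 on the switches; any desktop-to-server
#   or guest-to-printer traffic must then pass a pfSense rule.
```

With this layout the Proxmox web UI on 10.0.10.2:8006 is only reachable from the management VLAN, and the family devices on 192.168.0.0/24 reach the file, mail and DC services solely through pfSense rules on the WAN leg.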
 
