Lab - Hardware Requirements

EXODIA

I figured it's always best to start with what my current goals or ideas are, which should lead the discussion for specific items.
I think my use case is pretty basic (hoping) and I look forward to any feedback.
It's pretty easy to overshoot the types of equipment or tech needed, and while I don't have a hard budget let's stick to < $2000 USD. (Also probably too much.)

Now I won't get into the weeds with network segmentation but I'm thinking the following.

WAN > LAN
VLAN 10: Management Network/OPNsense? (I'm guessing since it's sitting directly behind the modem it can't be in a VLAN?)
VLAN 20: Mobile Phones
VLAN 30: TVs
VLAN 40: Computers (Laptops, desktops and Windows 11 Gaming VM?)
VLAN 50: Printers
VLAN 60: IoT (Thermostat, Doorlock, Hub Gateway)
VLAN 70: Testing (For Linux distros, Mac VM)

1. OPNsense firewall VM to sit directly behind the AT&T modem in passthrough mode. (500/500 Mbps connection)
-ZenArmor Subscription, & Unbound DNS
-Supporting a small home network of approximately 15-20 connected devices (Laptops, Phones, Smart devices, Printers, TVs etc.)

2. Windows 11 VM that will serve primarily as a gaming workstation for games on Steam (1440p, 60 fps I think is totally fine)
-GPU Passthrough*

3. Set up a few Linux distros, a Mac Ventura VM (if possible; I have a MacBook and have seen an interesting tutorial on this)

In terms of platform, obviously Epyc/Xeon processors seem overkill for my scenario.
That leaves, traditionally, an enthusiast CPU such as the 7950X3D or i9-13900KS, also probably overkill? Might be better served with something more modest.
Threadripper also seems like a possibility, albeit maybe from a generation or two ago.
This looks like only a handful of VMs at most, and the gaming VM will probably require most of the resources.
 
WAN > LAN
VLAN 10: Management Network/OPNsense? (I'm guessing since it's sitting directly behind the modem it can't be in a VLAN?)
VLAN 20: Mobile Phones
VLAN 30: TVs
VLAN 40: Computers (Laptops, desktops and Windows 11 Gaming VM?)
VLAN 50: Printers
VLAN 60: IoT (Thermostat, Doorlock, Hub Gateway)
VLAN 70: Testing (For Linux distros, Mac VM)
No DMZ VLAN for your VMs/LXCs?

(I'm guessing since it's sitting directly behind the modem it can't be in a VLAN?)
You could if you connect your modem to a managed switch and give it an untagged VLAN, or in case your modem is using a VLAN anyway. But a dedicated WAN NIC (maybe even passed through into the OPNsense VM) would be preferable for better isolation.
 
No DMZ VLAN for your VMs/LXCs?


You could if you connect your modem to a managed switch and give it an untagged VLAN, or in case your modem is using a VLAN anyway. But a dedicated WAN NIC (maybe even passed through into the OPNsense VM) would be preferable for better isolation.
Going to be completely honest: purely from a knowledge gap, I'm ignorant of why I should do that. I'm presuming to never allow those VMs to be within the LAN, regardless of VM, and have them sit between LAN and WAN?


Forgot to mention I will be using a TP-Link TL-SG105MPE and a TP-Link 670 AP.
 
I'm presuming to never allow those VMs to be within the LAN, regardless of VM, and have them sit between LAN and WAN?
Yes, once you port-forward your services (Plex, Nextcloud, game server, webservers, Home Assistant, ...) they are attackable from the internet by hackers, script kiddies or just some automated botnets. If you aren't an IT professional you will probably not run your services well secured. So in case one of those VMs/LXCs gets hacked, you really want them isolated from your LAN, so the attacker can't that easily attack all those other devices in your LAN.

In a small environment, segmentation is more about grouping things of similar trust. So a VLAN for visitors, a DMZ for stuff that is attackable from the internet, an IoT VLAN for stuff you don't want to be able to go online, a management VLAN for super sensitive admin stuff, a VLAN for insecure devices that won't receive security patches any longer, ...
I don't really see the point of grouping them by device type like smartphone, TV, PC and so on. You won't get much of a security benefit if you run a totally insecure Android 4 smartphone together with a modern Android 13 smartphone. Or a WinXP PC together with a Win11 PC. I would rather put that Android 4 and WinXP PC in one VLAN and that Win11 PC and Android 13 smartphone in another one.
 
Understood.. so instead of separating by individual devices, maybe have smaller VLANs that are specific to "trusted" vs "untrusted", as I've seen some folks do?


Here's a build I've been tinkering with

PCPartPicker Part List

CPU: Intel Core i5-13600K 3.5 GHz 14-Core Processor ($317.99 @ Amazon)
CPU Cooler: ARCTIC Liquid Freezer II 280 72.8 CFM Liquid CPU Cooler ($109.99 @ Amazon)
Motherboard: MSI MAG Z790 TOMAHAWK WIFI ATX LGA1700 Motherboard ($299.26 @ Amazon)
Memory: Corsair Vengeance 64 GB (2 x 32 GB) DDR5-5200 CL40 Memory ($159.99 @ Amazon)
Storage: Kingston NV2 4 TB M.2-2280 PCIe 4.0 X4 NVME Solid State Drive ($179.99 @ Amazon)
Video Card: MSI VENTUS 2X 8GD6X OC GeForce RTX 3060 Ti 8 GB Video Card ($364.99 @ Amazon)
Case: NZXT H5 Flow ATX Mid Tower Case ($84.99 @ Amazon)
Power Supply: EVGA SuperNOVA 750 GA 750 W 80+ Gold Certified Fully Modular ATX Power Supply ($139.99 @ Amazon)
Wired Network Adapter: Intel EXPI9301CTBLK Gigabit Ethernet PCIe x1 Network Adapter ($59.99 @ Amazon)
Case Fan: Noctua P14s redux-1500 PWM 78.69 CFM 140 mm Fan ($16.95 @ Amazon)
Case Fan: Noctua P14s redux-1500 PWM 78.69 CFM 140 mm Fan ($16.95 @ Amazon)
Total: $1751.08
Prices include shipping, taxes, and discounts when available
Generated by PCPartPicker 2023-08-14 11:15 EDT-0400
 
Here's what I did and I am completely happy with it. These are not in the order that I purchased them but in the order they exist in the network, starting with the cable modem. I have junky Xfinity internet, it's all I can get where I live. I believe all-in I am at about $1100 invested right now if you exclude the upgrade I did to 2.5GbE networking. When I started out I had the same switch as you, just the non-PoE version.

1. I have a pfSense firewall running in a J4125 fanless mini PC (Moginsok from Amazon, cost me $279; 4 GB of RAM, 64 GB SSD and pfSense came already loaded)
2. TP-Link managed switch (TL-SG105E.. cost like $22 on Amazon)

Off of the switch, I have:
3. My Proxmox server (HP Z640 workstation, E5-2690 v3/64 GB of RAM/2 2gb SATA SSD drives, and 2 1gb NVMe drives. All in it cost me about $500)
4. A Synology DS220+ (cost me $200)
5. A home-brewed NAS built on a Raspberry Pi, running rsync and NFS... it backs up my server and my Synology and it duplicates everything to the cloud for me. (Cost me $200 with two SSD drives)
6. A TP-Link wireless access point (TL-WA3001, cost me $79)
7. My Ring alarm
8. A Pi-Star ham radio hotspot

I have VLANs for: televisions; IoT devices (Ring alarm, Ring cameras, Home Assistant VM, etc.); a trusted devices VLAN for my and my wife's PCs as well as all of my non-internet-facing VMs (things like PhotoPrism); a guest VLAN for my daughter and her friends (so she can't access anything else on my network); an untrusted VLAN for anything that is internet facing, such as WordPress and Nextcloud (I self-host these and expose them to the internet, but they are behind Cloudflare tunnels. The devices in this VLAN can't see or talk to anything else); and a VLAN dedicated to my Proxmox and other hardware management interfaces (things like the Proxmox web interface, my switch and WAP management interfaces). I have firewall rules isolating all of these VLANs. Only the trusted VLAN can cross VLAN boundaries and access devices in the other VLANs, but not the other way around. The television, IoT, guest and untrusted VLANs are super locked down. They can get to the WAN and that's about it.

The pfSense firewall, managed switch, Synology, Raspberry Pi NAS, WAP and Wireless Access Point stay on 24x7. All in they draw about 45 watts. My server draws about 70 watts (average, more under heavy workloads), so I don't normally run it at night. But still, all of the above for an average of 115 watts doesn't seem too bad to me.
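The trust-based layout described in the two posts above (a DMZ for internet-facing VMs, only the trusted VLAN allowed to initiate across boundaries, everything else WAN-only) is easy to state and easy to break with one mis-ordered rule, since pfSense/OPNsense evaluate interface rules first-match. The following is an added example, not code from the thread or from either firewall project: a small Python model of that policy with a check that flags any non-trusted zone able to initiate into another internal zone, using zone names taken from the posts and a constructed "leaky" rule set to show the check firing.

```python
from dataclasses import dataclass

# Zones as grouped in the posts above (by trust, not by device type).
# "dmz" holds the internet-facing VMs; "wan" stands for the internet itself.
ZONES = ["trusted", "management", "iot", "tv", "guest", "dmz"]

@dataclass(frozen=True)
class Rule:
    src: str     # zone where the connection is initiated ("*" = any)
    dst: str     # zone or "wan" it is initiated towards ("*" = any)
    action: str  # "pass" or "block"

# Intended policy: only trusted may initiate across VLAN boundaries; every
# other zone may reach the WAN and nothing else. Replies flow back through
# the stateful firewall, so "not the other way around" is enforced by the
# connection state table rather than by a separate reverse rule.
RULES = [
    Rule("trusted", "*", "pass"),
    Rule("*", "wan", "pass"),
    Rule("*", "*", "block"),   # the implicit default deny, made explicit
]

# Constructed mistake: a broad pass for the IoT VLAN (e.g. to let a hub reach
# "everything") placed ABOVE the block. With first-match evaluation it wins.
LEAKY_RULES = [Rule("iot", "*", "pass")] + RULES

def evaluate(rules, src, dst):
    """Return the action of the first rule matching (src, dst); default block."""
    for r in rules:
        if r.src in ("*", src) and r.dst in ("*", dst):
            return r.action
    return "block"

def violations(rules, zones=ZONES):
    """Zone pairs that break the isolation policy: a non-trusted zone that
    can initiate a connection into any other internal zone."""
    return sorted(
        (s, d)
        for s in zones
        for d in zones
        if s != d and s != "trusted" and evaluate(rules, s, d) == "pass"
    )

if __name__ == "__main__":
    print("intended policy violations:", violations(RULES))
    print("leaky policy violations:", violations(LEAKY_RULES))
```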
 
VLAN 10: Management Network/OPNsense? (I'm guessing since it's sitting directly behind the modem it can't be in a VLAN?)
VLAN 20: Mobile Phones
VLAN 30: TVs
VLAN 40: Computers (Laptops, desktops and Windows 11 Gaming VM?)
VLAN 50: Printers
VLAN 60: IoT (Thermostat, Doorlock, Hub Gateway)
VLAN 70: Testing (For Linux distros, Mac VM)

You may want to rethink the printer in its own VLAN. I tried that and my desktop PCs couldn't reach it regardless of any firewall rules I opened up. Some printers seem to need to be on the same subnet.
 
BTW, the WAP I used is VLAN-aware and I have different SSIDs tagged to different VLANs. This unit allows up to 8 different SSIDs.
 
That Kingston NV2 might use QLC or TLC NAND. I would at least buy an SSD that is definitely using TLC NAND.
 
Did a little adjusting/simplifying here..
PCPartPicker Part List: https://pcpartpicker.com/list/J6fzMV

CPU: Intel Core i5-13600K 3.5 GHz 14-Core Processor ($317.24 @ Amazon)
CPU Cooler: ARCTIC Liquid Freezer II 360 56.3 CFM Liquid CPU Cooler ($114.99 @ Amazon)
Motherboard: MSI MAG Z790 TOMAHAWK WIFI ATX LGA1700 Motherboard ($286.05 @ Amazon)
Memory: TEAMGROUP T-Create Expert 64 GB (2 x 32 GB) DDR5-6000 CL34 Memory ($169.99 @ Amazon)
Storage: Samsung 980 Pro 2 TB M.2-2280 PCIe 4.0 X4 NVME Solid State Drive ($118.94 @ Amazon)
Video Card: NVIDIA Founders Edition GeForce RTX 4070 12 GB Video Card ($579.00 @ Amazon)
Case: Fractal Design Meshify 2 Lite ATX Mid Tower Case ($100.53 @ Amazon)
Power Supply: SeaSonic FOCUS Plus 750 Gold 750 W 80+ Gold Certified Fully Modular ATX Power Supply ($143.99 @ Amazon)
Wired Network Adapter: Intel EXPI9301CTBLK Gigabit Ethernet PCIe x1 Network Adapter ($59.99 @ Amazon)
Case Fan: Noctua P12 redux-1700 PWM 70.75 CFM 120 mm Fan ($15.95 @ Amazon)
Case Fan: Noctua P12 redux-1700 PWM 70.75 CFM 120 mm Fan ($15.95 @ Amazon)
Case Fan: Noctua P12 redux-1700 PWM 70.75 CFM 120 mm Fan ($15.95 @ Amazon)
Total: $1938.57
Prices include shipping, taxes, and discounts when available
Generated by PCPartPicker 2023-08-25 20:20 EDT-0400

She’s good to go?
 
That Kingston NV2 might use QLC or TLC NAND. I would at least buy an SSD that is definitely using TLC NAND.
Thank you for the feedback, I've put back the Samsung.. was silly of me to cheap out on that in the first place
 
