[SOLVED] What network organization should I choose for a Proxmox home lab?

proxtib
Dec 16, 2020
Hello,

I have a "DIY home lab Proxmox server" with two 2.5GbE network cards.
This Proxmox host sits behind an OPNsense ODROID H2+ (with its network cards, so 6 in total), and I have a Helios64 with OpenMediaVault (2 network cards, but one 1GbE and one 2.5GbE).
I have tested some network configurations, but I don't know which configuration to choose.

In the future I would mainly have a VM to host my cloud (with YunoHost), a K8s lab cluster, and Proxmox would use part of the NAS for storage of backups and VM data.

The easiest way is to put everything (my PC, Proxmox and OMV) on the same LAN... but for safety there are better options, and it's not very professional :).

What choice would you make for the organization of the network?


Thank you for your help!

PS: the Proxmox server and OPNsense can use VLANs (I have tested). I think that Helios/OMV can too (but I have not tested).
What choice would you make for the organization of the network?
Well, that's an extensive topic and can probably not be answered in a few sentences. I will try anyway, throwing in some aspects:

If you have "some dozen" machines at home:
  • segmentation is a requirement to enhance security
  • segmentation will increase complexity massively
In any case you need a router. You may virtualize OpnSense. If you go this road: keep in mind that the router is essential and is not available when the Proxmox host is down.

The structure is up to you, of course. My usual zones include:
  • DMZ - earlier or later you will want to make some services (YunoHost) available to the outside. This zone is _inside_ your home but on the "outside" of the inner router
  • SAN - storage for virtual machines or cloud services shall be placed there. Depending on network load this one may get its own hardware = separate cables, separate switch ports. Not trunked as a VLAN in a single cable
  • LAN - the "inner" network for normal computers with Windows, Linux etc.
  • WLAN1 trusted - tablet, mobile, light bulbs
  • WLAN2 untrusted - guests
  • MED - plex, tv, streaming
  • TOR - separate zone = forces all traffic to go through tor
That's only some catchwords. Whether "light bulbs" are trustworthy can be doubted, for example (they might phone home to China more often than you think). Example 2: I have separated my LG TV in a restricted zone with "outbound blocked + specifically whitelisted some sites" because it talks to everyone on the internet constantly - and I do not like that.

Needless to say, each and every isolated zone should have its own IP address range. Let's say 10.1.x.x/16, 10.2.x.x/16 and so on. This is necessary to make traffic go through the router in the first place.

Technically there are two ways to handle separate networks:
  • the cheap and simple "classic" way using separate(!) plain switches per zone
  • the recommended way using VLANs. Your physical switches need to support 802.1Q for this approach. There is no fun without this! Keep in mind that all trunked VLANs share the physical layer, so bandwidth is shared also. It is not a good idea to put high-traffic zones and low-latency-required zones into one single cable.
    Specifically for Proxmox: the corosync and storage networks need to be separated or you will get sporadic reboots "without reason". Been there, done that...

Most important: have a plan! Document it! Have fun! :-)
Hello,

Thank you for your answer :)
You gave me ideas that I had not thought of!


In any case you need a router. You may virtualize OpnSense. If you go this road: keep in mind that the router is essential and is not available when the Proxmox host is down.
I use the ODROID as a router with OPNsense, so no need for me to virtualize it... unless I create a 2nd router on the Proxmox host. But I don't see what the point would be -_-

I have a few small questions after that:

1) What do you do with the Proxmox web interface and the web apps or other stuff hosted on VMs? Do you separate these onto 2 networks?


2) About the SAN: we have the same idea: create a specific network for storage. But how do you do that?
I assume that I use one of the Proxmox network cards (a 10.1.x.x/16 network, for example) to connect the NAS (its IP will also be in that network) to my router? Is that it?


3)
WLAN1 trusted - tablet, mobile, light bulbs
o_O Is it possible to use VLANs with WiFi??? If yes, I have never seen that; do you have some documentation about that?

4)
That's only some catchwords. If "light bulbs" are trustworthy can be doubted, for example (they might phone home back to China as more often than you think). Example 2: I have separated my LG TV in a restricted zone with "outbound blocked + specifically whitelisted some sites" because it talks to everyone on the internet constantly - and I do not like that.

yes, these things are a bit too noisy ;)
1) What do you do with the proxmox web interface and the webapps or some stuff hosting on VMs ? Do you separe this on 2 network ?
Well, that would be best practice: to have a separate ADM VLAN only for administration. But for me: no, actually I access them directly in my LAN. This way access to them does not depend on my router VM ;-)
2) About the SAN: We have the same idee: create a specific network for storage. But how do that ?
Just install a separate network card and use it accordingly. In my picture this one does not depend on VLANs, so configuration is easy. The actual how-to-configure-the-network is in the documentation, of course: https://pve.proxmox.com/pve-docs/pve-admin-guide.html#sysadmin_network_configuration
3) It's possible to use vlan with Wifi ??? If yes I have never see that, you have some documentation about that ?
You need to differentiate between "I am working with (potentially a lot of) VLANs" vs. "a client is VLAN aware".
When I configure "access ports" on a switch for a specific client, I strip the VLAN information. Traffic from/to an access port is "untagged". The client (an access point with NAT, for example, but also a "normal" computer) does not know anything about the fact that VLANs are involved.
On the other hand, one can grant access including VLAN tagging; then that switch port emits "tagged" traffic. In that case the client decides which VLAN it actually wants to access. In my world it might be useful for a virtualized router, as it gets access to ALL VLANs in one go. For clients this is bad, as it strips the security aspects also.

Best regards
When I configure "access ports" on a switch for a specific client, I strip the VLAN information. Traffic from/to an access port is "untagged". The client (an access point with NAT, for example, but also a "normal" computer) does not know anything about the fact that VLANs are involved.
I'm not sure I understand, but quickly:
you create a Linux bridge and you say/configure: every host connected to this bridge is automatically on VLAN 10.
So client hosts do not know about VLANs; for them they are just connected to the bridge, right?

Edit: I don't quite understand how VLANs work, but are you telling me about the difference between "access" VLANs and "802.1Q" VLANs, is that it?

But as far as WiFi is concerned, I don't understand.
Unless I'm mistaken, a WiFi network = an SSID = a WiFi network card.
It is not possible to have something like:

  • SSID: my_wifi
    • vlan1: 10.0.1.0/24
    • vlan2: 10.0.2.0/24
We necessarily have:
  • SSID: my_wifi1 = vlan1: 10.0.1.0/24
  • SSID: my_wifi2 = vlan2: 10.0.2.0/24
:confused:
 
I'm not sure I understand, but quickly:
you create a Linux bridge and you say/configure: every host connected to this bridge is automatically on VLAN 10.
So client hosts do not know about VLANs; for them they are just connected to the bridge, right?
If the bridge is VLAN-aware (check the box!), then you can either assign a tag to every NIC on said bridge that you put into a VM, and this tagged VLAN will be forwarded through that NIC as untagged traffic.
Or you assign the bridge as a whole and work with the tagged VLANs inside the VM.

Edit: I don't quite understand how VLANs work, but are you telling me about the difference between "access" VLANs and "802.1Q" VLANs, is that it?
These terms are used a bit inaccurately. You can have access ports on a switch; that means that all traffic going through the port is forwarded untagged. There can only be one untagged VLAN on every port. Tagged VLANs can coexist on the same cable, but there has to be an "end point" that understands this. This can be a switch, a bridge or even a computer that knows how to handle tagged VLANs. And remember, even with tagged VLANs on the cable you (usually) still have one untagged (or native) VLAN on that cable.
This article gives a rough overview: https://www.thomas-krenn.com/en/wiki/VLAN_Basics
If you understand German (or know a good translation tool), this is a brilliant guide that explains a lot: https://administrator.de/tutorial/v...-mikrotik-dd-wrt-cisco-rv-routern-110259.html

If your switch doesn't speak 802.1Q, it can usually still separate traffic through untagged VLANs only, but then you obviously cannot forward multiple VLANs over one cable; you just create segments inside the switch. As soon as the switch is "smart" or "managed", it usually speaks 802.1Q.

But as far as WiFi is concerned, I don't understand.
Unless I'm mistaken, a WiFi network = an SSID = a WiFi network card.
It is not possible to have something like:

  • SSID: my_wifi
    • vlan1: 10.0.1.0/24
    • vlan2: 10.0.2.0/24
We necessarily have:
  • SSID: my_wifi1 = vlan1: 10.0.1.0/24
  • SSID: my_wifi2 = vlan2: 10.0.2.0/24
:confused:
That's true; with WiFi you have to span different SSIDs for different VLANs. Fortunately, a growing number of access points and controller software provide this feature.
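An added example (not code from the thread or from Proxmox) that models the access-port versus tagged-port behaviour explained in the two replies above, the way a VLAN-aware Linux bridge or 802.1Q switch applies it: untagged frames are placed into the port's PVID, a tagged frame is only accepted if that tag is allowed on the port, and egress is untagged or tagged per port. Port names and VLAN numbers are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Port:
    """One bridge/switch port. A VM NIC with tag=10 on a VLAN-aware bridge
    behaves like an access port with pvid 10 and untagged == {10}."""
    name: str
    pvid: int                 # VLAN that untagged ingress frames are put into
    untagged: set = field(default_factory=set)  # VLANs sent out without a tag
    tagged: set = field(default_factory=set)    # VLANs sent out with a tag

    def allowed(self) -> set:
        return self.untagged | self.tagged


def access_port(name: str, vlan: int) -> Port:
    """Client-facing port: exactly one untagged VLAN; the client never sees a tag."""
    return Port(name, pvid=vlan, untagged={vlan})


def trunk_port(name: str, tagged, native=None) -> Port:
    """Uplink to a switch, router VM or other tag-aware endpoint; at most one
    native (untagged) VLAN, as the reply above notes."""
    untagged = {native} if native is not None else set()
    return Port(name, pvid=native if native is not None else 0,
                untagged=untagged, tagged=set(tagged) - untagged)


def classify_ingress(port: Port, tag):
    """VLAN an incoming frame is assigned to, or None if the port drops it."""
    if tag is None:                                  # untagged frame: use the PVID
        return port.pvid if port.pvid in port.allowed() else None
    return tag if tag in port.tagged else None       # tagged frame must be allowed


def forward(ingress: Port, egress: Port, tag):
    """How a frame entering 'ingress' with 'tag' (None = untagged) leaves
    'egress': ('tagged' | 'untagged', vid), or None when it is filtered."""
    vid = classify_ingress(ingress, tag)
    if vid is None or vid not in egress.allowed():
        return None
    return ("untagged" if vid in egress.untagged else "tagged", vid)


# Constructed topology: an access point on VLAN 30 (WLAN1) and the trunk to the router.
AP_PORT = access_port("tap-ap", 30)
UPLINK = trunk_port("eno1", tagged={10, 20, 30, 40})
```

A client on the access port that sends its own 802.1Q tag to reach another zone is dropped, which is the security property lost when a client is handed a tagged port instead.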
Hello,

Thank you for answering my questions. :)

I managed to configure my VLANs on my Proxmox host and my OPNsense.

:)