On my network, I have quite a few VLANS.

One for work, one for IoT devices, one for security cameras and home automation, one for Guests, etc.

I typically keep everything inward facing, with the only way to access them via my OpenVPN connection (which only can see specific services on specific VLANs).

Recently, I thought of hosting a little Lemmy instance, since I have a couple domains I’m not doing much with.

I know I can just expose that one system/NGINX proxy and the necessary ports via WAN, but is it best practice to put external facing things on their own VLANs?

I was thinking of just throwing it on my IoT VLAN, but if it were to be compromised, it would have access to other devices on that VLAN because (to my knowledge) you cannot prevent communication between clients within the same VLAN.

  • ShouldIHaveFun@lemmy.pec0ra.ch
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    1 year ago

    you cannot prevent communication between clients within the same VLAN.

    Can’t you use a firewall for this?

    Anyway, my guess is it’s probably better to use a separate vlan or a DMZ for that. But given my poor security experience, others can probably better help you on this one

  • wirelesslywired@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    I would highly suggest using a separate VLAN at the minimum directly off your firewall, and at the ingress of your firewall put rules in blocking any traffic from the server to the rest of your home. You can always allow ssh from your work env to the server, but block unsolicited traffic from the server to your home. I’d also suggest potentially leveraging a secondary public IP if you have service that will give you a block of IP addresses for a fee. It would be worth it to just keep your home separate from any denial of service type attacks directed at your lemmy instance.

  • RxBrad@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    1 year ago

    Is just exposing it via a Cloudflare Zero Trust tunnel enough for security?

    (Serious question that I don’t know the answer to, as this is what I’m currently considering for a project.)

    • daFRAKKINpope@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      From what I’ve read about Cloudflares Zero Trust Tunnel thing it’s actually more secure than hosting it with a public IP address.

      To be clear I haven’t done it. So idk for sure. But it sounds like they use some kinda 2fa system to get to your services, you don’t expose a public IP, and it’s all behind Cloudflares service. Which is great for security. If you trust Cloudflare. I trust Cloudflare, but some folks might not.

      I might check this out as a weekend project tho. See how it differes from my setup with vlans, VM’s, firewalls and fail2ban.

      • RxBrad@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        1 year ago

        Welp, I did it. One nice thing is that Cloudflare has an official WordPress plugin that applies recommended security settings.

        I will note that WordPress does not take kindly to being setup on http localhost, then put into a Cloudflare Tunnel. It goes into a redirect hell that I wasn’t able to figure out. You basically need to setup the tunnel, then run the WordPress install script from scratch.

        Exporting from http localhost to your URL on Cloudflare is also not fun. The import process fails at pulling in your photos. Luckily, my blog was mostly empty, so manually re-adding the media to the posts didn’t kill me.

  • g5pw@feddit.it
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Yeah, the usual approach is to create a DMZ network/VLAN where you forward external traffic to, but you can’t reach anything except the internet from.

  • code@lemmy.mayes.io
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Seperate vlan for any external service. Fail2ban/firewalled ssh keys. All the normal stuff

    Im thinking of fronting it with cloudflare and run it through tunnel eventually