Feedback on Network Design and Proxmox VM Isolation - eviltoast

Network design. I started my homelab / selfhost journey about a year ago. Network design was the topic that scared me most. To challenge myself, and to learn about it, I bought myself a decent firewall box with 4 x 2.5G NICs. I installed OPNsense on it, following various guides. I setup my 3 LAN ports as a network bridge to connect my PC, NAS and server. I set the filtering to be applied between these different NICs, as to learn more about the behavior of the different services. If I want to access anything on my server from my PC, there needs to be a rule allowing it. All other trafic is blocked. This setup works great so far an I’m really happy with it.

Here is where I ran into problems. I installed Proxmox on my server and am in the process of migrating all my services from my NAS over there. I thought that all trafic from a VM in Proxmox would go this route: first VM --> OPNsense --> other VM. Then, I could apply the appropriate firewall rules. This however, doesnt seem to be the case. From what I’ve learned, VMs in Proxmox can communicate freely with each other by default. I don’t want this.

From my research, I found different ideas and opposing solutions. This is where I could use some guidance.

  1. Use VLANs to segregate the VMs from each other. Each VLAN gets a different subnet.
  2. Use the Proxmox firewall to prevent communication between VMs. I’d rather avoid this, so I don’t have to apply firewall rules twice. I could also install another OPNsense VM and use that, but same thing.
  3. Give up on filtering traffic between my PC, NAS and server. I trust all those devices, so it wouldn’t be the end of the world. I just wanted the most secure setup I could do with my current knowledge.

Is there any way to just force the VM traffic through my OPNsense firewall? I thought this would be easy, but couldn’t find anything or just very confusing ideas.

I also have a second question. I followed TechnoTim to setup Treafik and use my local DNS and wildcard certificates. Now, I can reach my services using service.local.example.com, which I think is neat. However, in order to do this, it was suggested to use one docker network called proxy. Each service would be assigned this network and Traefik uses lables to setup the routes. ’ Would’t this allow all those services to communciate freely? Normally, each container has it’s own network and docker uses iptables to isolate them from each other. Is this still the way to go? I’m a bit overwhelmed by all those options.

Is my setup overkill? I’d love to hear what you guys think! Thank you so much!

  • DeltaTangoLima@reddrefuge.com
    link
    fedilink
    English
    arrow-up
    1
    ·
    10 months ago

    What would you do, for a basic homelab setup (Nextcloud, Jellyfin, Vaultwarden and such)?

    I guess my first question is are you intending to open up any of these to be externally available? Once you understand the surface area of a potential attack, you can be a lot more specific about how you protect yourself.

    I have just about everything blocked off for external access, and use an always-on Wireguard VPN to access them when I’m not home. That makes my surface area a lot smaller, and easier to protect.

    • Pete90@feddit.deOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      10 months ago

      Only Nextcloud if externally available so far, maybe I’ll add Vaultwarden in the future.

      I would like to use a VPN, but my family is not tech literate enough for this to work reliably.

      I want to protect these public facing services by using an isolated Traefik instance in conjunction with Cloudflare and Crowdsec.

      • DeltaTangoLima@reddrefuge.com
        link
        fedilink
        English
        arrow-up
        2
        ·
        10 months ago

        Right, then you’ll probably want to do something similar to what I’m planning next, which is creating a small “DMZ” VLAN, for the public facing things, and being very specific about the ACLs in/out, default deny anything else.

        The few things I allow public access to are via Nginx Proxy Manager, using Authelia for SSO/2FA where applicable. I’m intending to move that container into a dedicated VLAN that only allows port 443 in from anywhere (including other VLANs), and only allows specific IP/port combinations out for the services it proxies.

        I don’t even intend to allow SSH in/out for that container. I can console in from the Proxmox management console if required.

        • Pete90@feddit.deOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          10 months ago

          Sounds like I’ll do just that, thanks. Should I move all public facing services to that DMZ or is it enough to just isolate Traefik?

          • DeltaTangoLima@reddrefuge.com
            link
            fedilink
            English
            arrow-up
            1
            ·
            10 months ago

            Just the stuff that’s being accessed directly, so if anything’s only going to be accessed via your Traefik server from outside, leave them where they are. That way, any compromise of your Traefik server doesn’t let them move laterally within the same VLAN (your DMZ) to the real host.