On my network, I have quite a few VLANS.

One for work, one for IoT devices, one for security cameras and home automation, one for Guests, etc.

I typically keep everything inward facing, with the only way to access them via my OpenVPN connection (which only can see specific services on specific VLANs).

Recently, I thought of hosting a little Lemmy instance, since I have a couple domains I’m not doing much with.

I know I can just expose that one system/NGINX proxy and the necessary ports via WAN, but is it best practice to put external facing things on their own VLANs?

I was thinking of just throwing it on my IoT VLAN, but if it were to be compromised, it would have access to other devices on that VLAN because (to my knowledge) you cannot prevent communication between clients within the same VLAN.

  • g5pw@feddit.it
    link
    fedilink
    English
    arrow-up
    0
    ·
    1 year ago

    Yeah, the usual approach is to create a DMZ network/VLAN where you forward external traffic to, but you can’t reach anything except the internet from.

    • root@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      0
      ·
      1 year ago

      Thank you for the reply. I’ll make sure to isolate like this if I decide to host. So when people expose Jellyfin or Home assistant via NGINX, they’re usually putting those services ok their own VLAN?

      • Catsrules@lemmy.ml
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        1 year ago

        Usually doesn’t equal best practice.

        I would argue usually for selfhosters they don’t have secondary VLAN or DMZ. They just expose the service they want via a port forward and call it good. I may or may not be guilty of this :)

        But best practice would be to create a DMZ put any servers you want expose on the DMZ network. But the downside is this adds complexity to your network. But upside is it add security to your network. If your server gets compromised it isn’t an automatic door into your internal network.

        Edit I would also add, depending on what your ultimate goals are your time might be better used looking into a VPN solution as that is far more secure. It just depends on your remote clients.