Hey there selfhosted community.
I had big plans when I moved last year to finally setup my homelab with proper VLAN seperation. Well a stressfull move later I simply had no energy left and just threw my whole homelab and all my services in my main LAN with no seperation whatsoever.
In how much of a world of pain am I in now when I want to switch my homelab services over in a seperate VLAN? Any recomendations or pointers to documentation for me to go through before I decide if this is something I want to do right now?
Currently this would impact a proxmox host with 3 VM’s and 1 LXC and around 20 docker images.
How much hurt you’re in is largely going to be a factor of how dependent you are on IP addresses between all your services. Moving services into a VLAN is also going to require new IPs. If you’re using DNS names between everything that will help, especially if you’re mostly using DHCP. If you’ve got lots of hand configured IPs between you’re services you’re going to have to chase all those down.
My recommendation is to start small. Create the new VLAN and put a new host in it, make sure you’re confident about how you want to set it up in ProxMox and your router, get some experience.
Then think about which services you’re actually going to be benefit from the VLAN switch to move. You’ll probably do best at this point to just leave your ProxMox management interface where it is and just move services over that need it.
All said, I run a small stack at home and haven’t really found any personal need for VLAN segregation for my services, so definitely start with a reason and a plan. Learning can be a reason.
I feel like many setup vlans “because it exists”, not for actual need. The security reason generally doesn’t exist for home labs because most need to setup bridging or you can’t access the devices on the secure vlan at all.
Honestly it could very much be that I fell into the security trap. It’s just that everytime I read something about “homelab best practices” VLAN’s are close to the top of the list.
Maybe I ditch my plans and just establish a VLAN for IoT and guests.
I usually end up doing it very simple with huge /24 ipv4 networks, f.e.
10.100.10.0/24 = VLAN 10 = User devices and purely internal servers
10.100.20.0/24 = VLAN 20 = IoT
10.100.30.0/24 = VLAN 30 = Servers that are reachable from outside
10.100.40.0/24 = VLAN 40 = Guests
The main thing for me is to ensure that traffic that wants to pass between VLANs go through my firewall/router and allow Suricata to do its IPS work.
Pretty much this. I have several VLANS set up to segrigate traffic. For instance, one VLAN services the ‘smart’ TVs and gives access for my lady friend when she comes to visit. She apparently likes ads and crap hogging her screen’s real estate. I have tried to get her to listen to reason, but as soon as there is an issue, it becomes an exercise in figuring out what is blocking her unfettered access. So I want that totally separate from traffic destined in and out of my server. Then I have a VLAN for some 25 security cameras, and a VLAN for server and lab operations. I make no Guest accommodations for Wi-Fi tho. You are either trusted, or not.
It might be overly complicated, but I like to 'keep ‘em separated’, and it seems to work just jammy, so there’s that.
Maybe I was too literal in how I answered the question because I do use VLANs in my home network, but just to segregate my guest wifi which I also use for IoT things that I don’t need on my main network.
I don’t think of this as “home lab” because all my services run on my primary network VLAN and my secondary VLAN only exists at my router, switch and wifi APs.
I haven’t found a need for a “no access” VLAN as if I wanted to keep something from going outbound I would just create a firewall rule. I’ve also found my PiHole to be very effective at blocking telemetry traffic from things.
That’s a good starting point. Keep IoT away from your primary vlan (for all things holy don’t use VLAN ID 1). You can limit your outbound traffic for that vlan more easily if you want to cut your smart things off from the Internet.
Guest WiFi/vlan can be just a straight shot to the internet, probably no need for visitors to get to your internal services.
Eventually, you could add a DMZ where any Internet available systems like your VPN - with specific firewall rules only permitting VPN to specific locations inside your primary vlan.
The biggest reason is to prevent iot or other untrustworthy devices from reaching the Internet.
You can do that at the router. You don’t need vlans to block Mac addresses.
Or in some cases ONLY allowing them to reach the Internet. So they can’t access your other devices…