this post was submitted on 10 Apr 2026
55 points (98.2% liked)

Selfhosted

58691 readers
853 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

  7. No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

Hey there selfhosted community.

I had big plans when I moved last year to finally set up my homelab with proper VLAN separation. Well, a stressful move later I simply had no energy left and just threw my whole homelab and all my services in my main LAN with no separation whatsoever.

In how much of a world of pain am I in now when I want to switch my homelab services over into a separate VLAN? Any recommendations or pointers to documentation for me to go through before I decide if this is something I want to do right now?

Currently this would impact a proxmox host with 3 VMs and 1 LXC and around 20 docker images.

[–] WhyJiffie@sh.itjust.works 1 points 1 week ago (1 children)

if you allowed that to happen you either did not set firewall rules strict enough, or if the client doing the compromise absolutely had to have access to the vulnerable service then you did everything you could to limit the chance of it happening.

usually the solution to that is to limit who can access what more strictly. don't allow user devices like smartphones on the iot vlan, as any app running on the phone could be doing nefarious things. only allow the iot devices and the home assistant service on the iot vlan, and user devices will only talk to home assistant, something supposedly more secure than whatever iot devices there are.
similarly, don't allow user devices to access the ip cameras. put the ip cameras on a network where only the NVR software can access them, and user devices will only access the NVR. if you can, don't put the whole operating system of these services on the iot and ipcam vlans either. this is possible when the services run in containers, because you can pass in only vlan-specific interfaces to the containers. if not using containers, you can still use the operating system's firewall to filter incoming traffic.

if you set up proper network filtering, the "if" in "If your firewall couldn't stop it" will become a pretty big "if"
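
As an added example (not code from either commenter), a small Python model of the segmentation described in the comment above: zones, an allowlist of which source may open connections to which destination, and the nftables forward chain that allowlist implies. All VLAN subnets, the Home Assistant and NVR addresses, and the ports are assumed values for a constructed lab.

```python
import ipaddress

# Constructed lab: one VLAN per zone. Subnets and addresses are assumptions.
ZONES = {
    "user": ipaddress.ip_network("10.0.10.0/24"),  # phones, laptops
    "iot":  ipaddress.ip_network("10.0.20.0/24"),  # bulbs, plugs, sensors
    "cam":  ipaddress.ip_network("10.0.30.0/24"),  # IP cameras
    "srv":  ipaddress.ip_network("10.0.40.0/24"),  # Home Assistant, NVR hosts
}
HA = ipaddress.ip_address("10.0.40.10")   # assumed Home Assistant address
NVR = ipaddress.ip_address("10.0.40.20")  # assumed NVR address

# Cross-VLAN allowlist as (source, destination, TCP port or None for any).
# Anything not listed is dropped, so user devices never reach IoT devices or
# cameras directly; they only reach the service that fronts them.
ALLOW = [
    (ZONES["user"], HA, 8123),   # users use the HA web UI
    (ZONES["iot"], HA, 1883),    # IoT devices publish to HA (assumed MQTT port)
    (HA, ZONES["iot"], None),    # HA may poll/control IoT devices on any port
    (ZONES["user"], NVR, 443),   # users watch cameras through the NVR
    (NVR, ZONES["cam"], 554),    # only the NVR host pulls RTSP streams
]

def _matches(scope, ip):
    """scope is a single host or a network; True when ip is covered by it."""
    return ip in scope if isinstance(scope, ipaddress.IPv4Network) else ip == scope

def zone_of(ip):
    return next((name for name, net in ZONES.items() if ip in net), None)

def is_allowed(src, dst, port):
    """Decide a new connection the way the router-side firewall would."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if zone_of(src) == zone_of(dst):
        # Same VLAN: the switch delivers it directly; the firewall never sees it.
        return True
    return any(_matches(s, src) and _matches(d, dst) and p in (None, port)
               for s, d, p in ALLOW)

def nft_rules():
    """Render the same allowlist as an nftables forward chain (default drop)."""
    out = ["table inet lab {", "  chain forward {",
           "    type filter hook forward priority 0; policy drop;",
           "    ct state established,related accept"]
    for s, d, p in ALLOW:
        match = f"ip saddr {s} ip daddr {d}" + (f" tcp dport {p}" if p else "")
        out.append(f"    {match} ct state new accept")
    out += ["  }", "}"]
    return "\n".join(out)
```

The same-VLAN shortcut in `is_allowed` is the point made above: two hosts on one VLAN talk directly, so only traffic that has to cross VLANs ever meets the ruleset.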

[–] Blue_Morpho@lemmy.world 1 points 1 week ago (1 children)

if you allowed that to happen you either did not set firewall rules strict enough

The argument was that the vlans force a device through the firewall so that the firewall can protect it. But for that to happen, like you said, the firewall wasn't strict enough or didn't have a defense against a 0 day.

So the vlan doesn't do anything either way. Either the firewall works in which case you don't need vlans to force local traffic through them a second time or they don't work in which case again the vlan did nothing.

[–] WhyJiffie@sh.itjust.works 1 points 1 week ago (1 children)

or didn't have a defense against a 0 day.

firewalls are not for defending against 0 days. it is about access control, and reducing, sometimes even minimizing access to potentially vulnerable services. firewalls are not an infallible security tool, but there is no such thing either. the reason to use it is to restrict access such that fewer attackers can take advantage of a potential vulnerability.

there are intrusion detection/prevention systems that could do more, but it's unlikely they will protect against 0 days, because 0 days are undiscovered and unknown issues.

So the vlan doesn't do anything either way.

it does. it's useful to force traffic through a firewall. it's for limiting what has access to what. if you wouldn't use vlans, hosts on the network would not care about your firewall because they can just go straight to the destination.

I'm not sure I understand your argument, but I think what you say is, firewalls are not infallible so they are useless

[–] Blue_Morpho@lemmy.world 1 points 1 week ago

I'll try an analogy to explain better. The firewall is a lock on the door to your house. Vlans are a rule that to go from one room to another, you must go back out the locked door and back in.

So an attacker tries to come in and can't pick the lock. You are safe.

Another attacker can pick the lock and get into a room. But if they can pick the lock for one room, they can pick the same lock again and get into any other rooms because it's the same lock protecting every room in the house.