On my network, I have quite a few VLANS.
One for work, one for IoT devices, one for security cameras and home automation, one for Guests, etc.
I typically keep everything inward facing, with the only way to access them via my OpenVPN connection (which only can see specific services on specific VLANs).
Recently, I thought of hosting a little Lemmy instance, since I have a couple domains I’m not doing much with.
I know I can just expose that one system/NGINX proxy and the necessary ports via WAN, but is it best practice to put external facing things on their own VLANs?
I was thinking of just throwing it on my IoT VLAN, but if it were to be compromised, it would have access to other devices on that VLAN because (to my knowledge) you cannot prevent communication between clients within the same VLAN.
you cannot prevent communication between clients within the same VLAN.
Can’t you use a firewall for this?
Anyway, my guess is it’s probably better to use a separate vlan or a DMZ for that. But given my poor security experience, others can probably better help you on this one
I would highly suggest using a separate VLAN at the minimum directly off your firewall, and at the ingress of your firewall put rules in blocking any traffic from the server to the rest of your home. You can always allow ssh from your work env to the server, but block unsolicited traffic from the server to your home. I’d also suggest potentially leveraging a secondary public IP if you have service that will give you a block of IP addresses for a fee. It would be worth it to just keep your home separate from any denial of service type attacks directed at your lemmy instance.
Got it, thank you. I’ll look into the 2nd static IP from Comcast. That is/ was one of my major concerns. I don’t want my whole home network going down if someone decides to dos it