I am currently setting up a Proxmox box that has the usual selfhosted stuff (Nextcloud, Jellyfin, etc) and I want all of these services in different containers/VMs. I am planning to start sharing this with family/friends who are not tech savvy, so I want excellent security.

I was thinking of restricting certain services to certain VLANs, and only plugging those VLANs into the CT/VMs that need them.

Currently, each CT/VM has a network interface (for example eth0) which gives them internet access (for updates and whatnot) and an interface that I use for SSH and management (for example eth1). These interfaces are both on different VLANs and I must use Wireguard to get onto the management network.

I am thinking of adding another interface just for “consumption” which my users would get onto via a separate Wireguard server, and they would use this to actually use the services.

I could also add another network just to connect to an internal NFS server to share files between CT/VMs, and this would have its own VLAN and require an additional interface per host that connects to it.

I have lots of other ideas for networks which would require additional interfaces per CT/VM that uses them.

From my experience, using a “VLAN-Aware” bridge and assigning VLANs per interface via the GUI is best practice. However, Proxmox does not support multiple VLANs per interface using this method.

I have an IPv6-only network, so I could theoretically assign multiple IPs per interface. Then I would use Linux VLANs from within the guest OS. However, this is a huge pain and I do not want to do this. And it is less secure because a compromised VM/CT could change its VLAN tag itself.

I am asking if adding many virtual interfaces per CT/VM is good practice, or if there is a better way to separate internal networks. Or maybe I should rethink the whole thing and not use one network per use-case.

I am especially curious about performance impacts of multiple interfaces.

Pyrosis
link
fedilink
English
23M

This would be correct if you are terminating ssl at the proxy and it’s just passing it to http. However, if you can enable SSL on the service it’s possible to take advantage of full passthru if you care about such things.

@raldone01@lemmy.world
link
fedilink
English
13M

Ahh nice good to know. For my use case I’d rather not distribute the certificates to all my services.

Pyrosis
link
fedilink
English
13M

When I was experimenting with this it didn’t seem like you had to distribute the cert to the service itself. As long as the internal service was an https port. The certificate management was still happening on the proxy.

The trick was more getting the host names right and targeting the proxy for the hostname resolution.

Either way IP addresses are much easier but it is nice to observe a stream being completely passed through. I’m sure it takes a load off the proxy and stabilizes connections.

Create a post

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.

Rules:

  1. Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

  • 1 user online
  • 191 users / day
  • 419 users / week
  • 1.14K users / month
  • 3.85K users / 6 months
  • 1 subscriber
  • 3.71K Posts
  • 74.6K Comments
  • Modlog