Pete90

joined 1 year ago
[–] [email protected] 7 points 9 months ago

I tried this. Put a DNS override for Google.com for one but not the other AdGuard instance. Then did a DNS lookup and the answer (IP) changed randomly from the correct one to the one I used for the override. I'm assuming the same goes for the scenario with the public DNS as well. In any case, the response delay should be similar, since the local Pi-hole instance has to contact the upstream DNS server anyway.

[–] [email protected] 1 points 10 months ago

I see, thanks for clearing that up.

[–] [email protected] 1 points 10 months ago (2 children)

Sounds like I'll do just that, thanks. Should I move all public facing services to that DMZ or is it enough to just isolate Traefik?

[–] [email protected] 1 points 10 months ago (4 children)

Only Nextcloud if externally available so far, maybe I'll add Vaultwarden in the future.

I would like to use a VPN, but my family is not tech literate enough for this to work reliably.

I want to protect these public facing services by using an isolated Traefik instance in conjunction with Cloudflare and Crowdsec.

[–] [email protected] 1 points 10 months ago* (last edited 10 months ago)

Both public and local services. I have limited hardware for now, so I'm still using my ISP router as my WLAN AP. Not the best solution, I know, but it works and I can separate my Home-WLAN from my Guest-WLAN easily.

I want to use an AP at some point in the future, but I'd also need a managed switch as well as the AP itself. Unfortunately, that's not in my budget for now.

[–] [email protected] 1 points 10 months ago (6 children)

Thank you so much for your kind words, very encouraging. I like to do some research along my tinkering, and I like to challenge myself. I don't even work in the field, but I find it fascinating.

The ZTA is/was basically what I was aiming for. With all those replies, I'm not so sure if it is really needed. I have a NAS with my private files, a nextcloud with the same. The only really critical thing will be my Vaultwarden instance, to which I want to migrate from my current KeePass setup. And this got me thinking, on how to secure things properly.

I mostly found it easy to learn things when it comes to networking, if I disable all traffic and then watch the OPNsense logs. Oh, my PC uses this and this port to print on this interface. Cool, I'll add that. My server needs access to the SMB port on my NAS, added. I followed this logic through, which in total got me around 25-30 firewall rules making heavy use of aliases and a handful of floating rules.

My goal is to have the control for my networking on my OPNsense box. There, I can easily log in, watch the live log and figure out what to allow and what not. And it's damn satisfying to see things being blocked. No more unknown probes on my Nextcloud instance (or much reduced).

The question I still haven't answered to my satisfaction is, if I build a strict ZTA or fall back to a more relaxed approach like you outlined with your VMs. You seem knowledgeable. What would you do, for a basic homelab setup (Nextcloud, Jellyfin, Vaultwarden and such)?

[–] [email protected] 1 points 10 months ago (1 children)

This sounds promising. If I understand correctly, you have a ton of networks declared in your proxy, each for one service. So if I have Traefik as my proxy, I'd create traefik-nextcloud, traefik-jellyfin, traefik-portainer as my networks, make them externally available and assign each service their respective network. Did I get that right?
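
The pattern asked about above, written out as an added Docker Compose example (this is not the original poster's or the replying commenter's configuration): one Traefik container joins three dedicated networks, and each backend joins only its own, so Nextcloud, Jellyfin and Portainer can reach the proxy but not each other. The hostnames, image tags and the `example.com` domain are placeholders, and the networks are assumed to have been created beforehand with `docker network create`.

```yaml
# Added example: one reverse proxy, one isolated network per backend.
# Assumes: docker network create traefik-nextcloud traefik-jellyfin traefik-portainer
networks:
  traefik-nextcloud:
    external: true
  traefik-jellyfin:
    external: true
  traefik-portainer:
    external: true

services:
  traefik:
    image: traefik:v3.0
    command:
      - --providers.docker=true
      # Only containers that opt in with traefik.enable=true get a route.
      - --providers.docker.exposedbydefault=false
      - --entrypoints.websecure.address=:443
    ports:
      - "443:443"
    volumes:
      # Read-only socket; still grants Traefik full Docker API access, see note below.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      # Traefik is the only container attached to all three networks.
      - traefik-nextcloud
      - traefik-jellyfin
      - traefik-portainer

  nextcloud:
    image: nextcloud:latest          # placeholder tag
    networks:
      - traefik-nextcloud            # reachable from Traefik only
    labels:
      - traefik.enable=true
      # Tells Traefik which of its networks to use to reach this container.
      - traefik.docker.network=traefik-nextcloud
      - traefik.http.routers.nextcloud.rule=Host(`cloud.example.com`)
      - traefik.http.routers.nextcloud.entrypoints=websecure
      - traefik.http.services.nextcloud.loadbalancer.server.port=80

  jellyfin:
    image: jellyfin/jellyfin:latest  # placeholder tag
    networks:
      - traefik-jellyfin
    labels:
      - traefik.enable=true
      - traefik.docker.network=traefik-jellyfin
      - traefik.http.routers.jellyfin.rule=Host(`media.example.com`)
      - traefik.http.routers.jellyfin.entrypoints=websecure
      - traefik.http.services.jellyfin.loadbalancer.server.port=8096

  portainer:
    image: portainer/portainer-ce:latest  # placeholder tag
    networks:
      - traefik-portainer
    labels:
      - traefik.enable=true
      - traefik.docker.network=traefik-portainer
      - traefik.http.routers.portainer.rule=Host(`portainer.example.com`)
      - traefik.http.routers.portainer.entrypoints=websecure
      - traefik.http.services.portainer.loadbalancer.server.port=9000
```

Two checks worth doing after bringing this up: `docker network inspect traefik-nextcloud` should list exactly two containers (traefik and nextcloud), and `docker exec nextcloud getent hosts jellyfin` should fail, because the backends share no network. The `traefik.docker.network` label matters once a backend is on more than one network (for example a separate database network), since Traefik otherwise picks one of them. The caveat is the mounted Docker socket: it gives the proxy control over every container on that host, which is the reason a public-facing proxy belongs on its own isolated host or VM rather than next to the internal services it fronts.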

[–] [email protected] 1 points 10 months ago

I've read about those two distinctions but I am simply lacking the number of ports on my little firewall box. I still only allow access to management from my PC, nothing else - so I feel good enough here. This all is more a little project for me to tinker on, nothing serious.

Your explanation with trust makes sense. I will simply keep my current setup but put different VMs on different VLANs. Then I can separate my local services from my public services, as well as isolate any testing VMs.

I've read that one should use one proxy instance for local access and one for public services with internet access. Is it enough to just isolate that public proxy or must I also put the services behind that proxy into the DMZ?

Thank you for your good explanation.

[–] [email protected] 2 points 10 months ago (2 children)

Thanks for your input. Am I understanding right, that all devices in one VLAN can communicate with each other without going through a firewall? Is that best practice? I've read so many different opinions that it's hard to see.

[–] [email protected] 4 points 10 months ago* (last edited 10 months ago) (1 children)

Ah, I did not know that. So I guess I will create several VLANs with different subnets. This works as I intended it, traffic coming from one VM has to go through OPNsense.

Now I just have to figure out if I'm being too paranoid. Should I simply group several devices together (e.g., 10=Servers, 20=PC, 30=IoT; this is what I see mostly being used) or should I sacrifice usability for a more fine-grained segregation (each server gets its own VLAN)? Seems overkill, now that I think about it.

[–] [email protected] 1 points 11 months ago* (last edited 11 months ago)

Never mind, I am an idiot. Your comment gave me thought and so I checked my testing procedure again. Turns out that, completely by accident, every time I copied files to the LVM-based NAS, I used the SSD on my PC as the source. In contrast, every time I copied to the ZFS-based NAS, I used my hard drive as the source. I did that about 10 times. Everything is fine now. THANKS!

[–] [email protected] 1 points 11 months ago

Both machines are easily capable of reaching around 2.2Gbps. I can't reach full 2.5Gbps speed even with iperf. I tried some tuning but that didn't help, so it's fine for now. I used iperf3 -c xxx.xxx.xxx.xxx, nothing else.

The slowdown MUST be related to ZFS, since LVM as a storage base can reach the "full" 2.2Gbps when used as an SMB share.
