November 6, 2024, caplam wrote:

I've been wanting to implement VLANs in my network for a long time, and now I've decided to try. So I want several VLANs:
- management: for all management interfaces (UniFi, switches, Unraid, ...)
- home: for all users' gear (smartphones, laptops, ...) or VMs
- iot: for all stuff related to IoT (devices and Dockers)
- guest: no comment needed
- dmz: for Nginx Proxy Manager
- server: for all Docker services and VM servers

I haven't yet decided in which VLAN to put each Docker or VM.

My Unraid server has 4 interfaces: 2x10G + 2x2.5G. One 2.5G interface is reserved for vPro/AMT. I will use the macvlan driver when possible, as it should make it easier to trace network traffic when I deploy security monitoring stuff like Security Onion. If I understood correctly, an interface is assigned an IP in its native VLAN (depending on the switch port configuration) and you can create a subinterface in each VLAN in network settings.

I also have a second server as backup with 3 interfaces: 2x1G + 10G.

Here is what I plan to do for the main server:
- 1 2.5G interface for vPro in the management VLAN
- 1 10G interface in the management VLAN for backing up to the backup server
- 1 10G interface in the server VLAN, with 1 subinterface in the dmz VLAN for NPM and 1 subinterface in the iot VLAN

But I have trouble identifying the VLAN where to put some Dockers. For example, for smart home things: I have Zigbee PoE controllers. I will put them in the iot VLAN. They need to communicate with the zigbee2mqtt Docker, so I will put this Docker in the iot VLAN too. This Docker needs to communicate with the MQTT broker, which is on my Home Assistant VM, which is published through NPM. How to decide where to put the HAOS VM? I'm looking for a fair balance between security and firewall complexity.

And I have a second question: on which interface does Unraid share files through SMB? Is this on all listening interfaces listed? Because if I want to have the Unraid GUI in the management VLAN for security reasons, how do I share files on the home VLAN?
November 7, 2024, Vr2Io wrote:

18 hours ago, caplam said:
    - guest: no comment needed

It does need some thought: for example, I set my mobile so it can access different VLANs, while other members and guests can only access the Internet.

18 hours ago, caplam said:
    For example, for smart home things: I have Zigbee PoE controllers. I will put them in the iot VLAN. They need to communicate with the zigbee2mqtt Docker, so I will put this Docker in the iot VLAN too. This Docker needs to communicate with the MQTT broker, which is on my Home Assistant VM, which is published through NPM. How to decide where to put the HAOS VM? I'm looking for a fair balance between security and firewall complexity.

In general, you should put HA, MQTT and Z2M in the same VLAN, but as a result they can all access each other. If you want to further protect HA, then HA must be put in a standalone VLAN, but this will increase firewall complexity.

You haven't mentioned the WiFi AP. In fact you need a VLAN-capable AP, otherwise all clients are in the same VLAN and you need to create many firewall rules to route or block traffic across VLANs.

18 hours ago, caplam said:
    Is this on all listening interfaces listed?

I'd expect so, but I only use one 10G for everything, which is much simpler than using multiple interfaces.

Edited November 7, 2024 by Vr2Io
November 9, 2024, caplam (Author) wrote:

I think I will put HA in the server VLAN and zigbee2mqtt in the iot VLAN. I will need to change the MQTT broker (currently held by HA as a complementary module) to a Docker on Unraid attached to a subinterface in a custom macvlan network.

For the WiFi I use UniFi gear. The AP is plugged into a trunk port and I have one SSID per VLAN (but limited to 4 SSIDs as I have a UAP-AC-Lite access point). I spent my day yesterday understanding the traffic rules from UniFi, as I had unexpected blocking.
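The trade-off the thread circles around (HA, MQTT and Z2M together in one VLAN versus HA in its own VLAN) can be made concrete by counting what a default-deny inter-VLAN firewall would have to allow for each placement, and which components end up sharing a VLAN and therefore reach each other unfiltered. The script below is an added example, not code from the thread or from Unraid or UniFi; the component names and required flows come from the posts, while the candidate placements, the service labels (well-known default ports for MQTT, Home Assistant and HTTPS; the Zigbee coordinator port varies by device) and the placement of the broker in option B are constructed assumptions.

```python
"""Compare VLAN placements for the home-automation components by counting the
inter-VLAN allow rules each needs and listing which components share a VLAN.
Added example for the thread; placements and ports are constructed assumptions."""
from collections import defaultdict

# Required application flows as (client, server, service), taken from the thread.
# Service labels are assumptions: well-known default ports where one exists.
FLOWS = [
    ("zigbee_coordinator", "zigbee2mqtt", "coordinator-tcp"),  # port varies by device
    ("zigbee2mqtt", "mqtt_broker", "tcp/1883"),
    ("homeassistant", "mqtt_broker", "tcp/1883"),
    ("npm", "homeassistant", "tcp/8123"),
    ("home_clients", "npm", "tcp/443"),
]

# Candidate placements (constructed). A keeps HA, MQTT and Z2M together in the
# IoT VLAN as Vr2Io suggests; B is the author's final plan with HA in the server
# VLAN, and assumes the broker moves next to HA.
PLACEMENTS = {
    "A_ha_in_iot": {
        "zigbee_coordinator": "iot", "zigbee2mqtt": "iot", "mqtt_broker": "iot",
        "homeassistant": "iot", "npm": "dmz", "home_clients": "home",
    },
    "B_ha_in_server": {
        "zigbee_coordinator": "iot", "zigbee2mqtt": "iot", "mqtt_broker": "server",
        "homeassistant": "server", "npm": "dmz", "home_clients": "home",
    },
}


def cross_vlan_rules(placement, flows=FLOWS):
    """Sorted (src_vlan, dst_vlan, service) allow rules a default-deny inter-VLAN
    firewall needs. Flows whose endpoints share a VLAN never cross it."""
    rules = set()
    for client, server, service in flows:
        src, dst = placement[client], placement[server]
        if src != dst:
            rules.add((src, dst, service))
    return sorted(rules)


def reachability(placement, flows=FLOWS):
    """For each destination VLAN, the other VLANs that get an allow rule into it.
    A VLAN absent from the result accepts nothing from the others."""
    reach = defaultdict(set)
    for src, dst, _ in cross_vlan_rules(placement, flows):
        reach[dst].add(src)
    return {vlan: sorted(srcs) for vlan, srcs in reach.items()}


def unfiltered_peers(placement):
    """For each component, the other components in the same VLAN: these reach it
    without any firewall rule, which is Vr2Io's 'can access each other' point."""
    by_vlan = defaultdict(set)
    for component, vlan in placement.items():
        by_vlan[vlan].add(component)
    return {c: sorted(by_vlan[v] - {c}) for c, v in placement.items()}


def compare(placements=PLACEMENTS, flows=FLOWS):
    """Summary per placement: rule list, reachability, and HA's unfiltered peers."""
    return {
        name: {
            "rules": cross_vlan_rules(p, flows),
            "reachable_from": reachability(p, flows),
            "ha_peers": unfiltered_peers(p)["homeassistant"],
        }
        for name, p in placements.items()
    }


if __name__ == "__main__":
    for name, summary in compare().items():
        print(f"{name}: {len(summary['rules'])} inter-VLAN rule(s)")
        for rule in summary["rules"]:
            print("   allow", *rule)
        print("   reachable_from:", summary["reachable_from"])
        print("   HA reachable unfiltered by:", summary["ha_peers"])
```

Running it shows the shape of the trade-off: option A needs two rules but leaves Home Assistant on the same segment as the Zigbee coordinator and zigbee2mqtt, so any compromised IoT device reaches it without touching the firewall; option B costs one extra rule (iot to server on 1883) but nothing from the other VLANs can initiate into the iot VLAN, and HA only shares its segment with the broker. Adding or moving components in `PLACEMENTS` re-evaluates a design before any switch or firewall is touched.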