Network Segmentation and Vlans

Bdavis
Solved by LIGISTX
11 hours ago, Bdavis said:

Over the past few weeks I have been slowly organizing and segmenting my network layout. I feel I have a pretty good layout, but I was wondering what the best practices are for separating devices using VLANs.

Here's a list of my devices. I use pfSense and Ubiquiti managed switches and access points, just FYI.

- TrueNAS server 1 with Plex, Ubiquiti controller, and Home Assistant
- TrueNAS server 2 (backup in another building via ptp)
- personal desktop
- smart light switches
- IPMI for both servers
- Fire TVs
- Echo Dots
- security cameras
- smartphones
- kids' tablets
- printers
- smart thermostats

How would you separate all of this? My main issue is the TrueNAS Scale server. I want it to be secure, but it needs to interact with all my smart home stuff for Plex and Home Assistant.

But back to actually helping OP…

You definitely want a VLAN for IoT devices. Stick them all on a subnet with no access to any other subnet. If you need to punch holes for things like Plex, or use Avahi for mDNS translation across the subnets, go ahead and do that. I have my network set up this way, and I can Chromecast from my private subnet just fine, and Plex clients can talk to my Plex server via firewall rules for specific ports and specific IPs.

I would then have a subnet just for management surfaces (pfSense web UI, NAS web UI (assuming your NAS itself isn't a garbage-tier IoT device and is actually secure), networking management like the UniFi controller, and the hypervisor for virtualization environments). Don't let anything talk to this subnet except for what is required to do management. Ideally, it would only be accessible via enabling a VPN or via plugging into a specific port on your firewall, but this makes it such a pain to use, so that's a hard one. But definitely don't allow IoT devices to touch the management subnet.

This would be a good way to get you going in the right direction. I also have a homelab subnet just for all my VMs and Docker containers etc.
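The layout in the answer above (a default-deny IoT VLAN with a single pinhole for Plex, and a management VLAN that only the private LAN may reach) as an added example, not code from the thread or from pfSense: a first-match rule evaluator in Python that a reviewer can run against the flows that matter. The 10.0.x.0/24 addressing plan, the Plex host address and the rule order are assumptions; 32400/TCP is Plex Media Server's default port.

```python
"""Model of the VLAN policy described in the post: a default-deny IoT VLAN
with one pinhole for Plex, and a management VLAN that only the private LAN
may reach.

Added example, not pfSense's own configuration. The addressing plan, the
Plex host address and the rule order are assumptions; 32400/TCP is Plex
Media Server's default port.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# Assumed addressing plan (constructed for this example).
PRIVATE = IPv4Network("10.0.10.0/24")     # desktop, phones
IOT = IPv4Network("10.0.20.0/24")         # Fire TVs, Echo Dots, switches, cameras
HOMELAB = IPv4Network("10.0.30.0/24")     # VMs and containers, including Plex
MANAGEMENT = IPv4Network("10.0.99.0/24")  # pfSense/NAS web UI, IPMI, UniFi
ANY = IPv4Network("0.0.0.0/0")

PLEX_SERVER = IPv4Network("10.0.30.10/32")  # assumed address of the Plex host
PLEX_PORT = 32400                           # Plex Media Server default port


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, src: IPv4Address, dst: IPv4Address,
                proto: str, dport: Optional[int]) -> bool:
        return (src in self.src and dst in self.dst
                and (self.proto is None or self.proto == proto)
                and (self.dport is None or self.dport == dport))


# First-match rule set, evaluated top-down the way pfSense does per interface.
RULES = [
    # IoT VLAN: the Plex pinhole must come before the blocks to other VLANs.
    Rule("pass", IOT, PLEX_SERVER, "tcp", PLEX_PORT),
    Rule("block", IOT, PRIVATE),
    Rule("block", IOT, MANAGEMENT),
    Rule("block", IOT, HOMELAB),
    Rule("pass", IOT, ANY),              # internet egress for streaming and updates
    # Management VLAN: reachable from the private LAN only.
    Rule("pass", PRIVATE, MANAGEMENT),
    Rule("block", ANY, MANAGEMENT),
    # Private LAN may reach everything else.
    Rule("pass", PRIVATE, ANY),
    # Homelab may reach the internet but not the private LAN.
    Rule("block", HOMELAB, PRIVATE),
    Rule("pass", HOMELAB, ANY),
]


def evaluate(src: str, dst: str, proto: str = "tcp", dport: Optional[int] = None,
             rules=RULES) -> str:
    """Action of the first matching rule, or 'block' if none matches
    (the implicit default deny at the end of every pfSense rule set)."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for rule in rules:
        if rule.matches(s, d, proto, dport):
            return rule.action
    return "block"


def audit(rules=RULES):
    """Flows a reviewer would check first: every VLAN toward management,
    and the IoT VLAN toward each other VLAN. Returns {description: action}."""
    probes = {
        "iot -> plex 32400/tcp": ("10.0.20.15", "10.0.30.10", "tcp", PLEX_PORT),
        "iot -> plex host 22/tcp": ("10.0.20.15", "10.0.30.10", "tcp", 22),
        "iot -> nas web ui 443/tcp": ("10.0.20.15", "10.0.99.5", "tcp", 443),
        "iot -> internet 53/udp": ("10.0.20.15", "8.8.8.8", "udp", 53),
        "desktop -> nas web ui 443/tcp": ("10.0.10.5", "10.0.99.5", "tcp", 443),
        "homelab -> nas web ui 443/tcp": ("10.0.30.10", "10.0.99.5", "tcp", 443),
    }
    return {name: evaluate(*flow, rules=rules) for name, flow in probes.items()}


if __name__ == "__main__":
    for name, action in audit().items():
        print(f"{name:32} {action}")
```

Two caveats the model makes visible: pfSense evaluates rules top-down on the interface where traffic enters, so the Plex pass rule only works because it sits above the IoT block rules; and traffic between two hosts on the same VLAN never crosses the firewall at all, which is why mDNS across VLANs needs a reflector (the Avahi package on the firewall, attached to both subnets) rather than just a pass rule, since mDNS is link-local multicast.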

18 hours ago, LIGISTX said:

You can set them up on any schedule you want, and as many schedules as you want, on a directory-by-directory or whole-dataset basis.

ZFS snapshots are just block-level deltas, so if no data ever changes, they are effectively free and take up no space at all. As the directory changes, only the delta is used. Snapshots are forever read-only, and can only be deleted via the web UI or SSH; they are a function of ZFS itself, not special to TrueNAS at all.

So I have multiple snapshots set up and different setups based on data. For my personal data, I take a snapshot every 10 minutes and store that for 12 hours, I take one every hour and store that for a day, take one every 6 hours and store it for a week, etc., all the way up to 6 months of retention. So I can revert to any of those points in time, or I can create a new dataset FROM one of those past times to just grab a single file that was deleted, for example, restore it, then delete that newly created dataset (the ZFS snapshot will remain; the dataset is just an SMB-accessible way to go and retrieve said file).

I like this idea a lot. Making a backup takes a while, and when something encrypts your data, the backup is too late for that. Nothing speaks against taking a snapshot every half hour or more often, at no additional cost.

18 hours ago, LIGISTX said:

This is the power of ZFS… you can also use snapshots for ZFS replication tasks. So if you have a remote server that you back up to, you can back up snapshots via ZFS's built-in replication mechanism as well: https://www.google.com/amp/s/klarasystems.com/articles/introduction-to-zfs-replication/%3Famp

I am telling you… ZFS really is the best file system out there, which is why you should grab yourself an LSI HBA and switch to it 🙂

Well, you can do it with btrfs as well, but that lacks RAID56, is less mature, and deduplication is kind of a joke and in alpha stage (but won't require as much RAM) and not really usable. So when you want features like that, there's no way around ZFS.
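The tiered retention LIGISTX describes in the quoted post (10-minute snapshots kept for 12 hours, hourly kept for a day, 6-hourly kept for a week, and so on up to 6 months) as an added example, not TrueNAS's or ZFS's own code: a small Python pruner that decides which automatic snapshots have aged out of their tier and prints the `zfs destroy` commands it would run, plus the steady-state snapshot count that shows why the schedule is cheap. The snapshot naming convention, the daily and monthly tiers and the sample dataset are assumptions constructed for the example.

```python
"""Tiered snapshot retention like the schedule described in the post.

Added example, not TrueNAS's or ZFS's own code. It assumes automatic
snapshots are named <dataset>@auto-<tier>-<YYYYmmddTHHMM> (a convention
constructed for this example, not TrueNAS's exact naming) and prunes
whatever has aged out of its tier's window.
"""
from datetime import datetime, timedelta
import re

# Retention per tier. The first three follow the post (10-minute/12 h,
# hourly/1 day, 6-hourly/1 week); daily and monthly are assumed tiers that
# fill in the "up to 6 months" the post mentions.
POLICY = {
    "10min": timedelta(hours=12),
    "hourly": timedelta(days=1),
    "6hourly": timedelta(days=7),
    "daily": timedelta(days=30),
    "monthly": timedelta(days=182),
}

# How often each tier is taken; used to size the steady-state snapshot count.
INTERVALS = {
    "10min": timedelta(minutes=10),
    "hourly": timedelta(hours=1),
    "6hourly": timedelta(hours=6),
    "daily": timedelta(days=1),
    "monthly": timedelta(days=30),
}

SNAP_RE = re.compile(r"^(?P<ds>[^@]+)@auto-(?P<tier>[a-z0-9]+)-(?P<ts>\d{8}T\d{4})$")


def parse(name: str):
    """(dataset, tier, timestamp) for an auto snapshot, None for anything else."""
    m = SNAP_RE.match(name)
    if m is None:
        return None
    return m["ds"], m["tier"], datetime.strptime(m["ts"], "%Y%m%dT%H%M")


def expired(snapshots, now: datetime, policy=POLICY):
    """Names of snapshots older than their tier's retention window.
    Manual snapshots and unknown tiers are never selected."""
    out = []
    for name in snapshots:
        parsed = parse(name)
        if parsed is None:
            continue
        _, tier, taken = parsed
        window = policy.get(tier)
        if window is not None and now - taken > window:
            out.append(name)
    return out


def destroy_commands(snapshots, now: datetime, policy=POLICY):
    """Dry run: the zfs destroy commands a pruning job would issue."""
    return [f"zfs destroy {name}" for name in expired(snapshots, now, policy)]


def steady_state_count(policy=POLICY, intervals=INTERVALS):
    """Snapshots each tier holds once its window is full: window // interval."""
    return {tier: policy[tier] // intervals[tier] for tier in policy}


# Constructed sample for one dataset, evaluated at a fixed "now".
NOW = datetime(2024, 3, 1, 12, 0)
SAMPLE = [
    "tank/personal@auto-10min-20240301T1150",    # 10 min old: keep
    "tank/personal@auto-10min-20240229T2300",    # 13 h old: expired
    "tank/personal@auto-hourly-20240301T0900",   # 3 h old: keep
    "tank/personal@auto-hourly-20240228T1100",   # 49 h old: expired
    "tank/personal@auto-6hourly-20240222T1200",  # 8 days old: expired
    "tank/personal@auto-monthly-20231001T0000",  # about 5 months old: keep
    "tank/personal@manual-before-upgrade",       # not auto-managed: keep
]

if __name__ == "__main__":
    for cmd in destroy_commands(SAMPLE, NOW):
        print(cmd)
    print(steady_state_count())
```

With these windows a dataset never holds more than 72 + 24 + 28 + 30 + 6 = 160 automatic snapshots, each costing only the blocks that changed during its interval, which is the "effectively free" property the post relies on against ransomware-style encryption. Pulling one deleted file back the way the post describes maps to `zfs clone pool/dataset@snapshot pool/restore`, copying the file out of the clone, then destroying the clone; the snapshot itself is untouched.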

15 hours ago, Bdavis said:

That is exactly what I'm trying to achieve. I only want devices to be able to talk to the devices and resources on the network that they need to.

That sounds like the right approach. When you have IPv6, that'll require some thought, especially when you don't have static addresses. You can utilize interface groups for that. One of the biggest disadvantages of pfSense and OPNsense is that they are not zone based.
16 hours ago, Bdavis said:

I have nightly snapshots that back up to another TrueNAS server at my brother's house across the street via a ptp link. I'll install Avahi as soon as I'm back from my work trip.

Did you run a cable across or are you doing it over internet?
9 hours ago, heimdali said:

Did you run a cable across or are you doing it over internet?

What part of the P2P link didn't you understand though?
51 minutes ago, itsparks said:

What part of the P2P link didn't you understand though?

P2P means point to point. That can as well be a VPN connection between two sites that goes over the internet or over whatever else, over your own radio antennas, over your own cable or anything that can be used to establish a P2P connection.
11 hours ago, heimdali said:

Did you run a cable across or are you doing it over internet?

It's via a point to point link by Ubiquiti. I get gigabit throughput across it.
1 hour ago, heimdali said:

P2P means point to point. That can as well be a VPN connection between two sites that goes over the internet or over whatever else, over your own radio antennas, over your own cable or anything that can be used to establish a P2P connection.

Are you drunk? Since when is a VPN a ptp link? ANY TIME I have heard P2P link, it means wireless.
18 minutes ago, Bdavis said:

It's via a point to point link by Ubiquiti. I get gigabit throughput across it.

YOU ever tried the MikroTik Wireless Wire units? NOW those are impressive!!
3 hours ago, itsparks said:

YOU ever tried the MikroTik Wireless Wire units? NOW those are impressive!!

I've heard good things, and they are really well priced. I've been eyeing Ubiquiti's new one that can send at around 6 Gb/s. It costs a grand though and I don't really need it.
2 hours ago, Bdavis said:

I've heard good things, and they are really well priced. I've been eyeing Ubiquiti's new one that can send at around 6 Gb/s. It costs a grand though and I don't really need it.

The Wireless Wire is $270 Canadian, unbox, point and go. I have done about 6 systems. ROCK solid too!!
11 hours ago, itsparks said:

Are you drunk? Since when is a VPN a ptp link? ANY TIME I have heard P2P link, it means wireless.

We can argue if it means 'point to point' or 'peer to peer', but maybe you have been drinking too much. In any case, it doesn't have anything to do with "wireless", whatever that means. Ever heard of PPPoE?

https://en.wikipedia.org/wiki/Point-to-Point_Protocol :

"PPP is used over many types of physical networks, including serial cable, phone line, trunk line, cellular telephone, specialized radio links, ISDN, and fiber optic links such as SONET. Since IP packets cannot be transmitted over a modem line on their own without some data link protocol that can identify where the transmitted frame starts and where it ends, Internet service providers (ISPs) have used PPP for customer dial-up access to the Internet."

https://en.wikipedia.org/wiki/Peer-to-peer :

"Peer-to-peer (P2P) computing or networking is a distributed application architecture that partitions tasks or workloads between peers. Peers are equally privileged, equipotent participants in the network."

https://en.wikipedia.org/wiki/Wireless :

"Wireless communication (or just wireless, when the context allows) is the transfer of information between two or more points without the use of an electrical conductor, optical fiber or other continuous guided medium for the transfer. The most common wireless technologies use radio waves. With radio waves, intended distances can be short, such as a few meters for Bluetooth or as far as millions of kilometers for deep-space radio communications."
5 hours ago, heimdali said:

We can argue if it means 'point to point' or 'peer to peer', but maybe you have been drinking too much. In any case, it doesn't have anything to do with "wireless", whatever that means. Ever heard of PPPoE?

https://en.wikipedia.org/wiki/Point-to-Point_Protocol :

"PPP is used over many types of physical networks, including serial cable, phone line, trunk line, cellular telephone, specialized radio links, ISDN, and fiber optic links such as SONET. Since IP packets cannot be transmitted over a modem line on their own without some data link protocol that can identify where the transmitted frame starts and where it ends, Internet service providers (ISPs) have used PPP for customer dial-up access to the Internet."

https://en.wikipedia.org/wiki/Peer-to-peer :

"Peer-to-peer (P2P) computing or networking is a distributed application architecture that partitions tasks or workloads between peers. Peers are equally privileged, equipotent participants in the network."

https://en.wikipedia.org/wiki/Wireless :

"Wireless communication (or just wireless, when the context allows) is the transfer of information between two or more points without the use of an electrical conductor, optical fiber or other continuous guided medium for the transfer. The most common wireless technologies use radio waves. With radio waves, intended distances can be short, such as a few meters for Bluetooth or as far as millions of kilometers for deep-space radio communications."

Yeah, back in 1998 when 10/100 network cards were just rolling out, PPPoE was a thing! Static IPs or DHCP was a thing too!
7 minutes ago, itsparks said:

Yeah, back in 1998 when 10/100 network cards were just rolling out, PPPoE was a thing! Static IPs or DHCP was a thing too!

What are you using for your internet connection if not PPPoE?