this post was submitted on 26 Oct 2023
18 points (87.5% liked)


So I bought a fanless firewall appliance with 4x2.5Gbps ports and I would like to set up Proxmox on two identical SSD drives. I also want to configure a bridge on my ISP router and then configure the router as a firewall on top of Proxmox. My plan is to install HA on top of Proxmox too.

My goal is to separate my normal WiFi connection into two or even 3 VLANs, one for normal devices, one for IoT and a third for a Guest VLAN. And I would like the Home Assistant to have access to both my normal SSID and IoT VLANs.

For the access point I have a mesh router that doesn't support VLANs and I was thinking temporarily to repurpose an old Netgear R7800, and here I don't know whether I should simply configure the Guest SSID to be for the IoT or repurpose the 2.4GHz network and leave the 5GHz for normal devices. Currently on the WiFi router I have OpenWRT but I am also considering switching to Voxel?

Can you maybe recommend some tutorials with what settings and setup to use, and if you had a similar network setup, give me some hints on what to

top 13 comments
[–] [email protected] 4 points 1 year ago (2 children)

You need two Proxmox nodes for HA.

Virtual networking is also not a great idea in the homelab. It's better if you do have HA, but even so, if you screw it up and break something in Proxmox, you'll be without any network access to look for help online (except on your phone, so good luck retyping commands or transferring files).

[–] [email protected] 5 points 1 year ago (1 children)

HA = High-Availability

But I think OP meant Home Assistant

[–] [email protected] 0 points 1 year ago

Exactly, sorry for the confusion

[–] [email protected] 5 points 1 year ago (1 children)

Sorry, HA is Home Assistant, not high availability.

[–] [email protected] 1 points 1 year ago

Then his point is stronger, since you would be in a shittier situation without High Availability.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters   More Letters
AP              WiFi Access Point
HA              Home Assistant automation software
                High Availability
IP              Internet Protocol
IoT             Internet of Things for device controllers
MQTT            Message Queue Telemetry Transport point-to-point networking
SSD             Solid State Drive mass storage

6 acronyms in this thread; the most compressed thread commented on today has 5 acronyms.

[Thread #245 for this sub, first seen 26th Oct 2023, 21:45] [FAQ] [Full list] [Contact] [Source code]

[–] [email protected] 2 points 1 year ago

In the realm of firewall applications, I use the following:

° IPFire is easy to use, but lacks IPv6 support and it doesn't have OTP. It has lots of packages though.

° Alpine is good, if you don't want a GUI or want to spend time figuring out how to build a web UI (really good for beginners as it's mostly XML)

° OpenWrt is a good fit for low end hardware (SPARC or ARM processors mostly) but also works on x86.

° OPNsense - like pfSense, but more up to date. Has some quirks in it (like if you block both incoming and outgoing, but just want to allow 80/443, the rules look weird... like the direction you have to allow is in, but destination is 80/443. Very strange bug that isn't in pfSense).

° HardenedBSD firewall - literally just OPNsense but with HBSD's fully patched kernel. No repo though.

That being said, you can make any distro a firewall, just use iptables/pf/ipfw/ipfilter rules through the command line, and you can add anything in that distro's repo you can think of.

[–] [email protected] 1 points 1 year ago (1 children)

Ok, so it is not that hard then I guess. Install Proxmox on the appliance, then install two VMs, HA and pfSense. Deal with further segmentation of your LAN and the bridge to the router in pfSense.

But if you ask me, drop the idea of VLANs for appliances and keep it simple. Only make a guest network on WiFi, but using VLANs is a PITA, people want to stream to TVs, use the app to control heating, etc. If you are concerned about appliances connecting to the internet, just block internet access in OpenWRT or pfSense.

[–] [email protected] 1 points 1 year ago

Personally, I'd advise to use OPNsense over pfSense. OPNsense kernels are more up to date, and the devs are less toxic.

IPFire is a Linux alternative that is easy to use, just no OTP.

[–] [email protected] 0 points 1 year ago (1 children)

Can you list the devices you have and what you want each one to be doing?

[–] [email protected] 0 points 1 year ago (1 children)

I have this fanless PC, and it has 4 ethernet ports, 2.5Gbps. I have equipped it with 2x2TB of SSD and 32GB of RAM.

I have an ISP router, but it would only serve to bridge the WAN interfaces.

I have Netgear with OpenWRT running on it.

I want to install Proxmox on the fanless PC and spin up OPNsense and Home Assistant on it. The plan is to run a couple of containers but I consider them out of scope for now.

I want to pass through the network interfaces to OPNsense directly as I have a Gbps Internet connection.

The plan is to create a couple of VLANs, e.g.

  • 100 - home connection
  • 200 - IoT
  • 201 - Guest WiFi VLAN

Here I am debating whether I need a fourth for the management interfaces of all services, but let's say not for now.

The WiFi router would be connected to one of the ports of the firewall appliance and it would need to have access to all three VLANs in tagged mode. I want to configure them on the Netgear R7800 running OpenWRT or Voxel, need to decide what's better suited for my needs, as I believe this router would only act as a dumb AP and all the networking and firewalling will be handled by OPNsense. Here the plan is to create three different SSIDs (Home WiFi, connected to VLAN 100 on 5GHz, IoT SSID for the IoT devices connected to VLAN 200 and running at 2.4GHz, and a Guest SSID).

My Home Assistant VM should have access to both VLAN 100 and 200. Eventually it should have a management IP from VLAN 100 and also access to see all the IoT devices over VLAN 200.

I know that's not the best setup and I have one huge point of failure, but since I am living in Europe in a country where electricity is one of the most expensive, I wanted to minimise my cost over time. I specifically bought a fanless firewall appliance that uses an N100 CPU and through some BIOS tweaks I managed to reduce the idle power consumption to 9 Watts, as I don't want my annual electricity bill to balloon by adding a couple of devices. Alternatively I also have a Raspberry Pi but I would prefer not to use it, to save on electricity costs.

My goal is to try this setup for a couple of days and in the worst case I can always revert to the old setup.

[–] [email protected] 0 points 1 year ago (1 children)

Your MQTT broker for IoT lives in your IoT VLAN, obviously.

Assuming your Home Assistant web frontend lives in your "home" VLAN (otherwise you can't get all the fancy controls). Then how are these two talking to each other?

[–] [email protected] 0 points 1 year ago

That's the question? If the device has access to both VLANs I presume I would be able to configure the management interface to be on VLAN 100 while everything else is on VLAN 200. Is it that hard to configure?
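Added example, not from anyone in the thread: a small stateful policy model of the inter-VLAN rules the OP's plan and the MQTT question call for, using the thread's VLAN IDs (100 home, 200 IoT, 201 guest). The rule table, the "wan" zone label and the flow constants are assumptions; 1883 (MQTT) and 8123 (Home Assistant web UI) are the defaults of those services. It shows the routed alternative to a multi-homed HA VM: HA in VLAN 100 opens a single allowed connection to the broker in VLAN 200, replies come back as established traffic, and nothing in the IoT or guest VLAN can initiate toward home.

```python
from dataclasses import dataclass

# Zone labels (assumed): VLAN IDs from the thread plus a "wan" zone for the internet.
HOME, IOT, GUEST, WAN = 100, 200, 201, "wan"


@dataclass(frozen=True)
class Flow:
    src_zone: object   # VLAN ID or "wan"
    dst_zone: object
    proto: str         # "tcp" / "udp"
    dport: int


# Assumed rule table, evaluated first-match; anything not matched is denied.
# (src, dst, proto, dport, action) with "any" as a wildcard.
RULES = [
    (HOME, IOT, "tcp", 1883, "allow"),   # Home Assistant (100) -> MQTT broker (200)
    (HOME, IOT, "tcp", 80, "allow"),     # open IoT device web UIs from the home VLAN
    (HOME, WAN, "any", "any", "allow"),
    (GUEST, WAN, "any", "any", "allow"),
    (IOT, WAN, "any", "any", "deny"),    # keep IoT offline, as suggested in the thread
]


def matches(rule, f: Flow) -> bool:
    src, dst, proto, dport, _ = rule
    return (src == f.src_zone and dst == f.dst_zone
            and proto in ("any", f.proto) and dport in ("any", f.dport))


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.established = set()   # flows whose first packet was accepted

    def connect(self, f: Flow) -> bool:
        """New connection attempt: first matching rule decides, default deny."""
        for rule in self.rules:
            if matches(rule, f):
                if rule[4] == "allow":
                    self.established.add(f)
                return rule[4] == "allow"
        return False

    def reply_allowed(self, f: Flow) -> bool:
        """Return traffic is accepted only for a flow that was established."""
        return f in self.established


def demo() -> dict:
    fw = StatefulFirewall(RULES)
    ha_to_mqtt = Flow(HOME, IOT, "tcp", 1883)
    return {
        "ha_to_mqtt": fw.connect(ha_to_mqtt),                       # True
        "mqtt_reply": fw.reply_allowed(ha_to_mqtt),                 # True, established
        "iot_to_ha": fw.connect(Flow(IOT, HOME, "tcp", 8123)),      # False, default deny
        "guest_to_ha": fw.connect(Flow(GUEST, HOME, "tcp", 8123)),  # False
        "guest_to_wan": fw.connect(Flow(GUEST, WAN, "tcp", 443)),   # True
        "iot_to_wan": fw.connect(Flow(IOT, WAN, "tcp", 443)),       # False, explicit deny
    }
```

The same table transcribes one-to-one into per-interface rules on OPNsense or pfSense, where the stateful reply handling happens automatically.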