this post was submitted on 11 Feb 2024
12 points (92.9% liked)

Selfhosted

39435 readers
9 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
12
Opnsense and one ethernet port (lemmy.sdf.org)
submitted 8 months ago by [email protected] to c/[email protected]
5 comments fedilink hide all child comments
 

Hi,

I believe with just one port for opnsense (on a min-pc) we can still do vlans (with tagging I believe?) but how effective is that for segregating and isolating proxmox machines?

Say I want to keep a VPN machine isolated, from other virtual machines? How would you do that? Do you have any tips for running such a system?

top 5 comments
sorted by: hot top controversial new old
[–] [email protected] 6 points 8 months ago* (last edited 8 months ago) (1 children)

Your opnsense will have WAN (ethernet port) and your LAN side will be all virtualized. There's no problem having VLAN 10 with 192.168.10.0/24 for your main vms and then VLAN 20 with 192.168.20.0/24 for your VPN machine. Setup deny rules in the firewall to stop the VLANs from communicating.
If this is inside your current home network you will end up with double NAT though.

[–] [email protected] 2 points 8 months ago* (last edited 8 months ago)

If the opnsense interface on the WAN VLAN has a public routable IP address there shouldn't be a problem with double NAT. Double NAT should only be a problem if they have a crappy ISP that's using CGNAT.

Edit: never mind, I reread your comment. We're saying the same thing essentially.

[–] [email protected] 5 points 8 months ago

If you dont want to do a router on a stick, mabe your minipc has a WiFi socket you're not using. You can get an m.2 A key to gigabit Ethernet adapter. Theyre mostly realtek chips but in my experience they work fine in opnsense.

https://www.youtube.com/watch?v=HXP8IVUVJbg

[–] [email protected] 3 points 8 months ago

It's perfectly effective, they become fully isolated from each other. Yes vlans would work if they're all on the same host. If they're not on the same host you would need a vlan capable switch, or at least one that'll pass tagged packets through.

[–] [email protected] 1 points 8 months ago* (last edited 8 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
CGNAT Carrier-Grade NAT
IP Internet Protocol
NAT Network Address Translation
VPN Virtual Private Network

4 acronyms in this thread; the most compressed thread commented on today has 9 acronyms.

[Thread #503 for this sub, first seen 11th Feb 2024, 20:45] [FAQ] [Full list] [Contact] [Source code]