How to properly protect management subnet

I have a multi-vlan setup at home via pfsense, and I have things such as proxmox, pfsense, truenas etc all managed on a “management” vlan. That part works fine, and I have full separation from IoT devices for example, as they sit in a walled-off vlan.

I have SMB shares and such on a “lower level” vlan, but…. For ease of management of my homelab, my windows desktop and MacBook, which sit on that lower level vlan, still have full access to the management subnet, which obviously defeats some of this segmentation.

What are topologies/VPN/tools folks use to still “easily” manage things, but have good separation from the management webUIs and SSH ports?

Two options I considered were setting up a VPN with access to the management subnet, and then having to “VPN up” to that management level, or putting a VM on the management subnet and RDPing into it. I figure there must be a more elegant solution…

Management can all be put on native and then create a VLAN for each other network.

How do you interact with the management vlan?

I have everything on that vlan, but have a wide open pfsense rule to allow my PC and MacBook to be able to manage everything. Someone or something could laterally move from my PC to the management network without any step in between.

You lock down what devices can access the management vlan.

Give your PC and MacBook fixed IP addresses within DHCP, and create an alias with the IP addresses of your devices.

On the firewall rule that you create to allow access to the management lan, add the alias as the source.


I keep my switches and AP on the management vlan. My CAM / IoT / GUEST vlans cannot access the management vlan nor the pfsense GUI.

As an additional layer of security my external cams connect with a RADIUS profile, so you could not unplug the cam and plug into my network easily. The same goes for my wifi. If I wanted I could also apply RADIUS to ports on my switches, but if someone is already plugging into a switch I think I have bigger problems.

I will say I also use OpenVPN on my phone / tablet to access my wifi because I have it already setup, perhaps it has a layer of additional security that needs to be penetrated.

I have this set up currently, but my concern is more around what happens if I do get malware on my PC. My PC can access the management vlan. If said malware is able to pull our password manager data, it would be able to access the truenas webUI or SSH, and then my idea of “well, I use ZFS snapshots, I am pretty well protected against almost everything” goes out the window.

I do believe I am going beyond what a normal homelab would do, but just thinking through the attack vectors, my PC being windows is a pretty big threat surface, and it having access to the management vlan at all times for easy administering of the lab seems like a security oversight.

Same. All of my infrastructure, hypervisors, and network gear is held on the management vlan. My only devices on a vlan that has access to that are my PC, MacBook, and iPhone. But, I still am considering that one of those devices could get pwned (it seems like every week there is a new actively exploited zero day against at least one of them), and those three devices can all directly access the management subnet.

A better option is to run something like vmware workstation on your host PC, then run windows in a vm; you can easily limit what it can access on the network. I have been running windows in a vm for years without any issues, with linux on the host. I originally did this so that I could optimise my RAM for the vms I needed to run and just carried on like this.

Realistically my PC is mostly used for gaming and photo editing, I’m probably not going to virtualize it. But I could spin up a windows VM on my homelab and RDP into that just to use chrome and access password manager, as well as use that as my homelab management interface. Hmm

Since you have Proxmox, you could set up a “jump network” (vlan) where a special vm (or jump station) used only for your management sits. So from your laptop/pc (and only those devices) you can remote in to that vm, which in turn has access to the management vlan, and you could then manage things from there.
Of course, you should have a backup connection to that management vlan, since your hypervisor or management vm can crash, by setting up a physical port on your switch that is on the management vlan also. That port of course has nothing connected to it; it is just in case of emergencies.


This is basically what I was describing as my assumed option, but I was curious if there are things folks do in industry that are ‘smarter’. I assume there must be a standard practice for this sort of thing, I just don’t know what it is.

But this “special vm” idea is what I was leaning towards because it seems relatively easy.

That’s how it is done in the industry.
The management network is never accessible directly but only from another network (the jump network) that also has restricted access. So in order to access the management network, an attacker will have to breach 2 networks.
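As an added illustration (not from any poster in this thread), here are the two designs discussed above, the "alias as source" rule and the jump network, written as raw pf rules of the kind the pfSense GUI generates. Interface names, addresses and the jump VM are constructed; only the Proxmox web UI port 8006 is a real default.

```pf
# Constructed example: pf rules for a pfSense box with three VLANs.
lan_if   = "igb1"          # "lower level" VLAN where the PC and MacBook live
jump_if  = "igb1.30"       # jump VLAN, holds only the management VM
mgmt_net = "10.0.10.0/24"  # management VLAN: Proxmox, TrueNAS, switches, APs
jump_vm  = "10.0.30.10"    # the "special vm" used only for administration

# The alias of admin workstations. DHCP static mappings keep these fixed.
table <admin_hosts> persist { 10.0.20.10, 10.0.20.11 }

# pfSense emits user rules with "quick", so the first match wins.

# 1. Nothing on the lower-level VLAN reaches the management VLAN directly,
#    not even the admin hosts. This closes the gap the original poster described.
block in quick log on $lan_if from any to $mgmt_net

# 2. Only the admin hosts may reach the jump VM, and only over SSH/RDP.
pass  in quick on $lan_if proto tcp from <admin_hosts> to $jump_vm port { 22, 3389 }
block in quick log on $lan_if from any to $jump_vm

# 3. The jump VM alone may reach management SSH and web UIs
#    (443 for pfSense/TrueNAS, 8006 for Proxmox).
pass  in quick on $jump_if proto tcp from $jump_vm to $mgmt_net port { 22, 443, 8006 }
block in quick log on $jump_if from any to $mgmt_net
```

The "alias only" design from earlier in the thread is rule 1 with `from <admin_hosts>` as a pass instead of a block; the jump design adds the second hop so a compromised workstation still cannot reach the management subnet on its own.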