hello everybody,
I need some help/info about assigning multiple NICs to VMs.
Since some services (Home Assistant, Frigate, etc.) need to talk with devices on other networks (cameras, IoT devices, etc.), from a performance/security point of view, is it better to:
give direct access to the network (i.e. assign one or more dedicated virtual NICs)
move all traffic between VLANs with firewall rules on pfSense
move the VM onto the same VLAN as the devices (e.g. Frigate on the cameras VLAN) and expose only the GUI through Traefik (on VLAN 203), but then what to do if, for example, Home Assistant needs both the IoT stuff and Frigate?
other?
what do you suggest?
My current configuration is:
VLAN 203 - services (Home Assistant, Nextcloud, etc.) and Traefik
VLAN 207 - IoT stuff
VLAN 220 - cameras
VLAN 201 - main
My typical preference is to keep services in their own VLAN and use firewall rules at the firewall and on the VM host to expose the needed communication.
I agree with the other two posters. Router on a stick is the easiest design for security. If you want to get better performance you can move the switch up into the router as a bridge. I do this to help improve the traffic throughput, but for most small networks it is not necessary.
With Frigate I have no problems; it is easy to create the right firewall rule.
But for Home Assistant?
To work properly it needs to scan the IoT network for device/service discovery, etc.
I think that if I route all traffic through the firewall, I could lose some functionality.
My pfSense is a VM on an old Xeon E3. Right now, even with traffic inspection, it has no problems handling all VLANs, gaming, watching 4K content, etc.
But I am worried that all this new traffic (10 cameras in H.264, 24/7, IoT stuff, etc.) will add extra load on the router…
I’d say stick untrusted devices on VLANs that can’t see other VLANs; if you need to see those devices from a trusted VLAN, just create the required rules.
Things like your cameras don’t need internet access, so block it; IoT doesn’t need to see other stuff; services might need to see IoT but not vice versa, etc.
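As an added example (not from any poster in this thread), here is that policy written as pf rules, which is what pfSense builds underneath its GUI rules. Interface names, subnets and the Traefik address are assumptions for the example.

```pf
# Macros: interface and subnet names are assumptions for this example.
main_if     = "vlan0.201"
services_if = "vlan0.203"
iot_if      = "vlan0.207"
cams_if     = "vlan0.220"
vlans       = "{ vlan0.201 vlan0.203 vlan0.207 vlan0.220 }"

main_net     = "10.0.201.0/24"
services_net = "10.0.203.0/24"
iot_net      = "10.0.207.0/24"
cams_net     = "10.0.220.0/24"
traefik      = "10.0.203.10"    # assumed address of the reverse proxy

# A table, not a list: "to ! { a, b }" would expand into two rules that
# together match everything, so negation must be done against a table.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Default deny on every VLAN interface; every rule below is an explicit exception.
# "quick" stops at the first matching rule; "keep state" lets replies to an
# allowed connection flow back without a rule in the reverse direction.
block in log on $vlans

# DNS and DHCP to the firewall itself, on every VLAN.
pass in quick on $vlans inet proto { tcp udp } from any to self port 53 keep state
pass in quick on $vlans inet proto udp from any port 68 to 255.255.255.255 port 67 keep state

# Cameras (VLAN 220): nothing outbound at all, not even internet. They only answer
# connections that services initiate; the state created by the services rules
# below already lets those replies through.

# IoT (VLAN 207): internet only, no local VLAN is reachable.
pass in quick on $iot_if inet from $iot_net to ! <rfc1918> keep state

# Services (VLAN 203): may initiate to cameras (RTSP for Frigate), to IoT, and to the internet.
pass in quick on $services_if inet proto tcp from $services_net to $cams_net port 554 keep state
pass in quick on $services_if inet from $services_net to $iot_net keep state
pass in quick on $services_if inet from $services_net to ! <rfc1918> keep state

# Main (VLAN 201): service GUIs only through Traefik, plus internet.
pass in quick on $main_if inet proto tcp from $main_net to $traefik port { 80 443 } keep state
pass in quick on $main_if inet from $main_net to ! <rfc1918> keep state
```

Multicast discovery (mDNS/SSDP) that Home Assistant relies on does not cross a router whatever these rules say; on pfSense the Avahi package can reflect mDNS between VLANs 203 and 207, and the unicast connections Home Assistant opens afterwards are covered by the services-to-IoT rule.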
You’ve got a complicated setup, doing anything fancy to boost performance is going to make it even more complicated. If you want to go down that rabbit hole it will take a lot of time and learning. Giving specifics beyond what others have suggested may not be helpful at this stage of the game.
Think about your choke points. The first two I can think of are disks and cabling. Disks will likely fall over first, then cabling. Play around with your setup. Stand up one camera, then measure, test, & make estimates. Remember, this is supposed to be the fun part.
I think I got your point.
Adding networks separation can bring benefits but can also be a nightmare if not done correctly.
In my current configuration, on these few VMs, I did so to maximize performance, since packets come and go directly from the VM itself to the devices without being analyzed, filtered, etc. by the router.
But security?
Not the best (since the VMs can be “exposed” to potential risks), and not the worst (since all the IoT stuff and cameras are blocked at the firewall level).
It is just a way to “organize” the GUIs, since they are all on the same VLAN. Full stop.
But, if I understand correctly, if one of these VMs is compromised (e.g. by some IoT device with malicious firmware), because of the 2 NICs, all the VMs on the “safe” network can be compromised, since the attacker has free access to this network. Right?
So this could also be a problem even for TrueNAS… is that so?
Because, while I am writing, I just figured out that I could have the same thing there, since I assigned it multiple NICs:
1 main network (with gateway) - GUI, Proxmox storage, vm backups
2 IoT network (no gateway) - music / video / photos
3 services (no gateway) - nfs/smb for services
4 trusted (no gateway) - smb for pc/mac
5 office/work (no gateway) - smb for company laptop (when I work from home)
Sorry about the confusion. My point is not that network segmentation is complicated, it is that doing that trick I mentioned while running your router in a VM is complicated.
Your current setup is actually pretty good for network performance. You do not have the problems of a router on a stick. Looks like all your heavy throughput traffic will be on NIC 2. If you have dedicated drives for those services, then for I/O you should be in a decent spot. Setting up VLANs would be easy and help with L2 security.
Honestly, I would worry about reliability with your setup long before security or performance.