Hi there,
I’m running HA on an Intel NUC7i3BNH with Home Assistant OS on it.
Recently I’ve been playing with the security of my network and I would like to be more in control by adding a firewall.
The idea is to swap to Ubuntu Server and run HA in Docker. By adding an additional LAN port I can then run this system as router/firewall in combination with HA, Pi-hole, etc.
Is there anything specific that I need to take care of, other than creating backups and hoping for the best?
Any tips, heads-ups, etc. are all welcome.
I really hope I do not have to redo all my dashboard etc.
I’m using HA in Docker Compose on a dedicated computer that serves me as a server and NAS.
Why use HA in Docker? Well, first of all you can control all of your add-ons, aka Docker containers. In HAOS one add-on, often Frigate, can kill the whole system on CPU usage and you can’t do much about it.
In Docker you can always limit memory and CPU usage per container, so this is not going to happen.
You are not limited to Docker images provided by someone else; you can use images that work for you, with all the bells and whistles you choose, not someone else.
Now, for the OS I use Debian because it is much better than Ubuntu to run as a server OS.
As for backups, I use Duplicati to back up all my containers to another SSD daily.
I also use Syncthing for syncing my computers and mobile with a dedicated SSD on a server, for the data I need, and then back it up with Duplicati on another SSD.
For Docker Compose you have a great integration called ingress that can provide you access from your HA installation to other containers like z2m, Frigate, Glances etc., so you can have the same experience as you would have on HAOS running the supervisor.
For the home network, the weapon of choice is OpenWrt running a batman-adv mesh Wi-Fi system, which is great if you are going to have VLANs. And you should. For the gateway I’m using OPNsense for DHCP, firewall, traffic shaper and other things. This is one of the best, if not the best, combos out there.
And of course you can use AdGuard as your local DNS server so you can have control over every device in your network that is using DNS.
My system relies mostly on Zigbee devices, so I have zigbee2mqtt and Mosquitto containers.
In short, with Docker you have endless possibilities and tweaks.
But there is another side of the story. You will need more time and energy to set everything up. It is a much harder path than just installing HAOS, some add-ons, and there you go.
So you are going to run a ‘router’ on the server + HA + Pi-hole? From a network point of view this is going to complicate things.
Keep in mind that all the add-ons of HA are themselves containers if you are running HAOS. That means that every add-on will need to be run separately next to the HA container. Not an issue, because it is perfectly possible; just know it’ll be a little more challenging than clicking ‘install this add-on’.
Assuming you are not planning on using the NUC, what you could consider is running a router on it and maybe even some basic services or containers (e.g. Pi-hole, zigbee2mqtt, …) and have it manage the VLANs and inspect traffic. The rest of your applications can then run on the server.
If you haven’t gotten a lot of experience with Docker, you can use something like Portainer to manage it.
The main goal is to add a firewall to my network to be able to have more control. At this moment I’m running HA OS on the NUC and Pi-hole on my Raspberry.
I want to keep an eye on my power usage, so just adding more hardware is not my preferred choice.
I do not have a lot of experience with running Docker containers, but we have AI for debugging these days, which helps a lot.
What’s the concern you have for running all those on one server?
If you want to add a firewall then you should use a dedicated device for it. It could be a router or a NUC running OPNsense.
You have to understand one thing. There is no free lunch.
Whatever path you take, it has its ups and downs.
Yes, you can use AI to help you figure out some things, but if you expect AI to build your Docker network from scratch and do everything, then you are wrong.
It will not work like that.
Better stay on HAOS.
You still don’t tell me what the reason is to not run it on the same device.
If I want to learn something new there are always ups and downs.
I’m not expecting AI to solve everything. As mentioned, it helps with debugging.
Just trying to make a good consideration on what path to choose, and normally I do that with proper research and evaluation. So far I do not hear any technically grounded reason why not to try and install the bunch on one system.
I like the puzzle and am not expecting it to run all by itself.
The road to a properly running and useful HA OS was also not without challenges, but it has been fun all the way.
Simply because if you run everything on a single device then that device becomes a point of failure for the whole system.
That is why you should use dedicated devices for dedicated purposes.
One device will be the gateway, another will be the server, something else will be the main router, something else will be the AP, etc.
It will help you tomorrow to pinpoint and resolve problems that might and will occur.
If you put everything on one device you will have a lot of problems solving things.
It is a question of engineering your home network.
I’m not an IT engineer, never went to school for that, and never worked as such, but I understand the necessity of running different things on different devices.
Have you thought about performance? What bandwidth are you going to use this on, and are you planning on IPS/IDS? It seems like a subpar solution to run firewalling and routing on a NUC. Get dedicated network hardware for networking.
Internet is max 250 Mbit/s and I think IDS/IPS might be a bit too much for the hardware indeed.
I’m guessing that starting with a standard firewall will give me plenty of options to play with.
As long as the NIC is fast enough, a NUC should be plenty fast to run a router/firewall. The only thing is there might be specific hardware acceleration on dedicated network equipment for things like SSL encryption and other tasks.
Just to confirm: you are able to do so. My understanding of your requirements is that you want to have in-depth control over everything. Having a firewall/router running on the same device as the rest of your computer means you need to do the networking part of Docker (will all Docker containers be in the same network, or will they each have their own network? Will only the DNS be forwarded to the Pi-hole, and is it reachable for each container?).
I might be over-complicating things: if you simply want to run everything in containers and forward the DNS to Pi-hole, this is perfectly feasible.
The fun part of all this is that as long as you have a backup of your HA instance, you should definitely try it out and see if it works for you.
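A Compose file that does the two things discussed in this thread (the per-container CPU/memory limits from the earlier Docker reply, and the "is Pi-hole reachable as DNS for each container" question raised here), as an added example that is not from any poster; the image tags, the 172.30.0.0/24 subnet, the 172.30.0.53 Pi-hole address and the bind-mount paths are assumptions.

```yaml
# Added example, not from the thread. Assumed: image tags, subnet, Pi-hole
# address and host paths. Run with: docker compose up -d
services:
  pihole:
    image: pihole/pihole:latest
    networks:
      lan:
        ipv4_address: 172.30.0.53   # assumed fixed address the other containers point at
    volumes:
      - ./pihole/etc:/etc/pihole
    cap_add:
      - NET_ADMIN                   # only needed if Pi-hole also serves DHCP; drop otherwise
    deploy:
      resources:
        limits:                     # hard ceiling: a runaway container cannot starve the host
          cpus: "0.50"
          memory: 256M

  homeassistant:
    image: ghcr.io/home-assistant/home-assistant:stable
    networks: [lan]
    dns: [172.30.0.53]              # Docker's embedded resolver forwards to Pi-hole, not the host
    volumes:
      - ./homeassistant/config:/config
    deploy:
      resources:
        limits:
          cpus: "2.00"
          memory: 2G
    # Caveat: HA's docs suggest network_mode: host for device discovery (mDNS/SSDP).
    # Host networking bypasses this network and the dns: setting above entirely.

  mosquitto:
    image: eclipse-mosquitto:2
    networks: [lan]
    dns: [172.30.0.53]
    deploy:
      resources:
        limits:
          cpus: "0.25"
          memory: 128M

networks:
  lan:
    ipam:
      config:
        - subnet: 172.30.0.0/24     # assumed; must not collide with your real LAN or VLANs
```

Check the limits took effect with `docker stats`, and confirm resolution goes through Pi-hole by querying from inside a container and watching the Pi-hole query log.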
Gemini is advising me to run Proxmox with 2 VMs. One for router/firewall and one for Home Assistant.
Would that be an easier way to configure things? I guess that takes a heavier load on the memory?