HA running on Proxmox - how to configure (vlan advice)

Hi all,

I’ve been running HA on a Pi for a number of years, which has been brilliant but recently I got an Intel NUC. Now I’m running HA in Proxmox VE.
All was working fine, moved house, changed my setup.

Due to trying to improve security, I split my home network to the usual Primary and IoT. I had lots of trouble getting HA to communicate and also tried to run HA on the IoT network, whilst keeping Proxmox on the Primary.
Didn’t work out correctly. The next thing I did was to get a managed switch and use VLANs in Proxmox. Again, it didn’t work out and I had to reinstall Proxmox and start over.

Due to this, I went back to basics. I found an issue was within my firewall settings of my new router. Having changed that and reapplied the rules, the IoT network and HA can communicate.

This appears to be fine, but what advice do people have regarding VLANs? Should they be set up in Proxmox with a managed switch to redirect the traffic, or are firewall rules enough? Just curious about people's setups.

Thanks in advance

A decent router and its firewall is the correct way. They are made for this purpose.

Don’t use them at home.

Sooo much room for frustration due to some fantasized, unproven, security holes.
If you are actually concerned with security, never buy any IoT requiring internet access.

Somewhat true.
If you are trying to prevent a security hole, then a single VLAN is just as good.
The blocking will then be done in the firewall and it does not matter if there are one or multiple VLANs.
Multiple VLANs will just add extra resource requirements on the router/switches/firewalls.

Fair enough. A friend of mine had his bank broken into and only uses a single laptop for online banking. Now I know there could be a million ways in which this happened, but it just occurred to me to increase security where I can. There is no getting away from IoT, aside from the fact that I enjoy using the stuff, but if firewalls are good enough, then that is that really. I’m not averse to the subject, so I just wanted a nod or "do X".

Okay, thank you for the input. I’m glad that Proxmox and VLANs are not necessarily required, as they gave me a headache prior.

The firewall will handle it, but you need to configure it to have default deny from the inside out. This is normally accept.
This is done by having your allowed connections first in the list, if you have such ones, and then at the end adding a deny with just the MAC address as source.
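The ordering described in this post (allow rules for the device first, then a catch-all deny keyed on its MAC, on top of a chain whose default is accept) is what a first-match firewall needs to get right. The following is an added example, not code from the original thread or from any router product: a small first-match evaluator with a constructed IoT MAC address, constructed TEST-NET addresses, and a helper that renders the same rule list as an nftables forward chain (it assumes a Linux/nftables-based router; adapt the syntax for whatever firewall you actually run). Swapping the rule order shows why the deny must come last.

```python
"""First-match firewall ordering for an IoT device (constructed illustration)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_ip: str
    dst_port: int
    proto: str  # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str                    # "accept" or "deny"
    src_mac: Optional[str] = None  # None matches any source MAC
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        # A field left as None is a wildcard; every set field must match.
        return all(
            want is None or want == got
            for want, got in (
                (self.src_mac, pkt.src_mac),
                (self.dst_ip, pkt.dst_ip),
                (self.dst_port, pkt.dst_port),
                (self.proto, pkt.proto),
            )
        )


def evaluate(rules, pkt: Packet, default: str = "accept") -> str:
    """First matching rule wins; the chain policy (normally accept) applies otherwise."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


IOT_MAC = "aa:bb:cc:dd:ee:01"  # constructed placeholder MAC of the IoT device
HA_IP = "192.0.2.10"           # constructed placeholder address of the HA host

# Allowed connections first, then a deny with just the device's MAC as source.
GOOD_ORDER = [
    Rule("accept", src_mac=IOT_MAC, dst_ip=HA_IP, dst_port=1883, proto="tcp"),  # MQTT to HA
    Rule("accept", src_mac=IOT_MAC, dst_port=123, proto="udp"),                  # NTP anywhere
    Rule("deny", src_mac=IOT_MAC),                                               # everything else
]
# Same rules with the deny placed first: the allow rules are never reached.
BAD_ORDER = [GOOD_ORDER[2], GOOD_ORDER[0], GOOD_ORDER[1]]


def verdicts(rules) -> dict:
    """Run a few constructed packets through the rule list and report the verdicts."""
    samples = {
        "mqtt_to_ha": Packet(IOT_MAC, HA_IP, 1883, "tcp"),
        "ntp": Packet(IOT_MAC, "198.51.100.5", 123, "udp"),
        "https_to_cloud": Packet(IOT_MAC, "203.0.113.7", 443, "tcp"),
        "laptop_https": Packet("aa:bb:cc:dd:ee:02", "203.0.113.7", 443, "tcp"),
    }
    return {name: evaluate(rules, pkt) for name, pkt in samples.items()}


def nft_snippet(rules, chain: str = "iot_out") -> str:
    """Render the rule list as an nftables forward chain with policy accept (assumed router type)."""
    lines = [
        "table inet filter {",
        f"  chain {chain} {{",
        "    type filter hook forward priority 0; policy accept;",
    ]
    for r in rules:
        parts = []
        if r.src_mac:
            parts.append(f"ether saddr {r.src_mac}")
        if r.dst_ip:
            parts.append(f"ip daddr {r.dst_ip}")
        if r.dst_port and r.proto:
            parts.append(f"{r.proto} dport {r.dst_port}")
        parts.append("accept" if r.action == "accept" else "drop")
        lines.append("    " + " ".join(parts))
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print("correct order:", verdicts(GOOD_ORDER))
    print("deny first:   ", verdicts(BAD_ORDER))
    print(nft_snippet(GOOD_ORDER))
```

With the correct order the device reaches the HA MQTT port and NTP but nothing else, while the laptop (a different MAC) falls through to the accept policy; with the deny first, even the MQTT connection to HA is dropped, which is the "HA can't communicate" symptom from the opening post.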

Unfortunate, but be sure that using VLANs wouldn’t have prevented this :wink:

The FUD about VLANs is about IoT devices sniffing your network and then sending the result to hackers somewhere. Far-fetched to say the least, not even considering that most network communication is SSL/TLS encrypted nowadays.

A less frightening FUD is about IoT just sniffing for public data on your LAN and then sending those for profiling. Still unproven FUD, though, afaik :wink:

Be sure that 99% of the hacks nowadays are social ones, not technical ones.

1 Like

haha brilliant. VLANs rule all!

I know that wouldn’t have prevented that; it was just a catalyst which started me thinking I should improve my network. Nothing crazy, but I can make small changes; it may help keep the villains away ha

Koying is right.
Use different passwords on different sites.
Use two/multiple factor authentication when possible.
Avoid using Google/Facebook as login services to other sites.
Be careful with emails and especially protect your email account with two/multiple factor authentication, because most forgotten-password services will send an email to reset it.
If you can, use a free spam mail account for newsletters and other unimportant stuff where you do not need to reply. You can then ditch it when it gets too bogged down with spam and just make a new one and reassign it for the wanted/needed newsletters.

2 Likes

Great advice, thank you.

And thank you to @koying