Skip Navigation

Best practice for external facing service

On my network, I have quite a few VLANS.

One for work, one for IoT devices, one for security cameras and home automation, one for Guests, etc.

I typically keep everything inward facing, with the only way to access them via my OpenVPN connection (which only can see specific services on specific VLANs).

Recently, I thought of hosting a little Lemmy instance, since I have a couple domains I'm not doing much with.

I know I can just expose that one system/NGINX proxy and the necessary ports via WAN, but is it best practice to put external facing things on their own VLANs?

I was thinking of just throwing it on my IoT VLAN, but if it were to be compromised, it would have access to other devices on that VLAN because (to my knowledge) you cannot prevent communication between clients within the same VLAN.

14 comments
  • Seperate vlan for any external service. Fail2ban/firewalled ssh keys. All the normal stuff

    Im thinking of fronting it with cloudflare and run it through tunnel eventually

  • Is just exposing it via a Cloudflare Zero Trust tunnel enough for security?

    (Serious question that I don't know the answer to, as this is what I'm currently considering for a project.)

14 comments