Assumptions & requirements
The network is the foundation of my home lab configuration. It is where everything begins, and it frames everything that follows. As you may have read in this post, I have my first Proxmox node, and the main assumption is that I can add further nodes quickly and easily if I decide I need them. My network setup obviously has to meet this requirement, so the configuration should be one uniform setup across the whole cluster.
Secondly, I’d like to use the Proxmox cluster (maybe in the future) for two separate things. It’s not precisely defined yet, but I’m considering providing some services for my private daily use, such as Nextcloud. I also see the need for an area for developing and testing my projects. I’m afraid the “project” part can be a weak point of security: everybody who develops something knows that such a staging area should be separated from sensitive data, and that data will live in the private part. So I have to create separate subnets, be able to create them quickly, and easily connect and switch VMs between them.
The last requirement is free but authorized access from outside the local network, i.e. some kind of VPN.
Sum-up requirements:
- one uniform configuration across the whole cluster
- separate subnets
- the ability to create subnets quickly and easily connect and switch VMs between them
- authorized access from outside the local network
Blueprint
After research, I chose the simplest and fastest solution. I consulted the DevOps engineers in our company, and they suggested creating a VM that acts as a virtual router: one VM which is capable of
- routing traffic to the appropriate subnet
- NAT and firewall settings that provide separation between the subnets
- serving a VPN (WireGuard) for secure remote access.
There are many solutions you can use. The most popular are OPNsense, pfSense (which I tried but failed with) and many others. I personally chose VyOS after recommendations, and paradoxically its console interface turned out to be easier for me.
Finally, I ended up with something like this.
📥 homelab-network-2024-01-13.drawio
What do we have on this diagram?
The central point of this configuration is the VyOS virtual machine. It works like a normal router, so I set up two separate subnets, Home and Lab, with access to them via WireGuard.
WireGuard creates another virtual network, so you need to set up NAT between the WireGuard network and the subnet you want to reach over the WireGuard connection. You can see this as the gray arrows between wg1 and vmbr1 in the diagram.
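To make the router part of the diagram concrete, here is an added example configuration (not the configuration from this post) for the VyOS VM: two subnets on separate bridges, a WireGuard interface, the NAT between the WireGuard network and Home, and firewall rules that keep Lab away from Home. It uses VyOS 1.3-style `set` syntax and assumes the VM's NICs are attached as eth0 = vmbr0 (uplink to the home router), eth1 = vmbr1 (Home) and eth2 = vmbr2 (Lab); all addresses, the peer name and the key placeholder are constructed.

```vyos
# Added example (not the post's own configuration): VyOS 1.3-style commands
# for a virtual router with two isolated subnets and WireGuard access.
# Assumed NIC mapping in the VM hardware config: eth0=vmbr0 (uplink),
# eth1=vmbr1 (Home), eth2=vmbr2 (Lab). All addresses are constructed.

# Uplink to the existing home router
set interfaces ethernet eth0 description 'WAN (vmbr0)'
set interfaces ethernet eth0 address 'dhcp'

# Home subnet
set interfaces ethernet eth1 description 'Home (vmbr1)'
set interfaces ethernet eth1 address '10.10.1.1/24'

# Lab subnet
set interfaces ethernet eth2 description 'Lab (vmbr2)'
set interfaces ethernet eth2 address '10.10.2.1/24'

# WireGuard: 'wg1' is a key pair generated beforehand with
# "generate wireguard named-keypairs wg1"; the peer key is a placeholder.
set interfaces wireguard wg1 description 'WireGuard clients'
set interfaces wireguard wg1 address '10.10.100.1/24'
set interfaces wireguard wg1 port '51820'
set interfaces wireguard wg1 private-key 'wg1'
set interfaces wireguard wg1 peer laptop public-key '<LAPTOP_PUBLIC_KEY>'
set interfaces wireguard wg1 peer laptop allowed-ips '10.10.100.2/32'

# NAT: hide the WireGuard network behind the router's Home address
# (the gray arrows between wg1 and vmbr1), and both subnets behind the uplink.
set nat source rule 100 description 'wg1 -> Home'
set nat source rule 100 source address '10.10.100.0/24'
set nat source rule 100 outbound-interface 'eth1'
set nat source rule 100 translation address 'masquerade'
set nat source rule 200 description 'Home + Lab -> WAN'
set nat source rule 200 source address '10.10.0.0/16'
set nat source rule 200 outbound-interface 'eth0'
set nat source rule 200 translation address 'masquerade'

# Separation: traffic entering from Lab may go to the internet,
# but never to the Home subnet or to WireGuard clients.
set firewall name LAB-IN default-action 'accept'
set firewall name LAB-IN rule 10 description 'Lab must not reach Home'
set firewall name LAB-IN rule 10 action 'drop'
set firewall name LAB-IN rule 10 destination address '10.10.1.0/24'
set firewall name LAB-IN rule 20 description 'Lab must not reach WireGuard clients'
set firewall name LAB-IN rule 20 action 'drop'
set firewall name LAB-IN rule 20 destination address '10.10.100.0/24'
set interfaces ethernet eth2 firewall in name 'LAB-IN'

# Only WireGuard (plus replies to established sessions) is accepted
# from the uplink towards the router itself.
set firewall name WAN-LOCAL default-action 'drop'
set firewall name WAN-LOCAL rule 10 action 'accept'
set firewall name WAN-LOCAL rule 10 state established 'enable'
set firewall name WAN-LOCAL rule 10 state related 'enable'
set firewall name WAN-LOCAL rule 20 description 'WireGuard'
set firewall name WAN-LOCAL rule 20 action 'accept'
set firewall name WAN-LOCAL rule 20 protocol 'udp'
set firewall name WAN-LOCAL rule 20 destination port '51820'
set interfaces ethernet eth0 firewall local name 'WAN-LOCAL'

commit
save
```

Two things worth checking after `commit`: `show firewall name LAB-IN` should show the drop counters rising when you ping a Home address from a Lab VM, and `show interfaces wireguard wg1` should list the peer with a recent handshake once the client connects. VyOS 1.4 moved the firewall tree to `set firewall ipv4 forward filter ...` and takes the WireGuard private key as a literal string, so the same design needs those two parts translated there.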
A vmbr is a Linux bridge defined in the Proxmox network configuration. You can think of it as a virtual socket. All of the virtual sockets (vmbr) are plugged into the virtual router VM, and every other VM is plugged into the vmbr of whichever network it should belong to.
The conclusion is that, once the virtual router is configured correctly, you manage network separation at the virtual socket (vmbr) layer: the bridge decides which segment a VM lands in, and the router's firewall rules decide what that segment may reach. It’s easy and fast; it is enough to choose the correct network device in the VM’s hardware configuration.