Homelab 2.5GB Networking / Firewall Segregation Advice Needed


thellamafarm (New Member, joined Aug 4, 2022) wrote:
Hello,

I am trying to introduce some more network segregation in my network, primarily around IoT devices such as internet-connected IP cameras. Right now I have a Proxmox server which I use to self-host some apps, run TrueNAS, and do some Docker and Kubernetes experimentation, etc.

One of my VMs runs some NVR software for IP camera recording, so I'd like that VM to talk to my IP cams; however, I don't want my IP cams to see the rest of my network, while still having internet access for mobile app access, i.e. one-way communication.

I am at an impasse here: my Asus Merlin firmware doesn't support VLANs, so VLANs + firewall rules are out of the picture.

I have a spare access point/router, also with Asus Merlin, that I could potentially use for an IoT Wi-Fi SSID. I'm OK with that, but I'm not sure how to do the one-way network between the VM and the IP cameras.

I am open to the idea of getting something dedicated for a 2.5Gb firewall/router, like this: https://www.amazon.com/Firewall-Hardware-Security-Appliance-Barebone/dp/B09PHHMJJB/?th=1

However, before doing that I wanted to see if there were any other options.

I have attached a diagram of my current setup. I technically have four 2.5Gb NIC ports on Proxmox. I don't like the idea of Proxmox being the sole router/firewall and NAS and my homelab server; it seems like too much risk if the server powers off and I have no internet at home. However, for a second AP I don't care if only the IoT network dies when the server dies; I can live with that.

Attachments: network diagram (image not included in the page)

newabc (Active Member, joined Jan 20, 2019) wrote:
There is a discussion thread on 4x2.5Gbps mini PCs:

Read from the last page for 4-5 pages or more, and you will know what model you need.

Personally, I would prefer the N5105 as the CPU of a 4x2.5G mini PC at this moment. The J4125 isn't new anymore.

After the wired router is installed, I think the ASUS router can serve as an access point. (Of course, you can choose commercial access points if you have the budget.)

thellamafarm (New Member, joined Aug 4, 2022) wrote:
newabc said:
> There is a discussion thread on 4x2.5Gbps mini PCs:
> Read from the last page for 4-5 pages or more, and you will know what model you need.
> Personally, I would prefer the N5105 as the CPU of a 4x2.5G mini PC at this moment. The J4125 isn't new anymore.
> After the wired router is installed, I think the ASUS router can serve as an access point. (Of course, you can choose commercial access points if you have the budget.)

While I don't mind buying a mini PC, is the solution I want only possible with a mini PC?

newabc (Active Member, joined Jan 20, 2019) wrote:
thellamafarm said:
> While I don't mind buying a mini PC, is the solution I want only possible with a mini PC?

I think a mini PC with 4 or 6 ports like the one in the Amazon link you posted is a popular choice in recent years, since a thin client like a Wyse 5070 or HP t740 needs more work to make it run pfSense or other firewall systems.

thellamafarm (New Member, joined Aug 4, 2022) wrote:
What about an actual router and a managed 2.5G switch? What budget-friendly options do I have there? Could I run OPNsense on an RPi4 and then use a managed switch for all the VLANs?

PigLover (Moderator, joined Jan 26, 2011) wrote:
OPNsense on an RPi (any generation) will be a pretty disappointing experience. One thing that you need in any router is really solid network performance. While there are Arm-based maker boards that have good networking, the RPi isn't one of them.

There are lots of sub-$200 ways to get a decent platform for pfSense/OPNsense, mostly by repurposing older thin clients or mini-PCs. Use care to find one with Intel NICs, as the BSD-based routing software (xxx-sense) historically doesn't play nice with Realtek.

Lastly, your drawing says your Proxmox host (where you run your NVR) has four 2.5GbE NICs. You could always get a dumb switch and put all of your IoT devices on it, but don't connect it to any other LAN device. Then add a second virtual network interface to your NVR VM, bridged to one of the unused NIC ports on your Proxmox host, and connect that port to the dumb switch. You'd probably have to add some services to the NVR VM facing the port on the dumb switch to help the IoT devices work (DHCP, ntpd, etc.). Or, alternatively, you could run OPNsense/pfSense in a VM facing the dumb switch.
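The arrangement described in the post above (spare Proxmox port → dumb IoT switch, NVR VM acting as the IoT gateway with DHCP/DNS/NTP facing that switch), written out as an added example; this is not code from the thread or from any poster. The NVR VM gets a second virtual NIC on a new bridge, NATs the IoT subnet out through its LAN interface so the Asus router needs no changes for internet access, and an nftables ruleset enforces the one-way relationship: the cameras can reach the internet and the NVR's own services, and can answer RTSP pulls the NVR opens, but a new connection from the IoT side into any RFC1918 range is dropped. The interface names (eth0/eth1 in the VM, enp3s0 on the host), the bridge name vmbr1, the 192.168.50.0/24 subnet and the use of dnsmasq are all assumptions for the example.

```shell
#!/bin/sh
# iot-segment.sh - added example, not code from the thread.
# Runs on the NVR VM, which gets two virtual NICs: LAN_IF on the existing
# Proxmox LAN bridge and IOT_IF on a second bridge tied to a spare 2.5GbE
# port that goes only to the dumb IoT switch (and the spare Asus in AP mode).
# Interface names, the IoT subnet and the Proxmox port name are assumptions.
# IPv4 only: no IPv6 is routed to the IoT segment.
LAN_IF=${LAN_IF:-eth0}
IOT_IF=${IOT_IF:-eth1}
IOT_NET=${IOT_NET:-192.168.50.0/24}
IOT_GW=${IOT_GW:-192.168.50.1}          # NVR VM's address on the IoT side
IOT_DHCP=${IOT_DHCP:-192.168.50.100,192.168.50.200,12h}

# Proxmox host side: stanza for /etc/network/interfaces that turns the spare
# port (enp3s0 assumed) into a bridge with no host IP. The VM's second NIC is
# attached to vmbr1; the host itself never has an address on the IoT segment.
proxmox_bridge_stanza() {
  cat <<EOF
auto vmbr1
iface vmbr1 inet manual
        bridge-ports enp3s0
        bridge-stp off
        bridge-fd 0
EOF
}

# nftables ruleset for the NVR VM. Input: LAN side is trusted; IoT side may
# only use DHCP/DNS/NTP/ping and reply to flows the NVR opened (RTSP pulls).
# Forward: LAN -> IoT allowed, IoT -> internet allowed, IoT -> any RFC1918
# address dropped, so a compromised camera cannot see the LAN.
nft_ruleset() {
  cat <<EOF
flush ruleset
table inet iot_fw {
  set rfc1918 {
    type ipv4_addr; flags interval
    elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
  }
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    iifname "$LAN_IF" accept
    iifname "$IOT_IF" udp dport { 67, 53, 123 } accept
    iifname "$IOT_IF" tcp dport 53 accept
    iifname "$IOT_IF" icmp type echo-request accept
    # open the NVR's ONVIF event port here only if cameras must push to it
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "$LAN_IF" oifname "$IOT_IF" accept
    iifname "$IOT_IF" oifname "$LAN_IF" ip daddr @rfc1918 drop
    iifname "$IOT_IF" oifname "$LAN_IF" accept
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    oifname "$LAN_IF" ip saddr $IOT_NET masquerade
  }
}
EOF
}

# dnsmasq on the NVR VM: DHCP, DNS forwarding and the NTP option pointing the
# cameras at the VM (run chrony or ntpd on the VM for the actual time service).
dnsmasq_conf() {
  cat <<EOF
interface=$IOT_IF
bind-interfaces
dhcp-range=$IOT_DHCP
dhcp-option=option:router,$IOT_GW
dhcp-option=option:dns-server,$IOT_GW
dhcp-option=option:ntp-server,$IOT_GW
EOF
}

# Apply on the NVR VM as root. The address on IOT_IF should also be made
# persistent in the VM's own network config; this only sets it live.
apply() {
  sysctl -w net.ipv4.ip_forward=1
  ip link set "$IOT_IF" up
  ip addr replace "${IOT_GW}/${IOT_NET#*/}" dev "$IOT_IF"
  nft_ruleset | nft -f -
  dnsmasq_conf > /etc/dnsmasq.d/iot.conf && systemctl restart dnsmasq
}

case "${1:-}" in
  apply) apply ;;
  show)  proxmox_bridge_stanza; echo; nft_ruleset; echo; dnsmasq_conf ;;
esac
```

Run `sh iot-segment.sh show` to review the three generated pieces and `sudo sh iot-segment.sh apply` on the NVR VM once its second NIC is on vmbr1. Because the IoT subnet is masqueraded behind the VM's LAN address, nothing on the Asus router changes for the cameras to reach the internet; if you also want LAN machines to open a camera's web UI directly, add a static route for the IoT subnet via the NVR VM's LAN address on the Asus router (the forward chain already permits LAN → IoT). The trade-off the thread mentions still applies: if the Proxmox host goes down, the IoT segment loses its gateway.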

thellamafarm (New Member, joined Aug 4, 2022) wrote:
PigLover said:
> OPNsense on an RPi (any generation) will be a pretty disappointing experience. One thing that you need in any router is really solid network performance. While there are Arm-based maker boards that have good networking, the RPi isn't one of them.
> There are lots of sub-$200 ways to get a decent platform for pfSense/OPNsense, mostly by repurposing older thin clients or mini-PCs. Use care to find one with Intel NICs, as the BSD-based routing software (xxx-sense) historically doesn't play nice with Realtek.
> Lastly, your drawing says your Proxmox host (where you run your NVR) has four 2.5GbE NICs. You could always get a dumb switch and put all of your IoT devices on it, but don't connect it to any other LAN device. Then add a second virtual network interface to your NVR VM, bridged to one of the unused NIC ports on your Proxmox host, and connect that port to the dumb switch. You'd probably have to add some services to the NVR VM facing the port on the dumb switch to help the IoT devices work (DHCP, ntpd, etc.). Or, alternatively, you could run OPNsense/pfSense in a VM facing the dumb switch.

Yeah, so all the IP cams/IoT devices are Wi-Fi based. So I could connect a router in AP mode to the NIC on Proxmox, eh? I do need these IP cams and other IoT devices to still be able to get to the internet; I just don't want a compromised IoT device to be able to see my devices on the network. I'm following most of what you are saying, but would you be willing to draw a diagram? That would be super helpful.