For the past few years I’ve been building and maintaining a website/blog at www.pragmaticcoding.ca. It’s mostly about programming, and more specifically it’s ended up having a lot of content about JavaFX with Kotlin.

Lately, I’ve been spending all of my time building out my own homelab and self-hosting the services that I need. I’ve got a little stack of M910Q’s running in a Proxmox cluster with an HP T740 running OPNSense.

Since I’ve been spending all - and I do mean all - of my time futzing about with this self-hosted stuff, I thought I’d try to add some content to my website to help people doing the same thing. My idea was to make it more “bloggish”, talking about the tricky things I’ve had to master along the way as I implement various services.

But I feel like there also needs to be some foundational content. Articles that explain concepts that a lot of people, especially people without professional networking experience, find difficult to grasp. So I’ve started working on those.

While I think of myself as mostly a programmer, my career (now, thankfully, over) had me as an “IT Guy” more often than not. I spent 24 years at the same mid-sized company with a tiny IT department and simply had to get involved with infrastructure stuff because there was nobody else to do it. It was very hands-on at first, but as we grew I was able to limit my involvement to planning and technical strategy.

Since the mid 90’s, we went from self-hosted physical servers, to colocated servers, to colocated virtual servers to cloud servers and services. So I feel like I have the insight to provide help.

Anyways, this is the first article in this new section. I’ve seen a lot of people posting questions about how VLANs work and I know that it’s mystifying to many. So I wanted to push it out before I have the supporting framework put together on the website, and it’s just sitting there as the first post that’s not about programming.

My goal is to provide practical, pragmatic advice. I’m not particularly worried if some particular facet of an article isn’t 100% totally correct on some obscure technical level…as long as the article gives solid practical advice that readers can act on.

Anyways, take a look and let me know if you think this kind of article might be of use to yourself or other people getting started on self-hosting.

  • neidu3@sh.itjust.works
    15 hours ago

    Some VLAN-related nuggets that you may find useful for your post/blog:

    • 99% of the time when people refer to VLAN, they’re talking about 802.1Q (VLAN tagging). There are others, so it’s up to you whether you want to cover those as well.
    • The word “Trunk” can mean different things, depending on vendor. In the Cisco world, it means a line/port carrying multiple VLANs. With many other vendors, such as Aruba/HPE, it refers to link aggregation, which isn’t necessarily relevant to VLANs.
    • A lot of hardware still uses VLANs even if none have been configured. For example, defaulting all switch ports to have an Access tag of 1 makes it behave like a dumb switch. This can cause issues later if you’re configuring VLANs elsewhere.
    • Anything connected to a VLAN-enabled switch will have to be connected to a port with a default VLAN tag. This is usually referred to as an “Access port” or an “Untagged port”.
    • “How do I configure the switch to allow units on VLAN 123 to talk to VLAN 321?”. You don’t. Connect both VLANs to a router which will route between them. Either connect the router to both VLANs individually and skip the tagging on the router, or you can run a single trunk between the switch and the router which carries both VLANs. The latter requires you to configure VLANs on your router accordingly.
    • It might make sense in many cases to have the VLAN tag the same as the last octet in the IPv4 subnet. Makes it easier to keep track of.
    • A PC can implement VLANs on its network port, allowing you to connect to a trunk port and access several VLANs with one cable.

    Source: VLANs have been an integral part of my career for 20ish years.
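
Added example (not part of the post or the comment above): a small Python model of the 802.1Q behaviour the comment describes, with access ports that carry untagged frames, a Cisco-style trunk that carries tagged ones, and no path between VLAN 123 and VLAN 321 inside the switch. The `Switch` class, port names and sample frame are constructed for illustration; as simplifying assumptions it floods instead of learning MAC addresses, has no native VLAN on the trunk, and drops tagged frames arriving on access ports.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag after the destination and source MACs."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | vid  # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def split_tag(frame: bytes):
    """Return (vid or None, frame with any 802.1Q tag removed)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]

class Switch:  # hypothetical model, not a vendor API
    def __init__(self, access, trunks):
        self.access = access  # port name -> untagged (access) VLAN
        self.trunks = trunks  # port name -> set of VLANs carried tagged

    def forward(self, in_port, frame):
        """Flood one frame; return {out_port: bytes as seen on that wire}."""
        vid, inner = split_tag(frame)
        if in_port in self.access:
            if vid is not None:
                return {}  # tagged frame on an access port: dropped
            vid = self.access[in_port]  # classify by the port's VLAN
        elif vid is None or vid not in self.trunks.get(in_port, ()):
            return {}  # untagged or disallowed VLAN on a trunk: dropped
        out = {p: inner for p, v in self.access.items()
               if v == vid and p != in_port}  # access egress: untagged
        out.update({p: add_tag(inner, vid) for p, allowed in self.trunks.items()
                    if vid in allowed and p != in_port})  # trunk egress: tagged
        return out

# Constructed sample: a broadcast frame with EtherType 0x0806 and a dummy payload
FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0806") + b"\x00" * 28
SW = Switch(access={"p1": 123, "p2": 123, "p3": 321},
            trunks={"uplink": {123, 321}})
```

A broadcast entering `p1` reaches `p2` untagged and `uplink` tagged with VLAN 123, but never `p3`; getting it to VLAN 321 takes a router attached to both VLANs or to the trunk, as the comment says.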