Advice needed - VLANs, subnets.

Started by day88, October 12, 2024, 12:44:28 PM

I'm fairly new to all this and need some advice.

Basically I have a server with couple of docker containers that are accessible from the outside world via a cloudflare tunnel. I have no open WAN ports.
Is it advisable to have the containers on a different VLAN? That, I guess, would minimise the chance of intrusions accessing my main LAN. I could do the same for IoT devices, putting them on a different VLAN.

But if I do that, I would need an OPNsense rule to allow traffic between my main LAN and the VLANS so I can access them locally just as I do now.
So what I'm not sure on is: doesn't creating that rule make it a free-for-all between the LAN / VLANs, defeating the object of isolation in the first place?
I'm clearly not understanding something, so I'm after some advice on the best approach.
If I've got the wrong end of the stick then please correct me.


Yes, I've had cloudflared services on a DMZ for the same reason.

You need to work out the requirements; do any docker apps require access to anything else? What ports do you need to expose?

To reduce the latter, have a look at a reverse proxy like Caddy, NPM, Traefik, etc., which would simplify your firewall rules. You would only need 80/443 to the proxy IP and you can then offer the appropriate service by host header using DNS CNAME records.

Bart...

Quote from: day88 on October 12, 2024, 12:44:28 PM
Is it advisable to have the containers on a different VLAN? ...
But if I do that, I would need an OPNsense rule to allow traffic between my main LAN and the VLANS so I can access them locally ...
doesn't creating that rule make it a free for all between the LAN / VLANS, defeating the object of isolation in the first place ?

Hello. I'm also new to OPNsense but have managed other firewalls, so am happy to address the gist of your questions. In short:

1. Yes, it's advisable (essential?) to put public (a.k.a. DMZ) services on a different VLAN than your main internal VLAN.
2. Correct, once you have them on different VLANs connected to the router, you will need to create rule(s) to pass the necessary traffic.
3. No, this is not at all the same as having the Docker containers on the same VLAN as your internal management hosts. 

I think the part you may be missing is the rules on a firewall can be used to create "pinholes" that allow only a very narrow subset of traffic categories to travel between hosts. Moreover, unless your docker containers are initiating some kind of callback onto the internal management hosts, you would want to prevent all network connections initiating on the docker containers from reaching your internal VLAN. This to me would be the main security benefit as my primary concern would be a breach on the public facing docker containers providing a vector to allow a rogue actor onto your internal network.

Without the separate VLANs, a breach on a public facing docker container may allow the rogue to probe every service on every host on your internal network. That's a very bad situation.

Hope this helps!


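To make the "pinhole" idea from the reply above concrete, and to show how Bart's reverse-proxy suggestion shrinks the rules, here is the same policy written in pf syntax (the packet filter OPNsense builds its rules on). This is an added example, not from the thread; the interface names, subnets and the Docker host address are assumed, and the rules assume the reverse proxy and cloudflared both run on that one host.

```pf
# Assumed names and addresses (constructed for this example)
lan_if  = "igc1"           # untagged main LAN
dmz_if  = "igc1.20"        # VLAN 20 carrying the Docker host
lan_net = "192.168.1.0/24"
dmz_net = "192.168.20.0/24"
docker  = "192.168.20.10"  # Docker host: cloudflared + reverse proxy

# Default deny on every interface; anything not pinholed below is logged and dropped
block log all

# --- DMZ side (VLAN 20): containers may never initiate toward the LAN ---
# Replies to LAN-initiated connections still flow back: they match the state
# created by the LAN pass rules, so this block only hits new connections.
block log quick on $dmz_if from $dmz_net to $lan_net
# cloudflared dials OUT to Cloudflare; that is all the containers need
pass  quick on $dmz_if inet proto { tcp udp } from $dmz_net to any keep state

# --- LAN side: narrow pinholes into the DMZ, not a free-for-all ---
# Published services are reached through the proxy on 80/443 only ...
pass  quick on $lan_if proto tcp from $lan_net to $docker port { 80 443 } keep state
# ... plus SSH to the Docker host for management
pass  quick on $lan_if proto tcp from $lan_net to $docker port 22 keep state
# Everything else from the LAN may go to the internet, but nowhere else in the DMZ
block log quick on $lan_if from $lan_net to $dmz_net
pass  quick on $lan_if inet from $lan_net to any keep state
```

Because every `pass` keeps state, a browser on the LAN opening the proxy gets its replies without any DMZ-to-LAN rule, while a compromised container trying to reach a LAN host hits the first `block` and is logged.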