
One bit of guidance I've been trying to figure out is this: how does one properly segment one's homelab to be able to firewall potentially dangerous stuff (e.g. IoT gear, hosting publicly-available websites via Cloudflare tunnels or something, all while running on the usual "virtualize all workloads" thing with Docker/Proxmox, etc)?

The best I've come up with so far is segmentation via VLANs, then adding many rules to deal with inter-VLAN reachability (e.g. should it be forced to transit to the firewall and back? Can my laptop reach out to the IoT devices, even if I block connections in the reverse direction?).

Beyond this, I'm not sure how to best handle similar segmentation on my few servers (all running Proxmox), e.g. whether to expose VLANs to the VMs (which I kinda need to do for the pfSense firewall, maybe?).

The biggest thing is how to keep these network configs in sync, e.g. when adding a new VLAN, etc. I basically have an Org file that I write all this down in, but I'm guessing there's a better way.

Also, if anyone wants a cheaper alternative to Ubiquiti, Mikrotik has served me well for years. I'm considering switching to Ubiquiti stuff though, as they seem to have a solution to synchronize state between multiple switches that is much better (vs. manually using Winbox on each individual router).
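The "laptop can reach IoT, IoT cannot reach back" question above is answered by a stateful forward chain: new connections are only accepted in one direction, and the reply packets are matched by connection-tracking state. The following nftables ruleset is an added example, not part of the original comment or any project mentioned in it; the interface names (`eth0.10`, `eth0.20`), VLAN ids and subnets are placeholders for whatever the firewall VM actually has.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the original comment). Assumes a Linux firewall
# with 802.1Q sub-interfaces eth0.10 (trusted LAN, laptops) and eth0.20
# (IoT). Interface names, VLAN ids and subnets are placeholders.

flush ruleset

define lan_if  = "eth0.10"
define iot_if  = "eth0.20"
define lan_net = 192.168.10.0/24
define iot_net = 192.168.20.0/24

table inet homelab {
    chain forward {
        # Anything routed between VLANs that is not explicitly accepted below is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies to already-accepted connections flow back in either direction.
        # This is what lets LAN -> IoT work without opening IoT -> LAN.
        ct state established,related accept
        ct state invalid drop

        # Trusted LAN may open new connections to IoT devices.
        iifname $lan_if oifname $iot_if ip saddr $lan_net ip daddr $iot_net accept

        # IoT devices may not initiate anything toward the LAN. Log a rate-limited
        # sample so unexpected attempts are visible in the journal, then drop.
        iifname $iot_if oifname $lan_if limit rate 5/minute log prefix "iot->lan blocked: "
        iifname $iot_if oifname $lan_if drop
    }
}
```

Load it with `nft -f <file>` and keep the file in version control next to the VLAN definitions; that turns the "keep it in sync" problem into a reviewable diff rather than a note in an Org file. Traffic from IoT devices to the firewall itself (DNS, NTP, DHCP) goes through the `input` hook, not `forward`, so it is unaffected by this chain and is configured separately.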


