Looking for advice to implement proper network segmenting

[vernand]

I have the following setup where I run both private services (ie paperless and vaultwarden) and an exposed webserver on my homelab. These services are separated by putting them on their own VLAN (private 10, exposed 30). To manage the web-exposed servers I have a few firewall rules on the firewall that allow SSH traffic etc from the private VLAN. To create backups I’m connecting Apple’s Time machine from the workstations to the TrueNAS server. So far this works all well.

However, I also would like to backup my exposed servers (on VLAN30) to my TrueNAS server, while keeping things separated. Some solutions that came to mind

• Instead of running TrueNAS bare metal, virtualize two instances which are exposed to VLAN10 (private) and VLAN30 (respectively). The downside is that virtualizing TrueNAS is not recommend and I don’t think there are currently two host controllers to do the drive pass-through.
• Continue with the baremetal approach, create two bridges in TrueNAS and just bind the ‘s3’ service to VLAN30 and the ‘SMB’ service to VLAN10. However, this would prevent me in the future from using SMB on VLAN30 for example.
• Continue with the baremetal approach, create a firewall rule to allow s3 traffic from VLAN30 to VLAN10.

Any thoughts, or am I missing some obvious other solutions?

 

[Morris]

Why not punch IP and Port specific holes in your firewall to allow connections?

 

[Elliot Dierksen]

What kind of storage is being used for the exposed servers and what hypervisor are you using? Are you talking about backing up the VM itself or some kind of application level backup from the exposed servers to TrueNAS?

 

[vernand]

Why not punch IP and Port specific holes in your firewall to allow connections?

Indeed, this is what I meant with 'Continue with the baremetal approach, create a firewall rule to allow s3 traffic from VLAN30 to VLAN10.'. But it would mean that the traffic would have to be routed through the firewall instead of the switch (but I don't see why this would be a big problem though?).

What kind of storage is being used for the exposed servers and what hypervisor are you using? Are you talking about backing up the VM itself or some kind of application level backup from the exposed servers to TrueNAS?

The latter, I would like to backup the Postgres database on the webserver in VLAN30 to an S3 bucket on TrueNAS (using the MinIO service) in VLAN10.

 

[Elliot Dierksen]

The latter, I would like to backup the Postgres database on the webserver in VLAN30 to an S3 bucket on TrueNAS (using the MinIO service) in VLAN10.

FreeNAS/TrueNAS is only going to see the data for the virtual disks regardless of whether you access them via NFS or iSCSI. That means that it would have to be some kind of backup happening within the VM. That would just require outbound internet access to whatever backup target you wish to use. Any replication task from within TrueNAS is only going to be able to back up the virtual disks unless I am really missing something.