Networking Diagram Design Help

Hello all,
I’ve been diving into the realm of homelabs and I have been severely lacking in my networking design skills. I have a “draft” of a design that I am trying to create, but as you can see there are a few pieces missing that I could use some assistance with. Just a few dots need to be connected.

Draft 1:

The parts I’m having issues with are getting the Proxmox VMs on the same subnets/VLANs as the different subnets/VLANs listed out (personal, security, entertainment, etc.).

So Proxmox will be running the following VMs/CTs:

  • pfSense or OPNsense → (This might move to a physical machine if needed)
  • Pi-hole CT → (This might move to a physical machine if needed as well)
  • Bot-CT
  • Nextcloud
  • Homeassistant

I’m looking to have pfSense & Pi-hole be the firewall/DNS for the downstream networks. I am not sure if that requires them to be ahead of the switch or if they can be behind the switch. (I’m not sure which way would work best. I am still learning.)

Then I wanted to try and group the following:

(I’m not sure if I should create separate VLANs or separate subnets, so as a placeholder I’m using VLAN/subnet. I understand they are different and it could require some other configuration changes, but this is a draft plan for now.)

  • Home Assistant with the security cameras in the Security (subnet/VLAN)
  • Nextcloud, bots, with Desktop 1/2 and the wireless network containing the phones, laptops and tablet. This would be the Personal (subnet/VLAN). (I think I would need another AP/wireless router to tie this together with the wired connections.)
  • Proxmox web console would also be in a separate VLAN/subnet to keep access limited.
  • Game consoles and smart TVs would be in the Entertainment VLAN/subnet.

If more hardware is required, I can make the additional purchases to achieve my goal. I am really just looking to create isolated groups for better overall security and groupings.

Would it be better to have the firewall on a separate machine, as well as Pi-hole? Then put the Proxmox machine downstream from the switch to then manage the different VLANs/subnets?

Draft 2:

Ideally you’d have 1 subnet per VLAN and you’d only have 1 VLAN for a subnet.
Ideally all hosts would only ever “sit” on a single VLAN.

pfSense in Proxmox is your router - it’ll need access to all your VLANs.

How are you setting up that network? For example:

  1. are you passing the entire NIC through via PCIe?
  2. are you leaving the NIC on the Proxmox host and using virtio in Proxmox?
  3. are you partitioning the NIC into several using SR-IOV and passing those devices to VMs?

I would most likely be doing PCIe passthrough for the NIC. However, I realize this might come with its own set of challenges.

I think you should not try to get the physical design and the logical design into the same diagram; it will cause you a lot of headaches in terms of how to draw it and mental confusion in how to implement it.

Think how many logical networks you need, at a glance from your diagram:

  • WAN: ISP router traffic
  • LAN-TRUSTED: local clients, local services
  • DMZ-SERVICES: DNS, Nextcloud, other services that you want all logical networks to be able to use without having to forward ports in your LAN
  • SECURITY: cameras
  • IOT?: other IoT stuff you do not trust with access to the local network / you don’t want to phone home
  • ENTERTAINMENT: consoles and such
  • GUEST: self-explanatory

This will give you an idea of how many logical networks you will need. If you are going to serve all of them with a single switch layer, that will translate one to one to VLANs; if not, you need to decide which logical network will be a VLAN on the shared switching layer and which ones will require dedicated switches, keeping in mind that if you split some wireless logical networks over multiple switches you will need to use multiple APs.

Next, the wired physical devices will need to be hooked to access ports on the switch: they will need to be assigned a VLAN (logical network) at the switch level, while wirelessly connected ones will achieve that by connecting to different SSIDs on your wireless infrastructure. I am assuming you plan to use Wi-Fi APs that support VLANs, like Ubiquiti, TP-Link and such …
The hypervisors will need to be connected to the switch using trunk ports, and you will need to create multiple interfaces over the VLANs you need the VMs to be running on, unless you pass through physical network cards; but unless you are using a server platform you will run out of PCI slots/lanes very quickly. Please do not even contemplate using USB LAN adapters for any of this.

Once you have built the logical topology, the physical topology, and the assignment of ports between the two layers, and if you still want to draw it, you’ll probably want two diagrams: physical, which tells you which device is wired where, and logical, which tells you which network(s) each device is capable of connecting to.

My suggestion is to start small, and break into multiple logical networks only when really needed; do not overdo it, or you’ll find yourself struggling to map the connections between VLANs. Also, keep in mind that once you separate devices using VLANs they will not be able to communicate unless a router allows them to. This is good for security, but can quickly become a pain for shared services like Pi-hole/Nextcloud unless you plan in advance and have a very clear understanding of routing/firewall policies and what opening ports on a firewall entails …

Have fun :slight_smile:
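As an added example (not part of this thread, and not anyone’s actual configuration), here is what the layout recommended in the two replies above looks like on a Proxmox host: one subnet per VLAN, each VM sitting on exactly one VLAN, the hypervisor cabled to a switch trunk port, and the pfSense VM the only guest that sees every VLAN. The NIC name, VLAN IDs, subnets and MAC addresses are assumptions chosen for illustration.

```conf
# /etc/network/interfaces on the Proxmox host (ifupdown2 syntax).
# Added example; assumed names and numbering:
#   enp1s0  = host NIC cabled to a switch TRUNK port tagged 10,20,30,99
#   VLAN 10 = PERSONAL       192.168.10.0/24  (desktops, phones, Nextcloud)
#   VLAN 20 = SECURITY       192.168.20.0/24  (cameras, Home Assistant)
#   VLAN 30 = ENTERTAINMENT  192.168.30.0/24  (consoles, smart TVs)
#   VLAN 99 = MGMT           192.168.99.0/24  (Proxmox web console only)
# Switch side (not shown): desktops untagged in 10, cameras untagged in 20,
# consoles untagged in 30; the AP port is a trunk so each SSID maps to a VLAN.

auto lo
iface lo inet loopback

auto enp1s0
iface enp1s0 inet manual

# One VLAN-aware bridge replaces "one bridge per VLAN": the VM's own
# config decides which tag its virtual NIC gets (see bottom of file).
auto vmbr0
iface vmbr0 inet manual
    bridge-ports enp1s0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 10 20 30 99

# The host's management address exists only on the MGMT VLAN, so the
# web console is unreachable from PERSONAL/SECURITY/ENTERTAINMENT
# unless pfSense explicitly routes and permits it.
auto vmbr0.99
iface vmbr0.99 inet static
    address 192.168.99.2/24
    gateway 192.168.99.1

# --- per-VM network devices, as they appear in /etc/pve/qemu-server/<vmid>.conf ---
# (assumed MACs; Proxmox generates real ones when the NIC is added)
#
# Nextcloud VM: behaves like an access port, VLAN 10 only
#   net0: virtio=BC:24:11:00:00:10,bridge=vmbr0,tag=10
#
# Home Assistant VM: VLAN 20 only
#   net0: virtio=BC:24:11:00:00:20,bridge=vmbr0,tag=20
#
# pfSense VM is the router, so it receives a tagged trunk limited to the
# four VLANs and builds VLAN interfaces inside pfSense (vtnet1.10, .20, ...).
# Its WAN side is a separate bridge on the ISP-facing NIC, not shown here.
#   net1: virtio=BC:24:11:00:00:FF,bridge=vmbr0,trunks=10;20;30;99
```

With this layout the VLANs are isolated by default, exactly as the reply warns: a camera on VLAN 20 cannot reach Pi-hole or Nextcloud on VLAN 10 until a pfSense rule on the SECURITY interface allows it, so shared services need deliberate, narrow rules (for example, SECURITY to the DNS host on UDP/TCP 53 only) rather than a blanket allow between networks.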


Thank you for the tips! I will get back to the drawing board, this definitely helps and will put me in the right direction! I appreciate it! :smiley: