Proxmox Vlans

How do people segment their VMs, docker containers, LXC, etc. on Proxmox? I have a dedicated NIC -> Linux bridge for most VMs etc. Is it overkill to give each its own VLAN?

At what point am I going to slow down my throughput (currently gigabit networking)?

I have a variety of vlans. Proxmox exists technically in its own. All VMs exist in at least the management vlan. Then if they have active services, those services are offered over a different vlan. If the vm requires storage from the nas, that’s a different vlan. Home assistant is in the IOT vlan.

It’s probably overkill. But it works.

3 Likes

That makes sense. I will probably keep the Proxmox server / management on the same LAN as my workstation until I completely reconfigure (currently running a ZFS share bare metal on the Debian under Proxmox), but it should be easy enough to move all services to their own VLANs. This all started because I thought better of having Nextcloud open to the net on the same LAN as all my more mission critical computers.

Basically trying to start to figure out what I don’t know.

1 Like

My VLAN list is like this:

  • Wired
  • Wireless
  • Guest
  • IOT
  • IPMI (nothing here but logically prepared for it)
  • Hypervisor
  • VM management
  • VM service
  • Surveillance
  • Storage

Realistically everything could be in the same network and work perfectly fine. But I don’t want it like that.

1 Like

If you plan on separating each VM from each other, it’s better to do it on their own local OS firewalls. You don’t need a separate VLAN for that. You can filter layer 2 frames with ebtables and keep them in a single VLAN and single subnet. But I’d say it’s way past overkill.

Personally, I have very few VLANs. I mostly treat them like I do physical hardware. I have trusted, untrusted and wifi. Trusted is the VLAN / subnet that I allow to go to all the others, untrusted is for things that I only allow access to the internet, wifi is allowed only to untrusted and internet. I could add more, but I don’t really have the need for more. Untrusted works more like a pseudo-DMZ; it can go to the internet, but not to other subnets. I could add a restricted one that is basically blocked from everywhere and just sits there, going nowhere. That would be a good subnet for IoT devices, like security cameras and access controllers / door access systems. Those should normally not leave the network. But I don’t have any such devices or VMs for that.

You can put your VMs in a single subnet and just use Proxmox firewall to restrict traffic between them. I separate them because I don’t use that feature. The only reason you’d want them completely separated in their own VLANs is if you have a multi-tenant network, with people having their own subnets that they should manage themselves.

If I were to expand my network, I’d probably do:

  • management = local SSH and web admin pages access
  • trusted = almost unrestricted access, except for management interfaces
  • untrusted = access only to the internet, no access on any other VLANs
  • WiFi = somewhat restricted, access only to certain areas and the internet
  • guest WiFi = access only to the Internet, would work like the current untrusted VLAN, but for WiFi devices from guests
  • storage = VLAN dedicated to NAS and network shares and stuff, preferably on dedicated network hardware if the traffic requires it (not in my case), no access anywhere else
  • sandbox / IoT = similar to storage, but for untrusted devices or services, like cameras and access controllers that may run software that never gets updated, because the vendors don’t support it, so they are likely vulnerable to a lot of attacks and exploits, so they should not leave their own VLAN
  • IoT+internet = personal FBI agent network, access only to the internet

With the exception of out-of-band management, I can’t think of any reason to want more VLANs, unless you want to split those even further, like one dedicated IoT network with internet access for spyware hardware like Echo, Home and your run-of-the-mill automatic vacuum and another for your smart TVs. Or a dedicated restricted VLAN for surveillance and another for access control.

2 Likes
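For reference, this is roughly what the "single subnet, Proxmox firewall" approach from the reply above looks like in the Proxmox firewall files. It is an added example, not something posted in the thread: the subnets, the group name, VMID 101 and the interface names are made up, and the rules only take effect once the datacenter firewall is enabled and the VM's NIC has `firewall=1` set.

```ini
# /etc/pve/firewall/cluster.fw  (datacenter-wide; assumed layout)
[OPTIONS]
enable: 1

[ALIASES]
mgmt_net 10.10.0.0/24     # management VLAN where SSH / web admin comes from

[IPSET vm_subnet]
10.20.0.0/24              # the single shared VM subnet

# Reusable security group: VMs accept admin traffic from management,
# but any VM-to-VM traffic inside the shared subnet is dropped and logged.
# Rules are evaluated top to bottom; the explicit DROP exists mainly so
# lateral-movement attempts show up in the firewall log (pve-firewall).
[group vm-baseline]
IN ACCEPT -source mgmt_net -p icmp                 # ping from admins
IN ACCEPT -source mgmt_net -p tcp -dport 22        # SSH from admins
IN DROP -source +vm_subnet -log info               # no east-west inside the VM subnet

# /etc/pve/firewall/101.fw  (per-VM; one file per VMID)
[OPTIONS]
enable: 1
policy_in: DROP
policy_out: ACCEPT
ipfilter: 1               # VM may only send from the IPs in its ipfilter-net0 set

[IPSET ipfilter-net0]
10.20.0.101               # the address this VM is allowed to use (anti-spoofing)

[RULES]
GROUP vm-baseline
IN ACCEPT -p tcp -dport 443                        # this VM's published service
```

The host tap interfaces are where these rules are applied, so two VMs on the same bridge and subnet still cannot reach each other even without separate VLANs; in the VM's hardware config the NIC line needs `firewall=1`, e.g. `net0: virtio=...,bridge=vmbr0,tag=20,firewall=1`.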