

Could you elaborate why the question of trust invalidates using just subnets?
Thanks, but to make that work I would need a managed switch running a proprietary OS that I cannot trust. If there was a switch running a FOSS OS then I would use that.
Thanks, yes I realised that OpenWRT devices can do this
I use testing, prod and stale. Stale is simply one version behind prod in case I see something in prod I need to roll back
I’d either have to do it in the router (which would need a lot of PCIe network cards which can get expensive + difficult to accommodate enough physical PCIe lanes on consumer hardware) or run it on a switch running a proprietary OS that I can’t control and don’t know what it’s doing underneath.
Ah, sucks
I see. But does the installation cover hardening steps like hardened_malloc, permission hardener, kernel self-protection etc?
I had looked into openstack a while back but left it thinking it was too complex. I was looking at Apache’s Cloudstack then.
I see now that a contributor has got Debian in the official list of supported distributions. Which means my distro-morphing idea should work in theory with OpenStack. This is a great idea, thanks. I will look at OpenStack more seriously now. Does look like it will need some effort though
No, I do not trust my computers that much. Quite unfortunate, really, that I’ll have to build a whitebox switch to get what I want.
I never considered tailscale for my LAN, but it’s certainly an intriguing idea. I suppose running Headscale as a VM on my router isn’t that difficult. Thank you, I will think about it a bit more
Thanks
asking for people to solve a solved problem
Solved using devices that run proprietary software (which is, I imagine, frowned upon in such communities) which we don’t control at all. Heck, even Mikrotik who has a good rapport with this community uses a proprietary Linux distro with a severely outdated kernel for their devices. For something as critical as internal networking, I’m surprised I do not see more dialogue on improving the situation.
Let me try and explain the problem. I want to build a setup where I have multiple clustered routers (I’m sure you’ve heard of the clustering features in PFSENSE/OPNSENSE/DIY approach using Keepalived). But if I want to use VLANs without using a switch running god-knows-what under the hood, I’m going to need a LOT OF ports. Unfortunately, 6+ port PCIe cards are quite expensive and sometimes have many other problems.
This is why I’m trying to find a simpler solution. The solution that you mention doesn’t seem to be a solution at all, but just the community giving up on trying to find one and accepting what is given. I was hoping for a better outcome.
I’m using Cisco terminology so it likely means VLAN trunking unfortunately (unless I missed something)
Thank you for that. I’d also like to ask you: is that a possibility too if one were to configure a trunk port on a switch and plug the PCs in?
Hmm, so virtual interfaces on the router won’t work? I admit I’m a bit stumped, would you be able to give me an ELI5 on why this is the case? I will try and read up more, of course
The computers will be running OpenBSD. I am researching hardening methods for them and also seeing if it is feasible for me to get Corebooted hardware. I didn’t mention it because I didn’t think it was important.
I feel like my post is being taken very negatively with people finding faults in my words rather than in the networking concept. Would you happen to know why?
Thanks but as I mentioned that will not scale. I’m interested in if separating computers by subnets will work. Have you tried something like this?
It’s not that they are expensive, it’s that they run archaic proprietary OSes which the consumer cannot control. I cannot trust such a switch when the rest of my network depends on it. Please let me know if something in the post didn’t make sense.
Thank you for the wonderful comment. I am talking about the operating system (Debian vs CentOS if I remember correctly) when I mention Hardening.
I haven’t seen a concrete example of anyone applying CIS policies on the XCP-NG base, neither have I seen any mentions of securing the XCP-NG base by companies using them in production. I understand that having a walled-off dom0 is great and I like that about Xen, but not seeing dialogue on base OS level security is making me a bit uncomfortable about XCP-NG. Not sure if it is immutable, if it is then that would relieve some of my worries.
Personally, I think Proxmox is somewhat insecure too. I believe something like following relevant STIG recommendations, kernel self-protection, hardened malloc and other things (there’s a huge list but I’ll be brief) should be essential. Ideally I would’ve preferred that the Proxmox project took some of the measures that the Kicksecure project does in hardening Debian, but I don’t see any mention of something like that. If I end up wanting to run Proxmox, I’ll install Debian, distro-morph it to Kicksecure and then follow the instructions for Proxmox (not sure how I’ll keep from using the Proxmox custom kernel, but we’ll see).
Hmm, I haven’t heard of that before. Could you explain?