
I have a question about how I can share a disk across different home network subnets (e.g. 192.168.1.1 and 10.0.0.1) with different VMs. Within the same network subnet I just set up NFS storage, but how can I set it up so that it is also reachable from a different network subnet?

I want to self-host a website, but for security have it on a separate network subnet from all my other devices at home. However, somehow I still need to share storage, or at least a folder.

Same with Nextcloud: I want to have that on a separate subnet but still accessible from my main subnet, just so that there is some security and separation between my home network and what is exposed to the internet.

My server runs Proxmox 5.1, currently only LXC, but for the externally hosted website and Nextcloud I'm planning to install 2 separate VMs that use two different virtual bridges (the firewall is pfSense, another VM on Proxmox).

Hope that makes sense, thank you for your help!

  • Why do you think subnets make any difference in NFS usage? Commented Feb 3, 2018 at 22:47
  • Hmm, well I tried to access a machine on 10.0.0.1 from a VM with IP 192.168.1.1 and had problems - but you are saying that these should easily be able to connect to each other as if they were both on the same IP range (e.g. both on 192.168.1.1)? Then my problems must have come from something else I guess... I thought it was because they were on two different subnets. I'm then confused why the recommendation for improving security when exposing an application to the web is to put it on a different subnet - if the communication is as easy to all other subnets then why bother? I'm confused...
    – Svarto
    Commented Feb 3, 2018 at 22:53

1 Answer

A lot to address, but let me try.

First: if all concerned hosts (VMs) use the same pfSense VM as their default gateway, then pfSense will know how to route the traffic in both directions.

Next: have you added firewall rules to permit the traffic? pfSense has some default rules for (1) WAN + (1) LAN to permit all egress from LAN, but any OPT interfaces you add come with a default Deny rule. If the traffic is permitted, an explicit request for a specific host/service should work, but know that broadcast traffic (service advertising/network discovery) will be blocked. Separate subnets = separate broadcast domains.

For file transfer to your web server, I'd recommend you consider sftp (ftp over ssh) rather than NFS on your Internet-accessible host, unless you are certain you've restricted access to only your LAN.

How much security you get by putting the hosts on separate subnets all depends on what you configure into the pfSense firewall rules: if you permit everything, then you have only blocked automatic network discovery: basically security through obscurity. The security benefit occurs when you permit only the necessary communications. In this case, I expect you would permit connections from your 'LAN' to the web host, but permit nothing initiated in the reverse direction.

Unless you NEED this all in one box, for a home setup I'd want a dedicated box for the pfSense firewall, rather than exposing a Proxmox physical interface to the Internet. I'm not saying you can't do it. I have. I have a Debian box sitting in a datacenter running KVM/QEMU with pfSense on a VM running OpenVPN, and a few LAN and DMZ VMs: basically it was a client's office LAN, and they got small enough they closed their brick and mortar and now everyone works from home. It was a fun exercise, but I don't think I'll do it again.
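The policy the answer describes (LAN may initiate to the DMZ hosts, the DMZ may initiate nothing toward the LAN, OPT interfaces default to deny) written out as pf rules, added here as an illustration; it is not the answerer's configuration or a pfSense-generated ruleset, since pfSense is configured through its per-interface rules tabs, and this only shows the equivalent logic. The interface names em1/em2 and the host addresses 10.0.0.10 and 10.0.0.11 are constructed; the /24 subnets follow the question's two example ranges.

```pf
# Assumed layout (constructed for this example):
#   LAN  = em1, 192.168.1.0/24  home devices and Proxmox management
#   OPT1 = em2, 10.0.0.0/24     DMZ bridge for the web server and Nextcloud VMs
#   web server 10.0.0.10, Nextcloud 10.0.0.11
lan_if   = "em1"
dmz_if   = "em2"
lan_net  = "192.168.1.0/24"
dmz_net  = "10.0.0.0/24"
web_host = "10.0.0.10"
nc_host  = "10.0.0.11"

set skip on lo0

# Default deny, logged: this is what pfSense's OPT interfaces start with,
# so nothing reaches the DMZ hosts until a pass rule below permits it.
block log all

# LAN may initiate anything, including connections to the DMZ hosts.
# "keep state" means replies flow back without any DMZ -> LAN pass rule.
pass in quick on $lan_if inet from $lan_net to any keep state

# Tighter alternative to the rule above: only SFTP (tcp/22) to the web host
# and HTTPS (tcp/443) to Nextcloud from the LAN, nothing else.
# pass in quick on $lan_if inet proto tcp from $lan_net to $web_host port 22 keep state
# pass in quick on $lan_if inet proto tcp from $lan_net to $nc_host  port 443 keep state

# DMZ must not initiate toward the LAN, nor toward the firewall's own LAN
# address; a compromised Internet-facing VM then cannot open connections inward.
block log quick on $dmz_if inet from $dmz_net to $lan_net
block log quick on $dmz_if inet from $dmz_net to ($lan_if)

# DMZ hosts may still reach the Internet (updates, Nextcloud's outbound calls).
pass in quick on $dmz_if inet from $dmz_net to any keep state
```

Because the only DMZ-side pass rule is evaluated after the two block rules, anything the DMZ VMs send toward 192.168.1.0/24 is dropped and logged, while LAN-initiated sessions to the DMZ keep working through the state table.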
