Showing results for tags 'vlan'.
The idea is to run your block service node daemons from their own VLAN subnet, then set up each daemon, including the service node and enterprise xrouter, from Proxmox LXC containers. The main network PCs can talk to things in the BLOCK network, but the things in the BLOCK network can't talk to anything outside of the VLAN.

The UDM Controller is constantly changing; this will vary as they continue releasing firmware updates to fix things.

Go to Settings -> Networks -> Add a New Network
Name: Block
VLAN ID: 100
Domain name: block

I let the UDM controller handle the rest, as I don't know where they put the DHCP subnet settings for this. Click Apply Changes when done. We now have a BLOCK VLAN to work with, and each hostname will be like denarius-container.block.

Next we set up the firewall rules so our LAN network can see the BLOCK VLAN, but the BLOCK VLAN can't see our LAN network.

Settings -> Security -> Firewall -> LAN -> Create New Rule
We want to allow everything, so the first rule we create is Allow all Established/Related Traffic. Then we want to block BLOCK to LAN. With the rules set up we can now set up the Proxmox LXC containers.
Decided to try out pfSense to compare to the Ubiquiti USG with VLANs. pfSense seems a bit easier, but a few more steps to set up. With that in mind I wanted to see how to VLAN a Proxmox container. I am using a small Celeron mini PC with 2 Intel NICs for pfSense, a Ubiquiti EdgeSwitch 24, and for Proxmox a 16-core Threadripper on an X399 motherboard with 2 Intel NICs. I think you want 2 NICs for Proxmox, and a managed switch.

First set up the VLAN on pfSense. I am calling mine DockerProxmox and using VLAN ID 600. Go to Interfaces -> VLANs, click Add and change to something like below: Parent Interface is your LAN, VLAN tag is 600, Description Docker Proxmox. LAN is important and the rest is up to you.

Go to Interfaces -> Assignments, find the one at the bottom (your new VLAN) and click Add. Then click OPT or whatever the Description is. Once you click the Description, change the fields below. Pick an IPv4 address for the new subnet; I chose 192.168.60.1.

Go to Services -> DHCP Server, find your new VLAN at the top and click that. We now want an IP range to hand out. I like to choose between 100-200 like below.

Go to Firewall -> Rules. A quick firewall rule to allow traffic and also block traffic to the rest of the network will look like this: Allow All Rule, Block LAN Rule.

Then go into your switch to configure the tagged port; this is going to vary, but here's an example on my Port 20. So you already have Proxmox set up with a static IP on one of the NICs. Now let's use the 2nd NIC to bring the VLANs through. The above shows I have my management Proxmox port on 19, and the 2nd VM NIC will be in Port 20. This is the goal of what we are about to change. enp4s0 is plugged into port 19 like normal and was set up through Proxmox as vmbr0 when I set up the server. So then I would click Create Linux Bridge and make a vmbr1 with VLAN aware and a bridge port of the other NIC, enp6s0, like this.
Now create a container using vmbr1 and use VLAN ID 600 or whatever number you used, and the container will get the new IP range from DHCP and can't ping any other IPs outside of the range. On the container creation, it would look like this for the Network tab. For the DNS tab, I am using my Pi-hole IP address, which I made 2 separate rules for; otherwise I could not get out to the internet because of the above rules, which basically block my pfSense IP. Looks like this below. Eventually I would tune everything down to the correct ports only, so I am not passing everything to the Pi-hole. Or just use 126.96.36.199 or whatever you use in the DNS tab. And a successful ping to google.com so big brother knows we are here, but can't ping the internal network. Good enough for a somewhat quick pfSense VLAN into a Proxmox container to start locking things down.
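The post above pairs a VLAN-aware vmbr1 with a container whose net0 carries tag=600. The Python below is an added example, not the poster's code and not part of Proxmox: it parses text in the layout Proxmox writes to /etc/network/interfaces and /etc/pve/lxc/<vmid>.conf and reports the mistakes that make a container silently land in the wrong VLAN (no tag, tag outside bridge-vids, bridge without an uplink port). Both input files are constructed copies embedded inline, mirroring the enp4s0/vmbr0 and enp6s0/vmbr1 split the post describes; the management address 192.168.1.50/24 and the hwaddr are made up.

```python
"""Check that a Proxmox LXC container's VLAN tag will actually take effect
on the bridge it is attached to.  Added example; the two configs below are
constructed to match the post (vmbr0 on enp4s0, VLAN-aware vmbr1 on enp6s0)."""
import re

# Constructed /etc/network/interfaces in Proxmox's ifupdown layout.
INTERFACES = """\
auto lo
iface lo inet loopback

iface enp4s0 inet manual
iface enp6s0 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.1.50/24
        gateway 192.168.1.1
        bridge-ports enp4s0
        bridge-stp off
        bridge-fd 0

auto vmbr1
iface vmbr1 inet manual
        bridge-ports enp6s0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
"""

# Constructed /etc/pve/lxc/<vmid>.conf with the net0 line the GUI generates.
CONTAINER_CONF = """\
arch: amd64
hostname: docker-test
net0: name=eth0,bridge=vmbr1,hwaddr=BC:24:11:00:00:01,ip=dhcp,tag=600,type=veth
"""


def parse_interfaces(text):
    """Return {iface_name: {option: value}} for every 'iface' stanza."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("iface "):
            current = line.split()[1]
            stanzas[current] = {}
        elif current and not line.startswith("auto "):
            key, _, value = line.partition(" ")
            stanzas[current][key] = value.strip()
    return stanzas


def parse_vids(spec):
    """Expand a bridge-vids spec such as '2-4094' or '10 20 30-39' into a set."""
    vids = set()
    for part in spec.split():
        lo, _, hi = part.partition("-")
        vids.update(range(int(lo), int(hi or lo) + 1))
    return vids


def parse_net0(conf_text):
    """Return the key=value pairs of the container's net0 line as a dict."""
    m = re.search(r"^net0:\s*(.+)$", conf_text, re.MULTILINE)
    if not m:
        return {}
    return dict(kv.split("=", 1) for kv in m.group(1).split(","))


def check_container_vlan(interfaces_text, conf_text):
    """Return a list of problems; an empty list means the tag is honoured
    and the container's frames leave the host tagged on the trunk port."""
    problems = []
    net = parse_net0(conf_text)
    bridge = parse_interfaces(interfaces_text).get(net.get("bridge", ""))
    if bridge is None:
        return [f"bridge {net.get('bridge')!r} is not defined on the host"]
    tag = int(net.get("tag", 0))
    if tag == 0:
        problems.append("no VLAN tag set: container joins the bridge's untagged VLAN")
    elif not 1 <= tag <= 4094:
        problems.append(f"tag {tag} is not a valid 802.1Q VLAN ID")
    elif bridge.get("bridge-vlan-aware") != "yes":
        problems.append("bridge is not VLAN aware: Proxmox falls back to a per-VLAN sub-bridge")
    elif tag not in parse_vids(bridge.get("bridge-vids", "")):
        problems.append(f"tag {tag} is outside bridge-vids {bridge.get('bridge-vids')!r}")
    if bridge.get("bridge-ports", "none") == "none":
        problems.append("bridge has no physical port: traffic never reaches the switch")
    return problems


if __name__ == "__main__":
    print(check_container_vlan(INTERFACES, CONTAINER_CONF) or "container VLAN config looks right")
```

Run it against the real files with `check_container_vlan(open("/etc/network/interfaces").read(), open("/etc/pve/lxc/100.conf").read())` after `pct create`; the most common miss it catches is a bridge-vids range that was narrowed after the container was built.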
I have been wanting to separate out my FPGAs from my network into VLANs for a while and decided today was the day. And before I forget how to do this, maybe this setup helps someone else, as I found this confusing AF. My network is piecemeal over the years: if something broke, get a new one. If I needed more ports, get another switch. So nothing matches up to the current Ubiquiti UniFi lineup. Good or bad, I didn't come across a guide to throw it all together for a newb like myself. If anyone has a better setup please tell me what can be done better.

Does any of the listed gear matter? Not really, except the controller for the USG, and I would suggest any recent Ubiquiti APs as they are flawless. Pro, Lite, and LR are amazing.

My FPGAs are wired so they will get a miner VLAN, and we will set up an IoT wifi VLAN so we can test from a phone back to the main network and the miner VLAN. With this setup I would break up each group of miners. Like hashaltcoin FPGAs get their own VLAN, brand1 of ASIC gets its own VLAN, brand2 of ASIC gets its own VLAN, AMD GPUs get their own VLAN, NVidia GPUs get their own VLAN, shady wallet you downloaded from a bot on Discord on its own malware PC, its own VLAN. Let all that garbage talk to each other in their own zone of spam, but not me. I am getting too old for the shady shenanigans. Blockstream, Asicboost bois and all you spammers hearing me? Maybe your favorite crypto laptop gets its own VLAN that nothing can talk to?

Gear
Ubiquiti USG Router
Ubiquiti 8-Port ToughSwitch POE
Ubiquiti EdgeSwitch 24 Lite
Ubiquiti Cloudkey Gen 1
Ubiquiti AC-Lite
Ubiquiti AC-Pro

Diagram of what I am setting up. Using draw.io and Visio stencils from the UBNT community mega link https://mega.nz/folder/ctdX2IiY#y3vZx3xp5KUevei3vDpquQ

First we assume you already have the USG, managed switch(es), and Access Point(s) set up and know how to log in to everything.
Since my switches aren't the UniFi line, you can figure out your random brand of switch VLAN config; it's basically the same idea. Let's get an IoT wireless network set up as a test network and see how this works for wifi.

Bottom Left Gear Icon -> Networks -> + Create New Network
When you type in the IP address, I am matching the VLAN to the IP number. After that click Update DHCP Range to automatically fill in the rest. Click Save.

Now create a wifi network to test our new VLAN on.
Wireless Networks -> + Create New Wireless Network
The settings below are basically the same as a typical wifi SSID setup, except we clicked the Advanced Options and selected VLAN with our new VLAN number.

My ToughSwitch port 8 is connected to my EdgeSwitch Lite port 24, and then EdgeSwitch Lite port 23 is connected to my USG router. Now, because I have a Mickey Mouse setup, I need to tag all of this back to where the Access Points are. So first I went into my ToughSwitch. Under the VLANs tab I added VLAN ID 30 with comment IoT, put port 8 as T and checkmarked enable. Save this and wait for the switch interface to pop up again.

Now to the EdgeSwitch, which gave me pure misery since I wasn't sure how to tag, untag and exclude; turns out it's very simple. #REKT Basically I tagged [T] the ports connecting the devices together: ports 23 and 24, which, as mentioned above, are how the ToughSwitch and USG router connect to the EdgeSwitch. Now you should be able to connect a phone to the IoT wifi and get internet. If not, either you did something wrong or I missed something, and most likely I missed something since that was very easy so far, a bit too easy.

Next what I wanted was to put the FPGA miners on their own hard-wired VLAN; they are on my EdgeSwitch ports 14 and 16. Let's do another VLAN Corporate Network, but this time use VLAN 40 and 192.168.40.1. Because we aren't using wifi this time, no need to bother with another SSID.
Now we have our shiny new VLAN 40, but we still need to change the EdgeSwitch to Exclude and Untag. This would be whichever switch your miner spam thing is connected to. Notice we Exclude ports 14 and 16 in the default VLAN 1, and then Untag ports 14 and 16 in VLAN 40. I am keeping the Tags [T] all the way through, but I don't think this has to really travel to the ToughSwitch, only from the EdgeSwitch to the USG router. But I am tired and would rather write this guide.

Now reboot or disconnect your miner so it grabs the new DHCP address. In the left icon of a laptop in the USG [Clients], click that and see if your thing is showing up after maybe 5-10 minutes of waiting. When it does show up, try going to the IP address from the main PC/laptop you are setting this up from, to make sure you can log on. Also double check from your phone on the IoT wifi if you can log in.

Right now everything can still talk to each other. Let's stop that.

Go to the Gear -> Routing & Firewall -> Firewall -> Groups -> + Create New Group
And let's create some useful stuff. The main thing we want is a private network full address group to block. Below, to easily copy and paste them in if you type too slow:

RFC1918
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

Then we want to create the firewall rules to allow things to happen and then block the rest. Your final order should look something like this once you finish the next steps.

Routing & Firewall -> Firewall -> LAN IN -> + Create New Rule
Just copy the settings; this blocks the IoT VLAN from talking to anything else. Now we block the miner VLAN to everything else. Now try from the IoT wifi on your phone to connect to anything. If it doesn't connect to a PC or your miners, this is a good sign that the setup is starting to come together. Now let's create one more rule so you can log in to your stuff from the PC you are setting this up from. Now your junk will stay spamming itself but you can still log in to them.
You can then start messing around with that allow rule, such as Source -> only from a specific IP address and Destination -> only a specific set of ports. Play around in the Groups tab to add more groups, like a group called 80, 443 since those are probably the only ports you need for most everything. Make a group called Master and input a couple of IPs to be your only controlling devices. Hopefully this helps someone trying to connect a spaghetti of switches, access points, and random devices together and block the stuff inside the VLANs from talking too much BS. If you like the guide, consider donating to Carsen's patreon in my signature.
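Both the UDM post (Allow Established/Related first, then block BLOCK to LAN) and the USG guide above (RFC1918 group, IoT and miner block rules, a Master allow rule) rely on the same thing: a first-match rule list in which the stateful allow sits above the blocks, so replies to connections the LAN opened are let back through while anything the isolated VLANs initiate is dropped. The Python below is an added example, not code from either post or from Ubiquiti: it models LAN IN as a first-match list with a state flag and walks a handshake in both directions, then shows what breaks when the established/related rule is moved below the blocks. Subnets are constructed to follow the guide's numbering (VLAN 30 -> 192.168.30.0/24, VLAN 40 -> 192.168.40.0/24); the LAN 192.168.1.0/24, the Master PC 192.168.1.10, the BLOCK subnet 192.168.100.0/24 and the public address 203.0.113.10 are assumptions, and the accept-by-default fall-through is the USG's LAN IN behaviour.

```python
"""State-aware, first-match model of the LAN IN rule lists in the posts above.
Added example, not from either post; addresses are constructed."""
import ipaddress
from dataclasses import dataclass


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


RFC1918 = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")  # the guide's group
ANY = nets("0.0.0.0/0")
LAN = nets("192.168.1.0/24")          # assumption: main network
IOT = nets("192.168.30.0/24")         # VLAN 30, IP matched to the VLAN number
MINERS = nets("192.168.40.0/24")      # VLAN 40, gateway 192.168.40.1 in the guide
MASTER = nets("192.168.1.10/32")      # assumption: the PC the setup is done from
BLOCK = nets("192.168.100.0/24")      # assumption: the UDM post's VLAN 100 subnet


@dataclass
class Rule:
    name: str
    action: str               # "accept" or "drop"
    src: list
    dst: list
    established: bool = False  # True: only matches replies of an existing flow


# Final order the USG guide arrives at.
GUIDE_RULES = [
    Rule("allow established/related", "accept", ANY, ANY, established=True),
    Rule("master to anything", "accept", MASTER, ANY),
    Rule("IoT to RFC1918", "drop", IOT, RFC1918),
    Rule("miners to RFC1918", "drop", MINERS, RFC1918),
]
# Same rules with the stateful allow pushed to the bottom.
MISORDERED_RULES = GUIDE_RULES[1:] + GUIDE_RULES[:1]
# The UDM post's two-rule version for its BLOCK VLAN.
UDM_RULES = [
    Rule("allow established/related", "accept", ANY, ANY, established=True),
    Rule("BLOCK to LAN", "drop", BLOCK, LAN),
]


def _in(addr, networks):
    return any(addr in n for n in networks)


def evaluate(rules, src, dst, established=False, default="accept"):
    """Return (action, rule name) for the first matching rule.  Rules without
    the state flag match new and established packets alike, as on the USG."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.established and not established:
            continue
        if _in(src, r.src) and _in(dst, r.dst):
            return r.action, r.name
    return default, "default"


def connection_works(rules, client, server):
    """Walk a TCP handshake: the client's SYN is 'new', the server's reply is
    'established'.  Both directions must be accepted for the flow to work."""
    fwd, fwd_rule = evaluate(rules, client, server)
    if fwd != "accept":
        return False, f"request dropped by '{fwd_rule}'"
    rev, rev_rule = evaluate(rules, server, client, established=True)
    if rev != "accept":
        return False, f"reply dropped by '{rev_rule}'"
    return True, f"request via '{fwd_rule}', reply via '{rev_rule}'"


if __name__ == "__main__":
    cases = [("phone on IoT wifi -> PC on LAN", "192.168.30.20", "192.168.1.50"),
             ("phone on IoT wifi -> internet", "192.168.30.20", "203.0.113.10"),
             ("PC on LAN -> FPGA miner", "192.168.1.50", "192.168.40.5"),
             ("master PC -> phone on IoT", "192.168.1.10", "192.168.30.20")]
    for title, rules in (("guide order", GUIDE_RULES), ("blocks above established", MISORDERED_RULES)):
        print(f"== {title}")
        for label, client, server in cases:
            ok, why = connection_works(rules, client, server)
            print(f"  {'OK  ' if ok else 'FAIL'} {label}: {why}")
```

The misordered list is the failure mode to recognise: the miner block rule has no state restriction, so it eats the miner's reply to the PC and even the Master allow rule cannot help, because that rule only matches packets sourced from the Master PC.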