Incorporating a DMZ within a multiple VLAN setup built around a HP Procurve 2824 switch

I am a n00b to networking and I need help trying to figure out the steps I need to setup my topology. I have the following requirements:

(1) A Secure VPN which will be my Primary LAN network where all traffic which exits is encrypted via OpenVPN and exits to the internet via an AirVPN end point disguising my location.

(2) DMZ - Used to provide a de-restricted zone for servers and other devices which need to be accessed remotely. I wish to run Nextcloud on Debian behind my DMZ (accessible also to the secure VPN) and think it should be sufficient to get a free SSL/TLS certificate from Let's Encrypt and enforce MFA rather than putting it behind the VPN and forcing users to fire-up their VPN client before gaining access.

(3) A Guest network - Effectively this will expose my native unencrypted unsecured ISP line complete with their DNS servers. I would like to grant access primarily to visitors who require internet access but also have it act as a backup if AirVPN goes down for any reason. Its primary purpose is to prevent access to all my local resources such as file servers etc.

I have the following hardware / service:
• A static IP address from my ISP and a VLAN capable switch (HP Procurve 2824). (I got as far as resetting it but realized I bought the wrong console cable. I'm waiting for the right one to arrive.)
• A Huawei ONT WIFI modem / router provided by my ISP
• An ASUS ADSL WIFI router that I wish to use purely for my internal network.
• An NUC8i5BEK mini PC for hosting Nextcloud and anything else suggested

I would appreciate suggestions as to the feasibility and wisdom of what I am attempting. I see that many other network configurations also include a Management VLAN. Am I right to dismiss this as overkill since individuals with access to the secure VLAN will most likely also have physical access to these servers anyway?

Setting up the VLANs on the Procurve switch is the part I find most daunting, so any tips or key steps I should ensure would be much appreciated.

The Nextcloud setup I assume to be simple, but all other networking related technologies such as AirVPN and OpenVPN are what I've been led by searches to assume are suitable for my needs, and this should not be taken to indicate that I am remotely competent to configure them. I would therefore welcome all advice, hints and pitfalls to avoid.


Solution 1:

I would appreciate suggestions as to the feasibility and wisdom of what I am attempting.

You can do that. True wisdom lies within ourselves; all we need to do is glance within and search for it.

I see that many other network configurations also include a Management VLAN.

Most likely, you will not need one. As long as you don't have to protect your management infrastructure, you don't have to separate it.

Setting up the VLANs on the Procurve switch is the part I find most daunting

You will be enlightened by the simplicity and efficiency of the switch's CLI. SSH would be a good tool to do that. Get the shell online, change your context to enable and just type your desires.

Name your interfaces (starting from the configure context)

interface 1
    name "Server1"
    exit
interface 2
    name "Server2"
    exit

Create your VLANs and add some ports (starting from the configure context)

vlan 3
   name "VPN-LAN"
   untagged 10-20
   tagged 1
   exit
vlan 4
   name "DMZ"
   tagged 1
   untagged 21-24
   exit

The spell of untaggedness will connect devices on those ports with each other - cutting the switch into multiple ones, as you please.

Multiple VLANs on one port would require a tagged configuration. A connected device which is able to speak the language of VLANs would be able to talk to them.

A Port can be untagged in one VLAN (packets without vlan ID will get one this way) and tagged in multiple ones (which will pass traffic only if it's already tagged).

The Nextcloud setup I assume to be simple [...]

This may be the case, but you will need a router - or, as the masters of networking would in most cases imply you should use, a firewall. Such a device should be able to connect (and most likely L3-separate) your network kingdoms by tagging its own traffic.

We wish you an exciting journey to mastering the deeper secrets of network topology management and design.
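The two rules the answer states about ports (a port is untagged in at most one VLAN, and a VLAN only reaches the firewall if it is tagged on the uplink port) are exactly the things that go wrong silently when a config is typed by hand: on a ProCurve, untagging an already-untagged port in a second VLAN simply moves it, so a DMZ host can end up on the VPN LAN with no error shown. The script below is an added example, not part of the original answer or of any HP tool; it parses a ProCurve-style `vlan` block, expands port ranges, and reports both mistakes. The embedded config is constructed for the example and deliberately contains both errors (port 20 untagged twice, and a Guest VLAN that is not tagged on uplink port 1); the choice of port 1 as the firewall uplink is an assumption carried over from the answer's example.

```python
"""Sanity-check a ProCurve-style VLAN configuration before committing it.

Added example (not the switch vendor's code). Catches two mistakes the
answer warns about: a port untagged in more than one VLAN, and a VLAN
that never reaches the firewall uplink because it is not tagged there.
"""
import re
from collections import defaultdict

# Constructed sample input, modelled on the answer's config. It contains two
# deliberate mistakes: port 20 is untagged in VLAN 3 and VLAN 4, and VLAN 5
# (Guest) is not tagged on the uplink port, so the firewall cannot route it.
SAMPLE_CONFIG = """\
vlan 3
   name "VPN-LAN"
   untagged 10-20
   tagged 1
   exit
vlan 4
   name "DMZ"
   tagged 1
   untagged 20-24
   exit
vlan 5
   name "Guest"
   untagged 5-9
   exit
"""

UPLINK_PORT = 1  # assumed: the port patched to the router/firewall


def expand_ports(spec):
    """Expand a ProCurve port list such as '1,10-12' into [1, 10, 11, 12]."""
    ports = []
    for part in spec.replace(" ", "").split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.extend(range(lo, hi + 1))
        else:
            ports.append(int(part))
    return ports


def parse_vlans(text):
    """Return {vlan_id: {'name': str, 'untagged': set, 'tagged': set}}."""
    vlans = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"vlan (\d+)$", line)
        if m:
            current = int(m.group(1))
            vlans[current] = {"name": "", "untagged": set(), "tagged": set()}
            continue
        if current is None:
            continue  # lines outside a vlan block are ignored
        if line.startswith("name "):
            vlans[current]["name"] = line[5:].strip().strip('"')
        elif line.startswith("untagged "):
            vlans[current]["untagged"].update(expand_ports(line[9:]))
        elif line.startswith("tagged "):
            vlans[current]["tagged"].update(expand_ports(line[7:]))
        elif line == "exit":
            current = None
    return vlans


def find_untagged_conflicts(vlans):
    """Ports untagged in more than one VLAN; the switch would keep only the
    last one typed, quietly moving the port between security zones."""
    owners = defaultdict(set)
    for vid, v in vlans.items():
        for port in v["untagged"]:
            owners[port].add(vid)
    return {p: sorted(v) for p, v in owners.items() if len(v) > 1}


def vlans_missing_on_uplink(vlans, uplink_port):
    """VLAN IDs that are not tagged on the uplink, i.e. invisible to the
    firewall that is supposed to route (and filter) between zones."""
    return sorted(vid for vid, v in vlans.items() if uplink_port not in v["tagged"])


if __name__ == "__main__":
    cfg = parse_vlans(SAMPLE_CONFIG)
    print("untagged conflicts:", find_untagged_conflicts(cfg))
    print("VLANs not tagged on uplink port %d:" % UPLINK_PORT,
          vlans_missing_on_uplink(cfg, UPLINK_PORT))
```

Running it against the sample prints `{20: [3, 4]}` for the conflict and `[5]` for the VLAN the firewall cannot see. Note that an unrouted Guest VLAN is only wrong if you intend the firewall to carry it to the ISP line; if the guest ports are meant to be patched straight to the ISP router instead, that finding is expected.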