Yes, that does indeed sound like you have all the stuff necessary to make this work.
In my home network this wouldn’t work, as I’m running all my stuff in containers on multi-purpose servers, and therefore I can’t really split things per VLAN. Most other people in the homelab/self host community also use their servers for multiple purposes at the same time, so VLANs alone often doesn’t cut it.
That depends a lot on what you do with them…
VLANs work on a layer where devices can either reach each other or they cannot.
Let’s say you have your main desktop computer in the “main” VLAN, and your Jellyfin server in the “jellyfin” VLAN, and a third server for your home-assistant in the “home-assistant” VLAN, and finally some IOT devices in the “iot” VLAN.
You connect the VLANs as follows:
Remember that all connected VLANs much be bidirectional.
Now someone compromises your Jellyfin. They now control and has access to everything on the Jellyfin server, but they also have network reachability to your main computer, because your “main” and “home-assistant” VLANs are connected. They can now try to exploit your main computer.
If they are successful in exploiting your main computer, then they can use your main computer to jump to the home-assistant server because again, these two VLANs are connected. And you likely have the credentials for accessing home-assistant available on your main computer somewhere.
Now they are on your home-assistant server, and they can now start trying to exploit your IOT devices.
If VLANs are connected, they don’t care which direction the traffic flows.
If you want to control traffic flow directions you need a firewall. A firewall can sit between VLANs and block traffic coming from one to other, but not the other to the one.
If Jellyfin gets compromised, you risk everything else on the same server getting compromised, as well as everything that server can reach.
VLANs can certainly reduce what is at risk, but wouldn’t the machine running the Jellyfin client be reachable from the Jellyfin server? And if they manage to move laterally to the client machine, what could they then reach from there?
Sure… If someone managed to stream some of my media… They probably earned it… But then they exploit a vulnerability to perform arbitrary code execution, and leverage that to hack everything else on my network…
Dunno… Somehow that seems like a feature to me 😉
Well… That depends entirely on your threat model…
In my setup, the backup is encrypted locally, and then uploaded to Backblaze. If I leak my encryption key, then yes, Backblaze and any state actor that can compel Backblaze, might be able to read my backup (and the same goes for an encryption vulnerability). But since the connection to access the backup is also authenticated, the rest of the public would not be able to read my backup. If I leak my access credentials, then everyone could get my encrypted backup data, but not be able to decrypt it. Of course if I leak both the access credentials and the encryption key, then yes anyone that obtains both can read my backup.
Many regular people use Microsoft Onedrive or Google Drive, which offers even less protection, but it’s certainly sufficient and well enough protected to keep your dissertation protected.
In most backup services you have the option to choose what gets backed up, and what does not. But sure, it entirely depends on who you want to protect yourself from.
If your main concern is state actors, then yeah… You probably shouldn’t use something like Backblaze. You should keep everything on your own hardware. And convince a friend or some family to have a NAS sitting somewhere that can host your backup destination.
For my case I’m mostly concerned about data continuity (not losing data). But privacy is certainly also a concern, and here I have chosen to believe that the encryption is sound enough, and that my ability to keep my encryption key safe, is sufficient for the data it protects.
Nice to hear… However I haven’t figured out how to get my HTC Vive to behave nicely on Linux…
I use Backblaze myself… But there are many other straightforward and easy backup solutions out there.
Then against the Factorio devs publicly said they much prefer that you pirate the game over using a shady grey market key seller…
And when you set up a multiplayer server there’s even a checkbox to choose whether it should validate that players have a user account… Untick that and you can play with anyone who pirated the game.
To me it’s a pretty clear from the devs message: If you want the game, and want to support the developers, and can afford it, you buy it at full price. If you don’t want to support the devs or can’t afford it, but still want to play, you pirate it. And they even have a free demo, so you can try the game before making your purchasing decisions.
Or maybe did foresee it, but didn’t feel Loke warning anyone…
You’re probably right that the value density of RAM sticks is better… But NVidia B300 GPUs are still ~$45,000 each. A backpack full is still quite a lot of money.
Or in some cases ONLY allowing them to reach the Internet. So they can’t access your other devices…
How much do you think a weighted blanket weighs?
Why would it be too late?
If the state of things really are that bad, doesn’t it make sense to try to correct things? The best time to start correcting is certainly in the past… But the next best time to start correcting is now.
I realised a while ago that it’s way cheaper to hunt for second-hand intel NUCs, and the resulting machine is way more powerful… And the RAM and storage is upgradeable, if the NUC didn’t come with plenty of storage or RAM already…
The “routing” can still refer to routing to devices attached via a switch. So no need for a third port to qualify as a router.
The containers in my setup are running in a Kubernetes cluster. My Kubernetes cluster consists of 3 physical servers (one old desktop computer and 2 Intel NUCs).
On that cluster I run many different things, Jellyfin, Plex, *arr-stack, downloader, Immich, zigbee2mqtt, home-assistant, audiobookshelf, calibre-web, Forgejo, ArgoCD, Homebox, Paperless, Factorio servers, Velero, and a bunch of other stuff.
Because I run so many different things on the same 3 physical machines, using containers, then there’s no way to split this into VLANs.
I could make a “kubernetes” VLAN, but everything else on my network would need to be connected with it anyway. All my computers, phones and TVs need to access Kubernetes (Jellyfin), and Kubernetes need to access everything else such as EV charger, heat pump, and the power monitoring in my power meter. Therefore I need to control my networking at a different level.