foundation:networking

Differences

foundation:networking [2025/12/19 22:21] privacyl0stfoundation:networking [2025/12/19 23:05] (current) privacyl0st
Line 4: Line 4:
 Restricting access to just your home network is an option — but it defeats much of your media center’s value. Remote access and sharing are powerful features. Proper design means exposing services hosted within your home to the internet doesn't have to be a reckless endeavor.\\  Restricting access to just your home network is an option — but it defeats much of your media center’s value. Remote access and sharing are powerful features. Proper design means exposing services hosted within your home to the internet doesn't have to be a reckless endeavor.\\ 
  
-Before exposing anything to the internet though the network must be designed correctly to minimize risks - elimination of risk is not possible but minimizing it is well within our capability.+Before exposing anything to the internet though the network must be designed correctly to minimize risks - elimination of risk is not possible but minimizing it is well within our capability.\\  
 + 
 +==== LAN Design Strategy ==== 
 +Long before we even consider opening path in our gateway/firewall to expose our media center we need to segment our internal network to promote both security and performance. To achieve this segmentation, we'll need to configure a minimum of three Virtual Local Area Networks (VLANs).\\  
 +  * NFS VLAN - Dedicated to communication between the NAS and the servers requiring high speed access to the content library.\\  
 +    
 +  * DMZ VLAN - An isolated space where we will deploy our servers providing internet facing services.\\  
 +    
 +  * LAN VLAN - Our primary internal network where our general use computers and printers are deployed.\\  
 + 
 +It is important to note that your network should probably be as segmented as possible, isolating Internet of Things (IoT) devices, Guest devices, mobile devices, etc., but for the purposes of this guide we'll focus on the three needed to securely deploy a high performing Plex ecosystem. 
 +When it comes time to put all the pieces together for our ecosystem we'll be accessing our content library via an NFS link between our Plex Media Server and our NAS device.\\  
 + 
 +In the remainder of this page we will discuss //**what**// is needed, and //**why**//, but we //**will not**// go into specifics on how to configure //**your**// network equipment since the //**how**// will vary depending on what network equipment you have and the configuration tools available to configure it.\\  
 + 
 +==== NFS VLAN ==== 
 +Switch ports tagged for NFS VLAN traffic should not be configured as trunk or span ports and should only be connected to endpoint NICs that are dedicated to NFS communication. These ports and the NICs connected to them should be configured for Jumbo Frames (9000 mtu), be statically assigned IP addresses, and not have a gateway configured. No switches or gateways on the network should have virtual interfaces configured on this network segment.\\  
 + 
 +==== DMZ VLAN ==== 
 +Switch ports tagged for the DMZ VLAN should not be configured as trunk or span ports and should only be connected to endpoints that will host internet facing services. Endpoints such as your reverse proxy, Plex Media Server, and/or your content request server. Switches and gateways can be configured with virtual interfaces for this VLAN and access control lists should be configured on both the gateway and switches to permit any internal routing necessary for connectivity to local devices and automation services that may be running in a different VLAN.  It is important to note though that ACLs should be configured to allow internal services to initiate communication with devices in the DMZ VLAN, but devices deployed in the DMZ VLAN should not be able to initiate traffic into the LAN VLAN. This VLAN should not have the ability to communicate with anything in the NFS VLAN and there should be no configured routes to allow this type of traffic.\\  
 + 
 +==== LAN VLAN ==== 
 +The LAN VLAN, or sometimes configured as the default VLAN, will be where all your general-purpose devices are deployed.  Switches and gateways will have virtual interfaces configured for this VLAN and devices within this VLAN should be able to freely access both the internet and the DMZ VLAN. Like the DMZ VLAN this VLAN should not be able to communicate with anything in the NFS VLAN.\\ 
  
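Review bot: The DMZ VLAN section's closing sentence ("This VLAN should not have the ability to communicate with anything in the NFS VLAN and there should be no configured routes to allow this type of traffic") reads as contradicting the earlier statement that the Plex Media Server reaches the NAS over an NFS link; the hunk should say explicitly that the Plex server is dual-homed, with one NIC in the DMZ VLAN and a second dedicated NIC in the NFS VLAN (static address, no gateway, as the NFS VLAN section already requires), and that IP forwarding between those two interfaces stays disabled on the host so the server itself does not become a route between the segments. In the same section, the ACL guidance ("allow internal services to initiate communication with devices in the DMZ VLAN, but devices deployed in the DMZ VLAN should not be able to initiate traffic into the LAN VLAN") cannot be expressed with plain stateless switch ACLs, which evaluate packets individually with no notion of who initiated a session: either enforce the direction on the stateful gateway firewall, or document that any switch ACL must also permit the return (established) traffic of LAN-initiated sessions, otherwise LAN-to-DMZ connections will break or the rule will be loosened until the restriction is lost. The NFS VLAN section's "Switch ports tagged for NFS VLAN traffic" is also ambiguous, since endpoints with a dedicated NFS NIC normally sit on untagged access ports; "assigned to the NFS VLAN" would avoid suggesting 802.1Q tagging toward the endpoint. Minor: "opening path in our gateway/firewall" should read "opening a path", and "9000 mtu" should be "9000 MTU".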
foundation/networking.1766182880.txt.gz · Last modified: by privacyl0st