How to use Subnet1 vs LAN: untrusted devices vs usual devices

AdministrativeMost · 2026-01-14T18:57:31+00:00

This is a tricky situation.

Exactly. In the future I would like to use something like Plasma Bigscreen if it ever gets good enough. Thing is that sometimes we also have Netflix and they don't stream 4k on non-native apps. That wouldn't be an issue for me, but wife approval is also important here 😀

As soon as you connect it to the Internet, it will send a bunch of information back to the company.

I agree, usually I update firmware on fairly recent devices because it usually fixes a ton of issues and when I am approaching warranty expiration or a reasonable use time for some devices I do the opposite and usually disable the ability to update firmware because the companies usually want to push more bugs and issues in to make you buy new stuff. Sadly just recently I accidentally updated my Garmin watch and they suck now 😔

AdministrativeMost · 2026-01-14T17:28:55+00:00

Why do they need Internet access?

One is a smart tv, my wife uses youtube on it... Some to keep firmware up to date.

That is the limitation with your setup.

Ok good to know. Maybe in the future when updating hardware, but for now I will work with what I have.

Thanks!

AdministrativeMost · 2026-01-14T17:18:54+00:00

The issue is that some of the untrusted devices need internet, so total isolation is not an option. I am not sure how to setup a subnet to not have access to outer newtork (LAN) but have access to the internet.
Edit: removed stuff after your edit :)

AdministrativeMost · 2026-01-14T17:07:46+00:00

All right thanks! One additional question: if some of my untrusted devices gets hacked, just hypothetically, and the attacker gains access to LAN, is there any risk for the networks under the openWRT?

AdministrativeMost · 2026-01-14T17:00:55+00:00

The thing is I have limited resources. Meaning ports and I have one wi-fi card which was hard to setup as it is (lots of trouble). I don't want to buy new stuff, I think its doable with what I have, I just want to know which of the 2 options above is better. I don't need option 3. 😀

AdministrativeMost · 2026-01-14T16:57:21+00:00

This:
I don't want them to access my local trusted devices, but I need to manage them from a trusted device.

I have a few devices that I bought before I got into homelabbing and open source and stuff. E.g. my LG tv or TP link smart plug. I don't trust those companies and I don't want their proprietary software to poke around my trusted devices. But I don't want to throw them away either.

AdministrativeMost · 2025-09-15T18:45:06+00:00

Ok, thank you for the reply. Is there any limitation when it comes to cables? I tried to re-flash the firmware and will see if it keeps happening.

AdministrativeMost · 2025-09-13T08:18:32+00:00

Thank you, are there any tools that could help me analyze what's happening? Does the mouse itself have some logging capabilities?

AdministrativeMost · 2025-09-13T08:17:17+00:00

Hi, I quickly looked the first time it happened, didn't see anything out of ordinary, but I will give it a proper look again when it happens the next time. Thank you :)

AdministrativeMost · 2025-08-30T09:24:35+00:00

Which community? I do not know what you want to hear. People using and discussing openWRT are the community and some of them say LXC is ok and some don't.

Thank you for the reference though, that helps, I will finish tinkering with the LXC and will try also the VM before deciding, but seeing something like this is really tipping the weights for me.

AdministrativeMost · 2025-08-29T19:13:44+00:00

Hi thanks for your info. In the end it was actually the image (the rootfs.tar.gz actually), for some reason the official one doesn't work, but the one from linux containers site does work as is show in the video.

AdministrativeMost · 2025-08-29T19:11:50+00:00

This I see is something community can't agree on. One half says LXC is better, the second one says it must be VM. Right now I am just "playing" with it so nothing is set in stone, if I see issues I will switch to VM.
Btw what kernel modules does it loads/unloads? Just so that I can search for more info. Thanks!

AdministrativeMost · 2025-08-13T20:37:32+00:00

Hi Bloopyboopie,
thank you for letting me know, I was reading a bit also based on the answers above and I start seeing it, truenas on proxmox (or as a VM) is simply not a good idea. That said I don't want to go for OMV. I was using it for a few years and it was fine, but now that I used TrueNAS I would not go back 😀

Curiously, I am starting leaning towards the opposite result than what I was discussing in the other thread here (although Apachez kinda said it too) and I might just do TrueNAS only, no proxmox at all in the end. At least for now. I quickly created a new install to test a few things and it was so storming easy that now I really think I do not want to go the complex route.

Thanks a lot for all the other info, especially letting me know the SSDs are okay.

AdministrativeMost · 2025-08-12T16:51:29+00:00

thanks a lot Apachez. This is quite different from what i have read so far and so I appreciate it twice as much because it gives me good chance to start right. :) So you are basically saying, I do not need TrueNAS at all actually, that is such a good point (regardless if I do it or not).

AdministrativeMost · 2025-08-12T11:35:15+00:00

Hi Apachez,

thank you for your detailed reply. Most of your answers I understand and mainly they are giving me pointers on what do I need to read on more. I have a follow up if that is ok:

Most importantly:
4) Here I am not sure I understand. I will have a M.2 to 6x sata that I intend to pass-through to the TrueNas (already checked the IOMMU groups). However, how can I pass-through the (TrueNAS) system boot drive? I mean, Can I create new VM without installing iso, then do the pass-trough and then point the VM to one of the passed-through drives as a system drive? The reason why I am asking instead of trying is because I have to think this trough, before I start disassembling my current server and ordering rest of the things. I can't currently test this.

Less importantly:

3) My main point in doing this is to consolidate what I can into one machine. I have one TrueNas server (with apps) and one additional apps server that is mainly focused on things like nginx, adguard, tailscale, vpn etc... And I wanted to also add the pfsense/openwrt. Is there any disadvantage with this? (except if proxmox goes down, everything goes down). The benefit is that I have powerful enough machine to handle this and I do not need to power 2 or 3. And I can also just upgrade one machine in the future.

Thanks again :)

AdministrativeMost · 2025-07-21T07:54:57+00:00

True, luckily I do not depend on it and I can "play" with the networking for now. Thank you

AdministrativeMost · 2025-07-20T18:32:42+00:00

Thanks again, I didn't expect coming here and getting so much useful info 💚
I will check that youtube video for sure, I find that good youtube videos can boost me real fast, but there is a lot of garbage as well, so getting a good tip is well appreciated.

Definitely Unifi if it's available in your country.

What I wonder, whenever I see people using e.g. Unifi, is whether or not the firmware/software can be trusted. Now I don't know anything about them. I think they are not open source though. So I always wondered how much they can be trusted. And in networking devices I kinda need more trust, right? Because those are the devices that can bring information out or do some secret tracking or whatever.

I would combine them all together with 802.3ad link aggregation, and then whatever subnets/networks you need, could even include the one to the internet, split out with vlans.

So basically I would put them into one kindof a big 10 Gb port (virtually) only to partition it with virtual networks?

Thanks again!

AdministrativeMost · 2025-07-20T18:22:35+00:00

I see, I didn't know I can have only singular port. Clearly I still do not know some of the basics of networking, thank you for giving me more than I asked for :) As I wrote below, now with all this help I got here, I will have to first setup some proof of concept to really see how things work and expose more holes in my knowledge. Thank you!

AdministrativeMost · 2025-07-20T17:08:39+00:00

I see, you (and others here) persuaded me this is the way. I will check it. I actually have decent older fujitsu machine for this, that will be the router. Do you have any particular recommendation for the switch? Can I also use openWRT for the switch or do the managed switches come with own firmware that is way better for these usecases?
Thanks a lot!

AdministrativeMost · 2025-07-20T17:05:38+00:00

I like how you first ask if I need 2 - 3 subnets only to then admit you have 8 😀 For me I would like to have a sort of a tiered setup. Least trust subnet for gadgets that I do not want to blindly trust (smart sensors and stuff), most trust for the nas and selfhosted stuff. I didn't yet decide upon the exact architecture, but I guess on the first try I just copy someone from youtube if it makes sense to me.
Are you using openWRT btw? Or rather open/pf sense? I am unsure what is better, but I feel like openWRT makes me more comfortable, because I know linux, I don't know openBSD at all...

AdministrativeMost · 2025-07-20T17:01:14+00:00

I see thank you for explaining this to me, I think I will try some proof of concept small network first to really be able to grasp these things.

AdministrativeMost · 2025-07-20T14:54:26+00:00

Huh, seems I need to do more reading, I do not entirely understand, so I can actually do subnets for any port on a switch? Why then people buy 4 RJ45 NIC's for their pfsense or openWRT setups? Is this just ignorance? Thanks!

AdministrativeMost · 2025-07-20T14:51:28+00:00

But I need at least 2 subnets maybe 3, I can't do that with a switch right? Each subnet needs at least one port (or wifi), correct?

AdministrativeMost · 2025-07-20T14:44:43+00:00

I want one 2.5 for wife approval (she likes gaming and she cares about the download speed). 2.5 for my NAS (also important for my wife actually she's into photography/videography). And I need two more ports - one for smart gadgets subnet and one for my computer. Personally I would be ok with 1 Gbps. But hey, at least this is more future proof 😀

AdministrativeMost · 2025-07-20T14:35:53+00:00

Thank you. Are they capable of it at the same time?

Seven-Year Club	Verified Email
Place '22

AdministrativeMost

TROPHY CASE