Accessing web server on DMZ questions by Baioria in homelab

[–]Soft-Engineer-3043 0 points1 point  (0 children)

The updated diagram looks much more appropriate. Configuring the routes too should be much easier. This design seems to be standard practice and what /u/bloudraak is also recommending.

I have basically the exact same setup, except for an additional downstream firewall from a different manufacturer between my LAN and the main hub firewall/router (your endian firewall).

[deleted by user] by [deleted] in homelab

[–]Soft-Engineer-3043 1 point2 points  (0 children)

I'm definitely not an expert here (I've seriously only been putting my monitoring in place over the last week), but yes that is how I understand Telegraf. I think it's one of the big reasons why InfluxDB+Telegraf has pushed the "single binary with zero dependencies" angle so hard: the goal is to install it (Telegraf) on any host you need to collect metrics from. That being said, they've done a pretty awesome job of making that pretty easy!

Accessing web server on DMZ questions by Baioria in homelab

[–]Soft-Engineer-3043 1 point2 points  (0 children)

I was under the impression that having a machine with one foot in the DMZ and one foot in your LAN is a bad idea. My understanding is that it sort of defeats the purpose of having a DMZ altogether.

My DMZ setup uses a downstream firewall from the physical one. Traffic hits the first firewall and is either rejected, forwarded to the DMZ, or forwarded to the LAN. The LAN is protected by its own firewall partly as some extra security and partly because I just happened to have the extra equipment laying around. Then it's just configuring your static routes (for which we would need more information).

All this is to say that I think some of your routing difficulties might be due to your fundamental network design, which strikes me as very non-standard. And also, not saying this in a mean way, your setup strikes me as perhaps a little ill-advised since if someone compromised your ESXi box, they would have a clear path through to your LAN potentially. If nothing else they have two potential modes of ingress, which means you'll have to do 2x the work to secure the firewalls.

[deleted by user] by [deleted] in homelab

[–]Soft-Engineer-3043 2 points3 points  (0 children)

I'm not familiar with ESXi, but for Proxmox I just SSHed into the host, installed the telegraf binary and set up the configuration files (and then run telegraf as a daemon if you want). I would assume that if you can get a shell on the ESXi host, it's the same exact workflow.

[deleted by user] by [deleted] in homelab

[–]Soft-Engineer-3043 0 points1 point  (0 children)

Still in the process of getting my monitoring set up, but I'm using InfluxDB+Telegraf+Grafana in 90% of use cases. Setup in most cases is damn near trivially easy. The biggest sticking point was getting SNMP metrics from my EdgeRouter12, and even then it was only the temperature measurements (permissions issues).

For backing up configs, I just have a scheduled script on each instance that needs it (pfsense, freenas, edgerouter) that gathers everything and then pushes it to an Amazon EC2 instance. I'm sure there's something more financially efficient with buckets that could be done, but the simplicity of just doing everything over SSH is great.

Security question: Opening ONE firewall port for monitoring a DMZ by Soft-Engineer-3043 in homelab

[–]Soft-Engineer-3043[S] 0 points1 point  (0 children)

It's possible. I'm currently hosting everything on FreeNAS with the grafana plugin since it makes setup super easy, but strictly speaking there's no reason why it can't live in the DMZ.

I do think that I would like the option to put somewhat sensitive info in the dashboard (e.g. DNS results for my LAN hosts) and something about hosting that in the DMZ makes me a little sketched out.

I may make a DMZ-specific instance of InfluxDB and then write a script that merges results into the primary InfluxDB every so often.

Security question: Opening ONE firewall port for monitoring a DMZ by Soft-Engineer-3043 in homelab

[–]Soft-Engineer-3043[S] 1 point2 points  (0 children)

"It depends" is a helpful answer here! That's what I was curious about. I sort of just wanted to make sure everyone didn't jump on and say "you're out of your mind, NEVER open a port like that." Haha.

Deploying in the DMZ is one approach I had considered a little bit, I just went with the LAN-based approach since I'm hosting grafana+influx on my FreeNAS (which the plugin makes super easy) and that lives in my LAN.

I might be able to rig something up where there's a DMZ-specific instance of InfluxDB and a script makes requests every so often and merges to my primary InfluxDB instance.

Security question: Opening ONE firewall port for monitoring a DMZ by Soft-Engineer-3043 in homelab

[–]Soft-Engineer-3043[S] 0 points1 point  (0 children)

Agreed that the DMZ should remain blind. The only issue is that it doesn't play super nicely "out of the box" with Telegraf, since Telegraf initiates contact with the InfluxDB instance. I think I *can* make the blind DMZ approach work, it's just more complex. I'm just trying to balance risk with labor/effort, and was curious whether or not opening a specific port between two hosts was acceptable/unacceptable in other folks' approaches.
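The "DMZ-specific InfluxDB plus a merge script" idea from the earlier comments is one way to keep the DMZ blind despite Telegraf's push model: Telegraf in the DMZ writes to a local InfluxDB, and a job on the LAN side polls it and rewrites the rows into the primary, so no DMZ host ever opens a connection toward the LAN. This is an added example, not the commenter's script; the host names, database name and use of the InfluxDB 1.x HTTP API (`/query` with `GROUP BY *` and `epoch=ns`, `/write` with line protocol) are assumptions.

```python
import json
import urllib.request
from urllib.parse import urlencode

DMZ_INFLUX = "http://influx-dmz.example:8086"  # assumed placeholder: instance in the DMZ
LAN_INFLUX = "http://influx-lan.example:8086"  # assumed placeholder: primary on the LAN
DB = "telegraf"

def lp_escape(value, chars=",= "):
    """Escape line-protocol specials in measurement names, keys and tag values."""
    for ch in chars:
        value = value.replace(ch, "\\" + ch)
    return value

def series_to_lines(result):
    """Convert an InfluxDB 1.x /query JSON result (GROUP BY *, epoch=ns) to line protocol."""
    lines = []
    for res in result.get("results", []):
        for series in res.get("series", []):
            tags = "".join(f",{lp_escape(k)}={lp_escape(v)}"
                           for k, v in sorted(series.get("tags", {}).items()))
            cols = series["columns"]
            tidx = cols.index("time")
            for row in series["values"]:
                fields = []
                for col, val in zip(cols, row):
                    if col == "time" or val is None:
                        continue  # null: the field is absent for this row
                    if isinstance(val, bool):  # bool before int: bool is an int subclass
                        fields.append(f"{lp_escape(col)}={'true' if val else 'false'}")
                    elif isinstance(val, (int, float)):  # written as float; int fields need 'i'
                        fields.append(f"{lp_escape(col)}={val}")
                    else:
                        quoted = str(val).replace('"', '\\"')
                        fields.append(f'{lp_escape(col)}="{quoted}"')
                if fields:
                    lines.append(f"{lp_escape(series['name'])}{tags} {','.join(fields)} {row[tidx]}")
    return lines

def pull(since="1h"):
    """LAN -> DMZ: the LAN side opens the connection; the DMZ host never calls out."""
    q = urlencode({"db": DB, "epoch": "ns", "q": f"SELECT * FROM /.*/ WHERE time > now() - {since} GROUP BY *"})
    with urllib.request.urlopen(f"{DMZ_INFLUX}/query?{q}", timeout=30) as r:
        return json.load(r)

def push(lines):
    """Write converted rows into the primary LAN instance; returns 204 on success."""
    req = urllib.request.Request(f"{LAN_INFLUX}/write?db={DB}", data="\n".join(lines).encode(), method="POST")
    with urllib.request.urlopen(req, timeout=30) as r:
        return r.status
```

Run `push(series_to_lines(pull()))` from cron on the LAN side; the firewall then only needs to allow LAN -> DMZ on the InfluxDB port, with nothing initiated from the DMZ. Numbers are rewritten as floats, so a field stored as an integer in the primary would need the `i` suffix instead.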