Should I physically separate VMs exposed to the internet from LAN VMs? And some security questions
-
I'm a homelab'er enjoying learning and tinkering with networking and servers, and still learning a lot, so please bear with my trivial question.
Now the time has come where I might want to create some VMs that I would like to expose to the internet, if I do not put my whole network at a huge security risk.
My kids play Minecraft and I think it would be a fun project to give them a server for them and their friends to join. Furthermore I would like to host a simple webserver for a presentation site (WordPress).
My setup is as follows:
- pfSense (Dell Poweredge r210ii)
- XCP-NG host (Dell Poweredge r630)
- Truenas (Dell Poweredge 720xd)
However, before I proceed with my project I have the following questions/considerations:
What I understand is that I should create a DMZ for servers exposed to the internet and that these servers should be on a separate physical network. So I guess that having the server VMs on a separate VLAN in XCP-NG is not secure enough? Or would you consider having the server VMs on the same XCP-NG host secure enough as long as their NICs are separated on VLANs? Or should I purchase another host for the exposed servers? Or is it even the recommendation that I actually get another WAN connection into my home to completely separate the networks?
I understand that nothing is 100% secure, but would you please share your thoughts and considerations on whether exposing servers as a homelab'er provides a significant security risk? Is this something other homelab'ers do, or is hosting servers only a thing established and professional companies should do?
I know that this question could be posted on other forums but I thought that as I'm running XCP-NG I might as well ask here.
Thanks in advance for comments and replies.
-
@runevn If you are aware that there is no 100% security, that's a good start.
You can have VMs in different networks on the same XCP-ng hosts, that's why you have VLANs and stuff.
Just create a VLAN "DMZ" for your publicly exposed VMs and route and firewall that in pfsense accordingly.
Since your dom0 and other VMs will be in another VLAN "Home Network" or whatever, there will not be a major issue.
I'm not sure what's the main "security" concern you want to address with your question.
2 VMs on the same XCP-ng host in 2 different VLANs => not a security issue (unless a zero-day flaw is found, I guess).
Your pfSense might be a security issue too: if that's compromised, no matter what the setup behind it looks like, it is exposed.
So final words on your question in the topic:
"No"
-
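To make the "DMZ VLAN, firewalled in pfSense" advice above concrete, here is an added example that is not from the thread or from the XCP-ng/pfSense projects. It models the three zones (LAN VLAN, DMZ VLAN, WAN) as a first-match ruleset, the way pfSense evaluates rules top-down on the interface where traffic enters, and audits the ruleset with a handful of probe packets. The address plan, the probe addresses, the port 25565 Minecraft default, and the rule names are assumptions I chose for illustration; the one thing the example exists to show is that a broad "DMZ to any" pass placed above the "DMZ to LAN" block silently defeats the isolation the DMZ was created for.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed address plan (assumption, not from the thread): one VLAN per zone.
LAN = ip_network("192.168.10.0/24")   # home network, dom0 management, TrueNAS
DMZ = ip_network("192.168.50.0/24")   # publicly exposed VMs
MINECRAFT_PORT = 25565                # Minecraft Java Edition default (assumed)


def zone_of(ip: str) -> str:
    """Map an address to the zone it lives in; anything non-local is WAN."""
    addr = ip_address(ip)
    if addr in LAN:
        return "LAN"
    if addr in DMZ:
        return "DMZ"
    return "WAN"


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    src: str               # zone name or "any"
    dst: str               # zone name or "any"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None means any destination port
    note: str = ""

    def matches(self, src_zone: str, dst_zone: str, proto: str, dport: int) -> bool:
        return (self.src in ("any", src_zone) and self.dst in ("any", dst_zone)
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """First matching rule wins; no match falls through to the implicit default deny."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in rules:
        if rule.matches(src_zone, dst_zone, proto, dport):
            return rule.action
    return "block"


# Ruleset in the spirit of the advice above: DMZ may reach the internet, never the LAN.
DMZ_RULES = [
    Rule("pass", "WAN", "DMZ", "tcp", MINECRAFT_PORT, "port-forwarded game server"),
    Rule("pass", "WAN", "DMZ", "tcp", 80, "WordPress"),
    Rule("pass", "WAN", "DMZ", "tcp", 443, "WordPress"),
    Rule("block", "DMZ", "LAN", "any", None, "a compromised DMZ VM must not pivot to LAN"),
    Rule("pass", "DMZ", "any", "any", None, "OS updates, plugin downloads"),
    Rule("pass", "LAN", "any", "any", None, "home network manages DMZ and reaches internet"),
]

# The same rules with the broad DMZ pass moved above the DMZ-to-LAN block: a common ordering mistake.
MISORDERED_RULES = [DMZ_RULES[0], DMZ_RULES[1], DMZ_RULES[2], DMZ_RULES[4], DMZ_RULES[3], DMZ_RULES[5]]


def audit(rules: List[Rule]) -> List[str]:
    """Return findings for probe packets whose verdict differs from the intended policy.
    An empty list means the ruleset keeps the DMZ isolated as intended."""
    # Constructed probes: (description, src, dst, proto, dport, expected verdict).
    probes = [
        ("DMZ must not reach LAN file shares", "192.168.50.10", "192.168.10.20", "tcp", 445, "block"),
        ("DMZ must not reach the NAS web UI", "192.168.50.10", "192.168.10.5", "tcp", 443, "block"),
        ("Internet must not reach DMZ SSH", "203.0.113.7", "192.168.50.10", "tcp", 22, "block"),
        ("Game server must be reachable", "203.0.113.7", "192.168.50.10", "tcp", MINECRAFT_PORT, "pass"),
        ("DMZ may fetch updates", "192.168.50.10", "1.1.1.1", "tcp", 443, "pass"),
    ]
    findings = []
    for name, src, dst, proto, port, expected in probes:
        got = evaluate(rules, src, dst, proto, port)
        if got != expected:
            findings.append(f"{name}: expected {expected}, got {got}")
    return findings


if __name__ == "__main__":
    print("correctly ordered ruleset:", audit(DMZ_RULES) or "no findings")
    print("misordered ruleset:", audit(MISORDERED_RULES))
```

Running it shows the correctly ordered ruleset with no findings, while the misordered one reports that DMZ hosts can reach LAN ports 445 and 443. The probe list is the part worth keeping around: every time a rule is added to the DMZ interface, re-run the same probes rather than reasoning about the rule in isolation.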
@jedimarcus Thanks for your reply. Yes, you answered my question. I don't need physically separated hosts; a VLAN is sufficient.
Thanks a lot for taking your time to answer my questions.
-
@jedimarcus By the way, my pfSense box has an Intel 4x1Gb Ethernet card. Would it be preferred/best practice to connect one of the pfSense NICs directly to an available NIC on my XCP-NG host and then assign this specific NIC to the exposed VMs? Or shouldn't I bother?
Thanks
-
@runevn I think that comes down to personal preference... my XCP-ng boxes have 9 NICs XD
Any solution is OK if bandwidth is not the issue.
-
@jedimarcus Okay - and once again. Thanks for your help.