This is one of the best explanations I've ever heard on this complex topic.
Always a great feeling when someone helps you close a gap in knowledge. Thank you
Christopher, wow that is kind of you to say. Glad it helped! Thanks for watching.
as someone with minimal cybersecurity background (but quickly developing a personal & professional interest in it), this video was incredibly helpful!! thank you!!
What you said in 14:30 was exactly my query. Blocking traffic between hosts on the same VLAN doesn't happen on the L3 router, it rather happens on L2 which is the switch.
Thank you for the video and especially also taking it to further depths. One thing I really like with (corporate grade) Wi-Fi networks is Client Isolation.
This is material I wish I could find covered at this level. I never finished chasing down VLANs and this encourages me to finish setting some up. Would look forward to anything covering Reverse Proxy solutions like NPM or Traefik while running containers on hosts and virtualized systems in Proxmox or another hypervisor. Thank you for your efforts.
Nulatium, glad you liked this! I like doing these deeper dives into networking as it is a core concept that is often missed.
The created rule only blocks IPv4 TCP traffic. It's important to change this default. Otherwise the network is fully reachable over UDP or IPv6. 13:35
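The point above, spelled out as an added example that is not from the video or its author. The thread mentions a Cisco switch, so this assumes the rule at 13:35 is a Cisco IOS extended ACL; the VLAN numbers (100 and 200), the subnets and the ACL names are assumed, and the "as shown" list is reconstructed from the comment's description (IPv4, TCP only), not copied from the video.

```cisco
! As shown (reconstructed): matches IPv4 TCP only. UDP (DNS, NTP, SNMP),
! ICMP and every IPv6 packet from VLAN 100 to VLAN 200 still pass.
ip access-list extended VLAN100-TO-VLAN200-TCP-ONLY
 deny   tcp 10.0.100.0 0.0.0.255 10.0.200.0 0.0.0.255
 permit ip  any any

! Corrected: deny the whole IPv4 protocol family between the two subnets ...
ip access-list extended VLAN100-TO-VLAN200
 deny   ip  10.0.100.0 0.0.0.255 10.0.200.0 0.0.0.255
 permit ip  any any

! ... and give IPv6 its own list, because an IPv4 ACL never matches IPv6.
ipv6 access-list VLAN100-TO-VLAN200-V6
 deny   ipv6 2001:db8:100::/64 2001:db8:200::/64
 permit ipv6 any any

! Bind both inbound on the VLAN 100 SVI so they filter what VLAN 100 hosts
! send toward the router (this replaces any earlier ip access-group binding).
interface Vlan100
 ip access-group VLAN100-TO-VLAN200 in
 ipv6 traffic-filter VLAN100-TO-VLAN200-V6 in
```

To check it, send something that is not IPv4 TCP from a VLAN 100 host toward VLAN 200 (a DNS query over UDP, or a ping to the VLAN 200 IPv6 address) and watch the match counters on the deny lines with `show access-lists VLAN100-TO-VLAN200` and `show ipv6 access-list VLAN100-TO-VLAN200-V6`. Note that a router ACL like this only sees traffic that crosses VLANs; two hosts inside VLAN 100 still reach each other, which is the separate point raised about 14:30 in this thread.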
really good content, thank you for sharing!
Do you have a video specifically about running a virtual firewall on a cluster? Where if you migrate the firewall it continues to function? I know you need the Inter-networking and standard networking but it's a lot
Thanks for the video!
Excellent material!
Glad you enjoyed it!
Hello Sir,
I just installed pfSense on my PC and everything is working just fine except Captive Portal. I watched many tutorials and set things up just like them or as guided in the tutorial, but in my case when I enable captive portal it asks for username and password and voucher, but when I try to input voucher codes it says invalid voucher. I tried to change the RSA keys and reconfigured and reinstalled the whole setup, but I am still at the same stage. Can you please guide me.
Awesome Video sir !
Thanks Jason
@@VirtualizationHowto YES ! :P
Thanks! That's really informative.
Mateusz, thanks for the comment and glad it was helpful!
Great explanation!
Steven, glad it was helpful!
Hey Brandon, I'm digging the channel. I appreciate the details & importance you place on using the correct terminology & restating acronyms & explaining them. I have a request or idea of something that I believe would make for good content. Can you PLEASE do a video on distributed switches from vCenter. I can't for the life of me understand why I have to move the vmkernel to the distributed switch group. I'm starting to think maybe I don't understand what a vmkernel really is used for. But what if I want that interface to be a dedicated interface for ESXi (i.e. no host).. and I want my host on separate interfaces (which btw I thought in the video on how to protect your ESXi host from ransomware was one of your BP recommendations). And can you please explain why in the WORLD my only option to install vCenter is on the ESXi host that it's managing? Really VMware? It makes doing the upgrade from vCenter on that ESXi host virtually impossible. There has to be a best practice there I'm missing. Keep up the good work & I look forward to your responses!
Brandon, thanks for the comment and questions! Lots of topics in the questions you posed. Distributed switches place the management of your virtual networking at the vCenter level, which makes things a lot easier if you are managing multiple ESXi hosts with the same port groups, etc. So in other words, you don't have to manually create standard port groups on each ESXi host; you can instead simply add the host to the distributed switch and it automatically inherits all the port group settings, etc. However, this is a mixed bag of features vs. disaster recovery. Distributed switches can become a nightmare if you lose vCenter as it houses the configuration for the switches. The switches won't be automatically wiped out; however, you will have a situation with orphaned and ghosted distributed switches. I still use distributed switches heavily; however, I usually keep a single standard switch configured with an uplink just for disaster scenarios. Also, it isn't an absolute requirement that vCenter is housed on the same ESXi hosts that it manages. You can house vCenter anywhere as long as it has network connectivity to the hosts it manages. It is common to see vCenter housed on the same ESXi hosts it manages, though. The way this works is you have a cluster of ESXi hosts. You vMotion the vCenter Server to a different host if you are upgrading a host in the cluster. You keep working your way through the hosts until they are all updated. There are also automated processes to take care of this whole process if you want it to be fully automatic. Upgrading vCenter Server itself is also not bad either, as you deploy the new vCenter Appliance and use direct ESXi host connections during the upgrade process instead of connecting to vCenter itself. I hope this helps with most of your questions. Let me know! Thanks again.
14:03 this level of detail within proxmox running docker containers would be great...I have my "group" of servers segmented via vlans, but I wanted to micro-segment the containers running within. Docker networking is something made of magic...would be cool if you could share any knowledge on this.
If you thought VLANs were crazy cool, you should check out VXLAN. Your mind will be blown away.
Informative video. Thank you. Regarding VLANs, wasn't the purpose using only 1 cable? If you close ports for exclusive use to, say, VLAN 100, I would need multiple cables I guess? And did the Cisco switch provide DHCP or the internet router?
@etienneb4403 thank you for the comment! Yes VLANs have many benefits, including using only a single uplink, but also network segmentation for different traffic types. Let me know if you have more detailed questions, please hop over to the VHT forums here and we can discuss further: www.virtualizationhowto.com/community
Thank you
7:11 What is the command used here to pick port interface f0/1? The video jumped, didn't show the command.
What software are you using to show us the Cisco command and router interfaces at 9:07?
@ziqif3407, shoot me a message over on the forums here and let's talk shop: www.virtualizationhowto.com/community. Thank you again.
I have 3 devices that discover each other on the same network using NDI. I have an issue where I am in a large office where devices can't find each other. IT will not fix this. Any workarounds?
@codingwithjerry-fn4cv Thank you for the comment! Sign up on the forums and I can give more personalized help here: www.virtualizationhowto.com/community
First 🥇!!!
Last!!
What about the Proxmox VE 7.2 VM firewall? Is that micro-segmentation?
Microsegmentation is usually handled with a software-defined solution. It allows having a mini firewall protecting every host on the network. You can use virtual firewalls to segment traffic but it does not scale very well.
@@VirtualizationHowto OK, I see what you mean, the scale part. So, if Proxmox can centralize its VM firewall configuration plus add firewall templates/rules for the VM & allows the template/rules to follow the VM from host to host, then it would scale?
fbi fido - It is really a limitation of all types of virtual firewalls. As mentioned in the video, traffic needs to be routed through a firewall for the filtering rules to be applied. If you have two VMs on the same VLAN with a pfSense virtual firewall protecting them, the firewall can't intercept traffic between them IP to IP on the same VLAN. You would have to have a pfSense firewall set up for every single virtual machine and each would have to be on its own VLAN to intercept traffic between them. VMware NSX installs specialized VIB files on each ESXi host allowing even layer 2 traffic between two VMs to be filtered and rules set up to filter that traffic, which provides a much more efficient and practical way to filter that traffic.
@@VirtualizationHowto "You would have to have a pfSense firewall set up for every single virtual machine", is that not how Proxmox is set up? Each host has a firewall, each VM has a firewall, even if no routing at the firewall layer.
fbi fido, ah yes, I read pfSense instead of Proxmox in your message. Yes, I do believe the Proxmox centralized firewall can protect VMs with rules as well. I haven't delved into testing this, but if so, it would be similar. I am not sure how it handles intra-VLAN traffic, etc. From what I see, NSX provides superior capabilities (identity-based rules, etc.) but this would be a viable option. I am looking at the documentation here: pve.proxmox.com/wiki/Firewall
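An added example for the exchange above, written in the per-VM firewall file format documented on the Proxmox wiki page the reply links to; it is not from the video, its author or the Proxmox project. The VM ID (100), the VLAN 100 subnet 10.0.100.0/24 and the admin workstation address are assumed. The reason it answers the intra-VLAN question: Proxmox VE enforces these rules on the host, at the VM's bridge port (the tap interface, when the NIC has `firewall=1` set), so a packet from a neighbouring VM on the same bridge and VLAN is filtered even though nothing routes it through a firewall VM.

```ini
# /etc/pve/firewall/cluster.fw  (datacenter-level switch, off by default;
# none of the per-VM rules below take effect until this is enabled)
[OPTIONS]
enable: 1

# /etc/pve/firewall/100.fw  (VM 100, assumed to be a web server in VLAN 100;
# its NIC must carry firewall=1, e.g. net0: virtio=...,bridge=vmbr0,tag=100,firewall=1)
[OPTIONS]
enable: 1
policy_in: DROP
policy_out: ACCEPT
log_level_in: info

[IPSET mgmt]
10.0.100.10 # assumed admin workstation, in the same VLAN as the VM

[RULES]
IN SSH(ACCEPT) -source +mgmt # SSH only from the admin host
IN HTTPS(ACCEPT) # the service this VM exists to serve, open to everyone
IN DROP -source 10.0.100.0/24 -log info # other VMs in the same VLAN land here, and get logged
```

To check it, from another VM in VLAN 100 open a connection to port 443 of VM 100 (succeeds) and then to port 22 (times out), and look for the logged drop under the VM's Firewall > Log view. `pve-firewall compile` prints the host ruleset that Proxmox generates from these files, which is a quick way to confirm the VM's rules were actually picked up. The caveat in the reply still holds: these rules match on addresses, ports and IP sets, not on identity the way the NSX rules it mentions can.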
This was eye-opening. I have been in tech for 30+ years as a developer and still didn't understand VLANs. With your tutorial, I think I understand them now.
So I figured I would segment my LAN, but I think my switches don't support VLANs, and when I started looking for a switch that does, it seems only high-end (read: very expensive) switches support VLANs.
For a home lab, what are some switches we can consider getting? Do we need to go with Cisco and learn how to program them? Or are there other acceptable options?
Thanks in advance for taking the time to answer. Even better if you can do a video about switches (or point me to one you've already done?)
Mike, this might be a good topic for a video for sure. There are cheaper switch models out there that support VLANs, but I am not sure what your budget is. Cisco is certainly the favorite for those that like the Cisco CLI as it is the industry standard. However, you don't have to go with Cisco; their CLI is just the most popular. One thing you run into with cheap switches is they are often what they refer to as unmanaged and not capable of more advanced features. Look for a managed switch with CLI access. The Cisco small business switches are actually not terribly expensive, depending on what port count you need. Unfortunately, the supply chain issues have driven the prices of even those switches much higher.
@@VirtualizationHowto - I am fortunate at this time to have a budget of whatever I can convince myself I should buy if it can help me get better in my career, within reason of course!
One idea I had was to get a managed switch with a smaller number of ports and daisy-chain the unmanaged switches I have for different VLANs, maybe?
@@mikeschinkel I might recommend looking at used, corporate take-outs. They provide a way to play with enterprise gear without paying "new" cost. They also generally provide more capacity and reliability than consumer gear. Check with your IT acquaintances.
@@scotta.3866 - Thanks.
BTW, since I commented a month ago I have done a lot of research and ended up ordering two new MikroTik switches; one with lots of 1GbE ports + 2 SFP+ ports, and another with support for eight SFP+ ports.
I decided against used enterprise equipment for a variety of reasons: 1.) noise and power usage, 2.) the hidden gotchas of enterprise licensing that can be discovered *after* purchase (I've been watching Patrick Kennedy discuss that on his ServeTheHome channel), 3.) the uncertainty of buying used, and 4.) because the MikroTik switches are a really good deal new.
I also like that MikroTik switches have both a CLI and a web UI (as well as a Windows GUI, but I doubt I'll use that).
Anyway, I haven't set them up yet but will be doing so in the near future.
Hey Man, nice video but... your intro tune almost made me deaf, as your voice's volume is much lower...
Why did you start creating VLANs before giving any explanation of what a vlan is and why you might want to have them?