Conversation

Notices

1. Embed this notice
   Mauricio Teixeira 🇧🇷🇺🇲 (badnetmask@hachyderm.io)'s status on Thursday, 20-Feb-2025 07:21:50 JST Mauricio Teixeira 🇧🇷🇺🇲

   Question to the home lab/self-hosted community. I'm not asking one person specifically, because nobody needs to defend/justify themselves. Feel free to ignore the question.

   I've seen some people posting that they cross-connect their servers/services using Tailscale. That basically throws everything in the same network/VLAN. So, except when the hosts are outside your home network, or you need remote access, how is that better/more secure than just throwing everything in the same local VLAN isolated from your main/personal devices?

   Full disclosure: this is just for my understanding/learning. I run all my stuff across multiple VLANs, and only stand up Tailscale for very specific cases.

   #HomeLab #SelfHosted #Tailscale

   • Embed this notice
     jordantilus (jordan@sometimes.social)'s status on Thursday, 20-Feb-2025 07:26:04 JST jordantilus

     in reply to

     @badnetmask Not everything has to have access to everything else within a tailnet, you can write an ACL to permit host A to only access port X on host B for example

   • Embed this notice
     Mauricio Teixeira 🇧🇷🇺🇲 (badnetmask@hachyderm.io)'s status on Thursday, 20-Feb-2025 07:26:04 JST Mauricio Teixeira 🇧🇷🇺🇲

     in reply to

     • jordantilus

     @jordan
     And how's that different from throwing firewall rules in every host?

   • Embed this notice
     Mauricio Teixeira 🇧🇷🇺🇲 (badnetmask@hachyderm.io)'s status on Thursday, 20-Feb-2025 07:41:14 JST Mauricio Teixeira 🇧🇷🇺🇲

     in reply to

     • jordantilus

     @jordan
     Hm. I see. Thanks!

   • Embed this notice
     jordantilus (jordan@sometimes.social)'s status on Thursday, 20-Feb-2025 07:41:15 JST jordantilus

     in reply to

     @badnetmask Philosophically not too different, except that the whole set of ACLs for the network is defined centrally in one document, and it is as if the switch is enforcing the ACL rather than each host doing it themselves

   • Embed this notice
     slamp (slamp@hachyderm.io)'s status on Thursday, 20-Feb-2025 07:50:47 JST slamp

     in reply to

     @badnetmask 2 uses case: allow my daughter to access resources from home as she is studying in a foreign country
     Backup on a nas installed at my parents house

   • Embed this notice
     Mauricio Teixeira 🇧🇷🇺🇲 (badnetmask@hachyderm.io)'s status on Thursday, 20-Feb-2025 07:55:16 JST Mauricio Teixeira 🇧🇷🇺🇲

     in reply to

     • slamp

     @slamp
     Sure. Like I said, except in those cases that you need remote access.

   • Embed this notice
     Rune 🇨🇦 (rune@social.intothecloud.net)'s status on Thursday, 20-Feb-2025 09:55:24 JST Rune 🇨🇦

     in reply to

     @badnetmask
     Depending on how you use it, it can be a step towards Zero Trust networking, where being physically on the LAN doesn't automatically give you access to things. If you bind services to the Tailnet interface instead, then it doesn't matter where you are, you can only access it if allowed by the ACL. It also acts as encryption in transit for all traffic, even plaintext protocols.

   • Embed this notice
     Mauricio Teixeira 🇧🇷🇺🇲 (badnetmask@hachyderm.io)'s status on Thursday, 20-Feb-2025 09:55:24 JST Mauricio Teixeira 🇧🇷🇺🇲

     in reply to

     • Rune 🇨🇦

     @rune
     Oh, you make very good points! Thank you!