Take control of your data, join the tech chat. Host an XMPP server and leverage end-to-end encryption for your personal data

  • warmaster@lemmy.world · 10 hours ago
    
    > STUN/TURN is literally designed to bypass network boundaries. Its necessity comes from the evil of NAT and allowing RFC1918 IP addresses behind firewalls to poke holes so that direct P2P connections can be established for VOIP.
    >
    > By virtue of being technology designed to step around boundaries, you should be wary of controls around this. STUN can be used to relay from the external STUN record to other servers within the same broadcast domain. We’ll add some controls here to limit this, but it would behoove you to place this server in an isolated DMZ without connectivity to other, potentially privileged, internal hosts. Never forget network segmentation.
    
    Would a VLAN be enough?
    • StarkZarn@infosec.pub (OP) · 10 hours ago

      Yes, absolutely. It all depends on implementation. I am using VLANs for L2 isolation. I have a specific DMZ VLAN that has my XMPP server and only my XMPP server on it. My network core applies ACLs that prevent any inter-VLAN traffic from there, so even if STUN/TURN pokes holes, the most that is accessible is that single VLAN, which happens to contain only the single host that I want to be accessible.

      Great question.
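An added example (not from either commenter) of the policy the reply describes, expressed as a first-match ACL applied to the DMZ VLAN: the Internet may reach only the published XMPP/TURN ports on the lone DMZ host, and nothing originating on the DMZ VLAN may initiate toward any internal VLAN, so a TURN relay allocation aimed at an internal host is dropped at the core. All subnets, ports and flows are constructed; the TURN relay port range is an assumption.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing: one DMZ VLAN holding only the XMPP/TURN host,
# two internal VLANs that must never be reachable from it.
DMZ_VLAN = ipaddress.ip_network("10.0.99.0/24")
INTERNAL = [ipaddress.ip_network("10.0.10.0/24"),   # assumed user VLAN
            ipaddress.ip_network("10.0.20.0/24")]   # assumed management VLAN
ANY = ipaddress.ip_network("0.0.0.0/0")

XMPP_PORTS = {5222, 5269}            # c2s and s2s listeners
TURN_PORTS = {3478, 5349}            # STUN/TURN control (plain and TLS)
RELAY_RANGE = range(49152, 65536)    # assumed TURN relay allocation range

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

# (action, src_net, dst_net, proto or None, dport container or None); first match wins.
# The ACL is assumed stateful, so only connection initiations are evaluated here.
ACL = [
    # Internet (and internal users) may reach only the published services on the DMZ host
    ("permit", ANY, DMZ_VLAN, "tcp", XMPP_PORTS | TURN_PORTS),
    ("permit", ANY, DMZ_VLAN, "udp", TURN_PORTS),
    ("permit", ANY, DMZ_VLAN, "udp", RELAY_RANGE),
    # Nothing on the DMZ VLAN may initiate toward an internal VLAN, on any port:
    # this is the rule that contains a TURN relay pointed at an internal host.
    *[("deny", DMZ_VLAN, net, None, None) for net in INTERNAL],
    # The DMZ host may still talk outward (s2s federation, relayed media to peers)
    ("permit", DMZ_VLAN, ANY, None, None),
    # Anything else touching the DMZ VLAN is dropped
    ("deny", ANY, ANY, None, None),
]

def evaluate(flow: Flow, acl=ACL) -> str:
    """Return the action of the first ACL entry matching the flow."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for action, src_net, dst_net, proto, ports in acl:
        if src not in src_net or dst not in dst_net:
            continue
        if proto is not None and proto != flow.proto:
            continue
        if ports is not None and flow.dport not in ports:
            continue
        return action
    return "deny"   # implicit deny if no entry matched
```

Because the DMZ VLAN contains a single host, a relay aimed at the DMZ's own subnet has nothing else to reach; the deny entries cover the VLANs that do hold privileged hosts.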