diff --git a/docs/DECISIONS.md b/docs/DECISIONS.md index 196c14a..3c7a1f2 100644 --- a/docs/DECISIONS.md +++ b/docs/DECISIONS.md @@ -61,17 +61,26 @@ ### Router/Firewall (Planned) -**Decision**: OPNsense VM on Elantris +**Decision**: OPNsense VM on pm4 (server closet) **Reason**: - Free, full-featured firewall/router - VLAN routing and inter-VLAN firewall rules - IDS/IPS capability -- Elantris has ample resources (128GB RAM) +- pm4 is in server closet next to AT&T modem (avoids routing WAN over backhaul) +- pm4 has Intel I226-V (2.5G) + USB 3.1 for second NIC + +**Network Interfaces**: +- WAN: USB 2.5G NIC (~$25) → AT&T modem +- LAN: Intel I226-V → GiGaPlus switch (VLAN trunk) **Alternative Considered**: Ubiquiti Dream Machine - Rejected due to cost and ecosystem lock-in - OPNsense more flexible for homelab +**Alternative Considered**: OPNsense on Elantris (basement) +- Rejected because WAN would need to traverse 10G backhaul +- Would require managed switches for WAN VLAN isolation + ### 10G Backhaul (Planned) **Decision**: 10G RJ45 between server closet and basement diff --git a/docs/NETWORK-UPGRADE-PLAN.md b/docs/NETWORK-UPGRADE-PLAN.md index 4c6d479..df200e0 100644 --- a/docs/NETWORK-UPGRADE-PLAN.md +++ b/docs/NETWORK-UPGRADE-PLAN.md @@ -14,7 +14,13 @@ Upgrade from consumer Asus mesh WiFi to enterprise-grade UniFi APs with proper V |------|-----|------------|-------| | GiGaPlus 6-Port 10G PoE Switch | 2 | $101 | $202 | | UniFi U7 Pro AP | 2 | $189 | $378 | -| **Total** | | | **$580** | +| USB 2.5G NIC (for OPNsense WAN) | 1 | ~$25 | $25 | +| **Total** | | | **~$605** | + +### USB 2.5G NIC Options +- Plugable USBC-E2500 (~$30) +- Cable Matters 2.5G USB-C (~$25) +- UGREEN 2.5G USB-C (~$20) ### GiGaPlus Switch Specs - 4× 2.5G Base-T PoE ports 
@@ -39,18 +45,31 @@ Upgrade from consumer Asus mesh WiFi to enterprise-grade UniFi APs with proper V ## Physical Topology ``` -AT&T Modem (Server Closet - Upstairs) - │ - ▼ + AT&T Modem + │ + │ 2.5G (ethernet) + ▼ +┌──────────────────────────────────────────────────────────┐ +│ pm4 (Server Closet) - OPNsense Host │ +│ │ +│ [USB 3.1 2.5G NIC] ◄── AT&T Modem (WAN) │ +│ [Intel I226-V 2.5G] ──► GiGaPlus switch (LAN) │ +│ │ +│ OPNsense VM: │ +│ - vtnet0 (WAN) ← USB NIC │ +│ - vtnet1 (LAN) ← Intel NIC, VLAN trunk │ +└──────────────────────────────────────────────────────────┘ + │ + ▼ ┌──────────────────────────────────────────────────────────┐ │ SERVER CLOSET - GiGaPlus 10G PoE │ │ │ │ [10G RJ45] ─────────── Cat6 to basement │ │ [10G RJ45] spare │ +│ [2.5G PoE] pm4 (OPNsense LAN) │ │ [2.5G PoE] U6 Enterprise AP (upstairs coverage) │ │ [2.5G PoE] spare │ │ [2.5G PoE] spare │ -│ [2.5G PoE] spare │ │ │ │ Netgear GS308EP ◄── cameras via attic runs │ │ Unmanaged switches ◄── wired PCs │ 
@@ -150,20 +169,43 @@ net0: name=eth0,bridge=vmbr0,tag=10,type=veth ## OPNsense VM Setup ### Location -- **Host**: Elantris (most stable, 128GB RAM) -- **Resources**: 2-4 vCPU, 4GB RAM -- **Network**: VLAN trunk (all VLANs) +- **Host**: pm4 (server closet, next to AT&T modem) +- **Resources**: 2 vCPU, 2-4GB RAM +- **Why pm4**: Proximity to AT&T modem, avoids routing WAN over backhaul -### Interfaces +### Network Interfaces + +| Physical | Device | Purpose | +|----------|--------|---------| +| USB 2.5G NIC | enxXXXXXX | WAN (AT&T modem) | +| Intel I226-V | eno1/vmbr0 | LAN (to GiGaPlus switch) | + +### OPNsense Interface Config | Interface | VLAN | IP | Role | |-----------|------|-----|------| -| vtnet0 | - | DHCP from AT&T | WAN | +| vtnet0 (USB) | - | DHCP from AT&T | WAN | | vtnet1.1 | 1 | 10.4.2.1 | LAN - Management | | vtnet1.10 | 10 | 10.4.10.1 | LAN - Servers | | vtnet1.20 | 20 | 10.4.20.1 | LAN - IoT | | vtnet1.30 | 30 | 10.4.30.1 | LAN - Guest | +### Proxmox Setup on pm4 + +1. Create bridge for USB NIC (WAN): + ```bash + # /etc/network/interfaces on pm4 + auto vmbr1 + iface vmbr1 inet manual + bridge-ports enxXXXXXX # USB NIC device name + bridge-stp off + bridge-fd 0 + ``` + +2. Passthrough bridges to OPNsense VM: + - vmbr1 → WAN + - vmbr0 → LAN (VLAN-aware) + ### Firewall Rules (High Level) | From | To | Action |
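Review bot: in the DECISIONS.md hunk, the second rejected alternative gives "Would require managed switches for WAN VLAN isolation" as a reason, but the same plan already buys VLAN-capable GiGaPlus switches for the backhaul, so that bullet reads as contradicting the rest of the document. Suggest rewording it to the actual concern, which is carrying untrusted WAN traffic as a tagged VLAN on the same 10G trunk as the internal VLANs (a single switch misconfiguration would then bridge the modem side into internal segments), and keep "WAN would need to traverse 10G backhaul" as the primary reason. Also worth recording the USB NIC's chipset under "Network Interfaces", since the hunk only says "USB 3.1 for second NIC" and WAN availability now depends on that device staying enumerated across host reboots.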
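Review bot: in the cost-table hunk, the "USB 2.5G NIC Options" list records vendor and price but not chipset; because the NIC is bridged on the Proxmox host rather than handed to the VM, the Linux driver for that chipset decides whether the WAN link stays up, so add the chipset next to each candidate. The Plugable entry is listed at ~$30 while the table line item is ~$25; either state that the ~$605 total assumes one of the cheaper options or adjust the line item so the total is consistent.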
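Review bot: in the physical-topology hunk, the pm4 box labels vtnet1 as "VLAN trunk" but the switch side only says "[2.5G PoE] pm4 (OPNsense LAN)", so the diagram never states which VLANs the switch tags on that port or that the Proxmox host's own management address must remain reachable through it. Suggest annotating the port (for example "trunk: 1,10,20,30, mgmt on VLAN 1") so a reader can tell that a broken OPNsense VM does not also take the hypervisor offline. The WAN path is now drawn only as modem → USB NIC; a one-line note that the modem no longer connects to any switch would make the intended isolation explicit.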
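Review bot: in the "Proxmox Setup on pm4" hunk, the line `bridge-ports enxXXXXXX # USB NIC device name` puts a comment after the value; classic ifupdown only ignores lines that begin with `#`, so the trailing words can be read as additional port names, and the doc should not rely on ifupdown2 tolerating it. Move the comment to its own line above `bridge-ports`. Step 2 is titled "Passthrough bridges", but vmbr1 and vmbr0 are Linux bridges with virtio NICs (the interface table shows vtnet0/vtnet1), not PCI passthrough; rename it to "Attach bridges" and state that the vmbr0 NIC is attached with no VLAN tag, otherwise the vtnet1.1/10/20/30 sub-interfaces in the config table never see tagged frames. Since vmbr1 is `inet manual` the host holds no WAN address, which is correct; add a sentence saying so and that no host service should listen on vmbr1, so the hypervisor's management plane never faces the modem.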