docs: Update network plan - OPNsense on pm4 with USB NIC

- OPNsense moves to pm4 (server closet, next to AT&T modem)
- USB 2.5G NIC for WAN (~$25), Intel I226-V for LAN
- pm4 has USB 3.1 (10Gbps) - verified
- Updated topology diagram with pm4/OPNsense placement
- Total cost now ~$605

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-18 12:41:38 -05:00
parent ef02ff5eb6
commit 3674bcc147
2 changed files with 63 additions and 12 deletions


@@ -61,17 +61,26 @@
### Router/Firewall (Planned) ### Router/Firewall (Planned)
**Decision**: OPNsense VM on Elantris **Decision**: OPNsense VM on pm4 (server closet)
**Reason**: **Reason**:
- Free, full-featured firewall/router - Free, full-featured firewall/router
- VLAN routing and inter-VLAN firewall rules - VLAN routing and inter-VLAN firewall rules
- IDS/IPS capability - IDS/IPS capability
- Elantris has ample resources (128GB RAM) - pm4 is in server closet next to AT&T modem (avoids routing WAN over backhaul)
- pm4 has Intel I226-V (2.5G) + USB 3.1 for second NIC
**Network Interfaces**:
- WAN: USB 2.5G NIC (~$25) → AT&T modem
- LAN: Intel I226-V → GiGaPlus switch (VLAN trunk)
**Alternative Considered**: Ubiquiti Dream Machine **Alternative Considered**: Ubiquiti Dream Machine
- Rejected due to cost and ecosystem lock-in - Rejected due to cost and ecosystem lock-in
- OPNsense more flexible for homelab - OPNsense more flexible for homelab
**Alternative Considered**: OPNsense on Elantris (basement)
- Rejected because WAN would need to traverse 10G backhaul
- Would require managed switches for WAN VLAN isolation
### 10G Backhaul (Planned) ### 10G Backhaul (Planned)
**Decision**: 10G RJ45 between server closet and basement **Decision**: 10G RJ45 between server closet and basement
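Review bot: the new "Network Interfaces" block ("WAN: USB 2.5G NIC (~$25) → AT&T modem" / "LAN: Intel I226-V → GiGaPlus switch (VLAN trunk)") does not say how the WAN NIC reaches the VM, and that choice decides whether the Proxmox host itself sits on the untrusted modem segment: bridging the USB NIC into a host bridge gives the host an interface facing the modem, while passing the USB device through to the OPNsense VM keeps that interface off the host entirely. Either is workable for a homelab, but the decision record should name one and the reason, the same way it records why Elantris was rejected. Also, "IDS/IPS capability" is listed as a reason; if that is actually planned on this VM, say so here so the VM sizing elsewhere in the plan can account for it.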


@@ -14,7 +14,13 @@ Upgrade from consumer Asus mesh WiFi to enterprise-grade UniFi APs with proper V
|------|-----|------------|-------| |------|-----|------------|-------|
| GiGaPlus 6-Port 10G PoE Switch | 2 | $101 | $202 | | GiGaPlus 6-Port 10G PoE Switch | 2 | $101 | $202 |
| UniFi U7 Pro AP | 2 | $189 | $378 | | UniFi U7 Pro AP | 2 | $189 | $378 |
| **Total** | | | **$580** | | USB 2.5G NIC (for OPNsense WAN) | 1 | ~$25 | $25 |
| **Total** | | | **~$605** |
### USB 2.5G NIC Options
- Plugable USBC-E2500 (~$30)
- Cable Matters 2.5G USB-C (~$25)
- UGREEN 2.5G USB-C (~$20)
### GiGaPlus Switch Specs ### GiGaPlus Switch Specs
- 4× 2.5G Base-T PoE ports - 4× 2.5G Base-T PoE ports
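Review bot: the "USB 2.5G NIC Options" list gives vendor and price but not the chipset or the connector, and the BOM row prices the part at "~$25" while the first option is "~$30". Because the adapter will be driven by the Proxmox host, record the chipset for each option and confirm in-kernel Linux support before ordering; and since all three listed parts are USB-C, note whether pm4's USB 3.1 port is Type-A or Type-C so an adapter cable is not an unbudgeted extra.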
@@ -39,18 +45,31 @@ Upgrade from consumer Asus mesh WiFi to enterprise-grade UniFi APs with proper V
## Physical Topology ## Physical Topology
``` ```
AT&T Modem (Server Closet - Upstairs) AT&T Modem
│ 2.5G (ethernet)
┌──────────────────────────────────────────────────────────┐
│ pm4 (Server Closet) - OPNsense Host │
│ │
│ [USB 3.1 2.5G NIC] ◄── AT&T Modem (WAN) │
│ [Intel I226-V 2.5G] ──► GiGaPlus switch (LAN) │
│ │
│ OPNsense VM: │
│ - vtnet0 (WAN) ← USB NIC │
│ - vtnet1 (LAN) ← Intel NIC, VLAN trunk │
└──────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────┐ ┌──────────────────────────────────────────────────────────┐
│ SERVER CLOSET - GiGaPlus 10G PoE │ │ SERVER CLOSET - GiGaPlus 10G PoE │
│ │ │ │
│ [10G RJ45] ─────────── Cat6 to basement │ │ [10G RJ45] ─────────── Cat6 to basement │
│ [10G RJ45] spare │ │ [10G RJ45] spare │
│ [2.5G PoE] pm4 (OPNsense LAN) │
│ [2.5G PoE] U6 Enterprise AP (upstairs coverage) │ │ [2.5G PoE] U6 Enterprise AP (upstairs coverage) │
│ [2.5G PoE] spare │ │ [2.5G PoE] spare │
│ [2.5G PoE] spare │ │ [2.5G PoE] spare │
│ [2.5G PoE] spare │
│ │ │ │
│ Netgear GS308EP ◄── cameras via attic runs │ │ Netgear GS308EP ◄── cameras via attic runs │
│ Unmanaged switches ◄── wired PCs │ │ Unmanaged switches ◄── wired PCs │
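Review bot: the pm4 box connects "[Intel I226-V 2.5G] ──► GiGaPlus switch (LAN)" and the closet box shows it on "[2.5G PoE] pm4 (OPNsense LAN)", but neither marks that switch port as a tagged VLAN trunk even though the VM's "vtnet1 (LAN) ← Intel NIC, VLAN trunk" depends on it; label the port as a trunk in the diagram so the switch configuration matches the plan. Separately, the closet box still lists "U6 Enterprise AP (upstairs coverage)" while the BOM buys "UniFi U7 Pro AP"; reconcile the model name.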
@@ -150,20 +169,43 @@ net0: name=eth0,bridge=vmbr0,tag=10,type=veth
## OPNsense VM Setup ## OPNsense VM Setup
### Location ### Location
- **Host**: Elantris (most stable, 128GB RAM) - **Host**: pm4 (server closet, next to AT&T modem)
- **Resources**: 2-4 vCPU, 4GB RAM - **Resources**: 2 vCPU, 2-4GB RAM
- **Network**: VLAN trunk (all VLANs) - **Why pm4**: Proximity to AT&T modem, avoids routing WAN over backhaul
### Interfaces ### Network Interfaces
| Physical | Device | Purpose |
|----------|--------|---------|
| USB 2.5G NIC | enxXXXXXX | WAN (AT&T modem) |
| Intel I226-V | eno1/vmbr0 | LAN (to GiGaPlus switch) |
### OPNsense Interface Config
| Interface | VLAN | IP | Role | | Interface | VLAN | IP | Role |
|-----------|------|-----|------| |-----------|------|-----|------|
| vtnet0 | - | DHCP from AT&T | WAN | | vtnet0 (USB) | - | DHCP from AT&T | WAN |
| vtnet1.1 | 1 | 10.4.2.1 | LAN - Management | | vtnet1.1 | 1 | 10.4.2.1 | LAN - Management |
| vtnet1.10 | 10 | 10.4.10.1 | LAN - Servers | | vtnet1.10 | 10 | 10.4.10.1 | LAN - Servers |
| vtnet1.20 | 20 | 10.4.20.1 | LAN - IoT | | vtnet1.20 | 20 | 10.4.20.1 | LAN - IoT |
| vtnet1.30 | 30 | 10.4.30.1 | LAN - Guest | | vtnet1.30 | 30 | 10.4.30.1 | LAN - Guest |
### Proxmox Setup on pm4
1. Create bridge for USB NIC (WAN):
```bash
# /etc/network/interfaces on pm4
auto vmbr1
iface vmbr1 inet manual
bridge-ports enxXXXXXX # USB NIC device name
bridge-stp off
bridge-fd 0
```
2. Passthrough bridges to OPNsense VM:
- vmbr1 → WAN
- vmbr0 → LAN (VLAN-aware)
### Firewall Rules (High Level) ### Firewall Rules (High Level)
| From | To | Action | | From | To | Action |
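Review bot: the interface table puts management on VLAN 1 ("vtnet1.1 | 1 | 10.4.2.1 | LAN - Management"). On most switches VLAN 1 is the untagged native VLAN on a trunk port, so a tagged vtnet1.1 sub-interface may never see that traffic (it arrives untagged on vtnet1), and using the default VLAN for management also means every unconfigured switch port lands in the management network. Move management to a dedicated tagged VLAN and keep the 10.4.<vlan>.0 numbering used for VLANs 10/20/30 (10.4.2.1 suggests VLAN 2 was intended). In "Proxmox Setup on pm4", step 2 says "Passthrough bridges", but attaching vmbr1/vmbr0 as virtio NICs is not passthrough; state instead that the LAN NIC on vmbr0 gets no "tag=" so OPNsense receives tagged frames for all VLANs, and that vmbr1 stays "inet manual" with no address and with Proxmox management not bound to it, since that bridge faces the modem. Finally, "enxXXXXXX" must be replaced with the real device name from "ip link" on pm4, and the trailing "# USB NIC device name" comment is safer on its own line in /etc/network/interfaces.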