docs: Update network plan - OPNsense on pm4 with USB NIC

- OPNsense moves to pm4 (server closet, next to AT&T modem) - USB 2.5G NIC for WAN (~$25), Intel I226-V for LAN - pm4 has USB 3.1 (10Gbps) - verified - Updated topology diagram with pm4/OPNsense placement - Total cost now ~$605 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-18 12:41:38 -05:00
parent ef02ff5eb6
commit 3674bcc147
2 changed files with 63 additions and 12 deletions
--- a/docs/DECISIONS.md
+++ b/docs/DECISIONS.md
@@ -61,17 +61,26 @@

 ### Router/Firewall (Planned)

-**Decision**: OPNsense VM on Elantris
+**Decision**: OPNsense VM on pm4 (server closet)
 **Reason**:
 - Free, full-featured firewall/router
 - VLAN routing and inter-VLAN firewall rules
 - IDS/IPS capability
- Elantris has ample resources (128GB RAM)
+- pm4 is in server closet next to AT&T modem (avoids routing WAN over backhaul)
+- pm4 has Intel I226-V (2.5G) + USB 3.1 for second NIC
+
+**Network Interfaces**:
+- WAN: USB 2.5G NIC (~$25) → AT&T modem
+- LAN: Intel I226-V → GiGaPlus switch (VLAN trunk)

 **Alternative Considered**: Ubiquiti Dream Machine
 - Rejected due to cost and ecosystem lock-in
 - OPNsense more flexible for homelab

+**Alternative Considered**: OPNsense on Elantris (basement)
+- Rejected because WAN would need to traverse 10G backhaul
+- Would require managed switches for WAN VLAN isolation
+
 ### 10G Backhaul (Planned)

 **Decision**: 10G RJ45 between server closet and basement
--- a/docs/NETWORK-UPGRADE-PLAN.md
+++ b/docs/NETWORK-UPGRADE-PLAN.md
@@ -14,7 +14,13 @@ Upgrade from consumer Asus mesh WiFi to enterprise-grade UniFi APs with proper V
 |------|-----|------------|-------|
 | GiGaPlus 6-Port 10G PoE Switch | 2 | $101 | $202 |
 | UniFi U7 Pro AP | 2 | $189 | $378 |
-| **Total** | | | **$580** |
+| USB 2.5G NIC (for OPNsense WAN) | 1 | ~$25 | $25 |
+| **Total** | | | **~$605** |
+
+### USB 2.5G NIC Options
+- Plugable USBC-E2500 (~$30)
+- Cable Matters 2.5G USB-C (~$25)
+- UGREEN 2.5G USB-C (~$20)

 ### GiGaPlus Switch Specs
 - 4× 2.5G Base-T PoE ports
@@ -39,18 +45,31 @@ Upgrade from consumer Asus mesh WiFi to enterprise-grade UniFi APs with proper V
 ## Physical Topology

 ```
-AT&T Modem (Server Closet - Upstairs)
-     │
-     ▼
+                          AT&T Modem
+                               │
+                               │ 2.5G (ethernet)
+                               ▼
+┌──────────────────────────────────────────────────────────┐
+│ pm4 (Server Closet) - OPNsense Host                      │
+│                                                          │
+│   [USB 3.1 2.5G NIC] ◄── AT&T Modem (WAN)               │
+│   [Intel I226-V 2.5G] ──► GiGaPlus switch (LAN)         │
+│                                                          │
+│   OPNsense VM:                                           │
+│   - vtnet0 (WAN) ← USB NIC                               │
+│   - vtnet1 (LAN) ← Intel NIC, VLAN trunk                │
+└──────────────────────────────────────────────────────────┘
+                               │
+                               ▼
 ┌──────────────────────────────────────────────────────────┐
 │ SERVER CLOSET - GiGaPlus 10G PoE                         │
 │                                                          │
 │  [10G RJ45] ─────────── Cat6 to basement                 │
 │  [10G RJ45] spare                                        │
+│  [2.5G PoE] pm4 (OPNsense LAN)                           │
 │  [2.5G PoE] U6 Enterprise AP (upstairs coverage)         │
 │  [2.5G PoE] spare                                        │
 │  [2.5G PoE] spare                                        │
-│  [2.5G PoE] spare                                        │
 │                                                          │
 │  Netgear GS308EP ◄── cameras via attic runs              │
 │  Unmanaged switches ◄── wired PCs                        │
@@ -150,20 +169,43 @@ net0: name=eth0,bridge=vmbr0,tag=10,type=veth
 ## OPNsense VM Setup

 ### Location
- **Host**: Elantris (most stable, 128GB RAM)
- **Resources**: 2-4 vCPU, 4GB RAM
- **Network**: VLAN trunk (all VLANs)
+- **Host**: pm4 (server closet, next to AT&T modem)
+- **Resources**: 2 vCPU, 2-4GB RAM
+- **Why pm4**: Proximity to AT&T modem, avoids routing WAN over backhaul

-### Interfaces
+### Network Interfaces
+
+| Physical | Device | Purpose |
+|----------|--------|---------|
+| USB 2.5G NIC | enxXXXXXX | WAN (AT&T modem) |
+| Intel I226-V | eno1/vmbr0 | LAN (to GiGaPlus switch) |
+
+### OPNsense Interface Config

 | Interface | VLAN | IP | Role |
 |-----------|------|-----|------|
-| vtnet0 | - | DHCP from AT&T | WAN |
+| vtnet0 (USB) | - | DHCP from AT&T | WAN |
 | vtnet1.1 | 1 | 10.4.2.1 | LAN - Management |
 | vtnet1.10 | 10 | 10.4.10.1 | LAN - Servers |
 | vtnet1.20 | 20 | 10.4.20.1 | LAN - IoT |
 | vtnet1.30 | 30 | 10.4.30.1 | LAN - Guest |

+### Proxmox Setup on pm4
+
+1. Create bridge for USB NIC (WAN):
+   ```bash
+   # /etc/network/interfaces on pm4
+   auto vmbr1
+   iface vmbr1 inet manual
+       bridge-ports enxXXXXXX  # USB NIC device name
+       bridge-stp off
+       bridge-fd 0
+   ```
+
+2. Passthrough bridges to OPNsense VM:
+   - vmbr1 → WAN
+   - vmbr0 → LAN (VLAN-aware)
+
 ### Firewall Rules (High Level)

 | From | To | Action |