kavren/proxmox-infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs: VLAN isolation working, OPNsense WAN cutover complete

Browse Source 
- Updated INFRASTRUCTURE.md with VLAN traffic path and required configs
- Updated CHANGELOG.md with WAN cutover and VLAN troubleshooting fixes
- Updated TASKS.md to reflect completed network work
- pm4 bridge VLAN config made persistent via post-up commands
- Pi-hole listeningMode changed to ALL for multi-subnet DNS

Key fixes:
- pm4 vmbr0 bridge-vlan-aware with VLANs 10,20,30 on eno1
- Pi-hole veth added to VLANs for routed traffic
- Pi-hole gateway set to OPNsense (10.4.2.1)
- OPNsense default route fixed to use WAN gateway

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
kavren
2025-12-21 22:29:19 -05:00
parent e93030ba9b
commit ae071a5064
3 changed files with 45 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
docs/CHANGELOG.md
View File

@@ -59,6 +59,29 @@
- DECISIONS.md: Complete VLAN architecture and firewall rules
- INFRASTRUCTURE.md: VLANs and subnets table, pm4 bridges
### OPNsense WAN Cutover (Completed)
- Connected USB NIC (vmbr1) to AT&T modem
- WAN IP: 192.168.1.183 (DHCP from AT&T gateway 192.168.1.254)
- Fixed default route to use WAN gateway instead of Asus
- Internet working through OPNsense
### VLAN Troubleshooting & Fixes
- **pm4 vmbr0**: Added `bridge-vlan-aware yes` to enable VLAN filtering
- **Bridge VLAN Memberships**: Added VLANs 10, 20, 30 to eno1 and tap130i0
- Made persistent via `post-up` commands in /etc/network/interfaces
- **Pi-hole veth**: Added VLANs 10, 20, 30 to veth103i0 for routed traffic
- **OPNsense VLANs**: Rebooted to fix broken vlan02/vlan03 parent interface
- **Trusted VLAN Firewall**: Added allow-all rule for opt2 (Trusted)
- **Pi-hole listeningMode**: Changed from "LOCAL" to "ALL" in pihole.toml
- Required for Pi-hole to accept DNS queries from non-local subnets
- **Pi-hole Gateway**: Set to 10.4.2.1 (OPNsense) for proper return routing
### Verified Working
- All VLANs (10, 20, 30) receiving DHCP from OPNsense
- DNS resolution via Pi-hole from all VLANs
- Internet access from all VLANs
- Firewall isolation rules in place
## 2025-12-19
### Network Upgrade Progress