docs: Add DHCP-based network isolation strategy
- Document OPNsense WAN configuration (pm4 vmbr1 with USB NIC)
- Add DHCP-based isolation workaround for unmanaged Gigabyte switches
- Plan subnet scheme: LAN (10.4.2.0/24), IoT (10.4.10.0/24), Guest (10.4.20.0/24)
- Document planned OPNsense firewall rules for isolation
- Update tasks with OPNsense migration and isolation steps
- Fix Claude Code hooks settings (remove matcher from Stop hook)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@@ -41,37 +41,78 @@
## Network Architecture
### VLAN Strategy (Planned)
### Network Isolation Strategy
**Decision**: Segment network into 4 VLANs
**See**: [NETWORK-UPGRADE-PLAN.md](NETWORK-UPGRADE-PLAN.md)
**Goal**: Isolate IoT (KavCorp-IOT) and Guest (KavCorp-Guest) WiFi networks from the main LAN, while allowing Smart Home VMs to access IoT devices.
#### Constraint: Unmanaged Gigabyte Switches
The Gigabyte 10G switches provide 10G backhaul and 2.5G PoE to UniFi APs, but they are **unmanaged** and don't support VLAN tagging. This means VLAN tags from UniFi APs are stripped when traffic passes through.
**Workaround**: DHCP-based isolation (L3 firewall rules instead of L2 VLANs)
#### IP Subnet Scheme
| Subnet | Range | Purpose | DHCP Source |
|--------|-------|---------|-------------|
| Main LAN | 10.4.2.0/24 | Trusted devices, Proxmox hosts, services | OPNsense |
| IoT | 10.4.10.0/24 | KavCorp-IOT SSID devices | OPNsense or UniFi |
| Guest | 10.4.20.0/24 | KavCorp-Guest SSID devices | OPNsense or UniFi |
#### OPNsense Firewall Rules (Planned)
| Source | Destination | Action | Notes |
|--------|-------------|--------|-------|
| 10.4.10.0/24 (IoT) | 10.4.2.0/24 (LAN) | **Block** | Isolate IoT from LAN |
| 10.4.20.0/24 (Guest) | 10.4.2.0/24 (LAN) | **Block** | Isolate Guest from LAN |
| 10.4.20.0/24 (Guest) | 10.4.10.0/24 (IoT) | **Block** | Isolate Guest from IoT |
| Smart Home VMs | 10.4.10.0/24 (IoT) | **Allow** | Home Assistant → IoT devices |
| 10.4.10.0/24 (IoT) | Internet | **Allow** | IoT internet access |
| 10.4.20.0/24 (Guest) | Internet | **Allow** | Guest internet access |
#### Limitations of DHCP Workaround
- **Not true L2 isolation**: All traffic on same broadcast domain
- **IP spoofing possible**: Malicious device could use LAN IP range
- **Sufficient for**: IoT devices and guests (low threat actors)
- **Future upgrade**: Replace Gigabyte switches with managed 2.5G PoE switches for proper VLANs
#### VLAN IDs (For Future Reference)
| VLAN | Name | Subnet | Purpose |
|------|------|--------|---------|
| 1 | Default | 10.4.2.0/24 | Management, trusted PCs, Proxmox hosts |
| 10 | Servers | 10.4.10.0/24 | Server containers, NAS |
| 20 | IoT | 10.4.20.0/24 | Cameras, smart home, Home Assistant |
| 30 | Guest | 10.4.30.0/24 | Guest WiFi, isolated |
| 10 | IoT | 10.4.10.0/24 | IoT devices, cameras, smart home |
| 20 | Guest | 10.4.20.0/24 | Guest WiFi, isolated |
**VLAN Tagging Methods**:
- WiFi: UniFi APs (SSID → VLAN mapping)
- Cameras: GS308EP (port-based VLAN)
- Containers: Proxmox (bridge VLAN tag)
- Wired PCs: Untagged (VLAN 1 via unmanaged switches)
### Router/Firewall
### Router/Firewall (Planned)
**Decision**: OPNsense VM 130 on pm4 (server closet)
**Status**: Deployed, pending WAN cutover
**Decision**: OPNsense VM on pm4 (server closet)
**Reason**:
- Free, full-featured firewall/router
- VLAN routing and inter-VLAN firewall rules
- Inter-subnet firewall rules for IoT/Guest isolation
- IDS/IPS capability
- pm4 is in server closet next to AT&T modem (avoids routing WAN over backhaul)
- pm4 has Intel I226-V (2.5G) + USB 3.1 for second NIC
**Network Interfaces**:
- WAN: USB 2.5G NIC (~$25) → AT&T modem
- LAN: Intel I226-V → GiGaPlus switch (VLAN trunk)
**Network Interfaces (VM 130)**:
| Interface | Bridge | Purpose | Status |
|-----------|--------|---------|--------|
| net0 | vmbr0 | LAN (10.4.2.0/24) | Configured |
| net1 | vmbr1 | WAN (to AT&T modem) | Configured |
**pm4 Bridge Configuration**:
| Bridge | Physical NIC | Purpose |
|--------|--------------|---------|
| vmbr0 | eno1 (Intel I226-V) | LAN - all VMs/LXCs |
| vmbr1 | enx6c1ff76e4d47 (USB 2.5G) | WAN - OPNsense only |
**HA/Failover Consideration**:
- Current: Single OPNsense on pm4 (SPOF)
- Future options:
1. OPNsense HA with CARP (requires second USB NIC on another node)
2. Keep current router as cold standby (swap cables if pm4 fails)
**Alternative Considered**: Ubiquiti Dream Machine
- Rejected due to cost and ecosystem lock-in
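Review bot: the "DHCP-based isolation" section never says how a client on the KavCorp-IOT SSID ends up with a 10.4.10.0/24 lease when IoT, Guest and LAN traffic all arrive untagged on the same bridge (vmbr0 / OPNsense net0, 10.4.2.0/24); OPNsense's DHCPv4 service hands out one pool per interface, so the "OPNsense or UniFi" entries in the IP Subnet Scheme table need to be resolved to a concrete mechanism (per-MAC static mappings on OPNsense, or a DHCP source on the UniFi side) before the firewall table below it can be treated as a plan. The firewall rows also only apply to packets OPNsense routes: with all three subnets in one broadcast domain, a device that self-assigns a 10.4.2.x address (or a wider mask) reaches LAN hosts directly, which the "IP spoofing possible" limitation bullet should state plainly as "rules are not enforced against a device that ignores its lease" rather than leaving it as a footnote. Two smaller points: "Smart Home VMs" in the rules table is not a subnet, so the row should name the OPNsense alias (or the VM IPs in 10.4.2.0/24) it will be built from; and the VLAN IDs table shows both the old rows (10 Servers / 20 IoT / 30 Guest, 10.4.30.0/24) and the new rows (10 IoT / 20 Guest), so confirm the old three are removed and not just appended, otherwise VLAN 10 and VLAN 20 are each defined twice with different subnets.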