docs: Add DHCP-based network isolation strategy

- Document OPNsense WAN configuration (pm4 vmbr1 with USB NIC)
- Add DHCP-based isolation workaround for unmanaged Gigabyte switches
- Plan subnet scheme: LAN (10.4.2.0/24), IoT (10.4.10.0/24), Guest (10.4.20.0/24)
- Document planned OPNsense firewall rules for isolation
- Update tasks with OPNsense migration and isolation steps
- Fix Claude Code hooks settings (remove matcher from Stop hook)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-21 19:20:07 -05:00
parent 9e050d4677
commit e0a64b1b92
6 changed files with 154 additions and 36 deletions


@@ -45,7 +45,7 @@
| **Gitea** | 10.4.2.7:3000 | LXC 127 (pm4) | git.kavcorp.com | Built-in |
| **Pi-hole** | 10.4.2.129 | LXC 103 (pm4) | pihole.kavcorp.com | Built-in |
| **UniFi Controller** | 10.4.2.242:8443 | LXC 111 (pm4) | - | Built-in |
| **OPNsense (KavSense)** | 10.4.2.1 | VM 130 (pm4) | - | Built-in |
| **OPNsense (KavSense)** | 10.4.2.1 | VM 130 (pm4) | - | Built-in (net0: vmbr0/LAN, net1: vmbr1/WAN) |
| **KavNas** | 10.4.2.13 | Synology NAS | - | NAS auth |
## Storage Architecture
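Review bot: the new OPNsense row packs the bridge mapping ("Built-in (net0: vmbr0/LAN, net1: vmbr1/WAN)") into the last column, which every other row in this table uses only for the auth method ("Built-in", "NAS auth"); that makes the column meaning inconsistent and the interface detail easy to miss. Keep the auth column as "Built-in" and put the net0/net1 mapping where the bridge tables already live (the "pm4 Only (vmbr1 - WAN for OPNsense)" section in the next hunk already records "Used by | VM 130 (OPNsense) net1"), or add a dedicated Notes column if the table needs free text.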
@@ -90,12 +90,33 @@
All `*.kavcorp.com` subdomains route through Traefik reverse proxy (10.4.2.10) for SSL termination and routing.
### Standard Bridge
### Bridges
**Bridge**: vmbr0
**Physical Interface**: eno1
**CIDR**: 10.4.2.0/24
**Gateway**: 10.4.2.254
#### All Nodes (vmbr0)
| Setting | Value |
|---------|-------|
| Bridge | vmbr0 |
| Physical Interface | eno1 |
| CIDR | 10.4.2.0/24 |
| Gateway | 10.4.2.254 |
#### pm4 Only (vmbr1 - WAN for OPNsense)
| Setting | Value |
|---------|-------|
| Bridge | vmbr1 |
| Physical Interface | enx6c1ff76e4d47 (USB 2.5G NIC) |
| Purpose | WAN uplink to AT&T modem |
| Used by | VM 130 (OPNsense) net1 |
### Planned Subnets (DHCP-based Isolation)
| Subnet | Range | Purpose | Gateway |
|--------|-------|---------|---------|
| Main LAN | 10.4.2.0/24 | Trusted devices, Proxmox, services | 10.4.2.1 (OPNsense) |
| IoT | 10.4.10.0/24 | KavCorp-IOT WiFi devices | 10.4.10.1 (OPNsense) |
| Guest | 10.4.20.0/24 | KavCorp-Guest WiFi devices | 10.4.20.1 (OPNsense) |
*Note: Using DHCP-based isolation due to unmanaged Gigabyte switches (no VLAN support). See DECISIONS.md for details.*
## Access & Credentials
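Review bot: the "DHCP-based Isolation" heading and the closing note overstate what this design delivers. With unmanaged switches and no VLANs, all three subnets (10.4.2.0/24, 10.4.10.0/24, 10.4.20.0/24) share one broadcast domain, so the planned OPNsense rules only govern traffic that is actually routed through OPNsense; a host on the IoT or Guest WiFi that does not take the DHCP lease and configures an address in the LAN range is on the same L2 segment as the Proxmox nodes and services. The docs should state this as a known limitation (segmentation by policy, not by enforcement) in the same place the note points to (DECISIONS.md), and record what compensates for it until VLAN-capable switches exist, for example per-SSID client isolation on the UniFi side and host firewalls on the 10.4.2.0/24 services. Second, this hunk now carries two different gateways for the same subnet: the vmbr0 table says "Gateway | 10.4.2.254" while the Planned Subnets table gives "10.4.2.1 (OPNsense)" for Main LAN; if 10.4.2.254 is the current gateway and 10.4.2.1 the post-migration one, label each as current/planned so nobody points hosts at the wrong one mid-migration.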