docs: Complete OPNsense VLAN and firewall configuration

- Updated CHANGELOG with implemented VLAN config (VLANs 10, 20, 30) - Updated DECISIONS with complete VLAN architecture and firewall rules - Updated INFRASTRUCTURE with VLANs/subnets table and bridge configs - Updated TASKS to mark VLAN/firewall work complete, add UniFi VLAN tasks - Updated README last updated date 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-21 20:52:38 -05:00
parent b69435bd57
commit e93030ba9b
5 changed files with 84 additions and 68 deletions
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -28,26 +28,36 @@
  - net1: vmbr1 (WAN - to AT&T modem)
  - Ready for WAN cutover when AT&T modem is connected

-### Network Isolation Strategy
- **Decision**: Use DHCP-based isolation instead of VLANs
-  - Constraint: Gigabyte 10G switches are unmanaged (no VLAN support)
-  - Workaround: Assign different subnets via DHCP, use OPNsense firewall rules
+### OPNsense VLAN Configuration (Implemented)
+- **VLANs Created** on vtnet0 (LAN interface):
+  - VLAN 10 (vlan01): Trusted network - 10.4.10.0/24
+  - VLAN 20 (vlan02): IoT network - 10.4.20.0/24
+  - VLAN 30 (vlan03): Guest network - 10.4.30.0/24

- **Planned Subnets**:
-  - Main LAN: 10.4.2.0/24 (existing)
-  - IoT (KavCorp-IOT): 10.4.10.0/24
-  - Guest (KavCorp-Guest): 10.4.20.0/24
+- **VLAN Interfaces Configured**:
+  - vlan01: 10.4.10.1/24 (gateway for Trusted)
+  - vlan02: 10.4.20.1/24 (gateway for IoT)
+  - vlan03: 10.4.30.1/24 (gateway for Guest)

- **Planned Firewall Rules**:
-  - Block IoT/Guest → LAN
-  - Block Guest → IoT
-  - Allow Smart Home VMs → IoT
+- **DHCP Configured** on all interfaces:
+  - LAN: 10.4.2.100-200, DNS: 10.4.2.129 (Pi-hole)
+  - Trusted: 10.4.10.100-200
+  - IoT: 10.4.20.100-200
+  - Guest: 10.4.30.100-200
+
+- **Firewall Rules Implemented**:
+  - Allow DNS: IoT/Guest → 10.4.2.129:53 (Pi-hole)
+  - Block IoT → LAN: 10.4.20.0/24 → 10.4.2.0/24
+  - Block Guest → LAN: 10.4.30.0/24 → 10.4.2.0/24
+  - Block Guest → IoT: 10.4.30.0/24 → 10.4.20.0/24
+  - Allow Home Assistant → IoT: 10.4.2.62 → 10.4.20.0/24
  - Allow IoT/Guest → Internet

+- **Note**: Unmanaged Gigabyte switches pass VLAN tags through (they just don't understand them). UniFi APs tag traffic per SSID, OPNsense receives tagged traffic on VLAN interfaces.
+
 - **Documentation Updated**:
-  - DECISIONS.md: Network isolation strategy and constraints
-  - INFRASTRUCTURE.md: pm4 bridges and subnet plan
-  - TASKS.md: OPNsense migration and isolation tasks
+  - DECISIONS.md: Complete VLAN architecture and firewall rules
+  - INFRASTRUCTURE.md: VLANs and subnets table, pm4 bridges

 ## 2025-12-19