docs: Complete OPNsense VLAN and firewall configuration
- Updated CHANGELOG with implemented VLAN config (VLANs 10, 20, 30)
- Updated DECISIONS with complete VLAN architecture and firewall rules
- Updated INFRASTRUCTURE with VLANs/subnets table and bridge configs
- Updated TASKS to mark VLAN/firewall work complete, add UniFi VLAN tasks
- Updated README last updated date

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@@ -45,45 +45,52 @@
**Goal**: Isolate IoT (KavCorp-IOT) and Guest (KavCorp-Guest) WiFi networks from the main LAN, while allowing Smart Home VMs to access IoT devices.
#### Constraint: Unmanaged Gigabyte Switches
**Status**: Implemented via OPNsense VLANs and firewall rules.
The Gigabyte 10G switches provide 10G backhaul and 2.5G PoE to UniFi APs, but they are **unmanaged** and don't support VLAN tagging. This means VLAN tags from UniFi APs are stripped when traffic passes through.
#### VLAN Architecture
**Workaround**: DHCP-based isolation (L3 firewall rules instead of L2 VLANs)
Unmanaged Gigabyte switches pass VLAN tags through (they just don't understand them). UniFi APs tag traffic per SSID, OPNsense receives tagged traffic on VLAN interfaces.
#### IP Subnet Scheme
| VLAN | Interface | Subnet | Gateway | Purpose |
|------|-----------|--------|---------|---------|
| - | vtnet0 (LAN) | 10.4.2.0/24 | 10.4.2.1 | Infrastructure (Proxmox, core services) |
| 10 | vlan01 | 10.4.10.0/24 | 10.4.10.1 | Trusted (user devices) |
| 20 | vlan02 | 10.4.20.0/24 | 10.4.20.1 | IoT (KavCorp-IOT SSID) |
| 30 | vlan03 | 10.4.30.0/24 | 10.4.30.1 | Guest (KavCorp-Guest SSID) |
| Subnet | Range | Purpose | DHCP Source |
|--------|-------|---------|-------------|
| Main LAN | 10.4.2.0/24 | Trusted devices, Proxmox hosts, services | OPNsense |
| IoT | 10.4.10.0/24 | KavCorp-IOT SSID devices | OPNsense or UniFi |
| Guest | 10.4.20.0/24 | KavCorp-Guest SSID devices | OPNsense or UniFi |
#### DHCP Configuration
#### OPNsense Firewall Rules (Planned)
All DHCP served by OPNsense:
- LAN: 10.4.2.100-200, DNS: 10.4.2.129 (Pi-hole)
- Trusted: 10.4.10.100-200, DNS: 10.4.2.129
- IoT: 10.4.20.100-200, DNS: 10.4.2.129
- Guest: 10.4.30.100-200, DNS: 10.4.2.129
| Source | Destination | Action | Notes |
|--------|-------------|--------|-------|
| 10.4.10.0/24 (IoT) | 10.4.2.0/24 (LAN) | **Block** | Isolate IoT from LAN |
| 10.4.20.0/24 (Guest) | 10.4.2.0/24 (LAN) | **Block** | Isolate Guest from LAN |
| 10.4.20.0/24 (Guest) | 10.4.10.0/24 (IoT) | **Block** | Isolate Guest from IoT |
| Smart Home VMs | 10.4.10.0/24 (IoT) | **Allow** | Home Assistant → IoT devices |
| 10.4.10.0/24 (IoT) | Internet | **Allow** | IoT internet access |
| 10.4.20.0/24 (Guest) | Internet | **Allow** | Guest internet access |
#### OPNsense Firewall Rules (Implemented)
#### Limitations of DHCP Workaround
| Rule | Source | Destination | Action |
|------|--------|-------------|--------|
| Allow DNS | IoT/Guest | 10.4.2.129:53 | Pass |
| Block IoT→LAN | 10.4.20.0/24 | 10.4.2.0/24 | Block |
| Block Guest→LAN | 10.4.30.0/24 | 10.4.2.0/24 | Block |
| Block Guest→IoT | 10.4.30.0/24 | 10.4.20.0/24 | Block |
| Allow Home Assistant→IoT | 10.4.2.62 | 10.4.20.0/24 | Pass |
| Allow IoT Internet | 10.4.20.0/24 | any | Pass |
| Allow Guest Internet | 10.4.30.0/24 | any | Pass |
- **Not true L2 isolation**: All traffic on same broadcast domain
- **IP spoofing possible**: Malicious device could use LAN IP range
- **Sufficient for**: IoT devices and guests (low threat actors)
- **Future upgrade**: Replace Gigabyte switches with managed 2.5G PoE switches for proper VLANs
#### Network Segmentation Philosophy
#### VLAN IDs (For Future Reference)
| Network | Contains | Access Level |
|---------|----------|--------------|
| 10.4.2.0/24 (LAN) | Proxmox hosts, OPNsense, Pi-hole, Traefik, NAS | Full infrastructure access |
| 10.4.10.0/24 (Trusted) | User PCs, laptops | Full access to LAN and services |
| 10.4.20.0/24 (IoT) | Smart devices, cameras | Internet + DNS only, no LAN access |
| 10.4.30.0/24 (Guest) | Guest WiFi | Internet + DNS only, no local access |
| VLAN | Name | Subnet | Purpose |
|------|------|--------|---------|
| 1 | Default | 10.4.2.0/24 | Management, trusted PCs, Proxmox hosts |
| 10 | IoT | 10.4.10.0/24 | IoT devices, cameras, smart home |
| 20 | Guest | 10.4.20.0/24 | Guest WiFi, isolated |
#### Future Considerations
- Consider adding a **Servers VLAN** to isolate services (media stack, Bitwarden) from infrastructure
- Consider OPNsense HA (CARP) with second USB NIC on another node for failover
### Router/Firewall
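Review bot: the implemented rule table has a segmentation gap: the block rules only cover IoT→LAN (10.4.20.0/24 → 10.4.2.0/24), Guest→LAN (10.4.30.0/24 → 10.4.2.0/24) and Guest→IoT, while "Allow IoT Internet" and "Allow Guest Internet" pass to destination `any`, so IoT→Trusted (10.4.20.0/24 → 10.4.10.0/24), Guest→Trusted (10.4.30.0/24 → 10.4.10.0/24) and IoT→Guest are all permitted. That contradicts the Network Segmentation Philosophy rows promising "Internet + DNS only, no LAN access" for IoT and "no local access" for Guest. Suggest a single block rule per segment against an alias of every local subnet (10.4.2.0/24, 10.4.10.0/24, 10.4.20.0/24, 10.4.30.0/24), or an internet pass rule whose destination is the negation of that alias, placed after the Allow DNS and Home Assistant rules. Two smaller points on the same table: OPNsense evaluates rules per interface, first match wins, so record which interface each rule is bound to (the Home Assistant→IoT pass belongs on LAN, the IoT and Guest rules on vlan02 and vlan03) and keep the configured order identical to the table, since a block to 10.4.2.0/24 evaluated before "Allow DNS" would swallow 10.4.2.129:53; and restrict "Allow DNS" to TCP/UDP port 53 rather than any protocol. The Goal line also promises Smart Home VMs access to IoT devices; the unicast pass from 10.4.2.62 covers that, but mDNS/SSDP discovery is link-local multicast and will not cross vlan02 on its own, which is worth recording as a known limitation. Finally, the new VLAN Architecture paragraph asserts that the unmanaged Gigabyte switches pass 802.1Q tags through, the opposite of the removed Constraint paragraph ("VLAN tags from UniFi APs are stripped"); since unmanaged switches differ in whether they forward tagged frames intact, note how this was verified (tagged frames from an AP behind the switch seen arriving on vlan02/vlan03).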