docs: Complete OPNsense VLAN and firewall configuration

- Updated CHANGELOG with implemented VLAN config (VLANs 10, 20, 30)
- Updated DECISIONS with complete VLAN architecture and firewall rules
- Updated INFRASTRUCTURE with VLANs/subnets table and bridge configs
- Updated TASKS to mark VLAN/firewall work complete, add UniFi VLAN tasks
- Updated README last updated date

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-21 20:52:38 -05:00
parent b69435bd57
commit e93030ba9b
5 changed files with 84 additions and 68 deletions


@@ -8,30 +8,23 @@ None currently.
## Pending
### OPNsense Migration (Priority)
OPNsense VM 130 deployed on pm4 with vmbr1 (USB NIC) for WAN.
### OPNsense WAN Cutover (Priority)
OPNsense VM 130 configured with VLANs and firewall rules. Ready for WAN cutover.
**Pending:**
- [ ] Connect USB NIC to AT&T modem (WAN cutover)
- [ ] Connect USB NIC (vmbr1) to AT&T modem
- [ ] Configure OPNsense WAN interface (DHCP or PPPoE from AT&T)
- [ ] Configure OPNsense as DHCP server for LAN (10.4.2.0/24)
- [ ] Test internet connectivity through OPNsense
- [ ] Update gateway on all devices from 10.4.2.254 → 10.4.2.1
### Network Isolation (DHCP Workaround)
Using DHCP-based isolation due to unmanaged Gigabyte switches. See DECISIONS.md.
### UniFi VLAN Configuration
VLANs configured on OPNsense. Need to configure UniFi APs to tag traffic.
**Pending:**
- [ ] Configure OPNsense DHCP scope for IoT (10.4.10.0/24)
- [ ] Configure OPNsense DHCP scope for Guest (10.4.20.0/24)
- [ ] Configure UniFi to assign IoT/Guest clients to correct subnets (via DHCP options or UniFi DHCP)
- [ ] Create OPNsense firewall rules:
- Block IoT → LAN
- Block Guest → LAN
- Block Guest → IoT
- Allow Smart Home VMs → IoT
- [ ] Configure KavCorp-IOT SSID with VLAN 20 tag
- [ ] Configure KavCorp-Guest SSID with VLAN 30 tag
- [ ] Test isolation (IoT device cannot ping LAN device)
- [ ] Test Smart Home access (Home Assistant can reach IoT)
- [ ] Test Smart Home access (Home Assistant can reach IoT devices)
### Future Network Upgrades
- [ ] Order hardware (2× GiGaPlus 10G PoE, 2× U7 Pro) for 10G backhaul
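Review bot: the isolation tests at the end of the UniFi VLAN Configuration list only cover IoT → LAN and Home Assistant → IoT, while the rule list being dropped from this section named three block rules (Block IoT → LAN, Block Guest → LAN, Block Guest → IoT); add matching test items for the Guest side, e.g. `- [ ] Test isolation (Guest device cannot reach LAN or IoT device)`, so the Guest rules are actually verified once the KavCorp-Guest SSID is tagged VLAN 30. The dropped "Network Isolation (DHCP Workaround)" section was also the only pointer to how clients behind the unmanaged Gigabyte switches are isolated; say whether that workaround is retired now that the APs will tag VLAN 20/30, or still applies to wired clients, and keep the DECISIONS.md reference either way.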
@@ -54,9 +47,14 @@ Using DHCP-based isolation due to unmanaged Gigabyte switches. See DECISIONS.md.
## Completed (Recent)
- [x] Configured OPNsense VLANs (10, 20, 30) on vtnet0
- [x] Configured VLAN interfaces with IPs (10.4.10.1, 10.4.20.1, 10.4.30.1)
- [x] Configured DHCP on all VLAN interfaces
- [x] Implemented firewall rules for IoT/Guest isolation
- [x] Added Traefik routes for UniFi Controller and OPNsense
- [x] Resized Traefik LXC 104 rootfs from 2GB to 4GB
- [x] Configured pm4 vmbr1 bridge with USB 2.5G NIC for OPNsense WAN
- [x] Added net1 (vmbr1) to OPNsense VM 130
- [x] Documented DHCP-based network isolation strategy
- [x] Deployed UniFi Controller LXC 111 on pm4
- [x] Fixed SSH access between cluster nodes (pm2 can access all nodes)
- [x] Fixed NZBGet permissions (UMask=0000 for 777 files)
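Review bot: the subnet-to-role mapping changes silently between the two sides of this diff and the completed entries do not resolve it. The dropped pending items put the IoT scope on 10.4.10.0/24 and Guest on 10.4.20.0/24, while the new completed entries give VLANs 10, 20 and 30 the gateways 10.4.10.1, 10.4.20.1 and 10.4.30.1, and the pending SSID items tag IoT as VLAN 20 and Guest as VLAN 30. Either the IoT scope moved to 10.4.20.0/24 and the purpose of VLAN 10 (10.4.10.1) is not stated anywhere in this file, or the SSID tags are off by one VLAN; spell out the VLAN → subnet → role mapping in the "Configured VLAN interfaces with IPs" entry so the firewall rules marked implemented can be checked against the right interfaces. Since the isolation tests in the pending section are still unchecked, it is also worth noting in the "Implemented firewall rules" entry that the rules are in place but not yet verified.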