# OPNsense DMZ Firewall Rules for IoT

## What Was Established
A structured firewall rule set for isolating IoT devices in a DMZ zone. The rules enforce a “high-to-low trust” flow, ensuring IoT devices can reach the internet for cloud services while preventing them from initiating connections to the trusted LAN. This pattern is critical for preventing lateral movement from compromised IoT devices.
## Key Decisions
- Explicit Allow / Implicit Deny: Only allow necessary outbound traffic (HTTP/HTTPS, DNS, NTP) from DMZ to WAN.
- Strict Containment: Explicitly block all DMZ-initiated traffic to the LAN zone.
- Controlled LAN Access: Default deny for LAN-to-DMZ, with specific allow rules only for administration or required services.
- WAN Isolation: Block all unsolicited inbound traffic from WAN to DMZ.
## Current Configuration
Note: The homelab currently uses VLANs (Gandalf 192.168.1.x, Mithrandir 192.168.2.x, Tharkûn 192.168.3.x, Rivendell 192.168.4.x) managed by a UniFi Express gateway (“Olorín”, 192.168.1.1). These OPNsense zone-based rules should be adapted to the homelab’s VLAN structure or applied to a dedicated IoT VLAN (e.g., 192.168.50.x).
### 1. Traffic FROM the DMZ (IoT Devices)
| Rule # | Source Zone | Dest. Zone | Source IP | Dest. IP | Service / Port | Action | Purpose |
|---|---|---|---|---|---|---|---|
| DMZ-Out-10 | DMZ | WAN | DMZ Net | any | HTTP/HTTPS (80, 443) | Accept | Cloud communication, updates |
| DMZ-Out-20 | DMZ | WAN | DMZ Net | any | NTP (123) | Accept | Time synchronization |
| DMZ-Out-30 | DMZ | WAN | DMZ Net | any | DNS (53) | Accept | Domain resolution |
| DMZ-Out-40 | DMZ | LAN | DMZ Net | LAN Net | any | Deny/Reject | Primary containment rule |
| DMZ-Out-99 | DMZ | any | DMZ Net | any | any | Deny | Default catch-all |
### 2. Traffic TO the DMZ (From Other Zones)
| Rule # | Source Zone | Dest. Zone | Source IP | Dest. IP | Service / Port | Action | Purpose |
|---|---|---|---|---|---|---|---|
| LAN-ToDMZ-10 | LAN | DMZ | LAN Net | DMZ Net | any | Deny/Reject | Default deny |
| LAN-ToDMZ-20 | LAN | DMZ | 192.168.1.x (Admin) | DMZ Net | SSH (22), HTTPS (443) | Accept | Administration access |
| LAN-ToDMZ-30 | LAN | DMZ | 192.168.1.x (Device) | 192.168.50.x | TCP/32400 | Accept | Example: Plex streaming |
| WAN-ToDMZ-40 | WAN | DMZ | any | DMZ Net | any | Deny/Reject | Block unsolicited inbound |
| WAN-ToDMZ-50 | WAN | DMZ | any | 192.168.50.x | TCP/443 | Accept | Only if hosting public services |
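The two tables are written as zone-to-zone rows, but OPNsense attaches rules to the interface the traffic enters and evaluates them top to bottom, first match wins (rules keep the "quick" flag by default). The "Dest. Zone" column therefore documents intent; what pf actually tests is the source address, destination address and port. The script below is an added example, not an OPNsense export and not the homelab's own configuration: it replays constructed sample flows against the rows above in the listed order and against a reordered set, and shows why the containment rule (DMZ-Out-40) must sit ahead of the "any destination" accepts and why a default deny (LAN-ToDMZ-10) belongs last. It assumes 192.168.50.0/24 as the IoT DMZ (the VLAN suggested in the note above), a constructed admin host 192.168.1.5 for the "192.168.1.x (Admin)" source, and 203.0.113.10 as a stand-in cloud address.

```python
"""First-match evaluation of the rule tables above (added example; not an
OPNsense export). OPNsense/pf applies the first matching rule on an interface,
so the order of the rows decides the outcome. The "Dest. Zone" column is
documentation only: the test is source address, destination address and port.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Networks from the page; the IoT DMZ is the 192.168.50.x VLAN suggested above.
LAN_NET = ip_network("192.168.1.0/24")     # Gandalf (trusted / admin VLAN)
DMZ_NET = ip_network("192.168.50.0/24")    # IoT DMZ
ANY_NET = ip_network("0.0.0.0/0")
# Constructed sample host standing in for "192.168.1.x (Admin)" in LAN-ToDMZ-20.
ADMIN_HOST = ip_network("192.168.1.5/32")


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str                       # "tcp", "udp" or "any"
    ports: Optional[FrozenSet[int]]  # None means any destination port
    action: str                      # "pass" or "block"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def matches(rule: Rule, flow: Flow) -> bool:
    """True when the flow satisfies every criterion pf tests for this rule."""
    return (ip_address(flow.src) in rule.src
            and ip_address(flow.dst) in rule.dst
            and rule.proto in ("any", flow.proto)
            and (rule.ports is None or flow.dport in rule.ports))


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """(action, rule name) of the first match; OPNsense's built-in default is block."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.name
    return "block", "implicit-default"


def reorder(rules: List[Rule], first=(), last=()) -> List[Rule]:
    """Copy of the rule list with the named rules moved to the front / back."""
    middle = [r for r in rules if r.name not in first and r.name not in last]
    front = [r for r in rules if r.name in first]
    back = [r for r in rules if r.name in last]
    return front + middle + back


# Table 1 (DMZ interface) in the order the page lists it.
DMZ_RULES_AS_LISTED = [
    Rule("DMZ-Out-10", DMZ_NET, ANY_NET, "tcp", frozenset({80, 443}), "pass"),
    Rule("DMZ-Out-20", DMZ_NET, ANY_NET, "udp", frozenset({123}), "pass"),
    Rule("DMZ-Out-30", DMZ_NET, ANY_NET, "any", frozenset({53}), "pass"),
    Rule("DMZ-Out-40", DMZ_NET, LAN_NET, "any", None, "block"),
    Rule("DMZ-Out-99", DMZ_NET, ANY_NET, "any", None, "block"),
]
# Same rules with the containment rule ahead of the "any destination" accepts.
DMZ_RULES_CONTAINMENT_FIRST = reorder(DMZ_RULES_AS_LISTED, first=("DMZ-Out-40",))

# Table 2, LAN interface rows, in the order the page lists them.
LAN_RULES_AS_LISTED = [
    Rule("LAN-ToDMZ-10", LAN_NET, DMZ_NET, "any", None, "block"),
    Rule("LAN-ToDMZ-20", ADMIN_HOST, DMZ_NET, "tcp", frozenset({22, 443}), "pass"),
    Rule("LAN-ToDMZ-30", LAN_NET, DMZ_NET, "tcp", frozenset({32400}), "pass"),
]
# Same rules with the default deny where a default deny belongs: last.
LAN_RULES_DENY_LAST = reorder(LAN_RULES_AS_LISTED, last=("LAN-ToDMZ-10",))

# Constructed sample flows (203.0.113.10 is a documentation-range address).
IOT_TO_CLOUD = Flow("192.168.50.20", "203.0.113.10", "tcp", 443)
IOT_TO_LAN_HTTPS = Flow("192.168.50.20", "192.168.1.10", "tcp", 443)
ADMIN_TO_IOT_SSH = Flow("192.168.1.5", "192.168.50.20", "tcp", 22)

if __name__ == "__main__":
    for label, rules in (("as listed", DMZ_RULES_AS_LISTED),
                         ("containment first", DMZ_RULES_CONTAINMENT_FIRST)):
        for flow in (IOT_TO_CLOUD, IOT_TO_LAN_HTTPS):
            print(f"DMZ {label:17} {flow.dst}:{flow.dport} -> {evaluate(rules, flow)}")
    for label, rules in (("as listed", LAN_RULES_AS_LISTED),
                         ("deny last", LAN_RULES_DENY_LAST)):
        print(f"LAN {label:17} admin ssh -> {evaluate(rules, ADMIN_TO_IOT_SSH)}")
```

In the listed order, an IoT device reaching a LAN host on 443 is accepted by DMZ-Out-10 before DMZ-Out-40 is ever consulted, and the admin SSH row is dead because LAN-ToDMZ-10 matches first. Moving the block rule to the top (or giving the accept rules a destination of `!LAN net` instead of `any`) and the default deny to the bottom gives the behaviour the "Purpose" column describes; the same reasoning applies to the WAN rows, where WAN-ToDMZ-40 must come after WAN-ToDMZ-50 if the latter is ever enabled.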
## Historical Notes
- Conversation dated 2025-11-09 focused on OPNsense zone-based firewall rules.
- The homelab currently uses a UniFi Express gateway (“Olorín”, 192.168.1.1) for routing. Verify whether OPNsense is deployed as a dedicated firewall/router or if UniFi’s built-in network segmentation should be used instead.
- Ensure DHCP is enabled for the DMZ subnet to prevent “stranded” IoT devices.
- Enable logging on deny rules to monitor for unauthorized lateral movement.
## Open Questions
- Which VLAN in the homelab should be designated as the IoT DMZ?
- Are any IoT devices currently on a trusted VLAN that should be migrated?
- Does the UniFi Express gateway support equivalent zone-based isolation, or is OPNsense required for this level of control?
## Related Pages
- VLAN Configuration: OPNsense & Netgear MS308E
- OPNsense DHCP Configuration
- OPNsense Interface Reassignment & NIC Troubleshooting
- UniFi Express VPN & Network Management
## Sources

- ingested/chats/093-Secure DMZ Firewall Rules for IoT Devices.md
- ingested/chats/024-Choosing VPN for Secure Browsing and Downloading.md