https://homelab.nbkelley.com/tags/dmz/ Recent content in Dmz on homelab Hugo en Thu, 30 Apr 2026 00:00:00 +0000 https://homelab.nbkelley.com/docs/networking/opnsense_dmz_iot_firewall/ Thu, 30 Apr 2026 00:00:00 +0000 https://homelab.nbkelley.com/docs/networking/opnsense_dmz_iot_firewall/ <h1 id="opnsense-dmz-firewall-rules-for-iot">OPNsense DMZ Firewall Rules for IoT<a class="anchor" href="#opnsense-dmz-firewall-rules-for-iot">#</a></h1> <h2 id="what-was-established">What Was Established<a class="anchor" href="#what-was-established">#</a></h2> <p>A structured firewall rule set for isolating IoT devices in a DMZ zone. The rules enforce a &ldquo;high-to-low trust&rdquo; flow, ensuring IoT devices can reach the internet for cloud services while preventing them from initiating connections to the trusted LAN. This pattern is critical for preventing lateral movement from compromised IoT devices.</p> <h2 id="key-decisions">Key Decisions<a class="anchor" href="#key-decisions">#</a></h2> <ul> <li><strong>Explicit Allow / Implicit Deny</strong>: Only allow necessary outbound traffic (HTTP/HTTPS, DNS, NTP) from DMZ to WAN.</li> <li><strong>Strict Containment</strong>: Explicitly block all DMZ-initiated traffic to the LAN zone.</li> <li><strong>Controlled LAN Access</strong>: Default deny for LAN-to-DMZ, with specific allow rules only for administration or required services.</li> <li><strong>WAN Isolation</strong>: Block all unsolicited inbound traffic from WAN to DMZ.</li> </ul> <h2 id="current-configuration">Current Configuration<a class="anchor" href="#current-configuration">#</a></h2> <p><em>Note: The homelab currently uses VLANs (Gandalf 192.168.1.x, Mithrandir 192.168.2.x, Tharkûn 192.168.3.x, Rivendell 192.168.4.x) managed by a UniFi Express gateway (&ldquo;Olorín&rdquo;, 192.168.1.1). These OPNsense zone-based rules should be adapted to the homelab&rsquo;s VLAN structure or applied to a dedicated IoT VLAN (e.g., 192.168.50.x).</em></p>