
OPNsense DMZ Firewall Rules for IoT#

What Was Established#

A structured firewall rule set for isolating IoT devices in a DMZ zone. The rules enforce a “high-to-low trust” flow, ensuring IoT devices can reach the internet for cloud services while preventing them from initiating connections to the trusted LAN. This pattern is critical for preventing lateral movement from compromised IoT devices.

Key Decisions#

  • Explicit Allow / Implicit Deny: Only allow necessary outbound traffic (HTTP/HTTPS, DNS, NTP) from DMZ to WAN.
  • Strict Containment: Explicitly block all DMZ-initiated traffic to the LAN zone.
  • Controlled LAN Access: Default deny for LAN-to-DMZ, with specific allow rules only for administration or required services.
  • WAN Isolation: Block all unsolicited inbound traffic from WAN to DMZ.

Current Configuration#

Note: The homelab currently uses VLANs (Gandalf 192.168.1.x, Mithrandir 192.168.2.x, Tharkûn 192.168.3.x, Rivendell 192.168.4.x) managed by a UniFi Express gateway (“Olorín”, 192.168.1.1). These OPNsense zone-based rules should be adapted to the homelab’s VLAN structure or applied to a dedicated IoT VLAN (e.g., 192.168.50.x).

UniFi UX7 & Netgear MS308E VLAN Setup#

What Was Established#

  • Multi-switch VLAN topology using UniFi UCG Express (UX7) and Netgear MS308E switches.
  • Netgear MS308E 802.1Q Advanced configuration pattern for trunks and access ports.
  • Troubleshooting methodology for multi-switch chains: isolate the fault to the inter-switch trunks, to a specific device, or to the firewall before changing configuration.
  • UX7 firewall rule correction for IoT isolation (Tharkûn VLAN 3).

Key Decisions#

  • VLAN 1 (Gandalf): Untagged on trunks, PVID 1. Used for servers and switch management.
  • VLAN 2 (Mithrandir): Tagged on trunks, Untagged on access. PVID 2. Routes through UX7 VPN.
  • VLAN 3 (Tharkûn): Tagged on trunks, Untagged on access. PVID 3. Isolated IoT network.
  • Native VLAN set to 1 on trunks to ensure management traffic passes untagged and remains accessible.
  • UX7 Firewall: Tharkûn (VLAN 3) placed in DMZ zone. Required explicit “Allow DMZ to Internet” rule to restore IoT connectivity.

Current Configuration#

  • UX7 (Olorín): 192.168.1.1
    • Port 1 (to Netgear Switch 1): Trunk, Native VLAN 1, Allowed VLANs 1, 2, 3.
  • Netgear MS308E (Switch 1): 192.168.1.239
    • Port 1 (to UX7): VLAN 1 Untagged (PVID 1), VLAN 2 Tagged, VLAN 3 Tagged.
    • Ports 2, 3 (to downstream switches): Same as Port 1.
    • Access Ports (e.g., Port 8 to U7 AP): VLAN 3 Untagged, PVID 3.
  • Netgear MS308E (Switch 2):
    • Trunk ports: VLAN 1 Untagged (PVID 1), VLAN 2 Tagged, VLAN 3 Tagged.
    • Access Ports: VLAN 2 Untagged (PVID 2) for PCs, VLAN 3 Untagged (PVID 3) for IoT (e.g., Hue Hub).
  • UX7 Firewall Rules (Tharkûn/DMZ):
    • Allow DMZ to Internet
    • Allow DMZ to Gateway
    • Block DMZ to Internal
    • Block DMZ to VPN
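The zone policy in the OPNsense Key Decisions above and the UX7 rule list just given are the same "high-to-low trust" pattern, and the useful check before committing either is whether the ordered rules actually produce the intended verdict for representative flows. The following first-match simulator is an added example written for this page; it is not OPNsense or UniFi code and does not read either device's configuration. Zone ranges are the wiki's VLANs plus the note's example IoT range 192.168.50.0/24; the VPN range 10.8.0.0/24, the gateway address 192.168.3.1 on the IoT VLAN, the SSH-only LAN-to-DMZ administration rule, and all sample flows are constructed assumptions.

```python
"""First-match zone-policy simulator for a DMZ/IoT rule set.

Added example for this wiki page, not OPNsense/UniFi code. It encodes the
documented intent (DMZ -> Internet and gateway allowed for web/DNS/NTP,
DMZ -> LAN/VPN blocked, WAN -> DMZ blocked, LAN -> DMZ admin only) and
evaluates constructed flows so the rule order can be sanity-checked.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Zone membership. LAN = Gandalf + Mithrandir, DMZ = Tharkûn + the note's
# example IoT range. The VPN range is a constructed assumption.
ZONES = {
    "LAN": [ip_network("192.168.1.0/24"), ip_network("192.168.2.0/24")],
    "DMZ": [ip_network("192.168.3.0/24"), ip_network("192.168.50.0/24")],
    "VPN": [ip_network("10.8.0.0/24")],
}
# Gateway addresses: Olorín (wiki) and an assumed interface on the IoT VLAN.
GATEWAY_ADDRS = {ip_address("192.168.1.1"), ip_address("192.168.3.1")}


def zone_of(addr) -> str:
    """Map an address to a zone; gateway interfaces win over their subnet."""
    if addr in GATEWAY_ADDRS:
        return "GATEWAY"
    for name, nets in ZONES.items():
        if any(addr in n for n in nets):
            return name
    return "WAN"  # anything outside the known internal networks


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str  # "allow" or "block"
    proto: Optional[str] = None          # None = any protocol
    dports: Optional[frozenset] = None   # None = any destination port

    def matches(self, f: Flow) -> bool:
        if zone_of(ip_address(f.src)) != self.src_zone:
            return False
        if zone_of(ip_address(f.dst)) != self.dst_zone:
            return False
        if self.proto is not None and f.proto != self.proto:
            return False
        if self.dports is not None and f.dport not in self.dports:
            return False
        return True


# Ordered rule set; first match wins, anything unmatched is denied.
RULES = [
    Rule("Block DMZ to LAN", "DMZ", "LAN", "block"),
    Rule("Block DMZ to VPN", "DMZ", "VPN", "block"),
    Rule("Allow DMZ to Gateway (DNS/NTP)", "DMZ", "GATEWAY", "allow", "udp", frozenset({53, 123})),
    Rule("Allow DMZ to Internet (HTTP/HTTPS)", "DMZ", "WAN", "allow", "tcp", frozenset({80, 443})),
    Rule("Allow DMZ to Internet (DNS/NTP)", "DMZ", "WAN", "allow", "udp", frozenset({53, 123})),
    Rule("Allow LAN admin to DMZ (SSH, assumed)", "LAN", "DMZ", "allow", "tcp", frozenset({22})),
    Rule("Block WAN to DMZ", "WAN", "DMZ", "block"),
]


def evaluate(f: Flow) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule, or the implicit deny."""
    for r in RULES:
        if r.matches(f):
            return r.action, r.name
    return "block", "implicit deny"


# Constructed flows covering each trust boundary (TEST-NET addresses for the Internet).
SAMPLE_FLOWS = {
    "iot_https_out": Flow("192.168.3.20", "198.51.100.10", "tcp", 443),
    "iot_dns_to_gateway": Flow("192.168.3.20", "192.168.3.1", "udp", 53),
    "iot_to_lan_smb": Flow("192.168.3.20", "192.168.1.50", "tcp", 445),
    "iot_to_vpn_ssh": Flow("192.168.3.20", "10.8.0.5", "tcp", 22),
    "iot_telnet_out": Flow("192.168.3.20", "198.51.100.10", "tcp", 23),
    "lan_admin_ssh_to_iot": Flow("192.168.1.10", "192.168.3.20", "tcp", 22),
    "lan_http_to_iot": Flow("192.168.1.10", "192.168.3.20", "tcp", 80),
    "wan_to_iot": Flow("203.0.113.7", "192.168.3.20", "tcp", 8080),
}


def audit() -> dict:
    """Evaluate every sample flow; returns {flow name: (action, rule)}."""
    return {name: evaluate(f) for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, (action, rule) in audit().items():
        print(f"{name:22s} {action:5s} via {rule}")
```

The point of the two explicit block rules sitting above the allows is visible in the output: an IoT device reaching 192.168.1.50 is stopped by "Block DMZ to LAN" even though a broad allow follows, while an unlisted outbound port such as telnet falls through to the implicit deny rather than being permitted by accident.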

Historical Notes#

  • Initial attempts to set trunk ports to “No Native VLAN” (all tagged) caused a lockout: switch management traffic (VLAN 1) is sent untagged, and the all-tagged trunks dropped it. Reverted to Native VLAN = 1.
  • VLAN 2 (Mithrandir) initially failed on downstream switches due to missing tagged configuration on inter-switch trunks.
  • VLAN 3 (Tharkûn) failed due to missing firewall rule in UX7 Site Manager for the DMZ zone.
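The three failures above are all configuration-consistency problems that can be caught before a switch is touched: a trunk whose native VLAN is not the management VLAN, a trunk whose two ends disagree on membership, and an uplink that does not carry a VLAN served on one of the switch's access ports. The linter below is an added example written for this page, not Netgear or UniFi tooling; it models the Current Configuration above as data and flags those three conditions. Port names on Switch 2 (Ports 5 and 6 as access ports) and the link between Switch 1 Port 2 and Switch 2 Port 1 are assumptions; the rest follows the documented layout.

```python
"""VLAN topology linter for the documented UX7 / MS308E layout.

Added example for this wiki page, not vendor code. Ports are modelled as
(PVID, untagged set, tagged set, role); the linter reports the failure
modes recorded in the Historical Notes so they can be caught on paper.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MGMT_VLAN = 1  # Gandalf: switch management rides untagged on every trunk


@dataclass(frozen=True)
class Port:
    pvid: int
    untagged: frozenset
    tagged: frozenset
    role: str  # "trunk" or "access"

    @property
    def carries(self) -> frozenset:
        return self.untagged | self.tagged


def trunk(*tagged: int, native: int = MGMT_VLAN) -> Port:
    """Trunk port: native VLAN untagged with matching PVID, others tagged."""
    return Port(native, frozenset({native}), frozenset(tagged), "trunk")


def access(vlan: int) -> Port:
    """Access port: one untagged VLAN, PVID equal to it, nothing tagged."""
    return Port(vlan, frozenset({vlan}), frozenset(), "access")


Switches = Dict[str, Dict[str, Port]]
Links = List[Tuple[str, str, str, str]]

# The configuration documented above (Switch 2 port numbers are assumed).
DOCUMENTED: Switches = {
    "UX7": {"Port 1": trunk(2, 3)},
    "Switch1": {"Port 1": trunk(2, 3), "Port 2": trunk(2, 3),
                "Port 3": trunk(2, 3), "Port 8": access(3)},
    "Switch2": {"Port 1": trunk(2, 3), "Port 5": access(2), "Port 6": access(3)},
}
LINKS: Links = [("UX7", "Port 1", "Switch1", "Port 1"),
                ("Switch1", "Port 2", "Switch2", "Port 1")]   # assumed inter-switch link
UPLINKS = {"Switch1": "Port 1", "Switch2": "Port 1"}          # port facing the gateway


def lint(switches: Switches, links: Links, uplinks: Dict[str, str],
         mgmt_vlan: int = MGMT_VLAN) -> List[str]:
    """Return human-readable findings; an empty list means the layout is consistent."""
    findings: List[str] = []
    for sw, ports in switches.items():
        for pname, p in ports.items():
            where = f"{sw}/{pname}"
            if p.role == "trunk":
                # Lockout case: management VLAN must stay native (untagged, PVID) on trunks.
                if mgmt_vlan not in p.untagged or p.pvid != mgmt_vlan:
                    findings.append(f"{where}: management VLAN {mgmt_vlan} is not native on trunk (lockout risk)")
            elif len(p.untagged) != 1 or p.tagged or p.pvid not in p.untagged:
                findings.append(f"{where}: access port must have exactly one untagged VLAN equal to its PVID")
        # Every VLAN served on an access port must ride the uplink toward the gateway.
        if sw in uplinks:
            up = ports[uplinks[sw]]
            needed = set().union(*(p.carries for p in ports.values() if p.role == "access"))
            missing = sorted(needed - up.carries)
            if missing:
                findings.append(f"{sw}: uplink {uplinks[sw]} does not carry access VLAN(s) {missing}")
    # Both ends of an inter-switch link must agree on membership and on what is untagged.
    for a, ap, b, bp in links:
        pa, pb = switches[a][ap], switches[b][bp]
        if pa.untagged != pb.untagged or pa.tagged != pb.tagged:
            findings.append(f"{a}/{ap} <-> {b}/{bp}: VLAN membership differs "
                            f"({sorted(pa.carries)} vs {sorted(pb.carries)})")
    return findings


def _copy(switches: Switches) -> Switches:
    return {sw: dict(ports) for sw, ports in switches.items()}


def no_native_variant() -> Switches:
    """Reproduces the lockout: Switch 1 uplink set to all-tagged, no native VLAN."""
    s = _copy(DOCUMENTED)
    s["Switch1"]["Port 1"] = Port(1, frozenset(), frozenset({1, 2, 3}), "trunk")
    return s


def missing_tag_variant() -> Switches:
    """Reproduces the Mithrandir failure: VLAN 2 left off the downstream trunk."""
    s = _copy(DOCUMENTED)
    s["Switch2"]["Port 1"] = trunk(3)
    return s


if __name__ == "__main__":
    for label, variant in [("documented", DOCUMENTED), ("no native VLAN", no_native_variant()),
                           ("missing tag", missing_tag_variant())]:
        print(f"== {label}")
        for finding in lint(variant, LINKS, UPLINKS) or ["ok"]:
            print("  " + finding)
```

Running it against the documented layout yields no findings; the two variants reproduce the recorded failures as explicit messages, which is the check worth repeating whenever Rivendell (VLAN 4) or additional access points are added.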

Open Questions#

  • How to handle Rivendell (VLAN 4) when deployed?
  • Will U7 APs require specific VLAN tagging configurations for Tharkûn WiFi?

Related#

  • wiki/networking/vlan_setup.md (Legacy OPNsense context)
  • wiki/infrastructure/network.md
  • wiki/networking/opnsense_dmz_iot_firewall.md
