Vlan on homelab

OPNsense DMZ Firewall Rules for IoT

Thu, 30 Apr 2026 00:00:00 +0000

OPNsense DMZ Firewall Rules for IoT#

What Was Established#

A structured firewall rule set for isolating IoT devices in a DMZ zone. The rules enforce a “high-to-low trust” flow, ensuring IoT devices can reach the internet for cloud services while preventing them from initiating connections to the trusted LAN. This pattern is critical for preventing lateral movement from compromised IoT devices.

Key Decisions#

Explicit Allow / Implicit Deny: Only allow necessary outbound traffic (HTTP/HTTPS, DNS, NTP) from DMZ to WAN.
Strict Containment: Explicitly block all DMZ-initiated traffic to the LAN zone.
Controlled LAN Access: Default deny for LAN-to-DMZ, with specific allow rules only for administration or required services.
WAN Isolation: Block all unsolicited inbound traffic from WAN to DMZ.

Current Configuration#

Note: The homelab currently uses VLANs (Gandalf 192.168.1.x, Mithrandir 192.168.2.x, Tharkûn 192.168.3.x, Rivendell 192.168.4.x) managed by a UniFi Express gateway (“Olorín”, 192.168.1.1). These OPNsense zone-based rules should be adapted to the homelab’s VLAN structure or applied to a dedicated IoT VLAN (e.g., 192.168.50.x).

UniFi UX7 & Netgear MS308E VLAN Setup

Thu, 30 Apr 2026 00:00:00 +0000

UniFi UX7 & Netgear MS308E VLAN Setup#

What Was Established#

Multi-switch VLAN topology using UniFi UCG Express (UX7) and Netgear MS308E switches.
Netgear MS308E 802.1Q Advanced configuration pattern for trunks and access ports.
Troubleshooting methodology for multi-switch chains (isolate to inter-switch trunks vs. device-specific vs. firewall).
UX7 firewall rule correction for IoT isolation (Tharkûn VLAN 3).

Key Decisions#

VLAN 1 (Gandalf): Untagged on trunks, PVID 1. Used for servers and switch management.
VLAN 2 (Mithrandir): Tagged on trunks, Untagged on access. PVID 2. Routes through UX7 VPN.
VLAN 3 (Tharkûn): Tagged on trunks, Untagged on access. PVID 3. Isolated IoT network.
Native VLAN set to 1 on trunks to ensure management traffic passes untagged and remains accessible.
UX7 Firewall: Tharkûn (VLAN 3) placed in DMZ zone. Required explicit “Allow DMZ to Internet” rule to restore IoT connectivity.

Current Configuration#

UX7 (Olorín): 192.168.1.1
- Port 1 (to Netgear Switch 1): Trunk, Native VLAN 1, Allowed VLANs 1, 2, 3.
Netgear MS308E (Switch 1): 192.168.1.239
- Port 1 (to UX7): VLAN 1 Untagged (PVID 1), VLAN 2 Tagged, VLAN 3 Tagged.
- Ports 2, 3 (to downstream switches): Same as Port 1.
- Access Ports (e.g., Port 8 to U7 AP): VLAN 3 Untagged, PVID 3.
Netgear MS308E (Switch 2):
- Trunk ports: VLAN 1 Untagged (PVID 1), VLAN 2 Tagged, VLAN 3 Tagged.
- Access Ports: VLAN 2 Untagged (PVID 2) for PCs, VLAN 3 Untagged (PVID 3) for IoT (e.g., Hue Hub).
UX7 Firewall Rules (Tharkûn/DMZ):
- Allow DMZ to Internet
- Allow DMZ to Gateway
- Block DMZ to Internal
- Block DMZ to VPN

Historical Notes#

Initial attempts to set trunk ports to “No Native VLAN” (all tagged) caused lockout because management traffic (VLAN 1) became untagged and was dropped. Reverted to Native VLAN = 1.
VLAN 2 (Mithrandir) initially failed on downstream switches due to missing tagged configuration on inter-switch trunks.
VLAN 3 (Tharkûn) failed due to missing firewall rule in UX7 Site Manager for the DMZ zone.

Open Questions#

How to handle Rivendell (VLAN 4) when deployed?
Will U7 APs require specific VLAN tagging configurations for Tharkûn WiFi?

wiki/networking/vlan_setup.md (Legacy OPNsense context)
wiki/infrastructure/network.md
wiki/networking/opnsense_dmz_iot_firewall.md

Uptime Kuma - Configuration & Integrations

Network Infrastructure & VLANs

Tue, 14 Apr 2026 00:00:00 +0000

Network Infrastructure & VLANs#

What Was Established#

The network uses a UniFi UCG Express with a multi-VLAN setup. A recent incident involving a VPN expiry caused a routing failure on specific VLANs due to policy-based routing (PBR) without a fallback mechanism.

Key Decisions#

VLAN Segmentation:
- Gandalf: Server network (Always-on, stable, no VPN).
- Mithrandir (VLAN 2): Client/AI network. Traffic is routed through ProtonVPN via WireGuard.
- Harken (VLAN 3): General usage.
- Tharkûn (DMZ): Restricted zone (DMZ $\rightarrow$ Internal is Blocked).
- Rivendell (VLAN 4): Unused.
VPN Configuration: ProtonVPN WireGuard Client 1 is used for Mithrand/VLAN 2. Critical: Ensure “Block traffic if WireGuard is down” is enabled to prevent IP leaks.
IP Management: Use DHCP Reservations (Fixed IPs) in the UniFi Controller rather than configuring static IPs on individual hosts to prevent port-forward breakage during DHCP lease renewals.

Current Configuration#

Known Fixed IPs (DHCP Reservations):

VLAN Configuration: OPNsense & Netgear MS308E

Tue, 25 Mar 2025 00:00:00 +0000

VLAN Configuration: OPNsense & Netgear MS308E#

What Was Established#

Configuration pattern for implementing tagged (trunk) and untagged (access) VLANs using OPNsense as the router and a Netgear MS308E managed switch.

Key Decisions#

VLAN Naming/ID: Example VLAN “Incánus” assigned ID 20.
Trunking Strategy: The port connecting OPNsense to the Netgear switch must be configured as a Tagged port for all active VLANs.
Access Port Strategy: Ports for end-devices must be Untagged for the specific VLAN, with the PVID (Port VLAN ID) set to match that VLAN.

Current Configuration#

OPNsense Setup#

Create VLAN: Interfaces → Other Types → VLAN (Assign Parent Interface and Tag ID).
Assign Interface: Interfaces → Assignments (Add the new VLAN interface).
Configure IP: Set a static IPv4 address (e.g., 192.168.20.1/24 for VLAN 20).
DHCP: Enable DHCPv4 under Services → DHCPv4 → [VLAN Interface].

Netgear MS308E Setup#

VLAN Membership:
- Trunk Port (to OPNsense): Set as Tagged for all VLANs (e.g., VLAN 20, 30).
- Access Port (to Device): Set as Untagged for the target VLAN.
PVID Configuration:
- For Access Ports, the PVID must be updated to match the VLAN ID (e.g., Port 1: PVID 20).

Historical Notes#

Configuration established during the rollout of the “Incánus” network segment.

Vlan on homelab

OPNsense DMZ Firewall Rules for IoT

OPNsense DMZ Firewall Rules for IoT#

What Was Established#

Key Decisions#

Current Configuration#

UniFi UX7 & Netgear MS308E VLAN Setup

UniFi UX7 & Netgear MS308E VLAN Setup#

What Was Established#

Key Decisions#

Current Configuration#

Historical Notes#

Open Questions#

Related Pages#

Network Infrastructure & VLANs

Network Infrastructure & VLANs#

What Was Established#

Key Decisions#

Current Configuration#

VLAN Configuration: OPNsense & Netgear MS308E

VLAN Configuration: OPNsense & Netgear MS308E#

What Was Established#

Key Decisions#

Current Configuration#

OPNsense Setup#

Netgear MS308E Setup#

Historical Notes#