kenjim/appa-net
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add pfSense backup utility and documentation

Browse Source 
- Add backup-pfsense-config.sh script for automated config backups via SSH
- Auto-commits backups to git with timestamped filenames
- Includes validation, error handling, and troubleshooting guides
- Add scripts/README.md with detailed usage and crontab examples
- Add BACKUP-QUICKSTART.md for quick reference commands
- Update README.md to reference automated backup workflow
- Create backups/ directory structure

The script tests SSH connectivity successfully to pfSense.
This commit is contained in:
Kenji Morishige
2026-04-22 14:42:43 -05:00
commit 38f2aefecd
12 changed files with 2122 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

262
pfsense.home.arpa/VLAN-TOPOLOGY.md Normal file
View File

@@ -0,0 +1,262 @@
# VLAN Network Topology
Visual representation of your segmented home network architecture.
## High-Level Topology
```
┌─────────────────┐
│ Internet │
│ (WAN) │
└────────┬────────┘
┌──────────┴──────────┐
│ │
┌────▼─────────────────────▼────┐
│ pfSense Router │
│ (172.27.0.1) │
│ │
│ • DHCP Server │
│ • DNS Resolver │
│ • Firewall │
│ • VLAN Gateway │
└────┬────────┬────────┬────────┘
│ │ │
┌───────────┘ │ └──────────┐
│ │ │
┌──────▼──────┐ ┌──────▼──────┐ ┌──────▼──────┐
│ VLAN 1 │ │ VLAN 2 │ │ VLAN 3 │
│ LAN_SECURE │ │ AIWORKLOAD │ │ IOT │
│ 172.27.0.0 │ │ 172.27.2.0 │ │ 172.27.3.0 │
└──────┬──────┘ └──────┬──────┘ └──────┬──────┘
│ │ │
│ │ │
┌──────▼────────┐ ┌──────▼────────┐ ┌──────▼────────┐
│ │ │ │ │ │
│ Trusted Devices│ │ Openclaw │ │ IoT Devices │
│ │ │ GPU Workload │ │ │
│ • Laptop │ │ │ │ • Cameras │
│ • Desktop │ │ (Sandbox/ │ │ • Sensors │
│ • Phone │ │ Experiment) │ │ • Thermostat │
│ │ │ │ │ • Smart Outlets│
└────────────────┘ └────────────────┘ └────────────────┘
```
## Detailed Dataflow
### Device to Internet (All VLANs)
```
Device (VLAN X)
Gateway (172.27.X.1)
pfSense Firewall
WAN Interface
Internet Router/Modem
Internet ✓
```
### Trusted to Untrusted (Blocked)
```
LAN_SECURE Device (172.27.0.100)
Request to VLAN_AIWORKLOAD (172.27.2.X)
pfSense Firewall Rule: BLOCK
X Connection Refused
```
## Firewall Rule Chain
```
┌─────────────────────────────────────────────────────┐
│ Inbound Packet on Interface (e.g., LAN_SECURE) │
└────────────────────┬────────────────────────────────┘
┌────────────────────────┐
│ Source IP in subnet? │
│ (172.27.0.0/24) │
└────────┬───────┬────────┘
│ │
YES│ │NO → Block (rule 1)
│ │
▼ │
┌────────────────────────┐
│ Destination Subnet? │
└────────┬───────┬────────┘
│ │
172.27.0.0/24 172.27.2.0/24 172.27.3.0/24
│ │ │
▼ ▼ ▼
Same VLAN ALLOW (rule 2) BLOCK (rule 3)
│ │ │
▼ ▼ ▼
✓ PASS ✓ PASS ✗ BLOCK
```
## Port Connectivity (Example with 4-Port Switch)
```
┌──────────────────────────────────────────┐
│ Managed Network Switch │
│ (or pfSense internal if no switch) │
├──────────────────────────────────────────┤
│ │
│ Port 1 (Access, VLAN 1) │
│ ├─ Trusted Device 1 │
│ └─ Trusted Device 2 │
│ │
│ Port 2 (Access, VLAN 2) │
│ ├─ Openclaw Server │
│ └─ GPU Workstation │
│ │
│ Port 3 (Access, VLAN 3) │
│ ├─ Smart Camera 1 │
│ ├─ Smart Camera 2 │
│ ├─ IoT Sensor │
│ └─ Smart Thermostat │
│ │
│ Port 4 (Trunk - All VLANs Tagged) │
│ └─ pfSense Router │
│ (Receives VLAN-tagged frames) │
│ │
└──────────────────────────────────────────┘
```
## Traffic Examples
### ✓ Allowed Traffic Paths
```
1. Trusted Device → Internet
172.27.0.100 → 8.8.8.8:53
Gateway: 172.27.0.1 → pfSense → WAN → Internet ✓
2. AI Workload → Internet
172.27.2.50 → updates.example.com:443
Gateway: 172.27.2.1 → pfSense → WAN → Internet ✓
3. IoT Device → NTP Server
172.27.3.102 → pool.ntp.org:123
Gateway: 172.27.3.1 → pfSense → WAN → Internet ✓
4. Trusted Device → Trusted Device (same VLAN)
172.27.0.100 → 172.27.0.150 (same broadcast domain) ✓
```
### ✗ Blocked Traffic Paths
```
1. Trusted → AI Workload
172.27.0.100 → 172.27.2.50
Firewall Rule: BLOCK ✗
(Prevents lateral movement if AI workload is compromised)
2. Trusted → IoT Device
172.27.0.100 → 172.27.3.100
Firewall Rule: BLOCK ✗
(Prevents IoT compromise affecting trusted devices)
3. AI Workload → Trusted Device (reverse)
172.27.2.50 → 172.27.0.100
Firewall Rule: BLOCK ✗
(Prevents compromised workload from scanning trusted network)
4. IoT → AI Workload
172.27.3.102 → 172.27.2.50
Firewall Rule: BLOCK ✗
(Reduces attack surface between untrusted zones)
```
## VLAN 802.1Q Tagging (Switch-Level)
If using a managed switch with VLAN support:
```
Frame from pfSense Port 4 (Trunk):
┌─────────────────────────────────────────────────────┐
│ Ethernet Header │
├─────────────────────────────────────────────────────┤
│ Destination MAC | Source MAC | 802.1Q Tag | Type │
├─────────────────────────────────────────────────────┤
│ AA:BB:CC:DD:EE | 11:22:33:44:55:66 | VLAN: 2 | IPv4│
├─────────────────────────────────────────────────────┤
│ IPv4 Payload (IP Header + Data) │
└─────────────────────────────────────────────────────┘
When frame arrives at Port 2 (Access, VLAN 2):
├─ Switch removes 802.1Q tag
├─ Delivers untagged frame to device
└─ Device sees: AA:BB:CC:DD:EE → 11:22:33:44:55:66 [IPv4 Data]
```
## Isolation Guarantees
```
┌─────────────────────────────────────────────────────┐
│ VLAN Isolation Mechanisms │
├─────────────────────────────────────────────────────┤
│ │
│ 1. Layer 2 (Link Layer) │
│ └─ VLANs have separate broadcast domains │
│ └─ ARP packets don't cross VLAN boundaries │
│ └─ Broadcast storms are contained │
│ │
│ 2. Layer 3 (Network Layer) │
│ └─ Different subnets per VLAN │
│ └─ Devices can't directly route between VLANs│
│ └─ Must go through Layer 3 gateway (pfSense) │
│ │
│ 3. Firewall Rules (pfSense) │
│ └─ Explicit deny between VLANs (unless allowed) │
│ └─ Stateful inspection prevents spoofing │
│ └─ Rate limiting and IDS possible │
│ │
│ 4. Switch-Level Isolation (if applicable) │
│ └─ 802.1Q VLAN tags ensure switch-level routing │
│ └─ Malformed frames or tag injection blocked │
│ │
└─────────────────────────────────────────────────────┘
```
## Routing Summary
```
Routing Table on pfSense:
Destination Next Hop Interface Metric
────────────────────────────────────────────────────────────
0.0.0.0/0 192.168.1.1 WAN 1
172.27.0.0/24 direct LAN (VLAN 1) 0
172.27.2.0/24 direct OPT1 (VLAN 2) 0
172.27.3.0/24 direct OPT2 (VLAN 3) 0
```
### How Routing Works
1. **Packet from LAN_SECURE to VLAN_AIWORKLOAD:**
- Source: 172.27.0.100, Dest: 172.27.2.50
- pfSense checks routing table
- Destination 172.27.2.0/24 → exists on OPT1
- pfSense checks firewall rule for LAN → OPT1
- Rule says: BLOCK
- Packet is dropped ✗
2. **Packet from VLAN_AIWORKLOAD to Internet:**
- Source: 172.27.2.50, Dest: 8.8.8.8
- pfSense checks routing table
- Destination 8.8.8.8 → matches 0.0.0.0/0 (default route)
- Next hop: WAN gateway (192.168.1.1)
- pfSense checks firewall rule for OPT1 → WAN
- Rule says: ALLOW
- Packet forwarded to WAN ✓
---
**Last Updated:** 2026-04-22