# VLAN Configuration Reference

Network segmentation configuration for pfsense.home.arpa router.

## VLAN Definitions

```yaml
vlans:
  lan_secure:
    vlan_id: 1
    description: "Main trusted network"
    subnet: "172.27.0.0/24"
    gateway: "172.27.0.1"
    dhcp_start: "172.27.0.100"
    dhcp_end: "172.27.0.200"
    purpose: "Primary network for personal/trusted devices"
    isolation: "Gateway to WAN, can access VLANs as configured"
    firewall_default: "allow_outbound"

  vlan_aiworkload:
    vlan_id: 2
    description: "AI/ML Workload (Dangerous/OpenClaw)"
    subnet: "172.27.2.0/24"
    gateway: "172.27.2.1"
    dhcp_start: "172.27.2.100"
    dhcp_end: "172.27.2.200"
    purpose: "Isolated workload for AI/ML experiments, sandbox for untrusted code"
    isolation: "Blocked from LAN_SECURE, can access WAN"
    firewall_default: "deny_incoming, allow_outbound_to_wan"
    access_from_secure: "none"  # LAN_SECURE cannot reach this VLAN

  vlan_iot:
    vlan_id: 3
    description: "IoT Devices"
    subnet: "172.27.3.0/24"
    gateway: "172.27.3.1"
    dhcp_start: "172.27.3.100"
    dhcp_end: "172.27.3.200"
    purpose: "Smart home devices (cameras, sensors, thermostats, etc.)"
    isolation: "Blocked from LAN_SECURE, can access WAN for updates/APIs"
    firewall_default: "deny_incoming, allow_outbound_to_wan"
    access_from_secure: "none"  # LAN_SECURE cannot reach this VLAN
```

## Firewall Rule Summary

### From LAN_SECURE (172.27.0.0/24)

- ✓ To Internet (WAN)
- ✗ To VLAN_AIWORKLOAD (blocked)
- ✗ To VLAN_IOT (blocked)
- ✓ Internal (same subnet)

### From VLAN_AIWORKLOAD (172.27.2.0/24)

- ✓ To Internet (WAN)
- ✗ To LAN_SECURE (blocked)
- ✗ To VLAN_IOT (blocked)
- ✓ Internal (same subnet)

### From VLAN_IOT (172.27.3.0/24)

- ✓ To Internet (WAN)
- ✗ To LAN_SECURE (blocked)
- ✗ To VLAN_AIWORKLOAD (blocked)
- ✓ Internal (same subnet)

## DHCP Configuration

Each VLAN has its own DHCP server:

```
VLAN_SECURE:     172.27.0.100 - 172.27.0.200 (Gateway: 172.27.0.1)
VLAN_AIWORKLOAD: 172.27.2.100 - 172.27.2.200 (Gateway: 172.27.2.1)
VLAN_IOT:        172.27.3.100 - 172.27.3.200 (Gateway: 172.27.3.1)
```

**DNS Server** (for all VLANs): 172.27.0.1 (pfSense resolver)

## Physical Switch Configuration (If Applicable)

If using a managed switch, configure VLAN tagging:

```
Port 1 (LAN_SECURE):
  - Mode: Access
  - VLAN: 1 (untagged, native)
  - Devices: Personal computers, laptops

Port 2 (VLAN_AIWORKLOAD):
  - Mode: Access
  - VLAN: 2 (untagged)
  - Devices: Openclaw server, GPU workstations
  - OR: Trunk (if pfSense applies tags)

Port 3 (VLAN_IOT):
  - Mode: Access
  - VLAN: 3 (untagged)
  - Devices: Smart home devices, cameras, sensors
  - OR: Trunk (if pfSense applies tags)

Port 4 (Uplink to pfSense):
  - Mode: Trunk
  - VLANs: 1, 2, 3
  - Tagged: 2, 3 (VLAN 1 typically untagged on trunk)
```

## Device Assignments

Assign devices to VLANs using DHCP static mappings or by setting up switch port VLANs.

### Planned Devices

**VLAN_SECURE (LAN_SECURE):**

- [ ] Your personal laptop/desktop
- [ ] Network printer (if any)
- [ ] Home automation controller (if trusted)

**VLAN_AIWORKLOAD (VLAN_AIWORKLOAD):**

- [ ] Openclaw server / AI workstation
- [ ] GPU compute server
- [ ] Experimental machine learning environment

**VLAN_IOT (VLAN_IOT):**

- [ ] Smart home cameras
- [ ] Temperature/humidity sensors
- [ ] Smart thermostat
- [ ] IoT gateway (if not trusted)
- [ ] Smart switches/outlets

## Implementation Checklist

- [ ] Create VLAN 2 (VLAN_AIWORKLOAD) on parent interface
- [ ] Create VLAN 3 (VLAN_IOT) on parent interface
- [ ] Apply VLAN changes
- [ ] Create virtual interface for VLAN_AIWORKLOAD (OPT1)
  - [ ] Set IP: 172.27.2.1/24
  - [ ] Enable interface
  - [ ] Apply changes
- [ ] Create virtual interface for VLAN_IOT (OPT2)
  - [ ] Set IP: 172.27.3.1/24
  - [ ] Enable interface
  - [ ] Apply changes
- [ ] Configure DHCP for VLAN_AIWORKLOAD
- [ ] Configure DHCP for VLAN_IOT
- [ ] Configure firewall rules for LAN_SECURE
- [ ] Configure firewall rules for VLAN_AIWORKLOAD
- [ ] Configure firewall rules for VLAN_IOT
- [ ] Test DHCP on each VLAN
- [ ] Test inter-VLAN isolation
- [ ] Backup pfSense configuration
- [ ] Commit configuration to git

## Notes & Decisions

### Why These Subnets?

- **172.27.x.x/16**: Private RFC 1918 range (172.16.0.0 - 172.31.255.255)
- Each VLAN gets a /24 subnet (254 usable IPs per VLAN)
- Easy to route and remember (VLAN ID = third octet)

### Why This Isolation?

- **LAN_SECURE** ↔ **VLAN_AIWORKLOAD**: Complete isolation prevents compromised AI workload from reaching trusted devices
- **LAN_SECURE** ↔ **VLAN_IOT**: IoT devices have broader vulnerabilities; isolation prevents lateral movement
- **VLAN_AIWORKLOAD** ↔ **VLAN_IOT**: Reduces attack surface between untrusted zones
- All VLANs → WAN: Allows devices to update, phone home, or reach cloud services

### Future Enhancements

- Add guest VLAN for visitors
- Configure VPN access to VLAN_SECURE only
- Implement QoS rules per VLAN
- Add Intrusion Detection (Suricata) on VLAN boundaries
- Monitor inter-VLAN traffic in firewall logs

---

**Last Updated:** 2026-04-22
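The firewall rule summary above is an ordered, per-interface policy, and pfSense evaluates such rules top to bottom with first match winning. The following is an added offline model of that policy (example code written for this page, not part of the pfSense configuration itself) that you can use to sanity-check the "Test inter-VLAN isolation" step before touching the router. One assumption is labelled in the code: because every VLAN is pointed at the 172.27.0.1 resolver, which sits inside LAN_SECURE, the model adds a pass rule for UDP/TCP port 53 to that one address ahead of the "block to LAN_SECURE" rule; without it, the blanket block would also drop DNS from the other two VLANs.

```python
"""Offline model of the per-VLAN firewall policy from this reference.
Rules run pfSense-style on the ingress interface: top to bottom, first
match wins, implicit deny if nothing matches. Subnets are those in the
VLAN definitions; the port-53 exception to 172.27.0.1 is an ASSUMPTION."""
import ipaddress

VLANS = {
    "LAN_SECURE": ipaddress.ip_network("172.27.0.0/24"),
    "VLAN_AIWORKLOAD": ipaddress.ip_network("172.27.2.0/24"),
    "VLAN_IOT": ipaddress.ip_network("172.27.3.0/24"),
}
DNS_SERVER = ipaddress.ip_network("172.27.0.1/32")  # pfSense resolver

def rules_for(vlan):
    """Ordered rules for traffic entering pfSense on this VLAN's interface.
    Each rule is (action, destination network or None=any, dst port or None=any)."""
    own = VLANS[vlan]
    rules = [("pass", own, None)]  # internal (same subnet)
    if vlan != "LAN_SECURE":
        # Assumed exception: allow DNS to the shared resolver before the block.
        rules.append(("pass", DNS_SERVER, 53))
    for other, net in VLANS.items():
        if other != vlan:
            rules.append(("block", net, None))  # inter-VLAN isolation
    rules.append(("pass", None, None))  # everything else = WAN
    return rules

def decide(src_ip, dst_ip, dst_port=None):
    """Return 'pass' or 'block' for one flow, first matching rule wins."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    vlan = next((v for v, net in VLANS.items() if src in net), None)
    if vlan is None:
        return "block"  # source is not on any of our VLANs
    for action, net, port in rules_for(vlan):
        if net is not None and dst not in net:
            continue
        if port is not None and dst_port != port:
            continue
        return action
    return "block"  # implicit default deny

def isolation_matrix():
    """Every ordered VLAN pair: plain cross-VLAN traffic must be blocked."""
    return {(a, b): decide(VLANS[a][10], VLANS[b][10])
            for a in VLANS for b in VLANS if a != b}
```

When a guest VLAN is added later, enumerating each peer subnet as a block rule no longer scales; a single block to all RFC 1918 space placed just before the final WAN pass rule covers any future VLAN without editing every interface.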