# VLAN Network Topology

Visual representation of your segmented home network architecture.

## High-Level Topology

```
                  ┌─────────────────┐
                  │    Internet     │
                  │     (WAN)       │
                  └────────┬────────┘
                           │
             ┌─────────────▼─────────────────┐
             │        pfSense Router         │
             │         (172.27.0.1)          │
             │                               │
             │  • DHCP Server                │
             │  • DNS Resolver               │
             │  • Firewall                   │
             │  • VLAN Gateway               │
             └────┬────────┬────────┬────────┘
                  │        │        │
       ┌──────────┘        │        └──────────┐
       │                   │                   │
┌──────▼──────┐     ┌──────▼──────┐     ┌──────▼──────┐
│   VLAN 1    │     │   VLAN 2    │     │   VLAN 3    │
│ LAN_SECURE  │     │ AIWORKLOAD  │     │     IOT     │
│ 172.27.0.0  │     │ 172.27.2.0  │     │ 172.27.3.0  │
└──────┬──────┘     └──────┬──────┘     └──────┬──────┘
       │                   │                   │
┌──────▼─────────┐  ┌──────▼─────────┐  ┌──────▼─────────┐
│                │  │                │  │                │
│ Trusted Devices│  │    Openclaw    │  │  IoT Devices   │
│                │  │  GPU Workload  │  │                │
│ • Laptop       │  │                │  │ • Cameras      │
│ • Desktop      │  │  (Sandbox/     │  │ • Sensors      │
│ • Phone        │  │   Experiment)  │  │ • Thermostat   │
│                │  │                │  │ • Smart Outlets│
└────────────────┘  └────────────────┘  └────────────────┘
```

## Detailed Dataflow

### Device to Internet (All VLANs)

```
Device (VLAN X)
    ↓
Gateway (172.27.X.1)
    ↓
pfSense Firewall
    ↓
WAN Interface
    ↓
Internet Router/Modem
    ↓
Internet ✓
```

### Trusted to Untrusted (Blocked)

```
LAN_SECURE Device (172.27.0.100)
    ↓
Request to VLAN_AIWORKLOAD (172.27.2.X)
    ↓
pfSense Firewall Rule: BLOCK
    ↓
✗ Connection Refused
```

## Firewall Rule Chain

```
┌─────────────────────────────────────────────────────┐
│  Inbound Packet on Interface (e.g., LAN_SECURE)     │
└────────────────────┬────────────────────────────────┘
                     │
                     ▼
         ┌────────────────────────┐
         │  Source IP in subnet?  │
         │    (172.27.0.0/24)     │
         └────────┬───────┬───────┘
                  │       │
               YES│       │NO → Block (rule 1)
                  │
                  ▼
         ┌────────────────────────┐
         │  Destination Subnet?   │
         └────┬───────┬───────┬───┘
              │       │       │
      ┌───────┘       │       └───────┐
      │               │               │
172.27.0.0/24   172.27.2.0/24   172.27.3.0/24
      │               │               │
      ▼               ▼               ▼
  Same VLAN    ALLOW (rule 2)  BLOCK (rule 3)
      │               │               │
      ▼               ▼               ▼
   ✓ PASS          ✓ PASS          ✗ BLOCK
```

## Port Connectivity (Example with 4-Port Switch)

```
┌──────────────────────────────────────────┐
│          Managed Network Switch          │
│    (or pfSense internal if no switch)    │
├──────────────────────────────────────────┤
│                                          │
│  Port 1 (Access, VLAN 1)                 │
│  ├─ Trusted Device 1                     │
│  └─ Trusted Device 2                     │
│                                          │
│  Port 2 (Access, VLAN 2)                 │
│  ├─ Openclaw Server                      │
│  └─ GPU Workstation                      │
│                                          │
│  Port 3 (Access, VLAN 3)                 │
│  ├─ Smart Camera 1                       │
│  ├─ Smart Camera 2                       │
│  ├─ IoT Sensor                           │
│  └─ Smart Thermostat                     │
│                                          │
│  Port 4 (Trunk - All VLANs Tagged)       │
│  └─ pfSense Router                       │
│     (Receives VLAN-tagged frames)        │
│                                          │
└──────────────────────────────────────────┘
```

## Traffic Examples

### ✓ Allowed Traffic Paths

```
1. Trusted Device → Internet
   172.27.0.100 → 8.8.8.8:53
   Gateway: 172.27.0.1 → pfSense → WAN → Internet ✓

2. AI Workload → Internet
   172.27.2.50 → updates.example.com:443
   Gateway: 172.27.2.1 → pfSense → WAN → Internet ✓

3. IoT Device → NTP Server
   172.27.3.102 → pool.ntp.org:123
   Gateway: 172.27.3.1 → pfSense → WAN → Internet ✓

4. Trusted Device → Trusted Device (same VLAN)
   172.27.0.100 → 172.27.0.150
   (same broadcast domain) ✓
```

### ✗ Blocked Traffic Paths

```
1. Trusted → AI Workload
   172.27.0.100 → 172.27.2.50
   Firewall Rule: BLOCK ✗
   (Prevents lateral movement if AI workload is compromised)

2. Trusted → IoT Device
   172.27.0.100 → 172.27.3.100
   Firewall Rule: BLOCK ✗
   (Prevents IoT compromise affecting trusted devices)

3. AI Workload → Trusted Device (reverse)
   172.27.2.50 → 172.27.0.100
   Firewall Rule: BLOCK ✗
   (Prevents compromised workload from scanning trusted network)

4. IoT → AI Workload
   172.27.3.102 → 172.27.2.50
   Firewall Rule: BLOCK ✗
   (Reduces attack surface between untrusted zones)
```

## VLAN 802.1Q Tagging (Switch-Level)

If using a managed switch with VLAN support:

```
Frame from pfSense Port 4 (Trunk):

┌────────────────────────────────────────────────────────┐
│ Ethernet Header                                        │
├────────────────────────────────────────────────────────┤
│ Destination MAC | Source MAC | 802.1Q Tag | Type       │
├────────────────────────────────────────────────────────┤
│ AA:BB:CC:DD:EE:FF | 11:22:33:44:55:66 | VLAN: 2 | IPv4 │
├────────────────────────────────────────────────────────┤
│ IPv4 Payload (IP Header + Data)                        │
└────────────────────────────────────────────────────────┘

When frame arrives at Port 2 (Access, VLAN 2):
├─ Switch removes 802.1Q tag
├─ Delivers untagged frame to device
└─ Device sees: AA:BB:CC:DD:EE:FF → 11:22:33:44:55:66 [IPv4 Data]
```

## Isolation Guarantees

```
┌─────────────────────────────────────────────────────┐
│ VLAN Isolation Mechanisms                           │
├─────────────────────────────────────────────────────┤
│                                                     │
│ 1. Layer 2 (Link Layer)                             │
│    └─ VLANs have separate broadcast domains         │
│    └─ ARP packets don't cross VLAN boundaries       │
│    └─ Broadcast storms are contained                │
│                                                     │
│ 2. Layer 3 (Network Layer)                          │
│    └─ Different subnets per VLAN                    │
│    └─ Devices can't directly route between VLANs    │
│    └─ Must go through Layer 3 gateway (pfSense)     │
│                                                     │
│ 3. Firewall Rules (pfSense)                         │
│    └─ Explicit deny between VLANs (unless allowed)  │
│    └─ Stateful inspection prevents spoofing         │
│    └─ Rate limiting and IDS possible                │
│                                                     │
│ 4. Switch-Level Isolation (if applicable)           │
│    └─ 802.1Q VLAN tags ensure switch-level routing  │
│    └─ Malformed frames or tag injection blocked     │
│                                                     │
└─────────────────────────────────────────────────────┘
```

## Routing Summary

```
Routing Table on pfSense:

Destination       Next Hop       Interface        Metric
────────────────────────────────────────────────────────────
0.0.0.0/0         192.168.1.1    WAN              1
172.27.0.0/24     direct         LAN (VLAN 1)     0
172.27.2.0/24     direct         OPT1 (VLAN 2)    0
172.27.3.0/24     direct         OPT2 (VLAN 3)    0
```

### How Routing Works

1. **Packet from LAN_SECURE to VLAN_AIWORKLOAD:**
   - Source: 172.27.0.100, Dest: 172.27.2.50
   - pfSense checks routing table
   - Destination 172.27.2.0/24 → exists on OPT1
   - pfSense checks firewall rule for LAN → OPT1
   - Rule says: BLOCK
   - Packet is dropped ✗

2. **Packet from VLAN_AIWORKLOAD to Internet:**
   - Source: 172.27.2.50, Dest: 8.8.8.8
   - pfSense checks routing table
   - Destination 8.8.8.8 → matches 0.0.0.0/0 (default route)
   - Next hop: WAN gateway (192.168.1.1)
   - pfSense checks firewall rule for OPT1 → WAN
   - Rule says: ALLOW
   - Packet forwarded to WAN ✓

---

**Last Updated:** 2026-04-22
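The routing lookup and rule chain walked through in "How Routing Works" can be checked against every path in "Traffic Examples" with a small simulator. The following is an added example, not code from the original page or from pfSense: it models the routing table from "Routing Summary" (longest-prefix match) and the policy the page describes (ingress source check, same-VLAN traffic never reaches the router, any VLAN may reach the Internet, inter-VLAN traffic denied unless an explicit allow exists). Addresses and interface names are the page's; the `INTER_VLAN_ALLOW` set, the rule ordering inside `decide`, and the public stand-in addresses `203.0.113.10` / `203.0.113.20` (used in place of the hostnames `updates.example.com` and `pool.ntp.org`) are constructed here.

```python
"""Forwarding decision for the three-VLAN pfSense layout (added example)."""
from ipaddress import ip_address, ip_network

# Routing table from "Routing Summary": (prefix, next hop, interface).
ROUTES = [
    (ip_network("0.0.0.0/0"), "192.168.1.1", "WAN"),
    (ip_network("172.27.0.0/24"), "direct", "LAN"),    # VLAN 1, LAN_SECURE
    (ip_network("172.27.2.0/24"), "direct", "OPT1"),   # VLAN 2, AIWORKLOAD
    (ip_network("172.27.3.0/24"), "direct", "OPT2"),   # VLAN 3, IOT
]

# Subnet directly attached to each VLAN interface (used by the rule 1 check).
IFACE_SUBNET = {
    "LAN": ip_network("172.27.0.0/24"),
    "OPT1": ip_network("172.27.2.0/24"),
    "OPT2": ip_network("172.27.3.0/24"),
}

# Explicit inter-VLAN allows as (ingress, egress) interface pairs. Constructed
# and left empty: the page's policy is "explicit deny between VLANs (unless allowed)".
INTER_VLAN_ALLOW = set()


def lookup_route(dst):
    """Longest-prefix match over ROUTES; returns (next_hop, interface)."""
    addr = ip_address(dst)
    best = None
    for prefix, next_hop, iface in ROUTES:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def decide(ingress, src, dst):
    """Apply the rule chain to a packet arriving on `ingress`.

    Returns (verdict, reason) with verdict "PASS" or "BLOCK".
    """
    if ingress not in IFACE_SUBNET:
        raise ValueError(f"unknown VLAN interface {ingress}")
    # Rule 1: the source must belong to the subnet attached to the ingress
    # interface; anything else is a spoofed or misrouted packet.
    if ip_address(src) not in IFACE_SUBNET[ingress]:
        return "BLOCK", "rule 1: source address not in interface subnet"
    _, egress = lookup_route(dst)
    if egress == ingress:
        # Same VLAN: delivered by the switch at layer 2, pfSense never forwards it.
        return "PASS", "same VLAN, same broadcast domain"
    if egress == "WAN":
        return "PASS", "VLAN to Internet via default route"
    if (ingress, egress) in INTER_VLAN_ALLOW:
        return "PASS", f"explicit allow {ingress} -> {egress}"
    return "BLOCK", f"inter-VLAN traffic {ingress} -> {egress} denied"


# Sample packets: the page's "Traffic Examples" plus one constructed spoofing
# case (a LAN_SECURE address arriving on the IOT interface).
SAMPLE_PACKETS = [
    ("LAN", "172.27.0.100", "8.8.8.8"),          # trusted -> Internet
    ("OPT1", "172.27.2.50", "203.0.113.10"),     # AI workload -> Internet (stand-in IP)
    ("OPT2", "172.27.3.102", "203.0.113.20"),    # IoT -> NTP (stand-in IP)
    ("LAN", "172.27.0.100", "172.27.0.150"),     # trusted -> trusted, same VLAN
    ("LAN", "172.27.0.100", "172.27.2.50"),      # trusted -> AI workload
    ("LAN", "172.27.0.100", "172.27.3.100"),     # trusted -> IoT
    ("OPT1", "172.27.2.50", "172.27.0.100"),     # AI workload -> trusted
    ("OPT2", "172.27.3.102", "172.27.2.50"),     # IoT -> AI workload
    ("OPT2", "172.27.0.100", "8.8.8.8"),         # constructed: spoofed source on IOT
]


def run_samples():
    """Evaluate every sample packet; returns {(ingress, src, dst): verdict}."""
    return {pkt: decide(*pkt)[0] for pkt in SAMPLE_PACKETS}


if __name__ == "__main__":
    for pkt, verdict in run_samples().items():
        print(f"{pkt[0]:<5}{pkt[1]:>13} -> {pkt[2]:<13} {verdict:5} ({decide(*pkt)[1]})")
```

Running the script prints one line per sample; the first four paths pass and the remaining five are blocked, matching the Allowed and Blocked lists above. To permit a specific flow (say a trusted-to-IoT management path), add the `(ingress, egress)` pair to `INTER_VLAN_ALLOW`; everything else stays denied.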
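The frame layout in "VLAN 802.1Q Tagging" and the "tag injection blocked" line under "Isolation Guarantees" can be made concrete by building and decoding the bytes. The following is an added example, not code from the original page or from any switch vendor: it constructs the tagged frame drawn above (TPID `0x8100` plus a 16-bit TCI between the source MAC and the EtherType), parses it, strips the tag the way the access port on Port 2 does, and models one common access-port behaviour, discarding any tag a device attaches and re-tagging with the port's own VLAN, so a device cannot choose its VLAN. The MAC addresses are the page's sample values (the destination completed to six octets); `SAMPLE_PAYLOAD` and the access-port ingress behaviour are constructed assumptions.

```python
"""802.1Q tag construction, parsing and access-port handling (added example)."""
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed dummy payload: a 20-byte IPv4 header skeleton (version/IHL byte 0x45).
SAMPLE_PAYLOAD = bytes.fromhex("45000014") + bytes(16)


def mac_bytes(mac):
    """'AA:BB:CC:DD:EE:FF' -> 6 raw bytes; rejects malformed addresses."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"malformed MAC {mac!r}")
    return bytes(int(p, 16) for p in parts)


def mac_str(raw):
    return ":".join(f"{b:02X}" for b in raw)


def build_tagged_frame(dst, src, vlan_id, ethertype, payload, pcp=0):
    """Trunk-side frame: dst MAC, src MAC, 802.1Q tag (TPID + TCI), EtherType, payload."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)   # PCP(3) | DEI(1) | VID(12)
    return (mac_bytes(dst) + mac_bytes(src)
            + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload)


def parse_frame(frame):
    """Decode an Ethernet frame; 'vlan' is None when the frame carries no tag."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan = pcp = None
    payload = frame[14:]
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, pcp = tci & 0x0FFF, tci >> 13
        payload = frame[18:]
    return {"dst": mac_str(dst), "src": mac_str(src), "vlan": vlan,
            "pcp": pcp, "ethertype": ethertype, "payload": payload}


def access_port_egress(frame, port_vlan):
    """Deliver a trunk frame out of an access port: strip the tag when the VLAN
    matches the port; return None (not delivered) when it belongs elsewhere."""
    info = parse_frame(frame)
    if info["vlan"] != port_vlan:
        return None
    return (mac_bytes(info["dst"]) + mac_bytes(info["src"])
            + struct.pack("!H", info["ethertype"]) + info["payload"])


def access_port_ingress(frame, port_vlan):
    """Frame received from a device on an access port, re-tagged for the trunk.
    Any tag the device attached is discarded (constructed model of the
    'tag injection blocked' behaviour), so the port VLAN always wins."""
    info = parse_frame(frame)
    return build_tagged_frame(info["dst"], info["src"], port_vlan,
                              info["ethertype"], info["payload"])


if __name__ == "__main__":
    trunk = build_tagged_frame("AA:BB:CC:DD:EE:FF", "11:22:33:44:55:66",
                               2, ETHERTYPE_IPV4, SAMPLE_PAYLOAD)
    print("trunk frame:", trunk[:18].hex(" "), "...")
    print("parsed:", {k: v for k, v in parse_frame(trunk).items() if k != "payload"})
    delivered = access_port_egress(trunk, 2)
    print("Port 2 (VLAN 2) delivers untagged:", delivered[:14].hex(" "), "...")
    print("Port 3 (VLAN 3) delivers:", access_port_egress(trunk, 3))
    forged = access_port_ingress(trunk, 3)   # device on VLAN 3 sends a VLAN 2 tag
    print("re-tagged on ingress to VLAN:", parse_frame(forged)["vlan"])
```

The trunk frame begins with the two MACs followed by `81 00 00 02 08 00`: the TPID, a TCI whose low 12 bits hold VLAN 2, and the real EtherType. Port 2 hands the device the same frame minus those four tag bytes, Port 3 delivers nothing, and a frame that arrives on the VLAN 3 access port already carrying a VLAN 2 tag leaves for the trunk tagged VLAN 3.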