- Add backup-pfsense-config.sh script for automated config backups via SSH
- Auto-commits backups to git with timestamped filenames
- Includes validation, error handling, and troubleshooting guides
- Add scripts/README.md with detailed usage and crontab examples
- Add BACKUP-QUICKSTART.md for quick reference commands
- Update README.md to reference automated backup workflow
- Create backups/ directory structure

The script tests SSH connectivity successfully to pfSense.
VLAN Configuration Reference
Network segmentation configuration for pfsense.home.arpa router.
VLAN Definitions
```yaml
vlans:
  lan_secure:
    vlan_id: 1
    description: "Main trusted network"
    subnet: "172.27.0.0/24"
    gateway: "172.27.0.1"
    dhcp_start: "172.27.0.100"
    dhcp_end: "172.27.0.200"
    purpose: "Primary network for personal/trusted devices"
    isolation: "Gateway to WAN, can access VLANs as configured"
    firewall_default: "allow_outbound"
  vlan_aiworkload:
    vlan_id: 2
    description: "AI/ML Workload (Dangerous/OpenClaw)"
    subnet: "172.27.2.0/24"
    gateway: "172.27.2.1"
    dhcp_start: "172.27.2.100"
    dhcp_end: "172.27.2.200"
    purpose: "Isolated workload for AI/ML experiments, sandbox for untrusted code"
    isolation: "Blocked from LAN_SECURE, can access WAN"
    firewall_default: "deny_incoming, allow_outbound_to_wan"
    access_from_secure: "none"  # LAN_SECURE cannot reach this VLAN
  vlan_iot:
    vlan_id: 3
    description: "IoT Devices"
    subnet: "172.27.3.0/24"
    gateway: "172.27.3.1"
    dhcp_start: "172.27.3.100"
    dhcp_end: "172.27.3.200"
    purpose: "Smart home devices (cameras, sensors, thermostats, etc.)"
    isolation: "Blocked from LAN_SECURE, can access WAN for updates/APIs"
    firewall_default: "deny_incoming, allow_outbound_to_wan"
    access_from_secure: "none"  # LAN_SECURE cannot reach this VLAN
```
Firewall Rule Summary
From LAN_SECURE (172.27.0.0/24)
- ✓ To Internet (WAN)
- ✗ To VLAN_AIWORKLOAD (blocked)
- ✗ To VLAN_IOT (blocked)
- ✓ Internal (same subnet)
From VLAN_AIWORKLOAD (172.27.2.0/24)
- ✓ To Internet (WAN)
- ✗ To LAN_SECURE (blocked)
- ✗ To VLAN_IOT (blocked)
- ✓ Internal (same subnet)
From VLAN_IOT (172.27.3.0/24)
- ✓ To Internet (WAN)
- ✗ To LAN_SECURE (blocked)
- ✗ To VLAN_AIWORKLOAD (blocked)
- ✓ Internal (same subnet)
DHCP Configuration
Each VLAN has its own DHCP server:
VLAN_SECURE: 172.27.0.100 - 172.27.0.200 (Gateway: 172.27.0.1)
VLAN_AIWORKLOAD: 172.27.2.100 - 172.27.2.200 (Gateway: 172.27.2.1)
VLAN_IOT: 172.27.3.100 - 172.27.3.200 (Gateway: 172.27.3.1)
DNS Server (for all VLANs): 172.27.0.1 (pfSense resolver)
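The VLAN table, the Firewall Rule Summary and the shared DNS server above can be checked against each other before anything is clicked into pfSense. The following is an added example, not code from this repository: `lint()` verifies that gateways and DHCP pools sit inside their subnets, that no two subnets overlap and that the "VLAN ID = third octet" convention holds, and `expected_verdict()` models the rule summary so that the later isolation test has an oracle. It assumes that DNS to 172.27.0.1 is allowed by an explicit rule placed before the inter-VLAN block rules; without that, "blocked to LAN_SECURE" also covers the resolver address.

```python
import ipaddress

# Constructed copy of the vlans: table above (only the fields these checks need).
VLANS = {
    "lan_secure":      dict(vlan_id=1, subnet="172.27.0.0/24", gateway="172.27.0.1",
                            dhcp_start="172.27.0.100", dhcp_end="172.27.0.200"),
    "vlan_aiworkload": dict(vlan_id=2, subnet="172.27.2.0/24", gateway="172.27.2.1",
                            dhcp_start="172.27.2.100", dhcp_end="172.27.2.200"),
    "vlan_iot":        dict(vlan_id=3, subnet="172.27.3.0/24", gateway="172.27.3.1",
                            dhcp_start="172.27.3.100", dhcp_end="172.27.3.200"),
}
DNS_RESOLVER = "172.27.0.1"  # "DNS Server (for all VLANs)" in the DHCP section

def lint(vlans):
    """Return consistency findings for the VLAN table; an empty list means it is clean."""
    findings, seen = [], {}
    for name, v in vlans.items():
        net = ipaddress.ip_network(v["subnet"])
        gw = ipaddress.ip_address(v["gateway"])
        lo, hi = (ipaddress.ip_address(v[k]) for k in ("dhcp_start", "dhcp_end"))
        if gw not in net:
            findings.append(f"{name}: gateway {gw} is not inside {net}")
        if not (lo in net and hi in net and lo < hi):
            findings.append(f"{name}: DHCP pool {lo}-{hi} is not a valid range in {net}")
        if lo <= gw <= hi:
            findings.append(f"{name}: gateway {gw} lies inside the DHCP pool")
        octet3 = net.network_address.packed[2]  # "VLAN ID = third octet" convention
        if octet3 != v["vlan_id"]:
            findings.append(f"{name}: third octet {octet3} != vlan_id {v['vlan_id']}")
        for other, onet in seen.items():
            if net.overlaps(onet):
                findings.append(f"{name}: {net} overlaps {other} ({onet})")
        seen[name] = net
    return findings

def vlan_of(ip, vlans=VLANS):
    # Name of the VLAN whose subnet contains ip; None means an off-router (WAN) address.
    addr = ipaddress.ip_address(ip)
    return next((n for n, v in vlans.items() if addr in ipaddress.ip_network(v["subnet"])), None)

def expected_verdict(src_ip, dst_ip, dst_port, vlans=VLANS):
    """Model the Firewall Rule Summary: same subnet and WAN pass, cross-VLAN flows and
    unsolicited inbound from WAN are denied. Assumption: an explicit allow for DNS to the
    shared resolver sits before the block rules, or every lookup to 172.27.0.1 is dropped."""
    src, dst = vlan_of(src_ip, vlans), vlan_of(dst_ip, vlans)
    if src is None:
        return "deny"
    if dst_ip == DNS_RESOLVER and dst_port == 53:
        return "allow"
    return "allow" if dst is None or dst == src else "deny"
```

Run against the table as written, the only finding is that lan_secure uses third octet 0 with VLAN ID 1, so the octet convention in "Why These Subnets?" holds for the two tagged VLANs but not for the native one.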
Physical Switch Configuration (If Applicable)
If using a managed switch, configure VLAN tagging:
Port 1 (LAN_SECURE):
- Mode: Access
- VLAN: 1 (untagged, native)
- Devices: Personal computers, laptops
Port 2 (VLAN_AIWORKLOAD):
- Mode: Access
- VLAN: 2 (untagged)
- Devices: Openclaw server, GPU workstations
- OR: Trunk (if pfSense applies tags)
Port 3 (VLAN_IOT):
- Mode: Access
- VLAN: 3 (untagged)
- Devices: Smart home devices, cameras, sensors
- OR: Trunk (if pfSense applies tags)
Port 4 (Uplink to pfSense):
- Mode: Trunk
- VLANs: 1, 2, 3
- Tagged: 2, 3 (VLAN 1 typically untagged on trunk)
Device Assignments
Assign devices to VLANs using DHCP static mappings or by setting up switch port VLANs.
Planned Devices
VLAN_SECURE (LAN_SECURE):
- Your personal laptop/desktop
- Network printer (if any)
- Home automation controller (if trusted)
VLAN_AIWORKLOAD (VLAN_AIWORKLOAD):
- Openclaw server / AI workstation
- GPU compute server
- Experimental machine learning environment
VLAN_IOT (VLAN_IOT):
- Smart home cameras
- Temperature/humidity sensors
- Smart thermostat
- IoT gateway (if not trusted)
- Smart switches/outlets
Implementation Checklist
- Create VLAN 2 (VLAN_AIWORKLOAD) on parent interface
- Create VLAN 3 (VLAN_IOT) on parent interface
- Apply VLAN changes
- Create virtual interface for VLAN_AIWORKLOAD (OPT1)
- Set IP: 172.27.2.1/24
- Enable interface
- Apply changes
- Create virtual interface for VLAN_IOT (OPT2)
- Set IP: 172.27.3.1/24
- Enable interface
- Apply changes
- Configure DHCP for VLAN_AIWORKLOAD
- Configure DHCP for VLAN_IOT
- Configure firewall rules for LAN_SECURE
- Configure firewall rules for VLAN_AIWORKLOAD
- Configure firewall rules for VLAN_IOT
- Test DHCP on each VLAN
- Test inter-VLAN isolation
- Backup pfSense configuration
- Commit configuration to git
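For the "Test inter-VLAN isolation" step, the following is an added example (not the repository's backup script) to run from a host inside VLAN_AIWORKLOAD once the rules are applied. It assumes the pfSense resolver answers on TCP/53 at every gateway address and that the block rules silently drop packets rather than reject them; the check list and the hypothetical `probe`/`verify_isolation` helpers are constructed here.

```python
import socket

# Expected results for a host inside VLAN_AIWORKLOAD (172.27.2.0/24), derived from the
# rule summary and DHCP section above (constructed check list, not repository data).
# TCP/53 is probed because the pfSense resolver listens on every gateway address, so a
# reachable-but-closed port ("refused") can be told apart from a silent drop ("filtered").
AIWORKLOAD_CHECKS = [
    ("172.27.2.1", 53, "open"),        # own gateway / resolver
    ("172.27.0.1", 53, "open"),        # shared DNS server for all VLANs (needs its allow rule)
    ("172.27.0.1", 443, "filtered"),   # LAN_SECURE address of pfSense: blocked
    ("172.27.0.100", 22, "filtered"),  # a LAN_SECURE host: blocked
    ("172.27.3.1", 53, "filtered"),    # VLAN_IOT gateway: blocked
]

def probe(host, port, timeout=2.0, connect=socket.create_connection):
    """Classify one TCP connect attempt.
    'open'     : handshake completed, the flow is allowed
    'refused'  : RST came back, so packets reached the target (or the rule is reject, not block)
    'filtered' : no answer within the timeout, the firewall silently dropped it"""
    try:
        connect((host, port), timeout=timeout).close()
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # TimeoutError, host unreachable, etc.
        return "filtered"

def verify_isolation(checks, connect=socket.create_connection):
    """Return (host, port, expected, observed) for every check that disagrees with the
    rule summary; an empty list means the running firewall matches the documentation."""
    return [(h, p, want, got) for h, p, want in checks
            if (got := probe(h, p, connect=connect)) != want]

if __name__ == "__main__":
    for mismatch in verify_isolation(AIWORKLOAD_CHECKS):
        print("MISMATCH host=%s port=%d expected=%s observed=%s" % mismatch)
```

A "refused" result on a flow that should be blocked is the one to investigate: the packet reached the other VLAN, so either the rule is missing or it was created with reject instead of block.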
Notes & Decisions
Why These Subnets?
- 172.27.0.0/16: inside the RFC 1918 private range 172.16.0.0 - 172.31.255.255
- Each VLAN gets a /24 subnet (254 usable IPs per VLAN)
- Easy to route and remember (VLAN ID = third octet)
Why This Isolation?
- LAN_SECURE ↔ VLAN_AIWORKLOAD: Complete isolation prevents compromised AI workload from reaching trusted devices
- LAN_SECURE ↔ VLAN_IOT: IoT devices have broader vulnerabilities; isolation prevents lateral movement
- VLAN_AIWORKLOAD ↔ VLAN_IOT: Reduces attack surface between untrusted zones
- All VLANs → WAN: Allows devices to update, phone home, or reach cloud services
Future Enhancements
- Add guest VLAN for visitors
- Configure VPN access to VLAN_SECURE only
- Implement QoS rules per VLAN
- Add Intrusion Detection (Suricata) on VLAN boundaries
- Monitor inter-VLAN traffic in firewall logs
Last Updated: 2026-04-22