kenjim/appa-net
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
appa-net/pfsense.home.arpa/VLAN-CONFIG.md
Kenji Morishige 38f2aefecd Add pfSense backup utility and documentation 
- Add backup-pfsense-config.sh script for automated config backups via SSH
- Auto-commits backups to git with timestamped filenames
- Includes validation, error handling, and troubleshooting guides
- Add scripts/README.md with detailed usage and crontab examples
- Add BACKUP-QUICKSTART.md for quick reference commands
- Update README.md to reference automated backup workflow
- Create backups/ directory structure

The script tests SSH connectivity successfully to pfSense.
2026-04-22 14:42:43 -05:00

174 lines
5.1 KiB
Markdown
Raw Permalink Blame History

# VLAN Configuration Reference
Network segmentation configuration for pfsense.home.arpa router.
## VLAN Definitions
```yaml
vlans:
lan_secure:
vlan_id: 1
description: "Main trusted network"
subnet: "172.27.0.0/24"
gateway: "172.27.0.1"
dhcp_start: "172.27.0.100"
dhcp_end: "172.27.0.200"
purpose: "Primary network for personal/trusted devices"
isolation: "Gateway to WAN, can access VLANs as configured"
firewall_default: "allow_outbound"
vlan_aiworkload:
vlan_id: 2
description: "AI/ML Workload (Dangerous/OpenClaw)"
subnet: "172.27.2.0/24"
gateway: "172.27.2.1"
dhcp_start: "172.27.2.100"
dhcp_end: "172.27.2.200"
purpose: "Isolated workload for AI/ML experiments, sandbox for untrusted code"
isolation: "Blocked from LAN_SECURE, can access WAN"
firewall_default: "deny_incoming, allow_outbound_to_wan"
access_from_secure: "none" # LAN_SECURE cannot reach this VLAN
vlan_iot:
vlan_id: 3
description: "IoT Devices"
subnet: "172.27.3.0/24"
gateway: "172.27.3.1"
dhcp_start: "172.27.3.100"
dhcp_end: "172.27.3.200"
purpose: "Smart home devices (cameras, sensors, thermostats, etc.)"
isolation: "Blocked from LAN_SECURE, can access WAN for updates/APIs"
firewall_default: "deny_incoming, allow_outbound_to_wan"
access_from_secure: "none" # LAN_SECURE cannot reach this VLAN
```
## Firewall Rule Summary
### From LAN_SECURE (172.27.0.0/24)
- ✓ To Internet (WAN)
- ✗ To VLAN_AIWORKLOAD (blocked)
- ✗ To VLAN_IOT (blocked)
- ✓ Internal (same subnet)
### From VLAN_AIWORKLOAD (172.27.2.0/24)
- ✓ To Internet (WAN)
- ✗ To LAN_SECURE (blocked)
- ✗ To VLAN_IOT (blocked)
- ✓ Internal (same subnet)
### From VLAN_IOT (172.27.3.0/24)
- ✓ To Internet (WAN)
- ✗ To LAN_SECURE (blocked)
- ✗ To VLAN_AIWORKLOAD (blocked)
- ✓ Internal (same subnet)
## DHCP Configuration
Each VLAN has its own DHCP server:
```
VLAN_SECURE: 172.27.0.100 - 172.27.0.200 (Gateway: 172.27.0.1)
VLAN_AIWORKLOAD: 172.27.2.100 - 172.27.2.200 (Gateway: 172.27.2.1)
VLAN_IOT: 172.27.3.100 - 172.27.3.200 (Gateway: 172.27.3.1)
```
**DNS Server** (for all VLANs): 172.27.0.1 (pfSense resolver)
## Physical Switch Configuration (If Applicable)
If using a managed switch, configure VLAN tagging:
```
Port 1 (LAN_SECURE):
- Mode: Access
- VLAN: 1 (untagged, native)
- Devices: Personal computers, laptops
Port 2 (VLAN_AIWORKLOAD):
- Mode: Access
- VLAN: 2 (untagged)
- Devices: Openclaw server, GPU workstations
- OR: Trunk (if pfSense applies tags)
Port 3 (VLAN_IOT):
- Mode: Access
- VLAN: 3 (untagged)
- Devices: Smart home devices, cameras, sensors
- OR: Trunk (if pfSense applies tags)
Port 4 (Uplink to pfSense):
- Mode: Trunk
- VLANs: 1, 2, 3
- Tagged: 2, 3 (VLAN 1 typically untagged on trunk)
```
## Device Assignments
Assign devices to VLANs using DHCP static mappings or by setting up switch port VLANs.
### Planned Devices
**VLAN_SECURE (LAN_SECURE):**
- [ ] Your personal laptop/desktop
- [ ] Network printer (if any)
- [ ] Home automation controller (if trusted)
**VLAN_AIWORKLOAD (VLAN_AIWORKLOAD):**
- [ ] Openclaw server / AI workstation
- [ ] GPU compute server
- [ ] Experimental machine learning environment
**VLAN_IOT (VLAN_IOT):**
- [ ] Smart home cameras
- [ ] Temperature/humidity sensors
- [ ] Smart thermostat
- [ ] IoT gateway (if not trusted)
- [ ] Smart switches/outlets
## Implementation Checklist
- [ ] Create VLAN 2 (VLAN_AIWORKLOAD) on parent interface
- [ ] Create VLAN 3 (VLAN_IOT) on parent interface
- [ ] Apply VLAN changes
- [ ] Create virtual interface for VLAN_AIWORKLOAD (OPT1)
- [ ] Set IP: 172.27.2.1/24
- [ ] Enable interface
- [ ] Apply changes
- [ ] Create virtual interface for VLAN_IOT (OPT2)
- [ ] Set IP: 172.27.3.1/24
- [ ] Enable interface
- [ ] Apply changes
- [ ] Configure DHCP for VLAN_AIWORKLOAD
- [ ] Configure DHCP for VLAN_IOT
- [ ] Configure firewall rules for LAN_SECURE
- [ ] Configure firewall rules for VLAN_AIWORKLOAD
- [ ] Configure firewall rules for VLAN_IOT
- [ ] Test DHCP on each VLAN
- [ ] Test inter-VLAN isolation
- [ ] Backup pfSense configuration
- [ ] Commit configuration to git
## Notes & Decisions
### Why These Subnets?
- **172.27.x.x/16**: Private RFC 1918 range (172.16.0.0 - 172.31.255.255)
- Each VLAN gets a /24 subnet (254 usable IPs per VLAN)
- Easy to route and remember (VLAN ID = third octet)
### Why This Isolation?
- **LAN_SECURE** ↔ **VLAN_AIWORKLOAD**: Complete isolation prevents compromised AI workload from reaching trusted devices
- **LAN_SECURE** ↔ **VLAN_IOT**: IoT devices have broader vulnerabilities; isolation prevents lateral movement
- **VLAN_AIWORKLOAD** ↔ **VLAN_IOT**: Reduces attack surface between untrusted zones
- All VLANs → WAN: Allows devices to update, phone home, or reach cloud services
### Future Enhancements
- Add guest VLAN for visitors
- Configure VPN access to VLAN_SECURE only
- Implement QoS rules per VLAN
- Add Intrusion Detection (Suricata) on VLAN boundaries
- Monitor inter-VLAN traffic in firewall logs
---
**Last Updated:** 2026-04-22
Reference in New Issue View Git Blame Copy Permalink