- Add backup-pfsense-config.sh script for automated config backups via SSH
- Auto-commits backups to git with timestamped filenames
- Includes validation, error handling, and troubleshooting guides
- Add scripts/README.md with detailed usage and crontab examples
- Add BACKUP-QUICKSTART.md for quick reference commands
- Update README.md to reference automated backup workflow
- Create backups/ directory structure

The script tests SSH connectivity successfully to pfSense.
VLAN Network Topology
Visual representation of your segmented home network architecture.
High-Level Topology
```
                    ┌─────────────────┐
                    │    Internet     │
                    │     (WAN)       │
                    └────────┬────────┘
                             │
                  ┌──────────┴──────────┐
                  │                     │
             ┌────▼─────────────────────▼────┐
             │        pfSense Router         │
             │         (172.27.0.1)          │
             │                               │
             │  • DHCP Server                │
             │  • DNS Resolver               │
             │  • Firewall                   │
             │  • VLAN Gateway               │
             └────┬────────┬────────┬────────┘
                  │        │        │
       ┌──────────┘        │        └──────────┐
       │                   │                   │
┌──────▼──────┐     ┌──────▼──────┐     ┌──────▼──────┐
│   VLAN 1    │     │   VLAN 2    │     │   VLAN 3    │
│ LAN_SECURE  │     │ AIWORKLOAD  │     │     IOT     │
│ 172.27.0.0  │     │ 172.27.2.0  │     │ 172.27.3.0  │
└──────┬──────┘     └──────┬──────┘     └──────┬──────┘
       │                   │                   │
┌──────▼─────────┐  ┌──────▼─────────┐  ┌──────▼─────────┐
│                │  │                │  │                │
│ Trusted Devices│  │   Openclaw     │  │  IoT Devices   │
│                │  │  GPU Workload  │  │                │
│ • Laptop       │  │                │  │ • Cameras      │
│ • Desktop      │  │  (Sandbox/     │  │ • Sensors      │
│ • Phone        │  │   Experiment)  │  │ • Thermostat   │
│                │  │                │  │ • Smart Outlets│
└────────────────┘  └────────────────┘  └────────────────┘
```
Detailed Dataflow
Device to Internet (All VLANs)

```
Device (VLAN X)
      ↓
Gateway (172.27.X.1)
      ↓
pfSense Firewall
      ↓
WAN Interface
      ↓
Internet Router/Modem
      ↓
Internet ✓
```

Trusted to Untrusted (Blocked)

```
LAN_SECURE Device (172.27.0.100)
      ↓
Request to VLAN_AIWORKLOAD (172.27.2.X)
      ↓
pfSense Firewall Rule: BLOCK
      ↓
✗ Connection Refused
```
Firewall Rule Chain
```
┌─────────────────────────────────────────────────────┐
│ Inbound Packet on Interface (e.g., LAN_SECURE)      │
└──────────────┬──────────────────────────────────────┘
               │
               ▼
          ┌────────────────────────────────────────┐
          │          Source IP in subnet?          │
          │            (172.27.0.0/24)             │
          └────┬───────────────┬───────────────────┘
               │               │
            YES│               │NO → Block (rule 1)
               │
               ▼
          ┌────────────────────────────────────────┐
          │          Destination Subnet?           │
          └────┬───────────────┬───────────────┬───┘
               │               │               │
         172.27.0.0/24   172.27.2.0/24   172.27.3.0/24
               │               │               │
               ▼               ▼               ▼
           Same VLAN    ALLOW (rule 2)  BLOCK (rule 3)
               │               │               │
               ▼               ▼               ▼
            ✓ PASS          ✓ PASS          ✗ BLOCK
```
Port Connectivity (Example with 4-Port Switch)
```
┌──────────────────────────────────────────┐
│          Managed Network Switch          │
│    (or pfSense internal if no switch)    │
├──────────────────────────────────────────┤
│                                          │
│  Port 1 (Access, VLAN 1)                 │
│  ├─ Trusted Device 1                     │
│  └─ Trusted Device 2                     │
│                                          │
│  Port 2 (Access, VLAN 2)                 │
│  ├─ Openclaw Server                      │
│  └─ GPU Workstation                      │
│                                          │
│  Port 3 (Access, VLAN 3)                 │
│  ├─ Smart Camera 1                       │
│  ├─ Smart Camera 2                       │
│  ├─ IoT Sensor                           │
│  └─ Smart Thermostat                     │
│                                          │
│  Port 4 (Trunk - All VLANs Tagged)       │
│  └─ pfSense Router                       │
│     (Receives VLAN-tagged frames)        │
│                                          │
└──────────────────────────────────────────┘
```
Traffic Examples
✓ Allowed Traffic Paths

1. Trusted Device → Internet
   - 172.27.0.100 → 8.8.8.8:53
   - Gateway: 172.27.0.1 → pfSense → WAN → Internet ✓
2. AI Workload → Internet
   - 172.27.2.50 → updates.example.com:443
   - Gateway: 172.27.2.1 → pfSense → WAN → Internet ✓
3. IoT Device → NTP Server
   - 172.27.3.102 → pool.ntp.org:123
   - Gateway: 172.27.3.1 → pfSense → WAN → Internet ✓
4. Trusted Device → Trusted Device (same VLAN)
   - 172.27.0.100 → 172.27.0.150 (same broadcast domain) ✓

✗ Blocked Traffic Paths

1. Trusted → AI Workload
   - 172.27.0.100 → 172.27.2.50
   - Firewall Rule: BLOCK ✗
   - (Prevents lateral movement if AI workload is compromised)
2. Trusted → IoT Device
   - 172.27.0.100 → 172.27.3.100
   - Firewall Rule: BLOCK ✗
   - (Prevents IoT compromise affecting trusted devices)
3. AI Workload → Trusted Device (reverse)
   - 172.27.2.50 → 172.27.0.100
   - Firewall Rule: BLOCK ✗
   - (Prevents compromised workload from scanning trusted network)
4. IoT → AI Workload
   - 172.27.3.102 → 172.27.2.50
   - Firewall Rule: BLOCK ✗
   - (Reduces attack surface between untrusted zones)
VLAN 802.1Q Tagging (Switch-Level)
If using a managed switch with VLAN support:
```
Frame from pfSense Port 4 (Trunk):

┌─────────────────────────────────────────────────────────┐
│                     Ethernet Header                     │
├─────────────────────────────────────────────────────────┤
│ Destination MAC | Source MAC        | 802.1Q Tag | Type │
├─────────────────────────────────────────────────────────┤
│ AA:BB:CC:DD:EE  | 11:22:33:44:55:66 | VLAN: 2    | IPv4 │
├─────────────────────────────────────────────────────────┤
│ IPv4 Payload (IP Header + Data)                         │
└─────────────────────────────────────────────────────────┘

When frame arrives at Port 2 (Access, VLAN 2):
├─ Switch removes 802.1Q tag
├─ Delivers untagged frame to device
└─ Device sees: AA:BB:CC:DD:EE → 11:22:33:44:55:66 [IPv4 Data]
```
Isolation Guarantees
```
┌─────────────────────────────────────────────────────┐
│              VLAN Isolation Mechanisms              │
├─────────────────────────────────────────────────────┤
│                                                     │
│  1. Layer 2 (Link Layer)                            │
│     ├─ VLANs have separate broadcast domains        │
│     ├─ ARP packets don't cross VLAN boundaries      │
│     └─ Broadcast storms are contained               │
│                                                     │
│  2. Layer 3 (Network Layer)                         │
│     ├─ Different subnets per VLAN                   │
│     ├─ Devices can't directly route between VLANs   │
│     └─ Must go through Layer 3 gateway (pfSense)    │
│                                                     │
│  3. Firewall Rules (pfSense)                        │
│     ├─ Explicit deny between VLANs (unless allowed) │
│     ├─ Stateful inspection prevents spoofing        │
│     └─ Rate limiting and IDS possible               │
│                                                     │
│  4. Switch-Level Isolation (if applicable)          │
│     ├─ 802.1Q VLAN tags ensure switch-level routing │
│     └─ Malformed frames or tag injection blocked    │
│                                                     │
└─────────────────────────────────────────────────────┘
```
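The tagging and untagging steps shown above, together with the "tag injection blocked" item in the isolation list, as an added Python example that is not part of this repository or of pfSense: it builds an 802.1Q-tagged frame as it would travel on the trunk, parses the header, and models what a switch does on an access port in each direction (strip the tag on egress, assign the port VLAN on ingress, and drop a device-supplied tag). The MAC addresses, VLAN IDs and payload are constructed sample values; the diagram's abbreviated destination MAC is replaced here by a full six-octet one.

```python
import struct

TPID_8021Q = 0x8100       # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed sample values for this example (not from the page).
DEVICE_MAC = bytes.fromhex("aabbccddee01")   # full six-octet stand-in for the diagram's destination
ROUTER_MAC = bytes.fromhex("112233445566")   # the diagram's source MAC
SAMPLE_PAYLOAD = b"\x45\x00" + b"\x00" * 18  # stand-in for "IP Header + Data"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def build_tagged_frame(dst: bytes, src: bytes, vlan_id: int, payload: bytes, pcp: int = 0) -> bytes:
    """Frame as carried on the trunk: dst(6) src(6) TPID(2) TCI(2) EtherType(2) payload."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)    # PCP(3 bits) DEI(1 bit, zero) VID(12 bits)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + payload


def build_untagged_frame(dst: bytes, src: bytes, payload: bytes) -> bytes:
    """Frame as an access-port device sends and receives it: no tag at all."""
    return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header; 'vlan' is None when the frame carries no tag."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return {"dst": mac_str(dst), "src": mac_str(src), "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}


def access_port_egress(frame: bytes, port_vlan: int):
    """Trunk -> access port: forward only the port's own VLAN, stripping the tag.
    Returns the untagged frame, or None when the switch must not deliver it."""
    if parse_frame(frame)["vlan"] != port_vlan:
        return None                      # another VLAN, or untagged on the trunk: not for this port
    return frame[:12] + frame[16:]       # remove the 4-byte tag; EtherType and payload follow


def access_port_ingress(frame: bytes, port_vlan: int):
    """Access port -> trunk: the switch assigns the port's VLAN itself. A frame that already
    carries a tag is the device trying to choose its own VLAN, so it is dropped."""
    if parse_frame(frame)["vlan"] is not None:
        return None                      # tag injection on an access port: drop
    return frame[:12] + struct.pack("!HH", TPID_8021Q, port_vlan & 0x0FFF) + frame[12:]


if __name__ == "__main__":
    on_trunk = build_tagged_frame(DEVICE_MAC, ROUTER_MAC, 2, SAMPLE_PAYLOAD)
    print("trunk frame:", parse_frame(on_trunk))
    print("port 2 delivers:", parse_frame(access_port_egress(on_trunk, 2)))
    print("port 3 delivers:", access_port_egress(on_trunk, 3))
    print("tagged frame from a device on port 3:", access_port_ingress(on_trunk, 3))
```

The two access-port functions are the switch-side half of the isolation the page relies on: a device behind an access port never sees another VLAN's frames, and cannot pick a VLAN by sending tagged frames, so the only path between VLANs is the router and its rules.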
Routing Summary
Routing Table on pfSense:

```
Destination      Next Hop       Interface       Metric
────────────────────────────────────────────────────────────
0.0.0.0/0        192.168.1.1    WAN             1
172.27.0.0/24    direct         LAN  (VLAN 1)   0
172.27.2.0/24    direct         OPT1 (VLAN 2)   0
172.27.3.0/24    direct         OPT2 (VLAN 3)   0
```
How Routing Works
- Packet from LAN_SECURE to VLAN_AIWORKLOAD:
  - Source: 172.27.0.100, Dest: 172.27.2.50
  - pfSense checks routing table
  - Destination 172.27.2.0/24 → exists on OPT1
  - pfSense checks firewall rule for LAN → OPT1
  - Rule says: BLOCK
  - Packet is dropped ✗
- Packet from VLAN_AIWORKLOAD to Internet:
  - Source: 172.27.2.50, Dest: 8.8.8.8
  - pfSense checks routing table
  - Destination 8.8.8.8 → matches 0.0.0.0/0 (default route)
  - Next hop: WAN gateway (192.168.1.1)
  - pfSense checks firewall rule for OPT1 → WAN
  - Rule says: ALLOW
  - Packet forwarded to WAN ✓
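The firewall rule chain, the traffic examples and the two routing walk-throughs above, as one added Python model that is not pfSense code and not part of this repository: it performs the longest-prefix lookup over the routing table listed above and then evaluates a per-interface, first-match rule set that expresses the policy described in the text (drop sources that do not belong to the ingress subnet, deny every other VLAN, allow the rest out to the Internet). The interface names, subnets and WAN next hop are the document's; the rule set, the `IFACE_SUBNET` map (standing in for a pfSense alias) and the `forward` decision function are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Callable, List, Tuple

# Routing table exactly as listed above; the WAN next hop is the document's value.
ROUTES: List[Tuple[IPv4Network, str, str]] = [
    (ip_network("0.0.0.0/0"),     "192.168.1.1", "WAN"),
    (ip_network("172.27.0.0/24"), "direct",      "LAN"),    # VLAN 1, LAN_SECURE
    (ip_network("172.27.2.0/24"), "direct",      "OPT1"),   # VLAN 2, AIWORKLOAD
    (ip_network("172.27.3.0/24"), "direct",      "OPT2"),   # VLAN 3, IOT
]

# Subnet each VLAN interface serves; stands in for a pfSense alias such as "VLAN_SUBNETS" (assumption).
IFACE_SUBNET = {iface: net for net, _, iface in ROUTES if iface != "WAN"}


def lookup_route(dst: str) -> Tuple[str, str]:
    """Longest-prefix match over ROUTES; returns (egress interface, next hop)."""
    d = ip_address(dst)
    best = max((r for r in ROUTES if d in r[0]), key=lambda r: r[0].prefixlen)
    return best[2], best[1]


@dataclass
class Rule:
    action: str                                        # "pass" or "block"
    match: Callable[[IPv4Address, IPv4Address], bool]  # (src, dst) -> does this rule apply?
    description: str


def rules_for(ingress: str) -> List[Rule]:
    """Rule set evaluated on the ingress interface, first match wins (as pfSense does).
    Constructed for this example to express the policy in the text."""
    own = IFACE_SUBNET[ingress]
    other_vlans = [net for net in IFACE_SUBNET.values() if net != own]
    return [
        Rule("block", lambda s, d: s not in own,
             "source not in interface subnet (anti-spoof)"),
        Rule("block", lambda s, d: any(d in net for net in other_vlans),
             "inter-VLAN traffic is denied"),
        Rule("pass", lambda s, d: True,
             "allowed, e.g. out to the Internet"),
    ]


def forward(ingress: str, src: str, dst: str) -> Tuple[str, str, str]:
    """Decision path for one packet: (verdict, egress interface, reason).
    verdict is "local" (never reaches pfSense), "pass" or "block"."""
    s, d = ip_address(src), ip_address(dst)
    own = IFACE_SUBNET[ingress]
    if s in own and d in own:
        # Same broadcast domain: the switch delivers it, the router is never consulted.
        return "local", ingress, "same VLAN, switched at layer 2"
    egress, next_hop = lookup_route(dst)
    for rule in rules_for(ingress):
        if rule.match(s, d):
            hop = "directly attached" if next_hop == "direct" else f"next hop {next_hop}"
            return rule.action, egress, f"{rule.description}; route via {egress} ({hop})"
    return "block", egress, "implicit default deny"   # not reachable with the rules above


if __name__ == "__main__":
    # The allowed and blocked paths from the "Traffic Examples" section, plus a spoofed source.
    for ingress, src, dst in [
        ("LAN",  "172.27.0.100", "8.8.8.8"),         # trusted -> Internet
        ("OPT2", "172.27.3.102", "172.27.2.50"),     # IoT -> AI workload
        ("LAN",  "172.27.0.100", "172.27.2.50"),     # trusted -> AI workload
        ("OPT1", "172.27.2.50",  "172.27.0.100"),    # AI workload -> trusted (reverse)
        ("LAN",  "172.27.0.100", "172.27.0.150"),    # same VLAN
        ("LAN",  "172.27.2.50",  "8.8.8.8"),         # source address that does not belong on LAN
    ]:
        print(ingress, src, "->", dst, forward(ingress, src, dst))
```

Two details of the model match how pfSense behaves and are worth keeping in mind when reading the dataflow diagrams: traffic between two hosts in the same VLAN never reaches the router, so no firewall rule can see it; and a rule with action Block drops the packet silently, so the client observes a timeout rather than an immediate refusal (pfSense's Reject action is the one that answers with a TCP reset or ICMP unreachable).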
Last Updated: 2026-04-22