- Add backup-pfsense-config.sh script for automated config backups via SSH - Auto-commits backups to git with timestamped filenames - Includes validation, error handling, and troubleshooting guides - Add scripts/README.md with detailed usage and crontab examples - Add BACKUP-QUICKSTART.md for quick reference commands - Update README.md to reference automated backup workflow - Create backups/ directory structure The script tests SSH connectivity successfully to pfSense.
263 lines
12 KiB
Markdown
# VLAN Network Topology

Visual representation of your segmented home network architecture.

## High-Level Topology

```
                    ┌─────────────────┐
                    │    Internet     │
                    │     (WAN)       │
                    └────────┬────────┘
                             │
                  ┌──────────┴──────────┐
                  │                     │
             ┌────▼─────────────────────▼────┐
             │        pfSense Router         │
             │         (172.27.0.1)          │
             │                               │
             │  • DHCP Server                │
             │  • DNS Resolver               │
             │  • Firewall                   │
             │  • VLAN Gateway               │
             └────┬────────┬────────┬────────┘
                  │        │        │
       ┌──────────┘        │        └──────────┐
       │                   │                   │
┌──────▼──────┐     ┌──────▼──────┐     ┌──────▼──────┐
│   VLAN 1    │     │   VLAN 2    │     │   VLAN 3    │
│ LAN_SECURE  │     │ AIWORKLOAD  │     │     IOT     │
│ 172.27.0.0  │     │ 172.27.2.0  │     │ 172.27.3.0  │
└──────┬──────┘     └──────┬──────┘     └──────┬──────┘
       │                   │                   │
       │                   │                   │
┌──────▼─────────┐  ┌──────▼─────────┐  ┌──────▼─────────┐
│                │  │                │  │                │
│ Trusted Devices│  │    Openclaw    │  │  IoT Devices   │
│                │  │  GPU Workload  │  │                │
│  • Laptop      │  │                │  │  • Cameras     │
│  • Desktop     │  │   (Sandbox/    │  │  • Sensors     │
│  • Phone       │  │   Experiment)  │  │  • Thermostat  │
│                │  │                │  │ • Smart Outlets│
└────────────────┘  └────────────────┘  └────────────────┘
```

## Detailed Dataflow

### Device to Internet (All VLANs)

```
Device (VLAN X)
        ↓
Gateway (172.27.X.1)
        ↓
pfSense Firewall
        ↓
WAN Interface
        ↓
Internet Router/Modem
        ↓
Internet ✓
```

### Trusted to Untrusted (Blocked)

```
LAN_SECURE Device (172.27.0.100)
        ↓
Request to VLAN_AIWORKLOAD (172.27.2.X)
        ↓
pfSense Firewall Rule: BLOCK
        ↓
X Connection Refused
```

## Firewall Rule Chain

```
┌─────────────────────────────────────────────────────┐
│   Inbound Packet on Interface (e.g., LAN_SECURE)    │
└────────────────────┬────────────────────────────────┘
                     │
                     ▼
        ┌────────────────────────┐
        │  Source IP in subnet?  │
        │    (172.27.0.0/24)     │
        └────────┬───────┬───────┘
                 │       │
              YES│       │NO → Block (rule 1)
                 │       │
                 ▼       │
        ┌────────────────────────┐
        │  Destination Subnet?   │
        └────┬───────┬───────┬───┘
             │       │       │
      ┌──────┘       │       └──────┐
      │              │              │
172.27.0.0/24  172.27.2.0/24  172.27.3.0/24
      │              │              │
      ▼              ▼              ▼
  Same VLAN   ALLOW (rule 2) BLOCK (rule 3)
      │              │              │
      ▼              ▼              ▼
   ✓ PASS         ✓ PASS        ✗ BLOCK
```

## Port Connectivity (Example with 4-Port Switch)

```
┌──────────────────────────────────────────┐
│          Managed Network Switch          │
│    (or pfSense internal if no switch)    │
├──────────────────────────────────────────┤
│                                          │
│  Port 1 (Access, VLAN 1)                 │
│    ├─ Trusted Device 1                   │
│    └─ Trusted Device 2                   │
│                                          │
│  Port 2 (Access, VLAN 2)                 │
│    ├─ Openclaw Server                    │
│    └─ GPU Workstation                    │
│                                          │
│  Port 3 (Access, VLAN 3)                 │
│    ├─ Smart Camera 1                     │
│    ├─ Smart Camera 2                     │
│    ├─ IoT Sensor                         │
│    └─ Smart Thermostat                   │
│                                          │
│  Port 4 (Trunk - All VLANs Tagged)       │
│    └─ pfSense Router                     │
│       (Receives VLAN-tagged frames)      │
│                                          │
└──────────────────────────────────────────┘
```

## Traffic Examples

### ✓ Allowed Traffic Paths

```
1. Trusted Device → Internet
   172.27.0.100 → 8.8.8.8:53
   Gateway: 172.27.0.1 → pfSense → WAN → Internet ✓

2. AI Workload → Internet
   172.27.2.50 → updates.example.com:443
   Gateway: 172.27.2.1 → pfSense → WAN → Internet ✓

3. IoT Device → NTP Server
   172.27.3.102 → pool.ntp.org:123
   Gateway: 172.27.3.1 → pfSense → WAN → Internet ✓

4. Trusted Device → Trusted Device (same VLAN)
   172.27.0.100 → 172.27.0.150 (same broadcast domain) ✓
```

### ✗ Blocked Traffic Paths

```
1. Trusted → AI Workload
   172.27.0.100 → 172.27.2.50
   Firewall Rule: BLOCK ✗
   (Prevents lateral movement if AI workload is compromised)

2. Trusted → IoT Device
   172.27.0.100 → 172.27.3.100
   Firewall Rule: BLOCK ✗
   (Prevents IoT compromise affecting trusted devices)

3. AI Workload → Trusted Device (reverse)
   172.27.2.50 → 172.27.0.100
   Firewall Rule: BLOCK ✗
   (Prevents compromised workload from scanning trusted network)

4. IoT → AI Workload
   172.27.3.102 → 172.27.2.50
   Firewall Rule: BLOCK ✗
   (Reduces attack surface between untrusted zones)
```

## VLAN 802.1Q Tagging (Switch-Level)

If using a managed switch with VLAN support:

```
Frame from pfSense Port 4 (Trunk):

┌────────────────────────────────────────────────────────┐
│                    Ethernet Header                     │
├────────────────────────────────────────────────────────┤
│    Destination MAC | Source MAC | 802.1Q Tag | Type    │
├────────────────────────────────────────────────────────┤
│ AA:BB:CC:DD:EE:FF | 11:22:33:44:55:66 | VLAN: 2 | IPv4 │
├────────────────────────────────────────────────────────┤
│            IPv4 Payload (IP Header + Data)             │
└────────────────────────────────────────────────────────┘

When frame arrives at Port 2 (Access, VLAN 2):
├─ Switch removes 802.1Q tag
├─ Delivers untagged frame to device
└─ Device sees: AA:BB:CC:DD:EE:FF → 11:22:33:44:55:66 [IPv4 Data]
```

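To make the tag handling concrete, here is an added example (not part of the original page) that builds the tagged frame a trunk port carries and then performs the access-port step: read the VLAN ID from the tag and strip it before the frame reaches the device. The MAC addresses, the payload bytes and the helper names (`build_tagged_frame`, `parse_frame`, `access_port_egress`) are constructed for this example.

```python
# Added example (not the page's code): 802.1Q tag insertion, parsing and
# stripping for the trunk -> access-port path described in the diagram.
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_tagged_frame(dst, src, vlan_id, payload, pcp=0, dei=0):
    """Insert the 4-byte tag (TPID + TCI) between the MACs and the EtherType."""
    tci = (pcp << 13) | (dei << 12) | (vlan_id & 0x0FFF)   # VLAN ID is 12 bits
    return (mac(dst) + mac(src) + struct.pack("!HH", TPID_8021Q, tci)
            + struct.pack("!H", ETHERTYPE_IPV4) + payload)


def parse_frame(frame):
    """Return (dst, src, vlan_id or None, ethertype, payload)."""
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:          # untagged frame: no VLAN ID present
        return dst, src, None, ethertype, frame[14:]
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, inner_type, frame[18:]


def access_port_egress(frame, port_vlan):
    """Simplified switch behaviour on an access port: a frame that came in
    over the trunk is forwarded only if its tag matches the port's VLAN, and
    the tag is removed on the way out. Untagged or foreign-VLAN frames are
    not delivered, which is what stops tag injection across ports."""
    dst, src, vid, ethertype, payload = parse_frame(frame)
    if vid != port_vlan:
        return None
    return dst + src + struct.pack("!H", ethertype) + payload


# Constructed sample: the diagram's frame, tagged VLAN 2, carrying IPv4.
SAMPLE = build_tagged_frame("aa:bb:cc:dd:ee:ff", "11:22:33:44:55:66",
                            2, b"IPv4 data")

if __name__ == "__main__":
    print("trunk frame :", SAMPLE.hex())
    print("on port 2   :", access_port_egress(SAMPLE, 2).hex())
    print("on port 3   :", access_port_egress(SAMPLE, 3))
```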
## Isolation Guarantees

```
┌─────────────────────────────────────────────────────┐
│              VLAN Isolation Mechanisms              │
├─────────────────────────────────────────────────────┤
│                                                     │
│  1. Layer 2 (Link Layer)                            │
│     ├─ VLANs have separate broadcast domains        │
│     ├─ ARP packets don't cross VLAN boundaries      │
│     └─ Broadcast storms are contained               │
│                                                     │
│  2. Layer 3 (Network Layer)                         │
│     ├─ Different subnets per VLAN                   │
│     ├─ Devices can't directly route between VLANs   │
│     └─ Must go through Layer 3 gateway (pfSense)    │
│                                                     │
│  3. Firewall Rules (pfSense)                        │
│     ├─ Explicit deny between VLANs (unless allowed) │
│     ├─ Stateful inspection prevents spoofing        │
│     └─ Rate limiting and IDS possible               │
│                                                     │
│  4. Switch-Level Isolation (if applicable)          │
│     ├─ 802.1Q VLAN tags ensure switch-level routing │
│     └─ Malformed frames or tag injection blocked    │
│                                                     │
└─────────────────────────────────────────────────────┘
```

## Routing Summary

```
Routing Table on pfSense:

Destination       Next Hop        Interface        Metric
────────────────────────────────────────────────────────────
0.0.0.0/0         192.168.1.1     WAN              1
172.27.0.0/24     direct          LAN (VLAN 1)     0
172.27.2.0/24     direct          OPT1 (VLAN 2)    0
172.27.3.0/24     direct          OPT2 (VLAN 3)    0
```

### How Routing Works

1. **Packet from LAN_SECURE to VLAN_AIWORKLOAD:**
   - Source: 172.27.0.100, Dest: 172.27.2.50
   - pfSense checks routing table
   - Destination 172.27.2.0/24 → exists on OPT1
   - pfSense checks firewall rule for LAN → OPT1
   - Rule says: BLOCK
   - Packet is dropped ✗

2. **Packet from VLAN_AIWORKLOAD to Internet:**
   - Source: 172.27.2.50, Dest: 8.8.8.8
   - pfSense checks routing table
   - Destination 8.8.8.8 → matches 0.0.0.0/0 (default route)
   - Next hop: WAN gateway (192.168.1.1)
   - pfSense checks firewall rule for OPT1 → WAN
   - Rule says: ALLOW
   - Packet forwarded to WAN ✓

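As an added example (not the page's own code or pfSense's implementation), the following Python models the two-step decision just described: a longest-prefix lookup in the routing table from the Routing Summary, then the three rules from the Firewall Rule Chain, evaluated against the flows in the Traffic Examples. The interface names follow the routing table; the `lookup` and `decide` helpers are assumptions made for the model.

```python
# Added example (not the page's code): route lookup plus the per-interface
# rule chain, so the allowed/blocked verdicts above can be reproduced.
from ipaddress import ip_address, ip_network

# Routing table from the page; "direct" means the subnet is attached.
ROUTES = [
    (ip_network("0.0.0.0/0"),     "WAN",  "192.168.1.1"),
    (ip_network("172.27.0.0/24"), "LAN",  "direct"),
    (ip_network("172.27.2.0/24"), "OPT1", "direct"),
    (ip_network("172.27.3.0/24"), "OPT2", "direct"),
]
# Subnet bound to each local interface, used for the source check (rule 1).
IFACE_SUBNET = {iface: net for net, iface, hop in ROUTES if hop == "direct"}


def lookup(dst):
    """Longest-prefix match: the most specific route wins, default route last."""
    addr = ip_address(dst)
    matches = [r for r in ROUTES if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)


def decide(in_iface, src, dst):
    """Return (verdict, out_iface, reason) for a packet arriving on in_iface."""
    # Rule 1: the source must belong to the arrival interface's subnet;
    # a packet claiming a foreign source address is dropped (anti-spoofing).
    if ip_address(src) not in IFACE_SUBNET[in_iface]:
        return ("BLOCK", None, "rule 1: source not in interface subnet")
    net, out_iface, next_hop = lookup(dst)
    if out_iface == in_iface:
        # Same VLAN: delivered at layer 2, never enters the forwarding path.
        return ("PASS", in_iface, "same VLAN (switched, not routed)")
    # Rule 2: traffic leaving for the Internet is allowed.
    if out_iface == "WAN":
        return ("PASS", "WAN", f"rule 2: allow to Internet via {next_hop}")
    # Rule 3: anything bound for another VLAN hits the default deny.
    return ("BLOCK", out_iface, f"rule 3: inter-VLAN to {out_iface} denied")


if __name__ == "__main__":
    for flow in [("LAN",  "172.27.0.100", "8.8.8.8"),        # trusted -> Internet
                 ("LAN",  "172.27.0.100", "172.27.2.50"),    # trusted -> AI workload
                 ("OPT1", "172.27.2.50",  "172.27.0.100"),   # AI workload -> trusted
                 ("OPT2", "172.27.3.102", "172.27.2.50"),    # IoT -> AI workload
                 ("LAN",  "172.27.2.50",  "8.8.8.8")]:       # spoofed source on LAN
        print(flow, "->", decide(*flow))
```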
---

**Last Updated:** 2026-04-22