The goal here is a simple but secure home network that minimizes risk while keeping administration and everyday usage smooth.
## Design principles
Some rules I try to follow with my setup:
- Services should have the least amount of access possible.
- Infrastructure should be isolated from regular clients.
- Guests should not be able to reach internal resources.
- Infrastructure should be easy to understand and debug.
## Network overview
Internet -> OPNsense -> Managed Switch
The managed switch separates clients into different VLANs based on function. IP addresses follow the same numbering as the VLANs.
| VLAN | Gateway | Name | Purpose |
|---|---|---|---|
| 10 | 192.168.10.1/24 | MGMT | Infrastructure and administration |
| 20 | 192.168.20.1/24 | LAN | Trusted clients |
| 30 | 192.168.30.1/24 | GUESTS | Wifi and WAN / internet only |
| 40 | 192.168.40.1/24 | SERVICES | Virtual machines, containers, lab etc. |
| 50 | 192.168.50.1/24 | IOT | IOT devices |
## Managed Switch
Got a Netgear GS108Ev3 managed switch at home to handle VLANs.
T = Tagged (trunk), U = Untagged
| Port | Device | VLANs | PVID |
|---|---|---|---|
| 1 | OPNsense | 10T, 20T, 30T, 40T, 50T | - |
| 2 | CalDigit TS4 | 20U | 20 |
| 3 | Ubiquiti Unifi AP AC LITE | 10T, 20T, 30T, 40T, 50T | - |
| 4 | Ikea Gateway | 50U | 50 |
| 5 | Telia IPTV | 50U | 50 |
| 6 | Proxmox | 10T, 20T, 40T | - |
| 7 | Empty | - | - |
| 8 | Empty | - | - |
## Traffic flow
- LAN -> MGMT = Allowed
- LAN -> SERVICES = Allowed
- LAN -> IOT = Allowed
- IOT -> LAN = Blocked
- IOT -> SERVICES = Blocked
- GUESTS -> Internet only
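To check that the flow list above actually enforces the design principles, here is a small model of the zone-to-zone policy as a first-match rule list, the way OPNsense evaluates rules with "quick" set. This is an added example, not the author's OPNsense ruleset: the rule order, the GUESTS catch-all, the final default-deny and the sample addresses are assumptions, and it ignores pf's stateful handling of return traffic. It goes one step beyond the list by reporting which zone pairs are decided only by the default rule, so each of those can get an explicit decision.

```python
import ipaddress

# VLAN subnets from the table above; the gateway is .1 in each /24.
VLANS = {
    "MGMT": ipaddress.ip_network("192.168.10.0/24"),
    "LAN": ipaddress.ip_network("192.168.20.0/24"),
    "GUESTS": ipaddress.ip_network("192.168.30.0/24"),
    "SERVICES": ipaddress.ip_network("192.168.40.0/24"),
    "IOT": ipaddress.ip_network("192.168.50.0/24"),
}

# Zone-to-zone policy, evaluated top-down, first match wins (like OPNsense
# rules with "quick" set). "*" matches any zone. The explicit rules are the
# ones listed under "Traffic flow"; the GUESTS catch-all and the final
# default-deny are assumptions derived from the design principles.
RULES = [
    ("LAN", "MGMT", "allow"),
    ("LAN", "SERVICES", "allow"),
    ("LAN", "IOT", "allow"),
    ("IOT", "LAN", "block"),
    ("IOT", "SERVICES", "block"),
    ("GUESTS", "INTERNET", "allow"),
    ("GUESTS", "*", "block"),   # guests reach nothing internal (assumed)
    ("*", "*", "block"),        # default deny (assumed)
]


def zone_of(ip):
    """Map an address to its VLAN name, or INTERNET for any non-private address."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "UNKNOWN" if addr.is_private else "INTERNET"


def matches(rule, src_zone, dst_zone):
    """True if the rule's source and destination patterns cover the zone pair."""
    src, dst, _ = rule
    return src in ("*", src_zone) and dst in ("*", dst_zone)


def decide(src_ip, dst_ip):
    """Return 'allow' or 'block' for a new connection from src_ip to dst_ip.
    Reply packets of allowed connections are not modelled: pf is stateful and
    lets them through without a reverse rule."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in RULES:
        if matches(rule, src_zone, dst_zone):
            return rule[2]
    return "block"


def uncovered_pairs():
    """Zone pairs that only the final catch-all decides. Each one is a flow the
    policy never states explicitly, so it deserves an explicit rule (or at least
    a conscious decision) rather than silently relying on the default."""
    zones = list(VLANS) + ["INTERNET"]
    explicit = RULES[:-1]
    return sorted(
        (s, d)
        for s in zones
        for d in zones
        if s != d and not any(matches(r, s, d) for r in explicit)
    )


if __name__ == "__main__":
    # Constructed sample flows: one per stated policy line plus one gap.
    samples = [
        ("192.168.20.10", "192.168.10.1"),   # LAN -> MGMT
        ("192.168.50.7", "192.168.20.10"),   # IOT -> LAN
        ("192.168.30.5", "1.1.1.1"),         # GUESTS -> internet
        ("192.168.30.5", "192.168.40.20"),   # GUESTS -> SERVICES
        ("192.168.50.7", "192.168.10.1"),    # IOT -> MGMT (not stated above)
    ]
    for src, dst in samples:
        print(f"{src:>15} ({zone_of(src):8}) -> {dst:>15} ({zone_of(dst):8}): {decide(src, dst)}")
    print("\nPairs decided only by the default rule:")
    for s, d in uncovered_pairs():
        print(f"  {s} -> {d}")
```

Running it shows the listed flows behaving as intended and then prints the pairs the list never mentions (for example IOT -> MGMT, SERVICES -> LAN, or anything originating in MGMT). Those are the rows to add to the firewall deliberately; with a default-deny policy they are blocked, but a later "allow all" convenience rule would quietly open them.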
## Other configurations
- IKEA Gateway: requires the mDNS Repeater to be enabled in OPNsense, with its Listen interfaces set to both LAN and IOT.
- Unbound is configured with an override for my custom domain: it resolves `*.mydomain.com` to my reverse proxy for internal name resolution.