OPNsense Mastery: Crafting Secure Networks with VLANs and Firewalls


It’s no secret that I’ve plunged headfirst into the world of virtualization. It began innocuously enough—a virtual machine here, a router there, all basking in the virtual goodness. This obsession has grown to the point where I find myself looking at everything, wondering, ‘Can I virtualize it?’ I’ve been staring at my setup so intently that I’m now down to contemplating the wires themselves. Can they be virtualized? The answer, of course, is sort-of. But I’m not talking about using Wi-Fi; we’re talking Firewalls and VLANs.

placeholder for an image

The Intricacies of Network Traffic in a Virtual World

Let’s talk a little about network traffic. In a physical setup, managing traffic is akin to directing cars on a highway. Each vehicle follows a predetermined path, abiding by the rules of the road. However, these lanes are fixed, offering only a handful of options for traversing them. It’s a system that works but is inherently limited in its flexibility and adaptability.

Consider a traditional home network where all devices are connected to a single switch. This setup is similar to a one-lane road where all types of traffic—data from the work computer, game consoles, IoT enabled fridge, and even the security cameras—travel together. While functional, this setup doesn’t allow for prioritization or segregation of sensitive data, much like a single-lane road can’t differentiate between a cargo truck and a sports car.

In contrast, virtualization brings a paradigm shift. It’s like suddenly having the power to dynamically alter the highway itself. Imagine being able to create, merge, or divert lanes based on real-time traffic conditions. That’s the essence of managing network traffic in a virtual environment. With tools like VLANs and virtual firewalls, I have the ability to tailor the network infrastructure to suit specific needs and scenarios.

Now we can really segment our highway, where each lane is dedicated to a specific type of traffic. For instance, one VLAN could be exclusively for the finance department, ensuring sensitive data travels on a separate, secure path, while another VLAN could be for guest Wi-Fi, isolated from the core network. This setup not only enhances security but also improves efficiency.

The firewall being the police officer who oversees and regulates the flow of traffic. Think of it as the checkpoint that scrutinizes every vehicle (data packet) that passes through. In our virtual world, the firewall’s role becomes even more critical. It’s not just about monitoring; it’s actively managing and directing the flow of data based on sophisticated rulesets.

This is where the magic happens. For example, the firewall can be configured to allow only trusted traffic to access sensitive resources, like your work files, while keeping recreational traffic, such as gaming data, confined to its own virtual lane. Our traffic officer not only directs traffic, but intelligently reroutes vehicles based on their destination and importance, ensuring a smooth and secure journey for each data packet.

In the realm of cybersecurity, firewalls serve as more than just gatekeepers regulating the flow of network traffic. They are the robust digital barriers that shield your network from the myriad threats lurking in the vast cyber landscape, both inside and out. Acting as vigilant sentinels, firewalls scrutinize incoming and outgoing data, ensuring that only legitimate traffic is allowed through while blocking malicious or unauthorized attempts to breach your network.

placeholder for an image

Firewall Features: The Digital Arsenal

Firewalls, as commonly understood, function as packet filtering machines, scrutinizing each network packet against a set of predefined rules. For example:

 If the source address is a machine on our LAN, then it's okay for the packet to go to the internet.

or maybe

If the destination of our packet is Port 22 but it's coming from the internet, we should throw it out.

In addition to these basic functions, firewalls are equipped with advanced features such as Network Address Translation (NAT) and Packet Masquerading:

NAT (Network Address Translation): NAT serves as a translator between your private network and the internet. It allows multiple devices on a local network to use a single public IP address. This arrangement facilitates secure and efficient routing of both outgoing and incoming internet traffic.

When a device from our LAN (e.g., accesses the internet, NAT changes the source IP to our public IP (e.g.,

This way, the outside world only sees requests coming from our public IP, not the individual device.

Masquerading: As a specialized form of NAT, masquerading enables one network device to disguise itself as another. This feature is particularly useful for concealing the internal IP addresses of a network when connecting to the internet, enhancing security and privacy by making external sources see only the masquerading device’s IP address.

When a device from VLAN 10 (e.g., accesses resources in VLAN 20 (e.g., 10.0.20.X), masquerading is applied to make the traffic appear as if it's originating from the VLAN 10 gateway ( 

This ensures smooth inter-VLAN communication and keeps individual device identities within VLAN 10 concealed.

Following these features, firewalls also include:

  • Stateful Inspection: This technique involves tracking the state of active connections. The firewall makes decisions based on the context of the traffic, rather than solely on individual packets, allowing for more nuanced and intelligent security measures.
  • Deep Packet Inspection (DPI): Going beyond mere header analysis, DPI examines the data within the packet itself. This thorough inspection ensures adherence to protocol and policy standards, significantly enhancing the detection and prevention of malicious traffic.

Employing these functionalities, firewalls not only identify potentially harmful or malformed packets but also robustly safeguard clients and servers behind the firewall. The combination of hiding internal IPs, managing traffic meticulously, and analyzing packet content elevates the firewall from a simple gatekeeper to a sophisticated guardian of network integrity.

Linux Firewalls: A Quick Overview

Linux offers a variety of firewall options, each with its unique features and levels of complexity.

UFW (Uncomplicated Firewall): Ideal for beginners, UFW provides a user-friendly interface to manage firewall rules. It’s like riding a bicycle with training wheels, offering a straightforward path to network security without the complexities.

IPTables: The classic choice for Linux users, IPTables is powerful but comes with a steep learning curve. It’s like navigating a complex spacecraft – demanding, but incredibly rewarding for those who master it.

nftables: As the modern successor to IPTables, nftables offers a more accessible approach to firewall management while retaining the power of its predecessor. Think of it as piloting a sophisticated spacecraft with a more intuitive control system.

OPNsense: Stands out with its unique blend of IPFW and PF, coupled with an intuitive user interface. It merges the strengths of traditional Linux firewalls into a user-friendly package, making advanced network management accessible to everyone.

In a secure environment we’d deploy something like nftables on each host and then fine tune our rules such that each machine only accepts the traffic it’s designed to handle, however we’re just going to focus on the OPNsense firewall to simplify things a bit.

placeholder for an image

Part 1: OPNsense Commonsense

Let’s walk through the process of adding a new rule on the WAN interface of our router. This setup ensures that as traffic arrives at the WAN interface, it is evaluated by the firewall before potentially being allowed to pass through to our LAN interface or VLANs.

We’ll begin with a straightforward objective: blocking SSH (Secure Shell) connections originating from the internet. By implementing this rule, we aim to prevent external entities from attempting to access our router or any internal device via SSH (typically using port 22) through the WAN interface. This precaution is crucial for safeguarding any servers we might have set up within our network from unauthorized internet access.

While this configuration will indeed restrict our ability to SSH into our servers from outside the network, it’s a deliberate choice. We’re prioritizing security by ensuring our servers are not exposed to potential threats from the wider internet. In a forthcoming post, we plan to establish a VPN (Virtual Private Network). This VPN setup will enable secure remote access to our servers without exposing them directly to the internet, thereby keeping them shielded from malicious actors.

Accessing OPNsense

  1. Log into OPNsense:

    • Open your web browser.
    • Enter the IP address of your OPNsense firewall’s WAN interface.
    • Log in using your administrator credentials.
  1. Open WAN Firewall Rules:

    • In the OPNsense web interface, navigate to Firewall in the top menu.
    • Select Rules and then choose the WAN tab.

Adding a New Rule

  1. Create a New Rule:

    • Click the + icon on the right side to add a new rule.
    • This action will open the rule configuration page.

Configuring the Rule

  1. Set Rule Parameters:

    • Action: Select “Block” to deny SSH traffic.
    • Interface: Ensure “WAN” is selected.
    • Direction: Usually “in”.
    • Protocol: Choose “TCP”.
    • Source: Set to “any” (as SSH attempts can come from any external source).
    • Destination: Choose “WAN address” (since the attempts would be hitting the WAN IP).
    • Destination Port Range: Set “from” and “to” both to “SSH” (Port 22).
    • Description: Add a meaningful description, like “Block WAN SSH attempts”.
  2. Extra Options (Optional):

    • Log: You might want to enable logging for this rule to monitor any attempted SSH connections.

Applying the Rule

  1. Save and Apply:

    • Click “Save” to store the rule.
    • Click “Apply Changes” to activate the rule.

Verifying the Rule

  1. Testing the Rule:

    • Conduct a test by trying to SSH into your router’s WAN IP from an external network (not from your LAN). The attempt should be blocked.
    • Check the firewall logs (under Firewall > Log Files > Live View) to see if the blocked attempts are being logged.

Important Considerations

  • Remember, firewall rules in OPNsense are processed from top to bottom. The new rule should be placed above any more permissive rules that could allow SSH traffic.
  • This rule will prevent SSH access to any device behind the WAN interface of your OPNsense firewall from external sources. Ensure you have alternative means (like local LAN access or VPN) to manage your network devices.

placeholder for an image

Part 2: VLANs Everywhere

Now that we understand the purpose of a firewall and some of its capabilities, it’s time to segment our network using VLANs. To recap, VLANs offer several key benefits:

  • Isolation: Keep different types of network traffic separate and secure.
  • Segmentation: Logically divide your network for better organization.
  • Security: Enhance overall network safety by segregating sensitive data.

It’s essential to consider the types of devices in your network – such as security cameras, servers, work computers, game consoles, and IoT devices. Think about the importance of each device and the nature of the data they handle.

In my setup, I use several VLANs for various purposes. Let’s review these VLANs, their use cases, and some firewall rules I’ve implemented to not only secure but also optimize the performance of my home network.

WAN VLAN (10): This VLAN is my gateway to the internet. It allows me to use a device with a single Ethernet interface as a router and supports a highly available router setup.

LAN VLAN (20): This VLAN is the heart of my home network, including computers, gaming consoles, and smartphones. It features DNS ad-blocking for added security, and its rules allow access to IoT and service VLANs, maintaining a secure yet functional environment.

Services VLAN (30): This VLAN acts as the central hub for my servers, databases, and other critical services. Its configuration allows interaction with IoT and camera VLANs, ensuring smooth operation of these services.

Storage VLAN (40): I established this VLAN to decrease the traffic load between components of my distributed storage network, thereby enhancing overall performance and efficiency.

Cameras VLAN (50): I created this VLAN specifically for my IP cameras. It is accessible by certain services but remains isolated from the general network, enhancing security and privacy.

Guest VLAN (100): I designed this VLAN as a virtual VIP area for guests, providing direct internet access. It is configured for internet-only access, keeping the rest of my network private and secure.

IoT VLAN (110): This is a dedicated VLAN for all my smart devices. It is set up to provide internet access only, preventing these devices from interacting with other network segments, which enhances security.

DMZ VLAN (200): This VLAN hosts internet-accessible devices and is particularly locked down with very specific firewall rules. It allows only defined hosts to communicate while dropping all other traffic. This configuration is crucial for protecting the internal network from potential external threats. Devices in the DMZ are isolated from the rest of the network, ensuring that even if they are compromised, the impact on the broader network is minimized. This VLAN is ideal for servers that need to be accessible from the internet but still require a high level of security.

Placeholder: Visual guides for setting up each VLAN and their respective rules in OPNsense.

placeholder for an image

Creating Vlans in OPNsense

let’s dive into the setup of VLANs in OPNsense. The process is surprisingly straightforward once you get the hang of it.

  1. Login to OPNsense: First things first, fire up your browser and log into your OPNsense dashboard. This is your command center, where all the magic happens.

  2. Head Over to VLANs: Navigate through the interface. Go to “Interfaces” and then select “VLANs”. You’re now in the right spot to start creating your VLANs.

  3. Adding a New VLAN: Here comes the fun part. Click on the “+” sign to add a new VLAN. It’s like opening a new chapter in your network’s life.

  4. Configuring Your VLAN:

    • Parent Interface: This is where you tell the VLAN which physical interface it should cling to. Choose wisely. we’ll go in to a little more detail about different interface options in a little bit.
    • VLAN Tag: Each VLAN needs an identity, a tag that sets it apart. For your WAN VLAN, it’s ‘10’. Simple, right?
    • VLAN Priority: Most of the time, you can skip this. Unless you’re playing in the big leagues with Quality of Service (QoS) needs.
    • Description: Give your VLAN a name that means something to you. “WAN VLAN” is a good start.
  5. Rinse and Repeat: Follow these steps for each VLAN, giving each a unique tag and description. Remember, organization is key in the VLAN world.

  6. Assign Those Interfaces: After creating your VLANs, it’s time to assign them. Go to “Interfaces > Assignments”. Here, you’ll give your VLANs a virtual place to live.

  7. Configuring Interfaces: For each VLAN you’ve assigned, set up the necessary details. Think IP addresses, DHCP settings, and the like.

  8. Apply and Reboot: Hit that apply button and let your network adapt to its new structure. This is where your VLANs come to life.

placeholder for an image

Adding Firewall Rules

Now, let’s set up some rules to keep things orderly and secure.

  1. Cameras VLAN to Services VLAN (NVR) Rule:

    • Purpose: This rule allows your IP cameras on the Cameras VLAN (50) to communicate exclusively with your Network Video Recorder (NVR) on the Services VLAN (30). It’s crucial for security surveillance without exposing your NVR to the entire network.

    • Setup: Go to OPNsense > Firewall > Rules > Cameras VLAN

      • Source: Cameras VLAN (50)
      • Destination: IP of NVR on Services VLAN (30)
      • Action: Pass
  2. IoT VLAN Internet-Only Access Rule:

    • Purpose: IoT devices are notorious for being less secure. This rule restricts your IoT VLAN (110) to accessing only the internet, isolating them from the rest of your network to mitigate potential security risks.

    • Setup: Go to OPNsense > Firewall > Rules > IoT VLAN

      • Source: IoT VLAN (110)
      • Destination: Any (Internet)
      • Action: Pass for Internet, Block for Local Networks
  3. LAN and Services Access to IoT VLAN:

    • Purpose: While IoT devices are isolated from each other, you might still need to access them from your primary devices for management or interaction purposes. This rule allows devices on your LAN and Services VLANs to communicate with IoT devices.

    • Setup: Go to OPNsense > Firewall > Rules > LAN VLAN and repeat for Services VLAN

      • Source: LAN VLAN (20) and Services VLAN (30)
      • Destination: IoT VLAN (110)
      • Action: Pass
  4. DMZ Restricted Ingress and Egress Traffic Rule:

    • Purpose: This rule is designed to tightly control the traffic that enters and exits the DMZ VLAN (200). It ensures that only specific, predefined types of traffic can reach the internet-facing devices hosted in the DMZ, and similarly, that these devices can only initiate certain types of outbound traffic. This is vital for minimizing the risk of external attacks and preventing any compromised DMZ device from being used as a launchpad for attacks on other network segments.

    • Setup: Go to OPNsense > Firewall > Rules > DMZ VLAN

      • Ingress (Incoming Traffic):

        • Source: Any (Internet)
        • Destination: Specified services/ports on DMZ VLAN (200)
        • Action: Pass for specified services/ports, Block all others
      • Egress (Outgoing Traffic):

        • Source: DMZ VLAN (200)
        • Destination: Limited to essential external services (e.g., update servers, specific cloud services)
        • Action: Pass for essential services, Block all other internet traffic
    • Additional Measures: Implement strict NAT rules, intrusion detection and prevention systems, and comprehensive logging and monitoring for the DMZ VLAN traffic to further enhance security.

Additional Rule Ideas:

  1. Guest VLAN Isolation: Keep guests on a separate network for security and privacy, allowing only internet access and blocking entry to your primary network.

  2. Restrict WAN Access for Sensitive Devices: Block certain high-security devices or servers from accessing the internet directly for enhanced security.

  3. Storage VLAN Restricted Access: Allow only specific devices or VLANs to access your Storage VLAN to protect sensitive data.

  4. Prioritize Gaming Traffic on LAN VLAN: Ensure smooth gaming experiences by giving gaming traffic higher priority on your network.

  5. Block Unwanted External Services: Increase security by blocking known malicious IP addresses or unwanted services from connecting to your network.

  6. Logging for Specific VLAN Traffic: Enable detailed logging for certain VLANs to monitor and troubleshoot network issues.

  7. Time-based Access Restrictions for Certain VLANs: Limit access to recreational VLANs (like gaming or streaming) during specific hours, perhaps for parental control or productivity reasons.

placeholder for an image

VLANs in Practice

Earlier when we were setting up our vlans we assigned a tag to a parent interface, the reason we’ve delayed talking about these interfaces is because it really depends on your specific wants, needs, and hardware.

In traditional physical router setups, you typically have a WAN port and at least one LAN port. These ports correlate directly to their interfaces in the router software. However, in a virtualized environment like with a virtual router on a Proxmox host, your options expand significantly:

Trunking with a Single WAN and Multiple LANs: In networking, a “trunk” is a line or link that can carry multiple signals simultaneously to provide network access to many users. Think of it like a main highway with multiple lanes, each lane representing a different VLAN. This setup is particularly versatile: To Another Machine (like Proxmox Host): The trunk can lead directly to another machine, such as a Proxmox host. This allows VMs on that host to communicate on specific VLANs. For example, one VM could be on your private network VLAN, while another could be on a guest network VLAN, all while using the same physical connection. To a Network Switch: You can also connect this trunk to a network switch. The switch can then assign different VLANs to individual ports. For example, port 1 could be assigned to your private network VLAN, while port 2 could be for your IoT devices. To a WiFi Access Point: Another option is to connect the trunk to a WiFi access point. This allows you to create multiple WiFi networks (SSIDs), each corresponding to a different VLAN. For instance, you could have one SSID for your personal devices on one VLAN and another SSID for guest devices on a separate VLAN.

  • Multiple WAN Ports for Redundancy or Aggregation: You can configure more than one WAN port for failover (switching to a backup ISP if the primary drops out), or aggregate multiple WAN connections for increased bandwidth, using two slower, more affordable ISPs to achieve a higher combined speed.
  • Single WAN with VLAN-Assigned LAN Ports: Another option is to have a single WAN port and several LAN ports, each assigned specific VLANs (Direct VLAN Interface Assignment).
  • Single Physical Port with VLAN-Capable Switch: If your machine has only one physical Ethernet port, but you have a VLAN-capable switch, you can separate WAN and LAN traffic using VLANs and firewall rules, all on a single port.
  • Single Physical Port Lab Setup: If you prefer to keep traffic within your lab environment, you can use the physical port as a pseudo WAN port. This allows you to segregate your home LAN from your lab setup. By bridging your physical port to your WAN and then utilizing VLAN IDs, you can effectively manage traffic between your VMs and LXCs on the host. This setup ensures that your lab network remains isolated and secure, while still providing the flexibility to manage and route traffic as needed within your virtual environment.

To get started with this setup, we’ve got a couple of options.

You can either opt for bridging a physical network interface card (NIC) to a virtual interface, which is particularly useful in scenarios where you want to extend the reach of your physical network into the virtual domain. This method is ideal for setups where VMs need direct access to the physical network.

Alternatively, you can create a VLAN bridge on a physical interface. This approach is best suited for scenarios where you want to segregate and manage network traffic more efficiently. By using VLANs on a single physical interface, you can direct traffic to specific VMs or containers based on VLAN tags, offering a streamlined and organized network structure. This setup is especially beneficial in environments where network simplicity and security are paramount.

Understanding Linux Bridges

Linux bridges act like virtual switches within your Linux host. They allow you to connect several network interfaces (physical or virtual) into a single segment, enabling them to communicate as if they were on the same physical network. This is especially useful in virtualized environments for managing traffic between VMs, containers, and the physical network.

Configuration Scenarios: Diverse and Practical

  1. WAN and LAN Interface Setup:

    • This setup involves dedicating separate network interfaces for WAN (like vmbr0) and LAN (such as vmbr1) on your OPNsense router or Proxmox server.
    • Functionality: By trunking all VLANs through the LAN interface (vmbr1), any connected device, whether virtual or physical, can join a specific VLAN by tagging its traffic with the right VLAN ID.
  2. Direct VLAN Interface Assignment:

    • Ideal for scenarios requiring direct VLAN assignments to specific network interfaces.
    • Example: Bridge VLAN 10 to vmbr1, VLAN 20 to vmbr2, etc., for organized and segregated traffic flow.
  3. Single Interface with VLAN-Capable Switch:

    • Suitable if your setup has only one Ethernet interface but includes a VLAN-capable switch.
    • Implementation: Trunk all VLANs through the single Ethernet port. For instance, in my mini-micro cluster, one interface manages WAN traffic, while another is reserved for VM migrations, storage, and backups.
  4. Proxmox Host with Virtual Interfaces:

    • This approach is beneficial in lab-style setups where VLANs are managed on a single Proxmox host.
    • Configuration: Use a bridged network port for WAN (vmbr0) and create a virtual interface (vmbr2) for LAN. VMs/LXCs specify their VLAN tag in the network setup, utilizing vmbr2 that isn’t connected to a physical port.

Device Configuration

Integrating Layer 3 Switch

Now that our VLANs are up and running in OPNsense, it’s crucial to grasp the concept of tagged and untagged ports to effectively bring our VLANs to life.

  • A Layer 3 switch can be used to further break down and manage VLANs.
    • Advantage: It allows for routing between VLANs without passing traffic back to the router, optimizing network speed and efficiency.
    • {explain a bit more about how this works }
Tagged Ports
  1. What They Are: Tagged ports are the network’s multilingual experts. They can handle traffic from multiple VLANs simultaneously.
  2. How They Work: Each packet traveling through a tagged port carries a VLAN tag. This tag tells the network which VLAN the packet belongs to, much like a destination tag on airline luggage.
  3. Usage Scenario: You’d use a tagged port on a switch when it’s connected to a router, another switch, or a server that needs to communicate across multiple VLANs. For instance, your WiFi access point might be connected to a tagged port. This allows it to broadcast multiple SSIDs, each corresponding to a different VLAN (like one for guests and another for home devices).
Untagged Ports
  1. What They Are: Untagged ports are like dedicated couriers, dealing with only one type of delivery at a time.
  2. How They Work: Traffic passing through an untagged port belongs to only one VLAN. There’s no specific VLAN tag on these packets since the port itself is dedicated to a single VLAN.
  3. Usage Scenario: You’d typically set up an untagged port for devices like a desktop PC, a gaming console, or a printer that only need to access one specific VLAN. For example, a security camera might connect to an untagged port assigned to the ‘Cameras VLAN’. This ensures it only sends and receives data within that specific VLAN.

Connecting a WiFi Access Point to a Tagged Port on Your Proxmox Host/VLAN-Capable Switch

Setting up your WiFi access point to handle multiple VLANs can be an effective way to segment and secure your wireless network. By assigning specific VLANs to different WiFi SSIDs, you can create distinct networks for various purposes.

WiFi Networks for Each VLAN
  • Configuration: Depending on the capabilities of your WiFi access point, you can assign different VLANs to individual SSIDs. This segregation allows you to tailor network access based on user needs or device types.

  • Examples:

    • Guest Network SSID: Create an SSID exclusively for guests, providing them internet access without entry into your main network.
    • Local Devices SSID: Have a separate network for your personal devices such as phones and laptops, ensuring secure and unrestricted access to your primary network resources.
    • IoT Devices SSID: Assign a dedicated VLAN and SSID for IoT devices, segregating them for security reasons, as they are often more vulnerable to exploits.
    • Cameras Network SSID: Establish a VLAN for your IP cameras to enhance security and privacy by isolating them from the rest of your network.
  • Benefits:

    • Enhanced Security: By assigning different VLANs to specific SSIDs, you effectively isolate network traffic, which is crucial for sensitive devices like IP cameras or less secure devices like IoT gadgets.
    • Network Organization: This setup aids in efficiently managing your network, making it easier to enforce policies and troubleshoot issues specific to each segment.
    • Flexible Access Control: It allows you to control who has access to what part of your network, essential for guest networks or restricting IoT device interactions.

Connecting to a Tagged Port

Effective connection to a tagged port involves specific configurations depending on the device or system in use. Here’s how to set it up for different environments:

Tagged Proxmox VM

To connect a Proxmox VM to a VLAN:

  1. Edit VM Settings: Access the VM settings you wish to add to the VLAN.
  2. Modify Network Device: Under the “Hardware” tab, locate the network device (commonly net0) and edit its configuration.
  3. Bridge Selection: Set the “Bridge” to your VLAN-aware bridge (e.g., vmbr1).
  4. VLAN Tagging: Input the VLAN tag in the VM’s network settings to correspond with the desired VLAN.
Windows Tagged VLAN Setup

For setting up a VLAN on a Windows machine:

  1. Access Adapter Settings: Navigate to “Network and Sharing Center,” then to “Change adapter settings.”
  2. Properties Adjustment: Right-click the network adapter and choose “Properties.”
  3. VLAN Configuration: If your NIC supports VLANs, an option like “VLAN” or “Advanced” will be present. Here, you can add a VLAN by specifying the VLAN ID that matches your network’s tagged VLAN.
MacOS Tagged VLAN Setup

To configure a VLAN on a macOS device:

  1. Open System Preferences: Click the Apple menu and go to “System Preferences.”
  2. Network Settings: Select “Network” to view your network configurations.
  3. Add VLAN Service: Click the “+” button to add a new service. In the interface dropdown, pick your Ethernet interface, then select “VLAN.”
  4. Configure VLAN: Name the VLAN service and enter the VLAN tag (ID) that aligns with your network setup.
  5. IP Configuration: Set up other network parameters like IP address and subnet mask, either manually or through DHCP, based on your network’s setup.

placeholder for a network diagram

A Simple overview of my network

To finish up lets go through what we’ve talked about and have a look at how i segment my network.

Let’s consolidate everything we’ve discussed into a cohesive picture of how my network is segmented and organized.

Network Layout

graph LR

Modem(Modem - ISP) -->|Untagged VLAN 10| Switch\[Managed Switch]

Switch -->|Port 2: Trunk All VLANs| Baragon(Proxmox Host - Baragon)

Switch -->|Port 3: Trunk| WiFiAP1(WiFi AP - Upstairs)

Switch -->|Port 4: Trunk| OfficeSwitch\[Office - 2nd Managed Switch]

Switch -->|Port 5: Trunk| Scylla(Mini Micro - Scylla)

Switch -->|Port 6: Untagged VLAN 20| StreamVM(Streaming VM)

Switch -->|Port 7: Untagged VLAN 110| IoT(Chromecast - IoT)

Switch -->|Port 4: Trunk| Powerline\[Powerline Adapter]

Powerline --> GarageWiFiAP(WiFi AP - Garage)

OfficeSwitch --> |Port 1: Trunk| Desktop(Desktop PC)

OfficeSwitch --> |Port 2: Trunk| MediaServer(Media Server)

OfficeSwitch --> |Port 3: Trunk| BackupServer(Backup Server)

OfficeSwitch --> |Port 4: Untagged VLAN 20| LaptopDock(Laptop Dock)


classDef vlan fill:#f9f,stroke:#333,stroke-width:2px;

class Modem,StreamVM,IoT vlan;

  • Managed Switch Core: At the heart of my home network is a managed switch, orchestrating VLAN distribution and traffic flow.
  • ISP Connection (Port 1): Port 1, with an untagged VLAN 10, connects to my NBN (ISP) modem, serving as the gateway to the internet.
  • Proxmox Host - Baragon (Port 2): Baragon, a Proxmox host running an OPNsense VM, is linked to port 2. With just one Ethernet port available, it trunks all VLANs, acting as a versatile network hub.
  • WiFi and Powerline Adapters (Ports 3/4): Ports 3 and 4 trunk to a WiFi access point upstairs and a powerline adapter, respectively. The latter extends the network to another WiFi access point in the garage.
  • Office Connectivity (Port 4): This port is tagged for services, storage, and LAN, running directly to a second managed switch in the office.
  • Mini Micro Host - Scylla (Port 5): Port 5 is trunked to Scylla, a secondary mini micro host that functions as both a High Availability (HA) unit and a game streaming server.
  • Dedicated Streaming VM (Port 6): Port 6, an untagged LAN, is allocated to a moonlight streaming VM on Baragon for enhanced streaming performance.
  • IoT Devices (Port 7): Untagged Port dedicated to IoT, connects to devices like a Chromecast, ensuring isolated and secure IoT operation.
  • Second Managed Switch: This switch hosts a mixture of trunks and untagged LAN ports, connecting vital components like my main desktop PC, media server, backup server, and laptop dock.

In this journey through the intricate world of home networking, we’ve traversed from the foundational aspects of VLANs and firewalls to the practical applications within a sophisticated home network. We’ve seen how VLANs can bring a new level of organization, security, and efficiency to our network, allowing for seamless segmentation and tailored traffic management. Our exploration of connecting various devices, from Proxmox VMs to WiFi access points, demonstrates the versatility and power of a well-structured network. As we conclude, I hope this blog post not only enlightens but also inspires you to look at your home network as more than just a mere connection point, but as a dynamic, secure, and highly efficient system. Whether you’re a seasoned network enthusiast or just starting out, remember, the journey to an optimized home network is continuous, and there’s always room to grow and improve.