Overview
This project implements a security-first, enterprise-style network design using OPNsense as the central firewall and routing platform. The goal was not just connectivity, but proper isolation, control, and visibility across different types of devices and services.
Instead of relying on a server-based firewall, I deployed a dedicated OPNsense appliance so security remains online at all times, even if lab servers are powered down. My ISP router is configured in bridge mode, allowing OPNsense to handle all routing, firewall, NAT, and security responsibilities.
This design mirrors how real environments separate trust zones and reduce attack surface.
Core Design Philosophy
Everything on the network has a defined purpose and level of trust.
Segmentation was implemented to:
- Limit lateral movement between devices
- Reduce the blast radius if a system is compromised
- Apply firewall rules based on function, not convenience
- Make troubleshooting and monitoring easier
All inter-VLAN traffic is explicitly controlled by OPNsense.
VLANs and Network Segments
Management LAN
Used for infrastructure management, including switches, access points, controllers, and hypervisors.
Why:
Management interfaces should never live on user networks. This VLAN is tightly restricted and accessible only from trusted administrative devices.
Homelab VLAN
Hosts core lab systems, including ESXi, virtual machines, and internal services.
Why:
Servers require more access than user devices, but should still be isolated. This VLAN enables controlled access to services such as Active Directory while blocking unnecessary inbound traffic.
DMZ
Reserved for services that may be exposed externally or semi-trusted applications.
Why:
The DMZ prevents internet-facing services from having direct access to internal networks. Firewall rules strictly limit what the DMZ can access, adhering to the principle of least privilege.
IoT VLAN
Smart devices, TVs, and other embedded systems.
Why:
IoT devices are often poorly secured. This VLAN only allows internet access and blocks communication with internal networks to prevent lateral movement.
Regular Devices VLAN
Laptops, phones, and general user devices.
Why:
Separating user devices from servers and infrastructure reduces risk and allows different security policies, monitoring, and captive portal enforcement.
VoIP VLAN
Cisco CP8845 phones are used for voice and video conferencing practice.
Why:
VoIP traffic benefits from isolation for security, clarity, and future QoS tuning. Separating phones also prevents them from accessing internal systems unnecessarily.
Captive Portal
OPNsense captive portal is implemented on selected networks.
Why:
Captive portals are commonly used in enterprise environments for guest access, acceptable use acknowledgment, or temporary device access. Implementing this at the firewall keeps authentication and enforcement centralized and independent of wireless hardware.
Wireless Integration with Omada
Access points are managed using the Omada Controller.
Role separation:
- Omada handles SSIDs, RF tuning, and VLAN tagging
- OPNsense enforces security, routing, DHCP, and firewall rules
Why:
This separation keeps wireless management simple while ensuring that all security decisions are made at the firewall. Access points do not make trust decisions; they only tag traffic.
Firewall and Routing
OPNsense handles:
- Inter-VLAN routing
- Stateful firewall rules
- DHCP per VLAN
- NAT and WAN access
- Security enforcement between trust zones
Why:
Centralizing this logic at the firewall provides visibility, control, and consistency across the entire network.
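As an added illustration, not part of the original project, here is a small Python model of the trust-zone policy described above, evaluated top-down with first match winning, the way OPNsense processes rules. The subnets, the trusted admin host and the port numbers are assumptions, since the page gives none.

```python
import ipaddress

# Constructed addressing for the zones this page describes; the page gives no
# subnets, so these RFC 1918 ranges are assumptions for the example only.
ZONES = {
    "management": ipaddress.ip_network("10.0.10.0/24"),
    "homelab":    ipaddress.ip_network("10.0.20.0/24"),
    "dmz":        ipaddress.ip_network("10.0.30.0/24"),
    "iot":        ipaddress.ip_network("10.0.40.0/24"),
    "users":      ipaddress.ip_network("10.0.50.0/24"),
    "voip":       ipaddress.ip_network("10.0.60.0/24"),
}
# Hypothetical trusted administrative workstation allowed into Management.
ADMIN_HOSTS = {ipaddress.ip_address("10.0.50.10")}

# Ordered policy, evaluated top-down, first match wins (OPNsense "quick" rules).
# Columns: source label, destination zone, destination port (None = any), action.
# Port numbers are illustrative; a real AD rule set also needs DNS, SMB, RPC, etc.
RULES = [
    ("admin", "management", None, "pass",  "trusted admin devices manage infra"),
    ("*",     "management", None, "block", "management never reachable from user VLANs"),
    ("iot",   "internet",   None, "pass",  "IoT gets internet only"),
    ("iot",   "*",          None, "block", "IoT cannot reach internal VLANs"),
    ("dmz",   "internet",   None, "pass",  "exposed services may reach out"),
    ("dmz",   "*",          None, "block", "DMZ has no direct path to internal nets"),
    ("users", "homelab",    88,   "pass",  "Kerberos to Active Directory"),
    ("users", "homelab",    389,  "pass",  "LDAP to Active Directory"),
    ("users", "internet",   None, "pass",  "general browsing"),
    ("voip",  "internet",   None, "pass",  "phones reach call services"),
    ("homelab", "internet", None, "pass",  "servers fetch updates"),
]

def zone_of(ip):
    """Map an address to its VLAN name, or 'internet' if outside the lab."""
    ip = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if ip in net), "internet")

def evaluate(src_ip, dst_ip, dst_port):
    """Return (action, reason) for a flow as the segmentation policy sees it."""
    src_zone, dst = zone_of(src_ip), zone_of(dst_ip)
    labels = {src_zone, "*"} | ({"admin"} if ipaddress.ip_address(src_ip) in ADMIN_HOSTS else set())
    if src_zone == dst != "internet":
        return "pass", "same VLAN: switched, never crosses the firewall"
    for rule_src, rule_dst, port, action, reason in RULES:
        if rule_src in labels and rule_dst in (dst, "*") and port in (None, dst_port):
            return action, reason
    return "block", "implicit default deny"
```

Running `evaluate("10.0.40.5", "10.0.20.10", 445)` shows the IoT-to-Homelab block, while the admin host at 10.0.50.10 is the only user-VLAN address that reaches Management.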
Result
This project resulted in a fully segmented, enterprise-style network with:
- Clear trust boundaries
- Dedicated management and infrastructure networks
- Isolated IoT and VoIP traffic
- Firewall-enforced security policies
- Centralized control through OPNsense
This network now serves as the foundation for all other lab projects, including Active Directory, virtualization, VoIP testing, and future security tooling.