Home Network Segmentation with OPNsense: A Complete Guide
In today’s connected world, the average home network is packed with devices ranging from laptops and smartphones to smart TVs, security cameras, and IoT gadgets. While convenient, this growing number of devices also introduces potential security risks. Many IoT devices lack robust security, making them easy targets for malicious actors. If a single device is compromised, an unsegmented network can allow attackers to move laterally, gaining access to more sensitive devices like your personal computer or NAS.
A notable example of this occurred during the Mirai botnet attacks, where unsecured IoT devices like cameras and routers were exploited to launch massive DDoS attacks. The lack of network segmentation allowed attackers to easily hijack multiple devices in the same network, amplifying the scale and damage of the attack.
By implementing network segmentation, you can isolate devices into separate virtual networks, reducing the risk of lateral movement and containing potential breaches. In this guide, we’ll show you how to achieve effective network segmentation using OPNsense, a powerful and open-source firewall solution. Whether you’re a tech enthusiast or a beginner, this step-by-step guide will help you create a safer, more secure home network.
What You’ll Learn
- Understanding VLANs and their role in network segmentation
- Planning your home network layout for maximum efficiency and security
- Setting up OPNsense for VLANs and segmentation
- Configuring firewall rules to protect your network
- Setting up DHCP and DNS for segmented networks
- Configuring your network switch for VLANs
- Testing and monitoring your segmented network
- Troubleshooting common issues
By the end of this guide, you’ll have a well-segmented home network that enhances both security and performance.
Understanding VLANs
Virtual Local Area Networks (VLANs) are a powerful way to segment your home network without requiring additional physical hardware. A VLAN operates at Layer 2 of the OSI model, using switches to create isolated network segments. Devices on different VLANs cannot communicate with each other unless a router or Layer 3 switch is used to route the traffic. This segmentation improves network security and efficiency by keeping traffic isolated and reducing unnecessary broadcast traffic.
When traffic travels across a network, it can either be tagged or untagged. Tagged traffic includes a VLAN ID (identifier) in its Ethernet frame, following the 802.1Q standard. This tagging allows switches to know which VLAN the traffic belongs to. Untagged traffic, on the other hand, does not include a VLAN tag and is typically assigned to the default VLAN of the port it enters. Each switch port has a Port VLAN ID (PVID) that determines the VLAN for untagged incoming traffic.
Switch ports can operate in two main modes: access and trunk. Access ports are configured for a single VLAN and are commonly used to connect end devices like PCs or printers. Trunk ports, on the other hand, carry traffic for multiple VLANs and are used to connect switches or other devices that need to understand VLAN tags. Trunk ports use 802.1Q tagging to identify VLANs for traffic passing through them.
Using VLANs is often better than physically separating network segments because it reduces hardware costs and simplifies network management. Instead of buying separate switches for each network segment, you can configure VLANs on a single switch. This flexibility is particularly useful in home networks where you want to isolate devices (like IoT gadgets or guest devices) but don’t have room or budget for extra hardware.
Example of VLAN Traffic Flow
The following is a simple representation of VLAN traffic flow:
| Device/Port | VLAN | Traffic Type | Description |
|---|---|---|---|
| PC1 (Access Port) | 10 | Untagged | PC1 is part of VLAN 10 and sends traffic untagged. |
| Switch (Trunk Port) | 10, 20 | Tagged | The trunk port carries tagged traffic for VLANs 10 and 20. |
| PC2 (Access Port) | 20 | Untagged | PC2 is part of VLAN 20 and sends traffic untagged. |
In this example, PC1 and PC2 are on separate VLANs. They cannot communicate with each other unless a router is configured to route traffic between VLANs.
### Planning Your VLAN Layout
When setting up a home network, organizing your devices into VLANs (Virtual Local Area Networks) can significantly enhance security, performance, and manageability. VLANs allow you to segregate traffic based on device type or role, ensuring that sensitive devices are isolated while minimizing unnecessary communication between devices. Below is a recommended VLAN layout for a typical home network, along with the associated IP ranges and purposes.
#### Recommended VLAN Layout
1. **VLAN 10: Management** (10.0.10.0/24)
This VLAN is dedicated to managing your network infrastructure, such as your router (e.g., OPNsense), managed switches, and wireless access points (APs). Isolating management traffic ensures that only authorized devices can access critical network components.
2. **VLAN 20: Trusted** (10.0.20.0/24)
This is the primary VLAN for everyday devices such as workstations, laptops, and smartphones. These devices are considered trusted, and this VLAN has full internet access. Inter-VLAN communication with other VLANs should be carefully restricted.
3. **VLAN 30: IoT** (10.0.30.0/24)
IoT devices, such as smart home assistants, cameras, and thermostats, often have weaker security and should be isolated from the rest of the network. Restrict inter-VLAN access for these devices, while allowing them to access the internet as needed.
4. **VLAN 40: Guest** (10.0.40.0/24)
This VLAN is for visitors who need temporary WiFi access. It should provide internet connectivity while being completely isolated from the rest of your network to protect your devices and data.
5. **VLAN 50: Lab/DMZ** (10.0.50.0/24)
If you experiment with homelab servers, development environments, or host services exposed to the internet, this VLAN is ideal. Isolating these devices minimizes the risk of security breaches affecting other parts of the network.
Below is an HTML table for a quick reference of the VLAN layout:
“`html
| VLAN ID | Name | Subnet | Purpose | Internet Access | Inter-VLAN Access |
|---|---|---|---|---|---|
| 10 | Management | 10.0.10.0/24 | OPNsense, switches, APs | Limited | Restricted |
| 20 | Trusted | 10.0.20.0/24 | Workstations, laptops, phones | Full | Restricted |
| 30 | IoT | 10.0.30.0/24 | Smart home devices, cameras | Full | Restricted |
| 40 | Guest | 10.0.40.0/24 | Visitor WiFi | Full | None |
| 50 | Lab/DMZ | 10.0.50.0/24 | Homelab servers, exposed services | Full | Restricted |
“`
Step-by-Step Guide: OPNsense VLAN Configuration
1. Creating VLAN Interfaces
To start, navigate to Interfaces > Other Types > VLAN. This is where you will define your VLANs on a parent interface, typically igb0 or em0. Follow these steps:
- Click Add (+) to create a new VLAN.
- In the Parent Interface dropdown, select the parent interface (e.g.,
igb0). - Enter the VLAN tag (e.g.,
10for VLAN 10). - Provide a Description (e.g., “VLAN10_Office”).
- Click Save.
Repeat the above steps for each VLAN you want to create.
Parent Interface: igb0
VLAN Tag: 10
Description: VLAN10_Office
2. Assigning VLAN Interfaces
Once VLANs are created, they must be assigned as interfaces. Go to Interfaces > Assignments and follow these steps:
- In the Available Network Ports dropdown, locate the VLAN you created (e.g.,
igb0_vlan10). - Click Add.
- Rename the interface (e.g., “VLAN10_Office”) for easier identification.
- Click Save.
3. Configuring Interface IP Addresses
After assigning VLAN interfaces, configure IP addresses for each VLAN. Each VLAN will act as its gateway for connected devices. Follow these steps:
- Go to Interfaces > [Your VLAN Interface] (e.g.,
VLAN10_Office). - Check the Enable Interface box.
- Set the IPv4 Configuration Type to Static IPv4.
- Scroll down to the Static IPv4 Configuration section and enter the IP address (e.g.,
192.168.10.1/24). - Click Save, then click Apply Changes.
IPv4 Address: 192.168.10.1
Subnet Mask: 24
4. Setting Up DHCP Servers per VLAN
Each VLAN can have its own DHCP server to assign IP addresses to devices. Go to Services > DHCPv4 > [Your VLAN Interface] and follow these steps:
- Check the Enable DHCP Server box.
- Define the Range of IP addresses (e.g.,
192.168.10.100to192.168.10.200). - Set the Gateway to the VLAN IP address (e.g.,
192.168.10.1). - Optionally, configure DNS servers, NTP servers, or other advanced options.
- Click Save.
Range: 192.168.10.100 - 192.168.10.200
Gateway: 192.168.10.1
5. DNS Configuration per VLAN
To ensure proper name resolution for each VLAN, configure DNS settings. Go to System > Settings > General:
- Add DNS servers specific to your VLAN (e.g.,
1.1.1.1and8.8.8.8). - Ensure the Allow DNS server list to be overridden by DHCP/PPP on WAN box is unchecked, so VLAN-specific DNS settings are maintained.
- Go to Services > Unbound DNS > General and enable DNS Resolver.
- Under the Advanced section, configure access control lists (ACLs) to allow specific VLAN subnets to query the DNS resolver.
- Click Save and Apply Changes.
DNS Servers: 1.1.1.1, 8.8.8.8
Access Control: 192.168.10.0/24
Firewall Rules for VLAN Segmentation
Implementing robust firewall rules is critical for ensuring security and proper traffic management in a VLAN-segmented network. Below are the recommended inter-VLAN firewall rules for an OPNsense firewall setup, designed to enforce secure communication between VLANs and restrict unauthorized access.
Inter-VLAN Firewall Rules
The following rules provide a practical framework for managing traffic between VLANs. These rules follow the principle of least privilege, where access is only granted to specific services or destinations as required. The default action for any inter-VLAN communication is to deny all traffic unless explicitly allowed.
| Order | Source | Destination | Port | Action | Description |
|---|---|---|---|---|---|
| 1 | Trusted | All VLANs | Any | Allow | Allow management access from Trusted VLAN to all |
| 2 | IoT | Internet | Any | Allow | Allow IoT VLAN access to the Internet only |
| 3 | IoT | RFC1918 (Private IPs) | Any | Block | Block IoT VLAN from accessing private networks |
| 4 | Guest | Internet | Any | Allow | Allow Guest VLAN access to the Internet only, with bandwidth limits |
| 5 | Lab | Internet | Any | Allow | Allow Lab VLAN access to the Internet |
| 6 | Lab | Trusted | Specific Ports | Allow | Allow Lab VLAN to access specific services on Trusted VLAN |
| 7 | IoT | Trusted | Any | Block | Block IoT VLAN from accessing Trusted VLAN |
| 8 | All VLANs | Firewall Interface (OPNsense) | DNS, NTP | Allow | Allow DNS and NTP traffic to OPNsense for time sync and name resolution |
| 9 | All VLANs | All VLANs | Any | Block | Default deny all inter-VLAN traffic |
OPNsense Firewall Rule Configuration Snippets
# Rule: Allow Trusted to All VLANs
pass in quick on vlan_trusted from 192.168.10.0/24 to any tag TrustedAccess
# Rule: Allow IoT to Internet (block RFC1918)
pass in quick on vlan_iot from 192.168.20.0/24 to !192.168.0.0/16 tag IoTInternet
# Rule: Block IoT to Trusted
block in quick on vlan_iot from 192.168.20.0/24 to 192.168.10.0/24 tag BlockIoTTrusted
# Rule: Allow Guest to Internet
pass in quick on vlan_guest from 192.168.30.0/24 to any tag GuestInternet
# Rule: Allow Lab to Internet
pass in quick on vlan_lab from 192.168.40.0/24 to any tag LabInternet
# Rule: Allow Lab to Specific Trusted Services
pass in quick on vlan_lab proto tcp from 192.168.40.0/24 to 192.168.10.100 port 22 tag LabToTrusted
# Rule: Allow DNS and NTP to Firewall
pass in quick on any proto { udp, tcp } from any to 192.168.1.1 port { 53, 123 } tag DNSNTPAccess
# Default Deny Rule
block in log quick on any from any to any tag DefaultDeny
These rules ensure secure VLAN segmentation by only allowing necessary traffic while denying unauthorized communications. Customize the rules for your specific network requirements to maintain optimal security and functionality.
Managed Switch Configuration, Testing Segmentation, and Monitoring & Maintenance
Managed Switch Configuration
Setting up VLANs on a managed switch is essential for implementing network segmentation. Below are the general steps involved:
- Create VLANs: Access the switch’s management interface, navigate to the VLAN settings, and create the necessary VLANs. Assign each VLAN a unique identifier (e.g., VLAN 10 for “Trusted”, VLAN 20 for “IoT”, VLAN 30 for “Guest”).
- Configure a Trunk Port: Select a port that will connect to your OPNsense firewall or router and configure it as a trunk port. Ensure this port is set to tag all VLANs to allow traffic for all VLANs to flow to the firewall.
- Configure Access Ports: Assign each access port to a specific VLAN. Access ports should be untagged for the VLAN they are assigned to, ensuring that devices connected to these ports automatically belong to the appropriate VLAN.
Here are examples for configuring VLANs on common managed switches:
- TP-Link: Use the web interface to create VLANs under the “VLAN” menu. Set the trunk port as “Tagged” for all VLANs and assign access ports as “Untagged” for their respective VLANs.
- Netgear: Navigate to the VLAN configuration menu. Create VLANs and assign ports accordingly, ensuring the trunk port has all VLANs tagged.
- Ubiquiti: Use the UniFi Controller interface. Under the “Switch Ports” section, assign VLANs to ports and configure the trunk port to tag all VLANs.
Testing Segmentation
Once VLANs are configured, it is crucial to verify segmentation and functionality. Perform the following tests:
- Verify DHCP: Connect a device to an access port in each VLAN and ensure it receives an IP address from the correct VLAN’s DHCP range. Test command:
ipconfig /renew(Windows) ordhclient(Linux). - Ping Tests: Attempt to ping devices between VLANs to ensure segmentation works. For example, from VLAN 20 (IoT), ping a device in VLAN 10 (Trusted). The ping should fail if proper firewall rules block inter-VLAN traffic. Test command:
ping [IP Address]. - nmap Scan: From a device in the IoT VLAN, run an nmap scan targeting the Trusted VLAN. Proper firewall rules should block the scan. Test command:
nmap -sP [IP Range]. - Internet Access: Access the internet from a device in each VLAN to confirm that internet connectivity is functional.
- DNS Resolution: Test DNS resolution in each VLAN to ensure devices can resolve domain names. Test command:
nslookup google.comordig google.com.
Monitoring & Maintenance
Network security and performance require ongoing monitoring and maintenance. Utilize the following tools and practices:
- OPNsense Firewall Logs: Regularly review logs to monitor allowed and blocked traffic. This helps identify potential misconfigurations or suspicious activity. Access via the OPNsense GUI:
Firewall > Log Files > Live View. - Blocked Traffic Alerts: Configure alerts for blocked traffic attempts. This can help detect unauthorized access attempts or misbehaving devices.
- Intrusion Detection (Suricata): Enable and configure Suricata on OPNsense to monitor for malicious traffic. Regularly review alerts for potential threats. Access via:
Services > Intrusion Detection. - Regular Rule Reviews: Periodically review firewall rules to ensure they are up to date and aligned with network security policies. Remove outdated or unnecessary rules to minimize attack surfaces.
- Backup Configuration: Regularly back up switch and OPNsense configurations to ensure quick recovery in case of failure.
By following these steps, you ensure proper VLAN segmentation, maintain network security, and optimize performance for all connected devices.
Hardware and books for building a segmented home network:
- Protectli Vault FW4C Firewall Appliance — Purpose-built OPNsense/pfSense appliance ($300-400)
- MokerLink 8-Port PoE Switch — VLAN-capable managed switch for segmentation ($70-90)
- Practical Packet Analysis, 3rd Edition — Network troubleshooting with Wireshark ($30-40)
📋 Disclosure: Some links in this article are affiliate links. If you purchase through these links, I earn a small commission at no extra cost to you. I only recommend products I have personally used or thoroughly evaluated.
