VLAN Design

OPNsense VLAN configuration for network segmentation and IoT isolation.

Overview

                          [ISP Modem]
                               │
                        [OPNsense VM]
                         (Mini PC)
                               │
                    ┌──────────┼──────────┐
                    │          │          │
              VLAN 1      VLAN 10     VLAN 20
            Management      IoT       Guest
           192.168.0.0  192.168.10.0 192.168.20.0
                │          │          │
           ┌────┴────┐     │     ┌────┴────┐
           │         │     │     │         │
        [Servers] [Admin]  │  [Phones]  [Visitors]
                           │
                    ┌──────┴──────┐
                    │             │
               [Cameras]    [Smart Home]

---

VLAN Assignments

VLAN ID	Name	Subnet	Purpose
1	Management	192.168.0.0/24	Servers, admin devices
10	IoT	192.168.10.0/24	Cameras, smart devices
20	Guest	192.168.20.0/24	Untrusted devices, visitors

---

Device Placement

VLAN 1 - Management (192.168.0.0/24)

Trusted devices with full network access.

Device	IP	Connection	Notes
Proxmox (OPNsense + Docker VM)	.1 / .10	MokerLink P1	Trunk — both VMs share nic1/vmbr1
RPi 4 (Start9)	.11	MokerLink P2	Bitcoin node
RPi 5 (openclaw)	.20	MokerLink P3	AI assistant
NAS	.12	MokerLink P4	Storage, backups
Yamaha RX-V671	.30	MokerLink P5	AV Receiver (Ethernet)
TP-Link AP	-	MokerLink P7	VLAN trunk
Apple TV	.31	WiFi (HomeNet)	Jellyfin client
LG Smart TV	.32	WiFi (HomeNet)	Jellyfin client
MacBook	DHCP	MokerLink P8	Admin workstation
Phones	DHCP	WiFi (HomeNet)	Family devices

VLAN 10 - IoT (192.168.10.0/24)

Untrusted IoT devices. No internet access by default.

Device	IP	Notes
Reolink Cam 1	.101	Front door
Reolink Cam 2	.102	Back yard
Tapo C110	.103	Indoor (WiFi)
Smart bulbs	DHCP	If added
Smart plugs	DHCP	If added

VLAN 20 - Guest (192.168.20.0/24)

Internet-only access. No LAN access.

Device	IP	Notes
Guest phones	DHCP	Visitors
Guest laptops	DHCP	Visitors

---

OPNsense Configuration

1. Create VLANs

Interfaces → Other Types → VLAN

Parent	VLAN Tag	Description
vtnet1 (LAN)	10	IoT
vtnet1 (LAN)	20	Guest

2. Assign Interfaces

Interfaces → Assignments

Interface	Device	Description
LAN	vtnet1	Management (untagged)
IOT	vtnet1.10	IoT VLAN
GUEST	vtnet1.20	Guest VLAN

3. Configure Interface IPs

Interface	IPv4	DHCP Range
LAN	192.168.0.1/24	.100-.199
IOT	192.168.10.1/24	.100-.199
GUEST	192.168.20.1/24	.100-.199

4. Enable DHCP

Services → DHCPv4

For each interface:

• Enable DHCP
• Set range: .100 to .199
• DNS: Point to Pi-hole (192.168.0.10)

---

Firewall Rules

Management VLAN (LAN)

#	Action	Source	Destination	Ports	Description
1	Pass	LAN net	any	any	Allow all outbound

IoT VLAN

#	Action	Source	Destination	Ports	Description
1	Pass	IOT net	192.168.0.10	53	Allow DNS (Pi-hole)
2	Pass	IOT net	192.168.0.10	123	Allow NTP
3	Pass	192.168.10.101-103	192.168.0.10	5000	Cameras → Frigate
4	Block	IOT net	RFC1918	any	Block LAN access
5	Block	IOT net	any	any	Block internet (default deny)

Camera-specific rules: Cameras only need to reach Frigate, no internet.

Guest VLAN

#	Action	Source	Destination	Ports	Description
1	Pass	GUEST net	192.168.0.10	53	Allow DNS
2	Block	GUEST net	RFC1918	any	Block LAN access
3	Pass	GUEST net	any	80,443	Allow HTTP/HTTPS
4	Block	GUEST net	any	any	Block all else

---

Switch Configuration

MokerLink 8-Port 2.5G Switch

Configure for VLAN trunking:

Port	Mode	VLAN	Device	Speed
1	Trunk	1,10,20	Proxmox (OPNsense + Docker VM)	2.5G
2	Access	1	RPi 4 (Start9)	1G
3	Access	1	RPi 5 (OpenClaw)	1G
4	Access	1	NAS	2.5G
5	Access	1	Yamaha RX-V671	1G
6	Access	10	TP-Link PoE Switch	1G
7	Trunk	1,10,20	TP-Link AP	1G
8	Access	1	Reserved (MacBook)	2.5G

Note: Port 1 is a trunk because Proxmox's vmbr1 bridge carries both OPNsense VLAN-tagged traffic (10, 20) and Docker VM untagged traffic (VLAN 1). OPNsense handles tagging internally via vtnet1 sub-interfaces (vtnet1.10, vtnet1.20).

MokerLink VLAN Membership (802.1Q)

Configure in the switch web UI (http://192.168.1.2):

VLAN ID	Tagged (trunk)	Untagged (access)
1	P1, P7	P2, P3, P4, P5, P8
10	P1, P7	P6
20	P1, P7	—

MokerLink PVID Settings

Each port's PVID determines which VLAN untagged incoming traffic is assigned to:

Port	PVID
1	1
2	1
3	1
4	1
5	1
6	10
7	1
8	1

TP-Link PoE Switch (TL-SG1005P)

Unmanaged switch - all ports share same VLAN (10, inherited from MokerLink P6).

Port	Device	IP
1	Uplink to MokerLink P6	-
2	Reolink Cam 1	192.168.10.101
3	Reolink Cam 2	192.168.10.102
4-5	Reserved	-

All cameras automatically on VLAN 10 (IoT) without per-port config.

---

WiFi Configuration

TP-Link Archer AX50 AP

SSID	VLAN	Purpose
HomeNet	1	Trusted devices
IoT-Devices	10	Smart home (if supported)
Guest	20	Visitors

Note: Stock firmware may not support multi-VLAN. Options:

• Single SSID on Management VLAN
• Flash OpenWrt for full VLAN support

---

Camera Isolation

Security Model

┌─────────────────────────────────────────────────────┐
│                   IoT VLAN (10)                      │
│                                                      │
│   [Cam 1]    [Cam 2]    [Cam 3]                     │
│   .101       .102       .103                         │
│      │          │          │                         │
│      └──────────┼──────────┘                         │
│                 │                                    │
│           Only allowed to:                           │
│           192.168.0.10:5000 (Frigate)               │
│                                                      │
│           ✗ No internet                             │
│           ✗ No LAN access                           │
│           ✗ No camera-to-camera                     │
└─────────────────────────────────────────────────────┘

Why Isolate Cameras?

• Prevent firmware phone-home to China
• Block network scanning/attacks
• Contain compromised devices
• RTSP streams stay local

---

Tailscale Bypass

Tailscale devices access services via overlay network, bypassing VLANs:

Tailscale IP	Device	Physical VLAN
100.68.63.168	Docker VM	1
100.64.0.11	RPi 4	1
100.82.77.97	NAS	1

Access from anywhere: ssh 100.82.77.97 works regardless of VLAN.

---

Implementation Checklist

Phase 1: OPNsense

• [x] Create VLAN 10 (IoT)
• [x] Create VLAN 20 (Guest)
• [x] Assign interfaces
• [x] Configure DHCP per VLAN
• [x] Create firewall rules

Phase 2: Switch

• [x] Configure MokerLink VLAN trunks
• [x] Configure access ports
• [x] Connect PoE switch to IoT VLAN

Phase 3: Cameras

• [ ] Assign static IPs (.101-.103)
• [ ] Verify Frigate connectivity
• [ ] Confirm no internet access

Phase 4: WiFi (Optional)

• [ ] Create Guest SSID
• [ ] Map to VLAN 20
• [ ] Test isolation

---

Troubleshooting

Device Can't Get IP

# Check DHCP leases in OPNsense
Services → DHCPv4 → Leases

# Verify VLAN tagging matches switch config

Camera Can't Reach Frigate

# Check firewall logs
Firewall → Log Files → Live View

# Verify rule allows IoT → 192.168.0.10:5000

Inter-VLAN Traffic Blocked

# Expected behavior!
# Only explicitly allowed traffic passes between VLANs

---

Reference

• OPNsense VLAN Guide
• OPNsense Firewall Rules