At the moment my network is not optimised for what it does and may have some flaws. I came up with an idea which I want to try out. I think it is not the most common approach and also qualifies as "Security by Obscurity", but nevertheless I somehow believe it fits my needs and may also fit the needs of other homelabbers. And because it is not straightforward, it makes a fun side project…
- Other family members should not be bothered by my experiments. And if the internet fails, it is likely that my experiments are not to blame :)
- Secure (not super secure, but more like do not leave all doors open)
- Minimal power consumption (no additional hardware)
Not all hardware is in a central place. There are different reasons for this: restrictions due to the flat's layout and the TV / telephone sockets, places where hardware is allowed to be loud and / or where hardware really needs to be, etc. Summarized, I struggle with the following constraints:
- The server room is in a weird spot of the flat and running one Ethernet cable there was painful enough. Unfortunately the internet access is also on the other end of the flat.
- That is why I decided to build a nested network (an outer, unsafe network which routes everything to the nested networks through a virtual OPNsense router).
First Idea and PoC
- Install 1-port NICs in the server.
- Add the new interfaces to the opnsense-0 VM for testing the setup.
- Add a second virtual network bridge in Proxmox for the VMs in the new subnet managed by OPNsense.
- Test the nested network with some existing VMs.
The described steps went pretty smoothly. I could do almost everything in the web interface. I just added a new Linux bridge in Proxmox and added the new interface to it. Then I connected the OPNsense WAN to the first bridge and the LAN to the second (see the diagram above).
For the DMZ it was straightforward as well. I added a third Linux bridge, which is not connected to any hardware interface. Then I added a third virtual network interface to the OPNsense router and to all VMs of the DMZ and connected them to that bridge.
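The same three-bridge layout as it would look on the Proxmox host itself, as an added example that is not from the original post: a script that renders the `/etc/network/interfaces` stanzas for the WAN, LAN and DMZ bridges, prints the `qm set` commands that attach them to the OPNsense VM, and checks that the DMZ bridge really has no physical port behind it (otherwise a DMZ host could talk to the outer network past the firewall). The NIC names `enp1s0` / `enp2s0`, the VM ID `100`, the bridge numbers and the management address are assumptions; change them to match your host.

```shell
#!/usr/bin/env bash
# Added example, not the post's own config. Assumed names: enp1s0 (port on the
# outer home network), enp2s0 (the new 1-port NIC for the inner LAN), VM ID 100.
set -euo pipefail

WAN_NIC="${WAN_NIC:-enp1s0}"          # assumption: faces the outer "unsafe" network
LAN_NIC="${LAN_NIC:-enp2s0}"          # assumption: the newly installed 1-port NIC
OPNSENSE_VMID="${OPNSENSE_VMID:-100}" # assumption: ID of the opnsense-0 VM

# Render the /etc/network/interfaces stanzas for the three Linux bridges.
# Only vmbr0 carries a host address; vmbr1 and vmbr2 are "manual" so the
# Proxmox host itself has no leg in the inner networks and cannot route
# around the OPNsense VM.
render_bridges() {
  cat <<EOF
auto lo
iface lo inet loopback

iface ${WAN_NIC} inet manual
iface ${LAN_NIC} inet manual

# vmbr0: outer network, Proxmox management address (assumed 192.168.1.10/24)
auto vmbr0
iface vmbr0 inet static
    address 192.168.1.10/24
    gateway 192.168.1.1
    bridge-ports ${WAN_NIC}
    bridge-stp off
    bridge-fd 0

# vmbr1: inner LAN behind OPNsense, cabled to the second NIC
auto vmbr1
iface vmbr1 inet manual
    bridge-ports ${LAN_NIC}
    bridge-stp off
    bridge-fd 0

# vmbr2: DMZ, purely virtual, reachable only through OPNsense
auto vmbr2
iface vmbr2 inet manual
    bridge-ports none
    bridge-stp off
    bridge-fd 0
EOF
}

# Check: the DMZ bridge must not list a physical NIC as a bridge port.
# Returns 0 when vmbr2's bridge-ports line mentions neither NIC.
check_dmz_isolated() {
  ! render_bridges \
    | awk '/^iface vmbr2/ {f=1} f && /bridge-ports/ {print; f=0}' \
    | grep -qE "${WAN_NIC}|${LAN_NIC}"
}

# Print the qm commands that give the OPNsense VM one virtio NIC per bridge.
# OPNsense sees them as vtnet0/vtnet1/vtnet2, so assign WAN=vtnet0, LAN=vtnet1
# and OPT1 (the DMZ)=vtnet2 in its interface assignment.
opnsense_nic_commands() {
  printf 'qm set %s --net0 virtio,bridge=vmbr0,firewall=0\n' "$OPNSENSE_VMID"
  printf 'qm set %s --net1 virtio,bridge=vmbr1,firewall=0\n' "$OPNSENSE_VMID"
  printf 'qm set %s --net2 virtio,bridge=vmbr2,firewall=0\n' "$OPNSENSE_VMID"
}

# Usage: ./bridges.sh --print  (review the output before copying it into
# /etc/network/interfaces and running the qm commands on the host)
if [ "${1:-}" = "--print" ]; then
  check_dmz_isolated || { echo "vmbr2 must not have a physical port" >&2; exit 1; }
  render_bridges
  echo
  opnsense_nic_commands
fi
```

Two caveats that the web interface does not point out: the Proxmox host should not forward between the bridges (`sysctl net.ipv4.ip_forward` should be `0` on the host, and the host should have no address on `vmbr1` or `vmbr2`), and the OPNsense interface assignment follows the order of the `net0`..`net2` devices, so renumbering them later silently swaps WAN and LAN.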
Configuring the firewall and making it highly available
To be continued …