This repository documents a professional-grade home/lab network. A Mikrotik router provides the WAN edge and Guest isolation, while OPNsense (virtualized on Proxmox) acts as the primary stateful firewall for the Secure Intranet segments and the DMZ. The two are joined by a dedicated Transit VLAN, so every packet between the Guest zone and anything behind OPNsense crosses both firewalls.

Zones and addressing:

| Zone | VLAN | Name | Subnet | Gateway IP | L3 Termination |
|---|---|---|---|---|---|
| Edge | - | WAN | 10.255.255.0/30 | 10.255.255.1 | ISP |
| Secure Intranet | 10 | Wired | 192.168.10.0/24 | 192.168.10.1 | OPNsense |
| Secure Intranet | 30 | Wireless | 192.168.30.0/24 | 192.168.30.1 | OPNsense |
| Secure Intranet | 40 | Server | 192.168.40.0/24 | 192.168.40.1 | OPNsense |
| Transit | 100 | Transit | 172.20.1.0/24 | 172.20.1.1 | Mikrotik |
| DMZ | 50 | DMZ (Web/Public) | 172.17.50.0/24 | 172.17.50.1 | OPNsense |
| Guest | 20 | Guest | 10.0.0.0/24 | 10.0.0.1 | Mikrotik |

Services and management addresses:

| Service | VLAN | IP Address | Notes |
|---|---|---|---|
| Layer 2 Switch | 100 | 172.20.1.3 | Switch management |
| Access Point | 100 | 172.20.1.10 | WiFi access point management |
| OPNsense Firewall | 40 | 192.168.40.1 | Management GUI, DNS |
| Proxmox Host | 40 | 192.168.40.10 | Management Web GUI |
| Zabbix Server | 40 | 192.168.40.101 | Monitoring |
| Web Server | 50 | 172.17.50.10 | Public Site |

The switch and access point management interfaces live on the Transit VLAN (100); the Guest drop rule for V100 described below is what keeps Guest clients away from them.

Inter-zone traffic policy:

| Source Zone | Destination Zone | Protocol | Action | Note |
|---|---|---|---|---|
| Secure Intranet | Internet | Any | Allow | Managed by OPNsense |
| DMZ | Internet | Any | Allow | Managed by OPNsense |
| Guest | Internet | Any | Allow | Managed by Mikrotik |
| Secure Intranet | DMZ | Any | Allow | Full admin access to servers |
| DMZ | Secure Intranet | Any | Block | DMZ cannot initiate internal connections |
| Guest | DMZ (V50) | HTTP/S (TCP 80/443) | Allow | Access to the web service only |
| Guest | Secure Intranet | Any | Block | Total isolation at the Mikrotik layer |

The Mikrotik holds the primary routing table and protects the "front door" of the internal network.
- Static routing (both via 172.20.1.2, the OPNsense Transit IP):
  - 192.168.0.0/16 via 172.20.1.2 (summary route for the Secure Intranet segments V10, V30 and V40)
  - 172.17.50.0/24 via 172.20.1.2 (DMZ segment V50)
- Guest policy: firewall filter rules on the Mikrotik drop traffic from VLAN 20 to every subnet in the Secure Intranet (V10, V30, V40) and Transit (V100) zones. Only TCP 80/443 towards the DMZ and traffic towards the Internet are allowed out of the Guest VLAN.
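As an added example (not the repository's own configuration export), the following RouterOS commands implement the static routes and the Guest policy described above, together with the Guest-to-DMZ web exception and the Guest-to-Internet path from the policy table. The prefixes and next hops are taken from the addressing table; the interface names (`ether1-wan`, `vlan20-guest`, `vlan100-transit`), the address-list names and the masquerade rule are assumptions.

```routeros
# Added example, not the lab's export. Interface names are assumptions;
# prefixes and next hops come from the addressing table.

# Static routes: everything behind OPNsense is reached via its Transit IP.
/ip route
add dst-address=192.168.0.0/16 gateway=172.20.1.2 comment="Secure Intranet summary (V10/V30/V40) via OPNsense"
add dst-address=172.17.50.0/24 gateway=172.20.1.2 comment="DMZ (V50) via OPNsense"

# Address lists keep the Guest policy readable and easy to extend.
/ip firewall address-list
add list=secure-intranet address=192.168.10.0/24 comment="V10 Wired"
add list=secure-intranet address=192.168.30.0/24 comment="V30 Wireless"
add list=secure-intranet address=192.168.40.0/24 comment="V40 Server"
add list=secure-intranet address=172.20.1.0/24 comment="V100 Transit (switch/AP management, OPNsense WAN)"
add list=dmz address=172.17.50.0/24 comment="V50 DMZ"

# Forward chain, evaluated top to bottom; the first matching rule wins.
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="Return traffic for allowed sessions"
add chain=forward connection-state=invalid action=drop comment="Drop packets that belong to no tracked session"
add chain=forward in-interface=vlan20-guest dst-address-list=secure-intranet action=drop comment="Guest -> Secure Intranet/Transit: total isolation"
add chain=forward in-interface=vlan20-guest dst-address-list=dmz protocol=tcp dst-port=80,443 action=accept comment="Guest -> DMZ web service only"
add chain=forward in-interface=vlan20-guest dst-address-list=dmz action=drop comment="Guest -> DMZ: anything else"
add chain=forward in-interface=vlan20-guest out-interface=ether1-wan action=accept comment="Guest -> Internet"
add chain=forward in-interface=vlan20-guest action=drop comment="Guest default deny"

# Guest clients get DHCP and DNS from the router (assumed) and nothing else.
add chain=input in-interface=vlan20-guest protocol=udp dst-port=67 action=accept comment="Guest DHCP"
add chain=input in-interface=vlan20-guest protocol=udp dst-port=53 action=accept comment="Guest DNS"
add chain=input in-interface=vlan20-guest action=drop comment="No Guest access to router management/services"

# Assumed: Guest traffic is source-NATed on the WAN interface.
/ip firewall nat
add chain=srcnat src-address=10.0.0.0/24 out-interface=ether1-wan action=masquerade comment="Guest Internet"
```

Rule order matters: the drop to `secure-intranet` sits before the DMZ accept, and because that list contains the Transit prefix 172.20.1.0/24 it also shields the switch, the access point and the OPNsense WAN address from Guest clients. It does not interfere with Guest-to-DMZ traffic, which is addressed to 172.17.50.0/24 and merely routed across the Transit link. The OPNsense WAN rule set must independently allow TCP 80/443 from 10.0.0.0/24 to the web server; the Mikrotik rule alone is not sufficient, and OPNsense's default WAN policy denies whatever is not explicitly allowed.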
OPNsense configuration:
- Transit setup: the OPNsense WAN interface is assigned to VLAN 100 with the address 172.20.1.2.
- Upstream: the default gateway is the Mikrotik Transit IP (172.20.1.1).
- Security: "Block private networks" is disabled on the OPNsense WAN interface so that the Mikrotik-managed Guest subnet (10.0.0.0/24) can reach the DMZ via the Transit link; with that option on, every packet arriving from the RFC 1918 Transit and Guest ranges would be discarded before the rule set is consulted. Disabling it removes an implicit filter, so the WAN rules must explicitly allow only TCP 80/443 from 10.0.0.0/24 to the web server and rely on OPNsense's default deny for everything else arriving on WAN.
Proxmox host configuration:
- Management: the Proxmox host has a static IP (192.168.40.10) in VLAN 40 (Secure Intranet).
- Gateway: the host gateway is 192.168.40.1 (OPNsense). Because OPNsense runs as a VM on this host, the host loses its gateway when OPNsense is down, but it remains reachable on-link from any VLAN 40 port.
- Network: vmbr0 is configured as a VLAN-aware bridge so that multiple VLANs are trunked to the virtualized OPNsense instance and to the Zabbix server.
Monitoring:
- Deployment: the Zabbix server resides in VLAN 40 (192.168.40.101).
- Metrics collection:
  - Mikrotik: monitored via SNMP over the Transit VLAN (100).
  - OPNsense and Proxmox: monitored via the Zabbix agent in VLAN 40.
  - DMZ services: synthetic HTTP/HTTPS checks monitor the availability of the web service in VLAN 50.
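An added example (not the repository's own configuration) of the Mikrotik side of the SNMP collection above, restricted so that only the Zabbix server can poll the router and only across the Transit VLAN. The Zabbix address (192.168.40.101) and the Transit VLAN come from the tables above; the SNMPv3 user name, the interface name `vlan100-transit` and the two passwords are assumptions and placeholders to be replaced.

```routeros
# Added example, not the lab's export. Poll path: Zabbix (192.168.40.101)
# -> OPNsense -> Transit VLAN -> Mikrotik 172.20.1.1.

/snmp community
# Disable the default read-only "public" community rather than leaving it reachable.
set [ find name=public ] disabled=yes
# SNMPv3 with authentication and encryption, bound to the Zabbix address only.
add name=zbx-v3 addresses=192.168.40.101/32 security=private \
    authentication-protocol=SHA1 authentication-password="CHANGE-ME-auth" \
    encryption-protocol=AES encryption-password="CHANGE-ME-priv" \
    read-access=yes write-access=no

/snmp
set enabled=yes

# Input chain: accept SNMP only from Zabbix arriving on the Transit VLAN,
# then drop SNMP from everywhere else (Guest, WAN, any other VLAN).
/ip firewall filter
add chain=input in-interface=vlan100-transit src-address=192.168.40.101 protocol=udp dst-port=161 action=accept comment="SNMP: Zabbix only, via Transit"
add chain=input protocol=udp dst-port=161 action=drop comment="SNMP from anywhere else"
```

The accept rule has to come before any broader drop on the input chain; on the Zabbix side the host is created with the SNMPv3 security name, SHA1/AES and the same two passwords. Checking `src-address` together with `in-interface` means a spoofed 192.168.40.101 arriving on the Guest or WAN interface is still dropped.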
If OPNsense is down (no Internet and no inter-VLAN routing):
- Connect a laptop to switch port 24 (if available) or to any port assigned to VLAN 40.
- Set a static IP on the laptop: 192.168.40.99, subnet mask 255.255.255.0. No gateway is needed, because the Proxmox host is on the same VLAN 40 segment.
- Open the Proxmox web GUI at https://192.168.40.10:8006 (the Proxmox host address from the services table) and restart the OPNsense VM.
- Note: the Mikrotik Guest network (VLAN 20) keeps working while OPNsense is down, because it terminates directly on the Mikrotik. Guest access to the DMZ web service does not, since the DMZ sits behind OPNsense.
