Introducing OPNsense to the homelab
Intro
I’ve wanted to change the networking setup in the homelab for some time. Changing to an open source router OS has also been high up on the list of things I’ve wanted to do. So in July this year I purchased the TLSense 2980U to run OPNsense as my new router.
One goal was certain from day 1: Split up the tangled networking I’ve relied on for the last few years.
Segmenting the network
My current network is a result of trying to cram homelab requirements into an older proprietary router. I knew the transition was going to be rough, so I spent a significant amount of time mapping out the configuration changes required. This is the first time I’ve made an actual upgrade plan for something related to the homelab.
Here’s the previous assignments from the old router, which
only supported 192.168.1.0/24 (I honestly don’t recall why
I left a gap from 192.168.1.102 to 192.168.1.152, safety
margin?):
| Usage | IP range |
|---|---|
| DHCP | 192.168.1.2-192.168.1.101 |
| MetalLB | 192.168.1.153-192.168.1.203 |
| Static | 192.168.1.204-192.168.1.254 |
Did it work? Yes. Was it tidy? No. But it worked well enough for several years and helped me learn a lot in the meantime.
And this is the OPNsense config for some of the new VLAN interfaces related to the homelab:
| Usage | VLAN ID | IP range |
|---|---|---|
| Proxmox management network | 2 |
10.0.2.0/24 |
| K3s | 3 |
10.0.3.0/24 |
A setup that is quite overengineered, with more available IP addresses than I’ll ever use in each category.
Using the TP-Link VLAN configuration guide, I added the following config:
| VLAN ID | VLAN Name | Member Ports | Tagged Ports | Untagged Ports |
|---|---|---|---|---|
2 |
PROXMOX | 1-3 | 1-3 | (blank) |
3 |
K3S | 1-3 | 1-3 | (blank) |
Proxmox host 1 and 2 are connected to port 2 and 3 on the switch respectively. Since I wanted to use VLAN 2 as the Proxmox management network and VLAN 3 for K3s VMs, I needed to have both ports be able to forward tagged traffic:
graph TB
subgraph switch[Switch]
port_1[Port 1]
port_2[Port 2]
port_3[Port 3]
end
router[Router]-->|VLAN 1-3|port_1
port_2-->|VLAN 1-3|proxmox_1[Proxmox host 1]
port_3-->|VLAN 1-3|proxmox_2[Proxmox host 2]
Then I reinstalled Proxmox on both hosts, made the guest linux bridge VLAN-aware, and added a separate bridge for the management network. This is now a permanent manual process I have to do on each install.
This is /etc/network/interfaces after the changes:
auto lo
iface lo inet loopback
iface eno1 inet manual
# All traffic for the Proxmox hosts
# will be routed through this bridge
auto vmbr0.2
iface vmbr0.2 inet static
# Static IP of this Proxmox host
address 10.0.2.x/24
# Matches the static IP of the
# VLAN interface in OPNsense
gateway 10.0.2.1
# All traffic for guests will be routed
# through this bridge
auto vmbr0
iface vmbr0 inet manual
bridge-ports eno1
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
# Enables all VLAN IDs except VLAN 1
bridge-vids 2-4094
Then I reloaded all interfaces:
ifreload -a
Define VLAN ID of the NIC in Terraform HCL
When using the Terraform provider (mentioned in another post), I can now set the VLAN tag in the network block:
resource "proxmox_vm_qemu" "<name>" {
...
ipconfig0 = "ip=<Static IP>/<CIDR>,gw=<Gateway IP>"
network {
# Use the VLAN-aware bridge
bridge = "vmbr0"
tag = <VLAN tag>
}
}
This is what I use when defining my K3s nodes:
resource "proxmox_vm_qemu" "k8s" {
...
ipconfig0 = "ip=10.0.3.x/24,gw=10.0.3.1"
network {
bridge = "vmbr0"
tag = 3
}
}
And that’s it. The K3s node is now placed in the correct VLAN.
Conclusion
Running this for a few months now, I’m quite happy with the result. OPNsense is well documented and has a large community, making troubleshooting much easier.
The different services in the homelab are now isolated using VLANs and firewall rules. The current setup will scale much better over time and allow me to test new ideas.
I’ve skipped over several details, such as as setting up VLAN interfaces, DNS overrides and firewall rules. I recommend the guides by Home Network Guy for those areas.