Messages - cornfield

tl;dr: Fine. Move on in peace.

Homelab Supporting Consistent Intranet/Private Networks with OPNsense Routing Using Reversible Bare Metal and Proxmox VM

I post this as a personal checkpoint, happy for feedback, while building out my homelab.

System Hardware/Software

Core Network: Goalake GS108 managed switch, Minisforum UN300 I-3 N300 running OPNsense, ASUS AX88U Pro + AX5400 running ASUSWRT-Merlin in AP and AiMesh mode

Experimental: GMK K8 Ryzen 7 8845HS + 3 TB NVMe SSD + 2 x 8TB SATA HDD + 4 x 4TB SATA SSD running Proxmox + OPNsense virtualized + OMV + HomeAssistant + Jellyfin (first build)

Note: this reflects a conscious choice of network services architecture - independent and interchangeable choice of routing, switching, APs, NAS, and application servers and services.

The goal is to establish:

1. Standard Operating Mode with bare metal OPNsense (OPNsense.bm) routing for the Intranet in front of the Proxmox Server, which also runs a virtualized OPNsense VM (OPNsense.Virt) to route simultaneously for the isolated backend Private Network.

2. Alternatively, Maintenance Mode switches the role of OPNsense.Virt on Proxmox with OPNsense.bm to hand Intranet responsibilities to OPNsense.Virt and Private Network routing to OPNsense.bm (or OPNsense.bm can be offline). The purpose of switching is to do risky things on the production router (OPNsense.bm) with minimum downtime (even if pre-tested in the VM(s)) by continuing Intranet services with the Proxmox server. The penalty for messing up Internet continuity is family disruption and disorder, always best avoided...

Is this absolutely necessary? Absolutely not. But why do homelab just for the absolutely necessary? Techies will be techies. I have reached the point in Standard Operating Mode (OPNsense.bm in charge) where I can do this without physically swapping any cables by reconfiguring the front-end Smart Switch config file using PortVLAN mode (needing just a single switch) to make the OPNsense.bm server and Proxmox server swap places at level 2 bridging while guaranteeing that the WANs and LANs never get on the same networks. Likewise, the OPNsense and Proxmox config files require only a few simple updates, which I believe can be easily automated and scripted by copying from templates. Note: the use of VLANs is never seen outside of the switch, where all eight ports run in access mode - none of the other equipment is aware of the smart switch using internal VLANs.

The other key to this involves rigorously defining all Intranet and Private Network IP addresses independently of whether OPNsense.bm or OPNsense.Virt is in charge of the Intranet. This is important as my home network has 50+ devices, of which roughly 80% have been belatedly identified and defined in DHCP assignments, and the mysterious ones have at least been given DHCP placeholder names and addresses. I run a very tiny pool of DHCP addresses up for grabs. I have further extended fixed IP addresses to all routers, access points, and switches to support Standard Operating Mode and Maintenance Mode.

Setting up OPNsense on Proxmox has been a nightmare, but I think I finally got the hang of IP aliases layered through Proxmox host bridges and OPNsense in a VM. My out-of-the-mothballs Raspberry Pi 4 on the backend of the Private Network was doing fine until RaspAP started to bake it. With a new passively ventilated case, backend testing will resume. I am now finally ready to move on to the pay dirt and tackle the application VMs on Proxmox.

Quick tip: liberate the Proxmox Management GUI to use an IP address with "LISTEN_IP=x.x.x.x" in /etc/default/pveproxy rather than being stuck on the installation LAN device. That way the Management GUI becomes independent of a physical port or even the LAN network; it just has to be reachable from wherever you are.
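The role swap described above only stays transparent if OPNsense.bm and OPNsense.Virt hand out exactly the same addresses, so here is an added example (my own, not from cornfield's post) that checks two routers' DHCP reservation lists against each other and against the small dynamic pool. The reservation tuples, the LAN 192.168.10.0/24 and the pool range are constructed assumptions, not the poster's network, and the (mac, ip, hostname) format is a simplification rather than OPNsense's own export.

```python
import ipaddress

# Constructed sample reservations (mac, ip, hostname), one list per router:
# bm = bare-metal OPNsense, virt = the OPNsense VM on Proxmox. Not real data.
BM_RESERVATIONS = [
    ("aa:bb:cc:00:00:01", "192.168.10.10", "nas"),
    ("aa:bb:cc:00:00:02", "192.168.10.11", "homeassistant"),
    ("aa:bb:cc:00:00:03", "192.168.10.12", "jellyfin"),
    ("aa:bb:cc:00:00:04", "192.168.10.250", "unknown-04"),  # placeholder, but inside the pool
]
VIRT_RESERVATIONS = [
    ("aa:bb:cc:00:00:01", "192.168.10.10", "nas"),
    ("aa:bb:cc:00:00:02", "192.168.10.21", "homeassistant"),  # drifted from bm
    ("aa:bb:cc:00:00:05", "192.168.10.12", "printer"),        # reuses jellyfin's IP
]
# Assumed LAN and the small dynamic pool that reservations must stay out of.
LAN = ipaddress.ip_network("192.168.10.0/24")
POOL = (ipaddress.ip_address("192.168.10.240"), ipaddress.ip_address("192.168.10.254"))

def check_plan(bm, virt, lan=LAN, pool=POOL):
    """Return sorted problem strings; an empty list means both routers agree."""
    problems = []
    by_mac, by_ip = {}, {}  # mac -> {router: ip}, ip -> {router: mac}
    for router, entries in (("bm", bm), ("virt", virt)):
        for mac, ip, _host in entries:
            addr = ipaddress.ip_address(ip)
            if addr not in lan:
                problems.append(f"{router}: {mac} -> {ip} is outside {lan}")
            if pool[0] <= addr <= pool[1]:
                problems.append(f"{router}: {mac} -> {ip} sits inside the dynamic pool")
            if router in by_ip.get(ip, {}):
                problems.append(f"{router}: {ip} is reserved twice")
            by_mac.setdefault(mac, {})[router] = ip
            by_ip.setdefault(ip, {})[router] = mac
    # A device that swaps routers must keep its address: same MAC, same IP on both.
    for mac, per in sorted(by_mac.items()):
        if len(per) < 2:
            problems.append(f"{mac} has no reservation on {'virt' if 'bm' in per else 'bm'}")
        elif per["bm"] != per["virt"]:
            problems.append(f"{mac} differs: bm={per['bm']} virt={per['virt']}")
    # The same address must not be promised to different devices by the two routers.
    for ip, per in sorted(by_ip.items()):
        if len(per) == 2 and per["bm"] != per["virt"]:
            problems.append(f"{ip} maps to {per['bm']} on bm but {per['virt']} on virt")
    return sorted(problems)

if __name__ == "__main__":
    for line in check_plan(BM_RESERVATIONS, VIRT_RESERVATIONS):
        print(line)
```

Running it on the constructed lists reports six problems: the drifted homeassistant address, the jellyfin/printer address clash, three devices reserved on only one router, and the placeholder sitting inside the dynamic pool.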