Sanity Checking My "Stick" Setup

Started by Indianb0y016, May 28, 2024, 05:58:18 AM

May 28, 2024, 05:58:18 AM Last Edit: May 28, 2024, 06:06:12 AM by Indianb0y016
Hello all! Been using this great software for quite some time now. Financial constraints have prevented me from really being able to splurge and get some adequate hardware to really streamline the setup, but over time, I have been able to collect some better gear. A lightning storm has damaged my previous equipment, and I have acquired a new managed switch, and a used HP EliteDesk 80 G2.
With this being said, I am wanting to make sure my setup is something that is still technically appropriate for SOHO.
In essence, my understanding is that it's a router on a stick setup.

From the ONT, a Cat5e cable is connected to port 1 on the managed switch, and a cable is connected to the OPNSense computer via port 2. Port 3 is connected to an unmanaged switch.
On the managed switch, Ports 2, 3, 4, and 5 are a part of VLAN 1, and all ports are untagged. This is for the LAN. In OPNsense, the LAN is assigned to use the hardware NIC port, em0 for example.
Additionally, the managed switch has a second VLAN (ID 2), which only includes Port 1 and 2. Port 2 is tagged in this VLAN and Port 1 is untagged. In OPNsense, the WAN interface is assigned to VLAN 2, tagged 2 (em0_vlan2).

From there, my LAN has worked flawlessly and WAN also works. OPNsense Unbound serves as the LAN DNS, and all is well.

However, I have been reading a little bit more, and now I'm doubtful if this is a safe setup. Although I have not encountered any issues, I would like to double check if this is mostly secure and an acceptable setup. Are there any other ways I should tackle this, or is it fine as is? Any tips on how I can improve this, or is this also fine as is?

Thank you kindly all and I hope you are doing well!
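
A consistency check for the switch table described in the post, written as an added example (not code from the post or from OPNsense): the port numbers, VLAN IDs and interface names come from the post, while the table format and the generic "factory default leaves every port in VLAN 1" case it also catches are assumptions.

```python
"""Check a router-on-a-stick switch VLAN table for the layout in the post.

Assumed model: each port has one untagged VLAN (its PVID) plus a set of
tagged VLANs, which is how most managed switches present membership."""

LAN_VLAN = 1   # untagged on the LAN ports and on the OPNsense port (em0)
WAN_VLAN = 2   # untagged on the ONT port, tagged on the OPNsense port (em0_vlan2)
ONT_PORT = 1
FW_PORT = 2    # the single NIC of the OPNsense box

# Membership table as described in the post: port -> (untagged VLAN, tagged VLANs)
SWITCH_AS_POSTED = {
    1: (2, set()),
    2: (1, {2}),
    3: (1, set()),
    4: (1, set()),
    5: (1, set()),
}


def check_vlan_table(table, lan=LAN_VLAN, wan=WAN_VLAN, ont=ONT_PORT, fw=FW_PORT):
    """Return a list of findings; an empty list means the table is consistent."""
    findings = []
    for port, (untagged, tagged) in table.items():
        members = {untagged} | tagged
        # Only the ONT port and the firewall port may carry the WAN VLAN;
        # any other member sits on the ISP-facing segment, outside the firewall.
        if wan in members and port not in (ont, fw):
            findings.append(f"port {port}: carries WAN VLAN {wan}")
        # The ONT port must not be a LAN member. Leaving it in the switch's
        # default VLAN 1 is the classic way LAN frames reach the ISP side.
        if port == ont and lan in members:
            findings.append(f"port {port}: ONT port is a member of LAN VLAN {lan}")
        # WAN traffic is untagged only towards the ONT, which does not speak 802.1Q.
        if untagged == wan and port != ont:
            findings.append(f"port {port}: WAN VLAN {wan} untagged on a non-ONT port")
    fw_untagged, fw_tagged = table[fw]
    # The firewall port must match em0 (LAN untagged) plus em0_vlan2 (WAN tagged).
    if fw_untagged != lan or wan not in fw_tagged:
        findings.append(f"port {fw}: expected LAN untagged and WAN tagged for em0/em0_vlan{wan}")
    return findings


if __name__ == "__main__":
    print(check_vlan_table(SWITCH_AS_POSTED) or "table matches the router-on-a-stick layout")
```

Re-run the check whenever the switch is reset or re-provisioned, since a factory reset typically puts every port back into untagged VLAN 1.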

Nothing wrong with VLAN separation instead of physical interfaces. I run OPNsense on a single NIC machine.

You may want to consider running a hypervisor such as Proxmox so you can separate DNS from the firewall to reduce the attack surface. This will also let you snapshot before updates, although that improves availability more than security.

That is dependent on the amount of RAM in the HP, you'd want at least 8 GB for an OPNsense VM and something like a Pi-hole LXC.

Bart...

Quote from: bartjsmit on May 28, 2024, 08:28:16 AM
Nothing wrong with VLAN separation instead of physical interfaces. I run OPNsense on a single NIC machine.

You may want to consider running a hypervisor such as Proxmox so you can separate DNS from the firewall to reduce the attack surface. This will also let you snapshot before updates, although that improves availability more than security.

That is dependent on the amount of RAM in the HP, you'd want at least 8 GB for an OPNsense VM and something like a Pi-hole LXC.

Bart...

Many thanks for the helpful info Bart!
It's good to know that I at least got the VLAN setup mostly correct. I am still grasping the concepts of these kinds of network tech, so I am still learning the basics, but I think I am getting there.
As for the hypervisor setup, I read a lot of conflicting info on the practice: many suggest running the firewall on separate bare metal, while others say it's just fine to run it in a hypervisor, but the risk is up to user responsibility, which is also fine by me.
I managed to snag this HP machine for about 45 USD, and it came with a Skylake i5, 8 gigs of RAM, and the ever important Intel NIC. I do have another machine running Proxmox, which hosts my home automation software and other services. I have the internet based services relegated to the OPNsense machine, running the firewall, Unbound DNS, and Caddy reverse proxy.
While the setup hasn't given me many issues, I have come across hostname resolution issues from changing IP addresses. But that is relatively small and only an issue with seldom used computers.
I will investigate the options of using Proxmox on the HP machine, as it is stupidly underutilized for its purpose. I only have 500/500 internet speeds, and my LAN is wired for 1G only, so the machine is hardly breaking a sweat.

I know the risk of virtual firewalls but modern hypervisors are very good at workload isolation, much like modern switches' VLAN separation amply meets the security requirements for the likes of us ;)

A Proxmox cluster will mitigate the impact of hardware failures, upgrades, etc. Not that you should expect many issues with HP SFF hardware; they are very well designed.

Bart...