jester/knowledge-base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix network model — subnets per vmbr bridge, not VLANs

Browse Source
This commit is contained in:
jester 2026-03-24 23:14:19 +00:00
parent a673534200
commit a62d49085a
1 changed files with 21 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
network/opnsense-checklist.md
View File

@ -14,24 +14,26 @@ should be worked through systematically.
| Router | Role | Status | | Router | Role | Status |
|--------|------|--------| |--------|------|--------|
| Primary OPNsense | Core network routing, VLANs, WireGuard | Needs audit | | Primary OPNsense | Core network routing, WireGuard | Needs audit |
| Secondary OPNsense | Failover / redundancy | Needs audit | | Secondary OPNsense | Failover / redundancy | Needs audit |
--- ---
## VLAN Structure (Verify) ## Network Model
Expected VLANs — confirm these match actual config: ZeroLagHub does not use VLANs. Each network is a separate subnet tied to a
dedicated Linux bridge (`vmbr`) on the Proxmox host. OPNsense routes between
these bridges.
| VLAN | Subnet | Purpose | | Bridge | Subnet | Purpose |
|------|--------|---------| |--------|--------|---------|
| Management | 10.60.0.0/24 | API, portal, core services | | vmbr? | 10.60.0.0/24 | Core services — API, portal, DNS, artifacts |
| Game/Dev containers | 10.100.0.0/24 | LXC containers | | vmbr? | 10.70.0.0/24 | Proxy/edge — Traefik, zpack-proxy |
| Proxy/Edge | 10.70.0.0/24 | Traefik, zpack-proxy | | vmbr? | 10.100.0.0/24 | Game/dev containers — LXC |
| WireGuard | 10.x.x.x/24 | Admin VPN access | | vmbr? | WireGuard range | Admin VPN access |
**Action:** Log into OPNsense dashboard and confirm actual VLAN assignments **Action:** Fill in actual `vmbr` numbers from Proxmox network config.
match the above. Update this table if different. Check: Proxmox → Node → Network tab.
--- ---
@ -48,7 +50,7 @@ match the above. Update this table if different.
### Must be confirmed blocked: ### Must be confirmed blocked:
- [ ] Direct container access from internet (no public IP on container VMs) - [ ] Direct container access from internet (no public IP on container VMs)
- [ ] Cross-VLAN access that bypasses API (containers cannot reach API directly) - [ ] Containers cannot reach management subnet directly (should go via API)
--- ---
@ -65,7 +67,7 @@ match the above. Update this table if different.
- [ ] Confirm whether CARP/VRRP is configured between primary and secondary - [ ] Confirm whether CARP/VRRP is configured between primary and secondary
- [ ] Test failover: shut down primary router, verify traffic continues - [ ] Test failover: shut down primary router, verify traffic continues
- [ ] Confirm secondary has identical VLAN and firewall config - [ ] Confirm secondary has identical interface and firewall config
- [ ] Document failover behavior — is it automatic or manual? - [ ] Document failover behavior — is it automatic or manual?
--- ---
@ -110,11 +112,12 @@ nslookup zerolaghub.dev # DNS working
## Action Items (Priority Order) ## Action Items (Priority Order)
1. Audit both router configs — document actual VLAN and firewall rules 1. Fill in actual `vmbr` numbers in network model table above
2. Run connectivity matrix above and confirm all pass 2. Audit both router configs — document actual interfaces and firewall rules
3. Test WireGuard reconnect after router restart 3. Run connectivity matrix above and confirm all pass
4. Test failover between primary and secondary 4. Test WireGuard reconnect after router restart
5. Document any gaps found and remediate 5. Test failover between primary and secondary
6. Document any gaps found and remediate
--- ---