jester/knowledge-base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix network model — subnets per vmbr bridge, not VLANs

Browse Source
This commit is contained in:
jester 2026-03-24 23:14:19 +00:00
parent a673534200
commit a62d49085a
1 changed files with 21 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
network/opnsense-checklist.md
View File

@ -14,24 +14,26 @@ should be worked through systematically.
| Router | Role | Status |
|--------|------|--------|
| Primary OPNsense | Core network routing, VLANs, WireGuard | Needs audit |
| Primary OPNsense | Core network routing, WireGuard | Needs audit |
| Secondary OPNsense | Failover / redundancy | Needs audit |
---
## VLAN Structure (Verify)
## Network Model
Expected VLANs — confirm these match actual config:
ZeroLagHub does not use VLANs. Each network is a separate subnet tied to a
dedicated Linux bridge (`vmbr`) on the Proxmox host. OPNsense routes between
these bridges.
| VLAN | Subnet | Purpose |
|------|--------|---------|
| Management | 10.60.0.0/24 | API, portal, core services |
| Game/Dev containers | 10.100.0.0/24 | LXC containers |
| Proxy/Edge | 10.70.0.0/24 | Traefik, zpack-proxy |
| WireGuard | 10.x.x.x/24 | Admin VPN access |
| Bridge | Subnet | Purpose |
|--------|--------|---------|
| vmbr? | 10.60.0.0/24 | Core services — API, portal, DNS, artifacts |
| vmbr? | 10.70.0.0/24 | Proxy/edge — Traefik, zpack-proxy |
| vmbr? | 10.100.0.0/24 | Game/dev containers — LXC |
| vmbr? | WireGuard range | Admin VPN access |
**Action:** Log into OPNsense dashboard and confirm actual VLAN assignments
match the above. Update this table if different.
**Action:** Fill in actual `vmbr` numbers from Proxmox network config.
Check: Proxmox → Node → Network tab.
---
@ -48,7 +50,7 @@ match the above. Update this table if different.
### Must be confirmed blocked:
- [ ] Direct container access from internet (no public IP on container VMs)
- [ ] Cross-VLAN access that bypasses API (containers cannot reach API directly)
- [ ] Containers cannot reach management subnet directly (should go via API)
---
@ -65,7 +67,7 @@ match the above. Update this table if different.
- [ ] Confirm whether CARP/VRRP is configured between primary and secondary
- [ ] Test failover: shut down primary router, verify traffic continues
- [ ] Confirm secondary has identical VLAN and firewall config
- [ ] Confirm secondary has identical interface and firewall config
- [ ] Document failover behavior — is it automatic or manual?
---
@ -110,11 +112,12 @@ nslookup zerolaghub.dev # DNS working
## Action Items (Priority Order)
1. Audit both router configs — document actual VLAN and firewall rules
2. Run connectivity matrix above and confirm all pass
3. Test WireGuard reconnect after router restart
4. Test failover between primary and secondary
5. Document any gaps found and remediate
1. Fill in actual `vmbr` numbers in network model table above
2. Audit both router configs — document actual interfaces and firewall rules
3. Run connectivity matrix above and confirm all pass
4. Test WireGuard reconnect after router restart
5. Test failover between primary and secondary
6. Document any gaps found and remediate
---