Setup guide Proxmox, Opnsense, HA, OpenWRT - eviltoast

So I bought a fanless firewall appliance with 4x2.5Gbps ports and I would like to setup Proxmox on two identical SSD drives. I also want to configure a bridge on my ISP router and then configure the router as a firewall on top of Proxmox. My plan is to install HA on top of Proxmox too.

My goal is to separate both my normal WiFi connection into two or even 3 VLANs, one for normal devices, one for IoT and a third for Guest VLAN. And I would like the Home Assistant to have access to both my normal SSID and IoT VLANs.

For the Access point I have a mesh router that doesn’t support VLANs and I was thinking temporary to repurpose an old Netgear R7800 and here I don’t know whether I should simply configure the Guest SSID to be for the IoT or repurpose the 2.4GHz network and leave the 5Ghz for normal devices. Currently on the WiFi router I have OpenWRT but I am also considering switching to Voxel?

Can you maybe recommend some tutorials with what settings and setup to use and if you had similar network setup to give me some hints on what to

  • SheeEttin@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 year ago

    You need two Proxmox nodes for HA.

    Virtual networking is also not a great idea in the homelab. It’s better if you do have HA, but even so, if you screw it up and break something in Proxmox, you’ll be without any network access to look for help online (except on your phone, so good luck retyping commands or transferring files).

  • Decronym@lemmy.decronym.xyzB
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    1 year ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    AP WiFi Access Point
    HA Home Assistant automation software
    ~ High Availability
    IP Internet Protocol
    IoT Internet of Things for device controllers
    MQTT Message Queue Telemetry Transport point-to-point networking
    SSD Solid State Drive mass storage

    6 acronyms in this thread; the most compressed thread commented on today has 5 acronyms.

    [Thread #245 for this sub, first seen 26th Oct 2023, 21:45] [FAQ] [Full list] [Contact] [Source code]

  • ChiefSinner@lemm.ee
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    In the realm of firewall applications, i use the following: ° Ipfire is easy to use, but lacks ipv6 support and it doesn’t have otp. It has lots of packages though.

    ° Alpine is good, if you don’t want a GUI or want to spend time figuring out how to build a web ui (really good for beginners as its mostly xml)

    ° openwrt is good fit for low end hardware (SPARC or arm processors mostly) but also works on x86.

    ° opnsense - like pfsense, but more up to date. Has some quirks in it (like if you block both incoming and outgoing, but just want to allow 80/443, the rules look weird…like the direction you have to allow is in, but destination is 80/443. Very strange bug that isn’t in pfsense).

    ° hardenedbsd firewall - literally just opnsense but with hbsd’s fully patched kernel. No repo though.

    That being said, you can make any distro a firewall, just use iptables/pf/ipfw/ipfilter rules through command line, and you can add anything in that distros repo you can think of.

  • wwwwhatever@lemmy.omat.nl
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Ok, so it is not that hard then I guess. Install proxmox on the appliance, then install two vm’s, HA and pfsense. Deal with further segmentation of your lan and the bridge to the router in pfsense.

    But if you ask me, drop the idea of vlans for appliances and keep it simple. Only make a guest network on WiFi, but using vlans is a pita, people want to stream to tv’s, use the app to control heating, etc. If you are concerned about appliances connecting to internet, just block internet access in OpenWRT or pfsense.

    • ChiefSinner@lemm.ee
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      1
      ·
      1 year ago

      Personally, I’d advise to use opnsense over pfsense. Opnsense kernels are more up to date, and the devs are less toxic.

      Ipfire is a Linux alternative that is easy to use, just no otp.

  • giacomo@lemm.ee
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    1
    ·
    1 year ago

    Can you list the devices you have and what you want each one to be doing?

    • filister@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      1
      ·
      1 year ago

      I have this fanless PC, and it has 4 ethernet ports, 2.5Gbps. I have equipped it with 2x2Tb of SSD and 32Gb of RAM.

      I have an ISP router, but it would only serve to bridge the WAN interfaces.

      I have Netgear with OpenWRT running on it.

      I want to install proxmox on the fanless PC and spin up Opnsense and Home assistant on it. The plan is to run a couple of containers but I consider them out of scope for now.

      I want to pass through the network interfaces to Opnsense directly as I have a Gbps Internet connection.

      The plan is to create a couple of VLANs, e.g.

      • 100 - home connection
      • 200 - IoT
      • 201 - Guest WiFi VLAN

      Here I am debating whether I need a fourth for the management interfaces of all services, but let’s say not for now.

      The WiFi router would be connected to one of the ports of the firewall appliance and it would need to have access to all three VLANs in tagged mode. I want to configure them on the Netgear R7800 running OpenWRT or Voxel, need to decide what’s better suited for my needs as I believe this router would only act as a dumb AP and all the networking and firewalling will be handled by Opnsense. Here the plan is to create three different SSIDs (Home WiFi, connected to VLAN 100 on 5GHz, IoT SSID for the IoT devices connected to VLAN 200 and running at 2.4GHz and a Guest SSID.

      My HomeAssistant VM should have access to both the VLAN 100 and 200. Eventually it should have management IP from VLAN 100 and also access to see all the IoT devices over VLAN 200.

      I know that’s not the best setup and I have one huge point of failure, but since I am living in Europe in a country where electricity is one of the most expensive, I wanted to minimise my cost over time. I specifically bought a fanless firewall appliance that is using N100 CPU and through some BIOS tweaks I managed to reduce the idle power consumption to 9 Watts, as I don’t want my annual electricity bill to balloon by adding a couple of devices. Alternatively I also have a Raspberry Pi but I would prefer not to use it, to save on electricity costs.

      My goal is to try this setup for a couple of days and in the worst case I can always revert to the old setup.

      • NeoNachtwaechter@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        1 year ago

        Your MQTT broker for IoT lives in your IoT VLAN, obviously.

        Assuming your Home Assistant webfrontend lives in your “home” VLAN (otherwise you can’t get all the fancy controls). Then how are these two talking to each other?

        • filister@lemmy.worldOP
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          1
          ·
          1 year ago

          That’s the question? If the device has access to both VLANs I presume I would be able to configure the Management interface to be on VLAN 100 while everything else is on VLAN 200 Is it that hard to configure?