OPNsense Interface Plan
Firewall name
HQ-FW01
Interfaces
| Interface | Purpose | Bridge | IP / Mode |
|-----------|---------|--------|-----------|
| WAN | Internet/provider side | vmbr0 | DHCP or provider static |
| LAN | Lab internal trunk | vmbr1 | VLAN parent |
VLAN gateways
| VLAN | Name | Gateway |
|------|------|---------|
| 10 | Management | 172.20.10.1 |
| 20 | Servers | 172.20.20.1 |
| 30 | Workstations | 172.20.30.1 |
| 40 | Printers | 172.20.40.1 |
| 50 | Voice | 172.20.50.1 |
| 60 | Corporate WiFi | 172.20.60.1 |
| 70 | Guest | 172.20.70.1 |
| 80 | DMZ | 172.20.80.1 |
| 90 | Backup | 172.20.90.1 |
| 100 | Hypervisors | 172.20.100.1 |
Initial allowed flows
| Source | Destination | Purpose |
|--------|-------------|---------|
| Management | Servers | Administration |
| Workstations | HQ-DC01 | DNS, Kerberos, LDAP, SMB, domain services |
| Servers | Internet | Updates |
| Guest | Internet | Guest access only |
| Guest | Internal networks | Deny |
| DMZ | Internal networks | Deny by default |
| Backup | Servers | Backup traffic only |
Remote administration rule
Remote administration must enter through VPN or a controlled management path. RDP should not be exposed directly to the Internet.
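The flow table and the remote administration rule above can be checked before anything is typed into OPNsense by modelling the policy as a first-match rule list. The block below is an added example, not part of this plan and not OPNsense configuration syntax; it assumes each VLAN is a /24 around its listed gateway, uses a constructed placeholder address for HQ-DC01 inside the Servers VLAN, and narrows "domain services" to DNS, Kerberos, LDAP and SMB ports for illustration. The final audit function probes every VLAN for RDP reachable from an Internet source, which the plan says must be denied.

```python
"""Model HQ-FW01's initial flow policy and audit it (added example)."""
import ipaddress

# VLAN gateways from the plan, widened to /24 subnets (assumption: one /24 per VLAN).
ZONES = {
    "Management":     ipaddress.ip_network("172.20.10.0/24"),
    "Servers":        ipaddress.ip_network("172.20.20.0/24"),
    "Workstations":   ipaddress.ip_network("172.20.30.0/24"),
    "Printers":       ipaddress.ip_network("172.20.40.0/24"),
    "Voice":          ipaddress.ip_network("172.20.50.0/24"),
    "Corporate WiFi": ipaddress.ip_network("172.20.60.0/24"),
    "Guest":          ipaddress.ip_network("172.20.70.0/24"),
    "DMZ":            ipaddress.ip_network("172.20.80.0/24"),
    "Backup":         ipaddress.ip_network("172.20.90.0/24"),
    "Hypervisors":    ipaddress.ip_network("172.20.100.0/24"),
}

# Constructed placeholder: the plan does not give HQ-DC01's address.
HQ_DC01 = ipaddress.ip_address("172.20.20.10")

INTERNET = "internet"   # any address outside every plan VLAN
INTERNAL = "internal"   # any address inside any plan VLAN

# Ports assumed for "DNS, Kerberos, LDAP, SMB" (illustrative, not exhaustive).
DOMAIN_PORTS = {53, 88, 389, 445}

# First-match rules: (source zone, destination spec, allowed ports or None, action).
# Guest -> internal is listed before Guest -> internet so the deny wins.
RULES = [
    ("Management",   "Servers",  None,         "allow"),   # Administration
    ("Workstations", "HQ-DC01",  DOMAIN_PORTS, "allow"),   # Domain services
    ("Servers",      INTERNET,   None,         "allow"),   # Updates
    ("Guest",        INTERNAL,   None,         "deny"),    # Guest isolation
    ("Guest",        INTERNET,   None,         "allow"),   # Guest access only
    ("DMZ",          INTERNAL,   None,         "deny"),    # DMZ deny by default
    ("Backup",       "Servers",  None,         "allow"),   # Backup traffic only
]
DEFAULT_ACTION = "deny"   # anything the table does not list is dropped


def zone_of(ip):
    """Return the plan zone containing ip, or INTERNET if none does."""
    ip = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return INTERNET


def dst_matches(spec, ip):
    """True if destination ip satisfies a rule's destination spec."""
    if spec == "HQ-DC01":
        return ip == HQ_DC01
    if spec == INTERNAL:
        return zone_of(ip) != INTERNET
    return zone_of(ip) == spec          # named zone or INTERNET


def evaluate(src_ip, dst_ip, dport):
    """Return 'allow' or 'deny' for a flow under first-match semantics."""
    src_zone = zone_of(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for src, spec, ports, action in RULES:
        if src_zone != src:
            continue
        if not dst_matches(spec, dst):
            continue
        if ports is not None and dport not in ports:
            continue
        return action
    return DEFAULT_ACTION


def rdp_exposed_from_internet(probe_src="203.0.113.5"):
    """Zones in which a constructed host would accept RDP (3389) from the Internet.

    An empty list means the remote administration rule holds in the model.
    """
    exposed = []
    for name, net in ZONES.items():
        host = str(net.network_address + 10)   # constructed probe address per VLAN
        if evaluate(probe_src, host, 3389) == "allow":
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    print("Guest -> DC DNS:", evaluate("172.20.70.9", str(HQ_DC01), 53))
    print("RDP exposed from Internet:", rdp_exposed_from_internet())
```

Because the model defaults to deny, adding a rule later (for example a VPN-terminated management path) means adding an explicit tuple to RULES, and the RDP audit can be rerun to confirm the new rule does not widen Internet exposure.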