Core Network Up and Running

CornfieldWin

Regular Contributor
For the TL;DR types with short attention spans: read the headings. The interesting stuff is in PortVLAN configuration [2] and [3] to soft control altering the home "electrical" level network topology (there is an implicit Level 0 in the OSI model).

1. Core network physical and logical topology established: The core network as described in my signature is now fully functional and configured by the managed switch in PortVLAN mode to be in the standard home network operating mode. It consists of the Internet WAN access into bare metal OPNsense and the main home network on the OPNsense LAN with the ASUS AX88U Pro and an AX5400 in AP and AiMesh mode backhauled with Cat 8 cable (use what you have, eh), and the (next step) Proxmox server currently running Windows co-resident with ASUS routers but soon to be reconfigured as the main Proxmox-controlled home application server and backup router.

2. Optional Maintenance Mode for working on OPNsense and for hardware redundancy if the bare metal OPNsense server fails hard: Using the smart switch in PortVLAN mode, its GUI can reconfigure with ease and no physical wire re-plugging (electrical alteration) the main home network into Proxmox First Maintenance mode. The virtualized OPNsense in Proxmox takes over for the home network routing and the bare metal OPNsense is nested behind it for isolated testing. This guarantees uninterrupted home network operation for critical maintenance and testing of OPNsense before switching back to standard operating mode with bare metal OPNsense first. Is this overkill? Certainly, but priceless for the sake of family peace.

3. Bare metal OPNsense versus virtualized OPNsense: Why not both? There is vigorous debate in the OPNsense community between the virtues of bare metal and virtualized OPNsense in Proxmox using VM or LXC containers (tbd). I lean towards bare metal OPNsense for isolation of concerns and reduced attack surface, continuity, and maybe performance, but that is not a big factor. I will use virtualized OPNsense for backup when doing things that have already bitten me, largely due to inadequate knowledge (and/or dumb mistakes) only rectified the hard way. The network configurations are synchronized, especially DHCP hosts and ranges. That is no big deal since all of that is well documented in external CSV files using the IP address management policy to identify and assign every single known device (>50) by DHCP hosts assignment, thus simulating fixed IP addresses as far as possible. Later I may develop further subnet and VLAN policy for the ASUS radios (Wi-Fi SSIDs) but performance already is superb. This standard network configuration is already running 25% faster measured over Wi-Fi than it did using only the ASUS routers in router mode, nearly reaching incoming ISP service speed.

4. Future proofing: All core home network hardware including the home application server can be easily replaced by other vendors' equipment at any time. The home network and application software is highly configurable and almost exclusively open source (optimized by device driver). It can be easily substituted while being well documented online for further learning and research.

5. Open issues: cannot fully test switching over without the virtualized OPNsense in place, but since standard configuration works, there is no reason to think that maintenance configuration will not. Switching DHCP servers on the fly may cause some confusion even with consistent assigned IP addresses handed out, especially in the dhcpd.leases file. But it is largely passive and believed to not (much) affect clients. I will also swap assigned IP addresses of the bare metal and Proxmox servers to keep the LAN gateway address consistent. It may be necessary to power recycle (or reset) every network device in the core network. Fingers crossed if unexpected software controlled network issues arise.
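
A drift check for the synchronized DHCP host lists mentioned in points 3 and 5, as an added example that is not part of the original post: it compares two CSV exports of static mappings and reports any device that would get a different address, or any address that would change owner, after switching DHCP servers. The column names (`hostname`, `mac`, `ip`), the LAN subnet, and all sample rows are constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample exports; the hostname/mac/ip columns are assumed, not from the post.
PRIMARY_CSV = """hostname,mac,ip
nas,AA:BB:CC:00:00:01,192.168.1.10
printer,AA:BB:CC:00:00:02,192.168.1.11
tv,AA:BB:CC:00:00:03,192.168.1.12
"""
BACKUP_CSV = """hostname,mac,ip
nas,aa-bb-cc-00-00-01,192.168.1.10
printer,AA:BB:CC:00:00:02,192.168.1.21
cam,AA:BB:CC:00:00:04,192.168.1.12
"""
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN subnet

def norm_mac(mac):
    # Treat AA-BB-.. and aa:bb:.. as the same hardware address.
    return mac.strip().lower().replace("-", ":")

def load(text):
    """Parse one export; return ({mac: ip}, problems found inside that file)."""
    table, problems, ip_owner = {}, [], {}
    for row in csv.DictReader(io.StringIO(text)):
        mac, ip = norm_mac(row["mac"]), ipaddress.ip_address(row["ip"].strip())
        if ip not in LAN:
            problems.append(f"{mac}: {ip} outside {LAN}")
        if mac in table:
            problems.append(f"{mac}: duplicate MAC entry")
        if ip_owner.setdefault(ip, mac) != mac:
            problems.append(f"{ip}: assigned to {ip_owner[ip]} and {mac}")
        table[mac] = ip
    return table, problems

def drift(primary_text, backup_text):
    """List every difference that would surface when the DHCP server is switched."""
    a, pa = load(primary_text)
    b, pb = load(backup_text)
    findings = [f"primary: {p}" for p in pa] + [f"backup: {p}" for p in pb]
    for mac in sorted(a.keys() | b.keys()):
        if a.get(mac) != b.get(mac):  # missing on one side shows as None
            findings.append(f"{mac}: primary={a.get(mac)} backup={b.get(mac)}")
    b_owner = {ip: mac for mac, ip in b.items()}
    for mac, ip in sorted(a.items()):
        if b_owner.get(ip, mac) != mac:  # same IP, different device after failover
            findings.append(f"{ip}: {mac} on primary, {b_owner[ip]} on backup")
    return findings

if __name__ == "__main__":
    print("\n".join(drift(PRIMARY_CSV, BACKUP_CSV)))
```

An empty result means both servers hand every known device the same address, which is the condition under which existing leases stay valid across the switch.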