Originally I planned to write out this whole configuration, but I came to realize I have basically written out everything already.
So I decided the approach should instead be to snapshot my configuration in a text form and explain my reasoning so I have sort of a mental map of where I’m at currently.
So here it is!
TAIL - VPN interface
Description
This is the VPN interface for Tailscale remote access (and at-home access to bypass firewall rules).
Firewall rules
- Default allow any ingress
Other
- NAT outbound (2x, one for IPv4 and one for IPv6)
- Interface: WAN
- Source: MGMT net
- Translation target: interface address
- Static-port: checked
USER - VLAN 10
Description
This is the trusted VLAN for end-user devices - laptops, desktops, phones.
Information
- Subnet:
10.0.10.0/24 - Services: Unbound DNS, ISC DHCPv4
Firewall rules
- Default allow any ingress
MGMT - VLAN 99
Description
This is the VLAN for all management interfaces on the network, such as router, switch, WAP, KVMs.
Information
- Subnet:
10.0.99.0/24 - Services: Unbound DNS, ISC DHCPv4
Firewall rules
- Allow MGMT traffic egress (internal communication)
- Allow TAIL traffic egress
- Allow SERVER traffic egress
- Block all other RFC1918 traffic egress
- Default allow any ingress
SERVER - VLAN 20
Description
This is the VLAN for all services offered on the LAN.
Information
- Subnet:
10.0.20.0/24 - Services: Unbound DNS
Firewall rules
- Allow SERVER traffic egress (internal communication)
- Allow MGMT traffic egress
- Allow USER traffic egress
- Block all other RFC1918 traffic egress
- Default allow any ingress
GAME - VLAN 30
Description
This is the VLAN for all gaming devices or consoles. Specifically isolated because of the NAT rules required.
Information
- Subnet:
10.0.30.0/24 - Services: Unbound DNS, ISC DHCPv4, UPnP
Firewall rules
- Allow SERVER traffic egress (internal communication)
- Allow MGMT traffic egress
- Allow USER traffic egress
- Block all other RFC1918 traffic egress
- Default allow any ingress
Other
- NAT outbound
- Interface: WAN
- Protocol: UDP
- Source: GAME net
- Translation target: WAN address
- Static-port: checked
IOT - VLAN 40
Description
This is the VLAN for all LAN devices that need internal communication, but not internet access. Smart TVs or printers is the list at this point, although I have this ready to go for the future.
Information
- Subnet:
10.0.40.0/24 - Services: ISC DHCPv4
Firewall rules
- Allow RFC1918 ingress only
MINE - VLAN 50
Description
This is the VLAN for cryptomining. It is isolated due to the port forwarding rules necessary.
Information
- Subnet:
10.0.50.0/24 - Services: Unbound DNS, UPnP
Firewall rules
- Allow DNS and DoT
- Allow MINE net ingress (internal communication)
- Allow all except RFC1918
Other
- NAT Port Forward (3x rules, one for each port)
- Interface: WAN
- Protocol: TCP
- Destination: WAN address
- Destination port range:
18080,37888,37889 - Redirect target IP:
10.0.50.10 - Redirect target port:
18080,37888,37889
GUEST - VLAN 90
Description
This is the VLAN for the untrusted guest WLAN. Anyone who comes over gets this wifi password.
Information
- Subnet:
10.0.90.0/24 - Services: Unbound DNS, ISC DHCPv4
Firewall rules
- Allow DNS and DoT
- Allow all except RFC1918
Other
DNS redirection rule
This is a port forward rule to catch any rogue DNS requests and redirect them to ensure all DNS passes through my Unbound blocklist. It catches any request over port 53 that’s not bound for a local address and redirects it to the router.
- NAT Port Forward
- Interfaces: GAME GUEST MGMT MINE SERVER TAIL USER
- Protocol: TCP/UDP
- Destination / invert: checked
- Destination: RFC1918
- Destination port range: DNS
- Redirect target IP:
127.0.0.1 - Redirect target port: DNS
RFC1918 alias
A convenient alias for all local networks as defined by RFC1918. Its contents are as follows:
10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
EOF