Building a Zero-Trust Homelab Network with VLANs and OPNsense
In today’s interconnected world, securing your home lab is not just about protecting against external threats; it's also about ensuring that internal components don’t inadvertently cause damage or expose sensitive data. A zero-trust network architecture can help achieve this by segmenting your homelab into isolated segments, each with its own security policies and access controls.
This deep dive covers how to build a robust zero-trust homelab using VLANs for segmentation and OPNsense as the firewall platform. We’ll walk through setting up VLANs on your switch, configuring OPNsense to enforce strict access rules, and integrating these systems to create a secure network environment that even enterprise IT departments would envy.
Segmenting Your Homelab with VLANs
The first step in building a zero-trust homelab is to split it into distinct segments using VLANs. VLANs logically separate traffic on your switch, so devices in one VLAN cannot communicate directly with those in another unless a firewall rule explicitly allows it.
Configuring VLANs on Your Switch
For this example, let’s assume you have a Proxmox cluster and several lab servers connected to a managed switch (VLAN tagging requires a managed switch; an unmanaged one cannot do it). You want to create three VLANs: one for the management network (VLAN 10), one for the production environment (VLAN 20), and another for testing (VLAN 30).
Example Configuration on a Managed Switch
Below is an example configuration in Cisco IOS-style syntax (a Netgear ProSafe managed switch uses a different CLI vocabulary, but the steps are the same: create the VLANs, make each access port an untagged member of exactly one VLAN, and carry all VLANs tagged on the uplink towards the firewall):
# Enter configuration mode and create the VLANs
configure terminal
vlan 10
 name management
vlan 20
 name production
vlan 30
 name testing
exit
# Assign ports to their VLANs as untagged access ports
interface gigabitethernet 0/1
 switchport mode access
 switchport access vlan 10
interface gigabitethernet 0/2
 switchport mode access
 switchport access vlan 20
interface gigabitethernet 0/3
 switchport mode access
 switchport access vlan 30
# Uplink towards OPNsense (port number assumed): tag all three VLANs on a trunk
interface gigabitethernet 0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
end
Configuring VLANs on a Proxmox Node
If you’re using a Proxmox node to handle VLAN tagging, configure the network interfaces accordingly:
# Create VLAN interfaces in /etc/network/interfaces.d/51-netcfg.cfg
# Tagged sub-interface for VLAN 10 on the physical NIC
auto eth0.10
iface eth0.10 inet manual
    vlan-raw-device eth0
# Bridge for VMs on VLAN 10; the address is this node's own address on the
# segment and must not collide with the OPNsense interface address for VLAN 10
auto vmbr10
iface vmbr10 inet static
    address 192.168.10.1/24
    bridge-ports eth0.10
    bridge-stp off
    bridge-fd 0
# Repeat for VLANs 20 and 30 (eth0.20/vmbr20 and eth0.30/vmbr30)
Restart networking services to apply the changes (on Proxmox with ifupdown2, ifreload -a applies them without a full restart):
systemctl restart networking
Configuring OPNsense as Your Firewall
OPNsense is a powerful open-source firewall based on FreeBSD. It offers a user-friendly interface and robust security features, making it ideal for homelab environments.
Setting Up VLAN Interfaces in OPNsense
To use VLANs with OPNsense, create a VLAN subinterface on the physical interface that carries the tagged trunk from your switch, then assign each one:
1. Log in to your OPNsense web UI.
2. Navigate to Interfaces > Assignments and click Add Interface.
3. Choose VLAN Subinterface for each of your VLANs (management, production, testing).
4. Enter appropriate IP addresses for each interface; this address is the gateway the hosts in that VLAN use.
Configuring Security Policies
Next, configure security policies to enforce zero-trust principles. OPNsense evaluates the rules on an interface top to bottom and applies the first match, and the rules on an interface tab only see traffic entering the firewall from that interface, so a catch-all block rule like the one below goes at the bottom of the list, beneath any pass rules, and every VLAN interface gets its own set.
Example Configuration: Blocking Unwanted Traffic
# OPNsense Firewall Rule in Rules > LAN
Action: Block
Interface: LAN (VLAN 10)
Source: any
Destination: any
Protocol: any
Description: Block all traffic not explicitly allowed
Enforcing Access Control Lists (ACLs)
Create ACLs to allow only necessary services and limit access between segments:
# OPNsense Firewall Rule in Rules > LAN
Action: Pass
Interface: LAN (VLAN 10)
Source: 192.168.10.0/24
Destination: 192.168.20.0/24
Protocol: TCP
Port(s): 22
Description: Allow SSH from management to production network
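To see how the block rule and the pass rule above interact, here is an added example, not part of the original article and not OPNsense code, that models first-match evaluation in Python over those two rules with constructed sample flows; the testing subnet 192.168.30.0/24 is an assumption, since the article gives addresses only for VLANs 10 and 20.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of the two VLAN 10 rules from this article. OPNsense (pf)
# evaluates an interface's rules top to bottom and applies the first match.
@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    src: str               # CIDR network or "any"
    dst: str               # CIDR network or "any"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None means any port
    description: str

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        def in_net(ip: str, net: str) -> bool:
            return net == "any" or ip_address(ip) in ip_network(net)
        return (in_net(src_ip, self.src) and in_net(dst_ip, self.dst)
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))

# Order matters: the specific pass rule must sit above the catch-all block.
VLAN10_RULES = [
    Rule("pass", "192.168.10.0/24", "192.168.20.0/24", "tcp", 22,
         "Allow SSH from management to production network"),
    Rule("block", "any", "any", "any", None,
         "Block all traffic not explicitly allowed"),
]

def evaluate(rules, src_ip, dst_ip, proto, dport):
    """Return (action, description) of the first matching rule, or the
    implicit default deny that OPNsense applies when nothing matches."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action, rule.description
    return "block", "implicit default deny"

if __name__ == "__main__":
    # Constructed flows entering the firewall on VLAN 10; 192.168.30.0/24 for
    # the testing VLAN is assumed, the article only gives VLANs 10 and 20.
    flows = [
        ("192.168.10.5", "192.168.20.5", "tcp", 22),   # sanctioned admin SSH
        ("192.168.10.5", "192.168.20.5", "tcp", 80),   # HTTP is not allowed
        ("192.168.10.5", "192.168.30.9", "tcp", 22),   # no rule towards testing
    ]
    for flow in flows:
        print(flow, "->", evaluate(VLAN10_RULES, *flow))
```

Swapping the two rules puts the catch-all block first and denies the SSH flow as well, which is the ordering mistake the page's rule layout has to avoid.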
Logging and Monitoring
Enable logging for critical interfaces and rules:
# OPNsense in Firewall > Settings
Log packets for selected rules with 'log' option enabled.
Integrating VLANs and OPNsense for Zero-Trust Security
Now that you have VLANs and firewall rules configured, connect the two halves:
1. Carry each VLAN from your switch or Proxmox node to the OPNsense firewall: tagged on a trunk port if you created VLAN subinterfaces in OPNsense, or on one physical port per VLAN otherwise.
2. Ensure the IP addressing within each segment matches the VLAN configuration, with the OPNsense interface address of each VLAN serving as that segment's gateway.
Example: Network Diagram
+-------------+       +-----------------+
|   Switch    |------>|  Proxmox Node   |
|  (VLAN 10)  |       |                 |
+-------------+       +-----------------+
       |
       v
+-------------------+
| OPNsense Firewall |
|                   |
+-------------------+
Configuring NAT and Port Forwarding
If you need external access to services within your homelab, add a port forward. Keep each forward narrowly scoped to one port and one internal host, and log it, since every forward is a deliberate hole in the segmentation:
# OPNsense in Firewall > NAT > Port Forward
Type: Port Forward
Interface: WAN
Protocol: TCP
External IP: <WAN_IP>
External port(s): 80
Internal IP: 192.168.20.5 (production server)
Internal port(s): 80
Description: Allow HTTP access to production web server
Bottom Line
Implementing a zero-trust architecture in your homelab with VLANs and OPNsense is essential for maintaining robust security. By logically separating network segments, you minimize the blast radius of potential breaches. OPNsense provides an easy-to-manage interface for setting up comprehensive firewall rules that enforce strict access policies.
Remember to continuously monitor and update your configurations as needed. This setup ensures your homelab remains secure while offering flexibility and scalability for future projects.