OPNsense / UniFi / Proxmox Handoff
How OPNsense fronts the demoted UniFi routers at each site: VLAN 253 transit wiring, the double-NAT model for user devices, Proxmox network zone placement, firewall zone rules, and optional cross-zone routing.
OPNsense sits upstream of the existing UniFi routers at both sites, creating two distinct network zones at each location. This page documents the VLAN 253 transit link that wires each UniFi router WAN to OPNsense, the accepted double-NAT model, Proxmox network zone placement, firewall zone rules, and the optional static routes needed when OPNsense-side infrastructure must reach UniFi-side devices.
Two-Zone Topology
Each site splits traffic into two logical zones rooted at OPNsense.
```
ISP / ONT
  |
OPNsense (sa-fw-01 / sb-fw-01)
  |
Core infrastructure switch
  |-- Proxmox hosts / OpenShift / storage / PBS
  |-- UniFi router WAN (VLAN 253)
        |
        Existing UniFi LAN / Wi-Fi / users
```

- OPNsense-side infrastructure zone — Proxmox, OpenShift, ZFS storage, Proxmox Backup Server (PBS), DNS, monitoring, and the WireGuard site-to-site tunnel. All infrastructure hosts connect here.
- UniFi-side user zone — the existing UniFi router, its LAN VLANs, DHCP, Wi-Fi, and user devices. UniFi configuration is left untouched.
Proxmox and OpenShift must not sit behind UniFi
All Proxmox nodes and OpenShift clusters must connect directly to the OPNsense-side network. Never place infrastructure behind the UniFi router — not even temporarily.
Double NAT is intentional
User devices behind UniFi traverse two NAT layers: UniFi NAT → OPNsense NAT → internet. This is a deliberate trade-off to preserve the existing UniFi user setup without reconfiguration. It is not a misconfiguration.
UniFi WAN Transit (VLAN 253)
VLAN 253 (UniFi WAN transit) is the dedicated /24 that wires each demoted UniFi router's WAN port to OPNsense. OPNsense holds .1 as the gateway; the UniFi router WAN takes .2.
| | Site A | Site B |
|---|---|---|
| OPNsense VLAN 253 gateway | 10.10.253.1/24 | 10.20.253.1/24 |
| UniFi router WAN | 10.10.253.2/24 | 10.20.253.2/24 |
| UniFi WAN default gateway | 10.10.253.1 | 10.20.253.1 |
Configure the UniFi router WAN interface as a static IP (10.x0.253.2/24) pointing at 10.x0.253.1 as the default gateway. DNS on the UniFi WAN can point to 10.x0.253.1 (OPNsense Unbound) or a public resolver — the existing UniFi LAN, DHCP, and Wi-Fi configuration on the UniFi side requires no changes.
OPNsense outbound NAT covers the UniFi transit
UniFi-side traffic reaches the internet through OPNsense NAT. No additional NAT rules are required on the UniFi router beyond its own existing LAN masquerade.
Proxmox-Side Networking
Proxmox management runs on VLAN 20 (10.10.20.0/24 at Site A, 10.20.20.0/24 at Site B). The OPNsense L3 gateway at .1 is the default route for every Proxmox host on this VLAN.
Corosync and storage/replication VLANs carry no default gateway — their traffic must remain local to the site switch fabric and must never be routed across WireGuard.
| VLAN | Name | GW |
|---|---|---|
| 25 | Corosync heartbeat | no GW |
| 65 | Ceph cluster | no GW |
Configure Proxmox node interfaces on VLANs 25, 60, 65, and 90 with no gateway — only the VLAN 20 management interface carries the default route. The full VLAN list with subnets and gateway assignments is on the VLAN Reference page.
Use routed VLANs, not a flat /16
Each site's /16 allocation (10.10.0.0/16 Site A, 10.20.0.0/16 Site B) is a summary for routing — not a single flat broadcast domain. Break it into routed VLANs inside OPNsense. A flat /16 generates unnecessary ARP/broadcast noise, weakens security boundaries, and makes OpenShift cluster isolation harder.
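The interface layout described above, rendered as a Proxmox ifupdown configuration by an added example script (not the project's own tooling). It takes the per-node VLAN plan, refuses to emit a configuration where any VLAN other than 20 carries a default gateway, and renders VLAN sub-interfaces on a VLAN-aware bridge. The node address 10.10.20.11, the uplink name eno1, and the 10.10.25.0/24 and 10.10.65.0/24 subnets for VLANs 25 and 65 are assumptions; the page only fixes VLAN 20's subnet and gateway.

```python
"""Render /etc/network/interfaces for a Site A Proxmox node (added example)."""
from ipaddress import ip_interface

MGMT_VLAN = 20

# Per-node VLAN plan. VLAN 20's subnet and .1 gateway are from the page; the
# 10.10.<vlan>.0/24 subnets for VLANs 25 and 65 follow that pattern and are assumed.
VLAN_PLAN = [
    # (vlan id, role, node address, carries the default gateway?)
    (20, "Proxmox management", "10.10.20.11/24", True),
    (25, "Corosync heartbeat", "10.10.25.11/24", False),
    (65, "Ceph cluster", "10.10.65.11/24", False),
]


def gateway_vlans(plan):
    """VLAN ids in the plan that are flagged to carry a default gateway."""
    return [vlan for vlan, _, _, has_gw in plan if has_gw]


def render_interfaces(plan, uplink="eno1", bridge="vmbr0"):
    """Render ifupdown stanzas; only the management VLAN may carry a gateway."""
    flagged = gateway_vlans(plan)
    if flagged != [MGMT_VLAN]:
        raise ValueError(f"only VLAN {MGMT_VLAN} may carry the default gateway, got {flagged}")
    lines = [
        f"auto {uplink}", f"iface {uplink} inet manual", "",
        # VLAN-aware bridge carrying all tagged VLANs from the site switch
        f"auto {bridge}", f"iface {bridge} inet manual",
        f"    bridge-ports {uplink}", "    bridge-stp off", "    bridge-fd 0",
        "    bridge-vlan-aware yes", "    bridge-vids 2-4094", "",
    ]
    for vlan, role, addr, has_gw in plan:
        iface = ip_interface(addr)
        note = "" if has_gw else " (no gateway, site-local only)"
        lines += [f"# VLAN {vlan}: {role}{note}",
                  f"auto {bridge}.{vlan}", f"iface {bridge}.{vlan} inet static",
                  f"    address {iface.with_prefixlen}"]
        if has_gw:
            # OPNsense holds .1 on the management VLAN, so the gateway is the first host
            lines.append(f"    gateway {iface.network[1]}")
        lines.append("")
    return "\n".join(lines)


def gateway_lines(config):
    """All 'gateway' directives in a rendered config, for review or assertion."""
    return [l.strip() for l in config.splitlines() if l.strip().startswith("gateway ")]


if __name__ == "__main__":
    print(render_interfaces(VLAN_PLAN))
```

Running the script prints a complete interfaces file with exactly one gateway line; adding a gateway to any other VLAN in the plan makes render_interfaces raise, which is the check worth wiring into whatever provisioning path writes these files.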
Firewall Zone Rules
OPNsense enforces traffic policy at each zone boundary. Apply these rules in addition to the default block-all inbound WAN policy.
WAN
Block all inbound by default. Open only the WireGuard UDP port and any externally published services. Use port forwards to route specific inbound services from OPNsense WAN to internal host IPs.
Management Zone
Restrict OPNsense admin access to the management network only:
| Policy | Source | Destination |
|---|---|---|
| Allow | VLAN 10 (Network Mgmt / IPMI) | OPNsense admin HTTPS, SSH |
| Block | All other VLANs | OPNsense admin HTTPS, SSH |
Proxmox Zone (VLAN 20)
| Policy | Source | Destination |
|---|---|---|
| Allow | VLAN 10 / VLAN 20 | Proxmox web UI TCP 8006, SSH TCP 22 |
| Allow | Proxmox nodes | DNS, NTP, package mirrors, PBS |
| Block | UniFi user LAN | Proxmox management interfaces |
| Block | WAN | Proxmox management (VPN only) |
OpenShift / Kubernetes (VLAN 40)
| Policy | Source | Destination |
|---|---|---|
| Allow | Admin networks | OpenShift API VIP |
| Allow | Required clients | Ingress / LoadBalancer VIPs |
| Allow | Cluster nodes | DNS, NTP, internet updates |
| Block | Guest / IoT VLANs | Cluster nodes |
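The zone tables above, encoded as a first-match rule list with an implicit default deny and evaluated against sample flows. This is an added example for reasoning about the policy, not OPNsense's rule engine or an export of its configuration. VLAN 20, VLAN 253 and the 192.168.1.0/24 UniFi LAN example are from the page; the subnets for VLAN 10 and VLAN 40, the guest/IoT VLAN placeholder, the public WAN address, and the WireGuard (51820) and OpenShift API (6443) ports are assumptions.

```python
"""First-match zone policy evaluator for the Site A rules (added example)."""
from ipaddress import ip_address, ip_network

# Zone prefixes. Only VLAN 20, VLAN 253 and the UniFi LAN example come from the
# page; the rest follow the 10.10.<vlan>.0/24 pattern and are assumptions.
ZONES = {
    "mgmt": ip_network("10.10.10.0/24"),        # VLAN 10, network mgmt / IPMI
    "proxmox": ip_network("10.10.20.0/24"),     # VLAN 20
    "openshift": ip_network("10.10.40.0/24"),   # VLAN 40
    "guest": ip_network("10.10.200.0/24"),      # placeholder guest/IoT VLAN
    "transit": ip_network("10.10.253.0/24"),    # VLAN 253, UniFi WAN transit
    "unifi-lan": ip_network("192.168.1.0/24"),  # behind the UniFi router
}
WAN_IP = ip_address("203.0.113.10")             # constructed placeholder public address


def zone_of(ip):
    """Classify an address; OPNsense's own .1 and WAN addresses are 'fw-self'."""
    ip = ip_address(ip)
    if ip == WAN_IP:
        return "fw-self"
    for name, net in ZONES.items():
        if ip in net:
            return "fw-self" if ip == net[1] else name
    return "wan"


# (action, source zone, destination zone, services or None for any). First match wins.
# 51820 is WireGuard's default listen port and 6443 the standard OpenShift API port;
# both are assumptions since the page names neither.
RULES = [
    ("allow", "wan", "fw-self", {"udp/51820"}),             # WireGuard only
    ("block", "wan", "*", None),                            # default block-all inbound WAN
    ("allow", "mgmt", "fw-self", {"tcp/443", "tcp/22"}),    # admin only from VLAN 10
    ("block", "*", "fw-self", {"tcp/443", "tcp/22"}),
    ("allow", "mgmt", "proxmox", {"tcp/8006", "tcp/22"}),
    ("allow", "proxmox", "proxmox", {"tcp/8006", "tcp/22"}),
    ("block", "unifi-lan", "proxmox", None),
    ("allow", "proxmox", "fw-self", {"udp/53", "udp/123"}), # DNS, NTP on OPNsense
    ("allow", "proxmox", "wan", {"tcp/80", "tcp/443"}),     # package mirrors
    ("block", "guest", "openshift", None),                  # must precede the ingress allow
    ("allow", "mgmt", "openshift", {"tcp/6443"}),           # API VIP
    ("allow", "*", "openshift", {"tcp/80", "tcp/443"}),     # ingress / LoadBalancer VIPs
    ("allow", "openshift", "wan", None),                    # cluster updates
]


def evaluate(src_ip, dst_ip, service):
    """Return (action, index of the matching rule); no match is the implicit default deny."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for i, (action, rule_src, rule_dst, services) in enumerate(RULES):
        if rule_src in ("*", src) and rule_dst in ("*", dst) \
                and (services is None or service in services):
            return action, i
    return "block", None


if __name__ == "__main__":
    for flow in [("10.10.10.5", "10.10.20.11", "tcp/8006"),      # admin to Proxmox UI
                 ("192.168.1.50", "10.10.20.11", "tcp/8006"),    # UniFi user to Proxmox UI
                 ("198.51.100.7", "10.10.20.1", "tcp/443"),      # internet to OPNsense admin
                 ("10.10.200.20", "10.10.20.11", "tcp/8006")]:   # guest to Proxmox, no rule
        print(flow, "->", evaluate(*flow))
```

The guest-to-Proxmox flow is the one to watch: no rule mentions it, so it is blocked only by the default deny. That is the intended outcome, but it is also why the block rows in the tables above are worth keeping explicit for the flows that matter most, so that a later broad allow added above them cannot silently open the path.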
Optional: Static Routes to UniFi LANs
By default, OPNsense-side hosts cannot reach devices on the UniFi-side LAN — only the UniFi router's WAN IP is reachable from OPNsense. If an infrastructure service (for example, a monitoring agent or DNS resolver) needs to reach UniFi LAN hosts, add static routes on both sides.
On OPNsense
Add a host route to the existing UniFi LAN subnet (the actual subnet depends on the site's existing UniFi configuration; 192.168.1.0/24 is an example):
| Destination | Via |
|---|---|
| 192.168.1.0/24 (Site A UniFi LAN example) | 10.10.253.2 |
| 192.168.2.0/24 (Site B UniFi LAN example) | 10.20.253.2 |
On the UniFi router
Add a return route so UniFi-side devices can reach OPNsense-side and VPN ranges:
| Destination | Via |
|---|---|
| 10.20.0.0/16 (Site B infra, on UniFi A) | 10.10.253.1 |
| 10.10.0.0/16 (Site A infra, on UniFi B) | 10.20.253.1 |
Add cross-zone routes only when required
Most use cases do not need OPNsense-to-UniFi-LAN routing. Omit these routes unless a specific service requires it — keeping the two zones separated simplifies firewall policy and reduces attack surface.
Site-to-Site VPN
The WireGuard tunnel terminates on OPNsense at both sites, not on UniFi. Each site advertises its /16 summary as the peer's allowed destination.
| Endpoint | WireGuard IP | Advertised route |
|---|---|---|
| sa-fw-01 (Site A) | 10.255.0.1 | 10.10.0.0/16 |
| sb-fw-01 (Site B) | 10.255.0.2 | 10.20.0.0/16 |
Apply firewall rules on the WireGuard interface to permit only required cross-site traffic: management, Proxmox, PBS replication, and monitoring. Avoid broad allow-any rules unless the lab is intentionally fully trusted. See WireGuard for full interface and firewall configuration.
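A forwarding trace through the topology, added here as an example (not project tooling) to show three things the transit, static-route and WireGuard sections state in prose: the double NAT that a UniFi user's packet undergoes on its way out, what Site B infrastructure sees when a UniFi-side device crosses the tunnel, and why an OPNsense-side host cannot reach the UniFi LAN until the optional static route exists. Each router is a longest-prefix-match table with optional source NAT per egress. The public WAN addresses, the 192.168.1.50 user host, the 10.10.20.11 and 10.20.20.11 Proxmox hosts and the 198.51.100.5 internet destination are constructed values.

```python
"""Hop-by-hop forwarding trace through the two-site topology (added example)."""
from ipaddress import ip_address, ip_network

# Constructed placeholders for the two OPNsense public WAN addresses.
WAN_A, WAN_B = "203.0.113.10", "203.0.113.20"


class Router:
    """Longest-prefix-match forwarder with optional source NAT per egress."""

    def __init__(self, name, routes, snat=None):
        self.name = name
        # routes: {prefix: next hop}. "local" = directly attached, "internet" = ISP,
        # any other value names the neighbouring router that owns the next-hop address.
        self.routes = {ip_network(p): nh for p, nh in routes.items()}
        # snat: {egress: address written into the source field when leaving that way}
        self.snat = {nh: ip_address(a) for nh, a in (snat or {}).items()}

    def next_hop(self, dst):
        matches = [p for p in self.routes if dst in p]
        return self.routes[max(matches, key=lambda p: p.prefixlen)] if matches else None


def build(unifi_lan_route=False):
    """Site A UniFi router plus both OPNsense firewalls; UniFi LAN route off by default."""
    routers = {
        # UniFi: LAN attached, WAN 10.10.253.2 with default via 10.10.253.1, and its
        # existing LAN masquerade rewriting sources to the WAN address.
        "unifi-a": Router("unifi-a",
                          {"192.168.1.0/24": "local", "10.10.253.0/24": "local",
                           "0.0.0.0/0": "opnsense-a"},
                          snat={"opnsense-a": "10.10.253.2"}),
        # sa-fw-01: owns the 10.10.0.0/16 VLANs, sends 10.20.0.0/16 over WireGuard,
        # everything else to the ISP through outbound NAT.
        "opnsense-a": Router("opnsense-a",
                             {"10.10.0.0/16": "local", "10.20.0.0/16": "opnsense-b",
                              "0.0.0.0/0": "internet"},
                             snat={"internet": WAN_A}),
        "opnsense-b": Router("opnsense-b",
                             {"10.20.0.0/16": "local", "10.10.0.0/16": "opnsense-a",
                              "0.0.0.0/0": "internet"},
                             snat={"internet": WAN_B}),
    }
    if unifi_lan_route:
        # The optional static route from the page: 192.168.1.0/24 via 10.10.253.2.
        routers["opnsense-a"].routes[ip_network("192.168.1.0/24")] = "unifi-a"
    return routers


def trace(routers, start, src, dst, max_hops=8):
    """Return [(router, egress, source address as the next hop sees it)] for a new flow."""
    src, dst = ip_address(src), ip_address(dst)
    hops, here = [], start
    for _ in range(max_hops):
        router = routers[here]
        egress = router.next_hop(dst)
        if egress is None:
            hops.append((router.name, "unroutable", str(src)))
            return hops
        src = router.snat.get(egress, src)
        hops.append((router.name, egress, str(src)))
        if egress not in routers:      # delivered locally or handed to the ISP
            return hops
        here = egress
    raise RuntimeError("forwarding loop")


def user_to_internet():
    """Double NAT: 192.168.1.50 is rewritten by UniFi, then again by OPNsense."""
    return trace(build(), "unifi-a", "192.168.1.50", "198.51.100.5")


def user_to_site_b():
    """Site B infrastructure sees the UniFi WAN address, never the user's LAN address."""
    return trace(build(), "unifi-a", "192.168.1.50", "10.20.20.11")


def infra_to_unifi_lan(with_route):
    """Without the static route a Proxmox host's packet follows OPNsense's default route."""
    return trace(build(unifi_lan_route=with_route), "opnsense-a", "10.10.20.11", "192.168.1.50")


if __name__ == "__main__":
    for label, hops in [("user -> internet", user_to_internet()),
                        ("user -> site B", user_to_site_b()),
                        ("infra -> UniFi LAN, no route", infra_to_unifi_lan(False)),
                        ("infra -> UniFi LAN, with route", infra_to_unifi_lan(True))]:
        print(f"{label}: {hops}")
```

The user-to-site-B trace is the one with a policy consequence: any WireGuard or Site B firewall rule keyed on the user's LAN address will never match, because UniFi has already rewritten it to 10.10.253.2. Rules for UniFi-side devices therefore have to be written against the transit address or the whole VLAN 253 subnet.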
One cluster per site — never stretch across WAN
Each site runs its own independent Proxmox cluster (sa-pve at Site A, sb-pve at Site B). Do not attempt a single stretched cluster across WireGuard — Corosync requires LAN-level latency and a cross-WAN cluster risks quorum instability. Use PBS sync and ZFS replication for cross-site DR instead. See Proxmox Clusters for the DR model.
Migration Overview
OPNsense is inserted upstream of each site's UniFi router in five phases:
- Prepare OPNsense offline — configure WAN, VLAN interfaces, DHCP, outbound NAT, DNS resolver, and WireGuard keys before any physical cutover.
- Insert at Site A — move the ISP handoff from UniFi WAN to OPNsense WAN; connect OPNsense LAN to sa-sw-01; set UniFi WAN to static 10.10.253.2/24, gateway 10.10.253.1; verify UniFi users retain internet access; connect Proxmox hosts to OPNsense-side VLANs.
- Insert at Site B — repeat using 10.20.x.x addressing.
- Build site-to-site WireGuard — bring up the tunnel between sa-fw-01 and sb-fw-01; route 10.10.0.0/16 ↔ 10.20.0.0/16; verify Proxmox and PBS cross-site paths.
- Optional UniFi LAN routing — add static routes on both sides only if infrastructure services need to reach UniFi-side devices.
See Migration Phases for the complete step-by-step procedure.
Related Pages
- VLAN Reference — all 15 VLANs with Site A / Site B subnets, gateways, and no-GW flags
- IP Addressing — supernets, bootstrap IPs, and per-host VLAN assignments
- Migration Phases — step-by-step OPNsense migration procedure
- WireGuard — site-to-site VPN configuration and allowed-IPs
- Proxmox Clusters — cluster independence and cross-site DR model
Migration Phases
Detailed walkthrough of the six OPNsense migration phases: inserting OPNsense upstream of UniFi at each site, building the WireGuard site-to-site VPN, migrating Proxmox to final management IPs, and standing up clusters, storage, and Kubernetes.
Compute & Storage
Proxmox cluster layout, Site A ZFS storage, Site B Ceph cluster, and PBS cross-site backup replication.