
OPNsense / UniFi / Proxmox Handoff

How OPNsense fronts the demoted UniFi routers at each site: VLAN 253 transit wiring, the double-NAT model for user devices, Proxmox network zone placement, firewall zone rules, and optional cross-zone routing.

OPNsense sits upstream of the existing UniFi routers at both sites, creating two distinct network zones at each location. This page documents the VLAN 253 transit link that wires each UniFi router WAN to OPNsense, the accepted double-NAT model, Proxmox network zone placement, firewall zone rules, and the optional static routes needed when OPNsense-side infrastructure must reach UniFi-side devices.

Two-Zone Topology

Each site splits traffic into two logical zones rooted at OPNsense.

ISP / ONT
   |
OPNsense (sa-fw-01 / sb-fw-01)
   |
Core infrastructure switch
   |-- Proxmox hosts / OpenShift / storage / PBS
   |-- UniFi router WAN (VLAN 253)
            |
         Existing UniFi LAN / Wi-Fi / users

OPNsense-side infrastructure zone — Proxmox, OpenShift, ZFS storage, Proxmox Backup Server (PBS), DNS, monitoring, and the WireGuard site-to-site tunnel. All infrastructure hosts connect here.

UniFi-side user zone — the existing UniFi router, its LAN VLANs, DHCP, Wi-Fi, and user devices. UniFi configuration is left untouched.

Proxmox and OpenShift must not sit behind UniFi

All Proxmox nodes and OpenShift clusters must connect directly to the OPNsense-side network. Never place infrastructure behind the UniFi router — not even temporarily.

Double NAT is intentional

User devices behind UniFi traverse two NAT layers: UniFi NAT → OPNsense NAT → internet. This is a deliberate trade-off to preserve the existing UniFi user setup without reconfiguration. It is not a misconfiguration. The practical cost is inbound reachability: a service on a UniFi-side host that must be published to the internet needs a port forward on OPNsense to 10.x0.253.2 and a second forward on the UniFi router to the host, so keep anything externally published on the OPNsense side instead.

UniFi WAN Transit (VLAN 253)

VLAN 253 (UniFi WAN transit) is the dedicated /24 that wires each demoted UniFi router's WAN port to OPNsense. OPNsense holds .1 as the gateway; the UniFi router WAN takes .2.

                            Site A           Site B
OPNsense VLAN 253 gateway   10.10.253.1/24   10.20.253.1/24
UniFi router WAN            10.10.253.2/24   10.20.253.2/24
UniFi WAN default gateway   10.10.253.1      10.20.253.1

Configure the UniFi router WAN interface as a static IP (10.x0.253.2/24) pointing at 10.x0.253.1 as the default gateway. DNS on the UniFi WAN can point to 10.x0.253.1 (OPNsense Unbound) or a public resolver — the existing UniFi LAN, DHCP, and Wi-Fi configuration on the UniFi-side requires no changes.

OPNsense outbound NAT covers the UniFi transit

UniFi-side traffic reaches the internet through OPNsense NAT. No additional NAT rules are required on the UniFi router beyond its own existing LAN masquerade.

Proxmox-Side Networking

Proxmox management runs on VLAN 20 (10.10.20.0/24 at Site A, 10.20.20.0/24 at Site B). The OPNsense L3 gateway at .1 is the default route for every Proxmox host on this VLAN.

Corosync and storage/replication VLANs carry no default gateway — their traffic must remain local to the site switch fabric and must never be routed across WireGuard.

VLAN   Name                 GW
25     Corosync heartbeat   no GW
65     Ceph cluster         no GW

Configure Proxmox node interfaces on VLANs 25, 60, 65, and 90 with no gateway — only the VLAN 20 management interface carries the default route. The full VLAN list with subnets and gateway assignments is on the VLAN Reference page.

Use routed VLANs, not a flat /16

Each site's /16 allocation (10.10.0.0/16 Site A, 10.20.0.0/16 Site B) is a summary for routing — not a single flat broadcast domain. Break it into routed VLANs inside OPNsense. A flat /16 generates unnecessary ARP/broadcast noise, weakens security boundaries, and makes OpenShift cluster isolation harder.

Firewall Zone Rules

OPNsense enforces traffic policy at each zone boundary. Apply these rules in addition to the default block-all inbound WAN policy.

WAN

Block all inbound by default. Open only the WireGuard UDP port and any externally published services. Use port forwards to route specific inbound services from OPNsense WAN to internal host IPs.

Management Zone

Restrict OPNsense admin access to the management network only:

Policy   Source                           Destination
Allow    VLAN 10 (Network Mgmt / IPMI)    OPNsense admin HTTPS, SSH
Block    All other VLANs                  OPNsense admin HTTPS, SSH

Proxmox Zone (VLAN 20)

Policy   Source                              Destination
Allow    VLAN 10 / VLAN 20                   Proxmox web UI TCP 8006, SSH TCP 22
Allow    Proxmox nodes                       DNS, NTP, package mirrors, PBS
Block    UniFi user LAN (VLAN 253 transit)   Proxmox management interfaces
Block    WAN                                 Proxmox management (VPN only)

Write the UniFi block rule against the VLAN 253 transit network (10.x0.253.0/24), not against the UniFi LAN subnet: the UniFi router masquerades its users behind 10.x0.253.2, so OPNsense never sees 192.168.x.x sources from that zone and a rule keyed on the LAN subnet would never match.

OpenShift / Kubernetes (VLAN 40)

Policy   Source              Destination
Allow    Admin networks      OpenShift API VIP
Allow    Required clients    Ingress / LoadBalancer VIPs
Allow    Cluster nodes       DNS, NTP, internet updates
Block    Guest / IoT VLANs   Cluster nodes
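The three zone tables above are easiest to sanity-check by writing them down as an ordered rule list and pushing sample flows through it before touching the firewall. The following is an added example, not OPNsense configuration or a script from the AORXI homelab. It takes the Site A subnets for VLAN 20 and VLAN 253 from this page; the VLAN 10, VLAN 40 and guest/IoT subnets, the OpenShift API (6443) and ingress (80/443) ports, the choice of "required clients", and every sample address are assumptions made for the example. It also shows why the UniFi-side block rule has to match the VLAN 253 transit address rather than the UniFi LAN subnet.

```python
"""Zone-policy model for the OPNsense firewall tables on this page (added example)."""
import ipaddress
from dataclasses import dataclass

# Site A address plan. Entries marked "assumed" are not on the page.
NETS = {
    "mgmt":          ipaddress.ip_network("10.10.10.0/24"),   # VLAN 10 (assumed)
    "proxmox":       ipaddress.ip_network("10.10.20.0/24"),   # VLAN 20 (page)
    "openshift":     ipaddress.ip_network("10.10.40.0/24"),   # VLAN 40 (assumed)
    "guest_iot":     ipaddress.ip_network("10.10.70.0/24"),   # assumed
    "unifi_transit": ipaddress.ip_network("10.10.253.0/24"),  # VLAN 253 (page)
}


def zone_of(ip_str: str) -> str:
    """Map an address to the zone OPNsense sees it in.

    The .1 of every routed VLAN is OPNsense itself, so it maps to "opnsense".
    Non-private addresses map to "wan". UniFi-side user devices never appear
    with their LAN address (192.168.1.x): the UniFi router masquerades them
    behind its WAN IP, so they arrive as 10.10.253.2 in "unifi_transit".
    """
    ip = ipaddress.ip_address(ip_str)
    for name, net in NETS.items():
        if ip in net:
            return "opnsense" if ip == net.network_address + 1 else name
    return "unrouted" if ip.is_private else "wan"


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" | "block"
    src: frozenset     # source zones; {"any"} matches every zone
    dst: str           # destination zone
    ports: frozenset   # TCP ports; empty set = any port


def R(action, src, dst, *ports):
    return Rule(action, frozenset(src), dst, frozenset(ports))


# First match wins; anything unmatched falls through to block (default deny).
RULES = [
    # Management zone: OPNsense admin HTTPS/SSH only from VLAN 10
    R("allow", ["mgmt"], "opnsense", 443, 22),
    R("block", ["any"], "opnsense", 443, 22),
    # Unbound DNS / NTP on OPNsense for infrastructure VLANs
    R("allow", ["proxmox", "openshift"], "opnsense", 53, 123),
    # Proxmox zone (VLAN 20)
    R("allow", ["mgmt", "proxmox"], "proxmox", 8006, 22),
    R("block", ["unifi_transit"], "proxmox"),   # UniFi user LAN -> Proxmox mgmt
    R("block", ["wan"], "proxmox"),              # VPN only
    # OpenShift / Kubernetes (VLAN 40); ports and client set are assumed
    R("allow", ["mgmt"], "openshift", 6443),                               # API VIP
    R("allow", ["mgmt", "proxmox", "unifi_transit"], "openshift", 80, 443),  # ingress
    R("block", ["guest_iot"], "openshift"),
    # Package mirrors / internet updates for cluster nodes
    R("allow", ["proxmox", "openshift"], "wan", 80, 443),
]


def evaluate(src_ip: str, dst_ip: str, port: int) -> str:
    """Return "allow" or "block" for a TCP flow, first matching rule wins."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in RULES:
        if rule.dst != dst_zone:
            continue
        if "any" not in rule.src and src_zone not in rule.src:
            continue
        if rule.ports and port not in rule.ports:
            continue
        return rule.action
    return "block"   # default deny for anything the tables do not allow


if __name__ == "__main__":
    # Constructed sample flows; 1.1.1.1 stands in for an arbitrary internet host.
    flows = [
        ("10.10.10.5",  "10.10.20.1",  443),   # admin -> OPNsense UI (VLAN 20 gateway)
        ("10.10.253.2", "10.10.20.1",  443),   # UniFi-side user -> OPNsense UI
        ("10.10.10.5",  "10.10.20.11", 8006),  # admin -> Proxmox web UI
        ("10.10.253.2", "10.10.20.11", 8006),  # UniFi-side user -> Proxmox web UI
        ("1.1.1.1",     "10.10.20.11", 22),    # internet -> Proxmox SSH
        ("10.10.70.20", "10.10.40.10", 6443),  # IoT -> OpenShift API
        ("10.10.20.11", "10.10.20.1",  53),    # Proxmox node -> Unbound
    ]
    for src, dst, port in flows:
        print(f"{src:>12} -> {dst}:{port:<5} {evaluate(src, dst, port)}")
```

The model deliberately classifies 192.168.1.x as "unrouted": from OPNsense's point of view that subnet does not exist unless the optional static route further down this page is added, which is exactly why the UniFi block rule keys on 10.x0.253.0/24.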

Optional: Static Routes to UniFi LANs

By default, OPNsense-side hosts cannot reach devices on the UniFi-side LAN — only the UniFi router's WAN IP is reachable from OPNsense. If an infrastructure service (for example, a monitoring agent or DNS resolver) needs to reach UniFi LAN hosts, add static routes on both sides.

On OPNsense

Add a static route to the existing UniFi LAN subnet via the UniFi router's transit address (the actual subnet depends on the site's existing UniFi configuration; 192.168.1.0/24 is an example). Without it, OPNsense-side traffic for that subnet follows the default route out the WAN.

Destination                                 Via
192.168.1.0/24 (Site A UniFi LAN example)   10.10.253.2
192.168.2.0/24 (Site B UniFi LAN example)   10.20.253.2

On the UniFi router

Add a return route so UniFi-side devices can reach OPNsense-side and VPN ranges. Because the UniFi WAN default gateway already points at 10.x0.253.1, these entries are explicit rather than strictly required for the forward path; what the UniFi router does additionally need is a WAN firewall rule accepting the specific OPNsense-side sources, since it drops unsolicited inbound WAN traffic by default.

Destination                             Via
10.20.0.0/16 (Site B infra, on UniFi A) 10.10.253.1
10.10.0.0/16 (Site A infra, on UniFi B) 10.20.253.1

Add cross-zone routes only when required

Most use cases do not need OPNsense-to-UniFi-LAN routing. Omit these routes unless a specific service requires it — keeping the two zones separated simplifies firewall policy and reduces attack surface.
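Both routing rules on this page, the single default route on the Proxmox management VLAN under Proxmox-Side Networking and the optional static route to the UniFi LAN above, come down to longest-prefix matching, and the failure modes are clearer when walked through on concrete tables. The following is an added example with constructed Site A routing tables for a Proxmox node, sa-fw-01 and the UniFi router; it is not configuration from any of those devices. Subnets for VLAN 20 and VLAN 253 and the WireGuard addresses come from this page; the VLAN 25 and VLAN 65 subnets follow the 10.10.<vlan>.0/24 pattern but are assumed, the interface names and the ISP next hop are assumptions, and the UniFi LAN is the page's 192.168.1.0/24 example.

```python
"""Longest-prefix-match walk through the routing tables this page describes (added example)."""
import ipaddress

# A route is (prefix, via, dev); via=None means directly connected.


def lookup(table, dst):
    """Return (network, via, dev) of the most specific matching route, or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, via, dev in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return best


def next_hop(table, dst):
    """(via, dev) for dst, or None if the table has no matching route."""
    r = lookup(table, dst)
    return (r[1], r[2]) if r else None


def default_routes(table):
    return [(via, dev) for prefix, via, dev in table if prefix == "0.0.0.0/0"]


def proxmox_routing_ok(table, mgmt_dev="vmbr0.20"):
    """Exactly one default route, and it leaves via the VLAN 20 management interface."""
    defaults = default_routes(table)
    return len(defaults) == 1 and defaults[0][1] == mgmt_dev


# Proxmox node as this page requires: default route on VLAN 20 only.
PVE_OK = [
    ("10.10.20.0/24", None, "vmbr0.20"),
    ("10.10.25.0/24", None, "vmbr0.25"),   # Corosync heartbeat, no GW (subnet assumed)
    ("10.10.65.0/24", None, "vmbr0.65"),   # Ceph cluster, no GW (subnet assumed)
    ("0.0.0.0/0", "10.10.20.1", "vmbr0.20"),
]
# The same node with a gateway mistakenly configured on the Ceph VLAN as well.
PVE_BAD = PVE_OK + [("0.0.0.0/0", "10.10.65.1", "vmbr0.65")]

# sa-fw-01: connected VLANs, WireGuard summary to Site B, ISP default.
FW_BASE = [
    ("10.10.20.0/24", None, "vlan20"),
    ("10.10.253.0/24", None, "vlan253"),
    ("10.20.0.0/16", "10.255.0.2", "wg0"),
    ("0.0.0.0/0", "198.51.100.1", "wan"),   # ISP next hop (assumed)
]
# sa-fw-01 with the optional static route from the table on this page.
FW_WITH_UNIFI_ROUTE = FW_BASE + [("192.168.1.0/24", "10.10.253.2", "vlan253")]

# Demoted UniFi router: its WAN default gateway is already OPNsense.
UNIFI = [
    ("192.168.1.0/24", None, "lan"),
    ("10.10.253.0/24", None, "wan"),
    ("0.0.0.0/0", "10.10.253.1", "wan"),
]

if __name__ == "__main__":
    print("PVE_OK  single default via VLAN 20:", proxmox_routing_ok(PVE_OK))
    print("PVE_BAD single default via VLAN 20:", proxmox_routing_ok(PVE_BAD))
    print("PVE -> Site B Proxmox      :", next_hop(PVE_OK, "10.20.20.11"))
    print("PVE -> Corosync peer       :", next_hop(PVE_OK, "10.10.25.12"))
    print("FW  -> UniFi LAN, no route :", next_hop(FW_BASE, "192.168.1.50"))
    print("FW  -> UniFi LAN, with route:", next_hop(FW_WITH_UNIFI_ROUTE, "192.168.1.50"))
    print("UniFi -> Site A infra      :", next_hop(UNIFI, "10.10.20.11"))
    print("UniFi -> Site B infra      :", next_hop(UNIFI, "10.20.20.11"))
```

Two results are worth noticing: without the static route, sa-fw-01 sends traffic for 192.168.1.50 to the ISP next hop, and the UniFi router already resolves both Site A and Site B infrastructure ranges to 10.10.253.1 through its default route, which is why the return-route entries above are explicit rather than load-bearing.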

Site-to-Site VPN

The WireGuard tunnel terminates on OPNsense at both sites, not on UniFi. Each site advertises its /16 summary as the peer's allowed destination.

Endpoint             WireGuard IP   Advertised route
sa-fw-01 (Site A)    10.255.0.1     10.10.0.0/16
sb-fw-01 (Site B)    10.255.0.2     10.20.0.0/16

Apply firewall rules on the WireGuard interface to permit only required cross-site traffic: management, Proxmox, PBS replication, and monitoring. Avoid broad allow-any rules unless the lab is intentionally fully trusted. See WireGuard for full interface and firewall configuration.

One cluster per site — never stretch across WAN

Each site runs its own independent Proxmox cluster (sa-pve at Site A, sb-pve at Site B). Do not attempt a single stretched cluster across WireGuard — Corosync requires LAN-level latency and a cross-WAN cluster risks quorum instability. Use PBS sync and ZFS replication for cross-site DR instead. See Proxmox Clusters for the DR model.

Migration Overview

OPNsense is inserted upstream of each site's UniFi router in five phases:

  1. Prepare OPNsense offline — configure WAN, VLAN interfaces, DHCP, outbound NAT, DNS resolver, and WireGuard keys before any physical cutover.
  2. Insert at Site A — move the ISP handoff from UniFi WAN to OPNsense WAN; connect OPNsense LAN to sa-sw-01; set UniFi WAN to static 10.10.253.2/24, gateway 10.10.253.1; verify UniFi users retain internet access; connect Proxmox hosts to OPNsense-side VLANs.
  3. Insert at Site B — repeat using 10.20.x.x addressing.
  4. Build site-to-site WireGuard — bring up the tunnel between sa-fw-01 and sb-fw-01; route 10.10.0.0/16 ↔ 10.20.0.0/16; verify Proxmox and PBS cross-site paths.
  5. Optional UniFi LAN routing — add static routes on both sides only if infrastructure services need to reach UniFi-side devices.

See Migration Phases for the complete step-by-step procedure.

  • VLAN Reference — all 15 VLANs with Site A / Site B subnets, gateways, and no-GW flags
  • IP Addressing — supernets, bootstrap IPs, and per-host VLAN assignments
  • Migration Phases — step-by-step OPNsense migration procedure
  • WireGuard — site-to-site VPN configuration and allowed-IPs
  • Proxmox Clusters — cluster independence and cross-site DR model
