I figured this out over a week ago, but I hadn’t taken the time to write it down yet.

In my home LAN router-on-a-stick saga so far, I’ve been dreading having to answer this question:

How do I separate the management interfaces from the rest of the LAN, but still have the services - media server, budget software, etc. - accessible?

My idea went something like this (assume my server VLAN is 20):

  • Use my Pi as a jump server into the management network (10.0.99.0/24).
  • Set subinterfaces and have both a 10.0.20.* address and a 10.0.99.* address on the relevant machines. Only serve the management interfaces over the 99.* address per machine. Serve the web interfaces over the 20.* address.
  • Set the switch ports as access ports for both VLAN 20 and VLAN 99.
  • Block ALL traffic by default to VLAN 99 subnet from other subnets.
  • Add an explicit allow rule for the Pi.

Now I think this just might work. There would certainly be some things to work out, and I also feel like I’m missing something obvious. (For one thing, I can’t really access the OPNsense or TrueNAS web interface via SSH using this method. Unsure how to handle that in particular. I could always have a switch port for an end device on the management network, and lock the port down really well, but I’m not confident enough with switchport-lockdown to do that and it doesn’t feel like a great solution anyway.)

Before I really started to dig into this though, another idea occurred to me. Why can’t I just try to block all access to the management network right now?

My current configuration needs a bit of an explanation for this to make sense.

I have Tailscale set up on my OPNsense machine, essentially as a logical extension/simplification of my previous foray into WireGuard. This means the router is serving as my remote access VPN and personal DNS. Additionally, and this is the important part, it's exposing the 10.0.99.0/24 subnet to the other devices in my tailnet. Any device that lives in the 99 network is exposed via Tailscale. It doesn't even have to be part of the tailnet.

I had the inkling that this might work, and I basically stumbled into it by deciding to give it a shot - what’s the worst that could happen? After confirming, I backtracked mentally to verify everything. Seems to make perfect sense. The firewall rule blocking access to the management network is simply bypassed by going through a different interface in OPNsense entirely - the TAIL VPN interface.
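To make the bypass explicit, here is a small model of OPNsense-style rule evaluation (first match wins on the ingress interface, implicit deny otherwise). This is an added example, not the post's actual rule set: the interface names VLAN20 and TAILSCALE, the Pi at 10.0.20.50 and the hosts used in the checks are constructed; 100.64.0.0/10 is the range Tailscale assigns to tailnet nodes.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    iface: str    # ingress interface the rule is attached to
    action: str   # "pass" or "block"
    src: str      # CIDR, or "any"
    dst: str      # CIDR, or "any"


def _match(cidr: str, ip: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def evaluate(rules: list[Rule], iface: str, src_ip: str, dst_ip: str) -> str:
    """Rules are evaluated only on the interface the packet arrives on;
    the first match wins and an unmatched packet hits the implicit deny."""
    for r in rules:
        if r.iface == iface and _match(r.src, src_ip) and _match(r.dst, dst_ip):
            return r.action
    return "block"


# Constructed rule set mirroring the plan in the post (hypothetical names/addresses).
RULES = [
    Rule("VLAN20", "pass", "10.0.20.50/32", "10.0.99.0/24"),      # the Pi jump host
    Rule("VLAN20", "block", "any", "10.0.99.0/24"),               # everyone else: no management
    Rule("VLAN20", "pass", "any", "any"),                         # normal LAN/internet traffic
    Rule("TAILSCALE", "pass", "100.64.0.0/10", "10.0.99.0/24"),   # tailnet -> advertised 99 subnet
]


def management_reachable(rules: list[Rule], iface: str, src_ip: str) -> bool:
    """True if a host arriving on `iface` can reach a management address."""
    return evaluate(rules, iface, src_ip, "10.0.99.10") == "pass"


if __name__ == "__main__":
    for iface, src in [("VLAN20", "10.0.20.50"), ("VLAN20", "10.0.20.77"),
                       ("TAILSCALE", "100.101.102.103")]:
        print(f"{iface:9} {src:16} -> management: {management_reachable(RULES, iface, src)}")
```

The VLAN 20 block rule never sees traffic that enters on the Tailscale interface, which is exactly why the tailnet devices still reach the management subnet while the rest of VLAN 20 does not.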

Any device on my tailnet is already a trusted device, so this seems like the perfect solution for the time being. There is one important consideration: if I want to give a non-trusted device access to the services running on my servers, I must either add that device to my tailnet or drop the applicable firewall rules in their entirety. I’m not keen on either one of those options. For now, though, this has met my simple needs.

In the future, perhaps those needs will change. This basic idea would still work to serve the management web GUIs and more sensitive services over the tailnet, but I could also expose the less sensitive services over a different VLAN/subnet and lock that down via firewall. We'll see!

EOF