OPNsense VLANs and Zero Trust: Complete Configuration Guide

Complete guide to configuring 4 VLANs (IoT, Work, Guest, DMZ) with OPNsense and Zero Trust inter-VLAN firewall rules.

Is your home or professional network unsegmented? All your devices — work PCs, IoT cameras, smart TVs, guests — sharing the same flat network? That's a security time bomb waiting to go off. VLANs are the solution.

In this guide, I'll walk you through configuring 4 VLANs in OPNsense with Zero Trust inter-VLAN firewall rules. This is a direct continuation of Part 1 — Installing OPNsense in Proxmox.

Why VLANs? Security Through Segmentation

A flat network where all devices coexist is a major security risk. A single compromised device can potentially reach everything else on your network.

  • IoT device isolation — a hacked camera cannot reach your servers
  • Guest protection — the Guest network cannot see your internal LAN
  • DMZ for public services — exposed servers isolated from the main LAN
  • Zero Trust inter-VLAN — all cross-zone traffic denied by default
  • Simplified auditing — know exactly which traffic flows where

Prerequisites

  • OPNsense installed and running (see Part 1)
  • Managed switch supporting 802.1Q VLAN tagging (TP-Link TL-SG108E ~$30)
  • LAN interface on Proxmox bridge with "VLAN aware" enabled

Creating VLANs in OPNsense

In OPNsense, VLANs are created as sub-interfaces on the existing LAN interface: Interfaces > Other Types > VLAN

VLAN 10 — IoT  : vtnet1.10 → 192.168.10.1/24
VLAN 20 — Work : vtnet1.20 → 192.168.20.1/24
VLAN 30 — Guest: vtnet1.30 → 192.168.30.1/24
VLAN 40 — DMZ  : vtnet1.40 → 192.168.40.1/24

4 VLANs: IoT, Work, Guest, DMZ

VLAN 10 — IoT (192.168.10.0/24)

Internet only — zero access to other VLANs. Cameras, thermostats, smart TVs.

VLAN 20 — Work (192.168.20.0/24)

Full internal access. Workstations and internal servers.

VLAN 30 — Guest (192.168.30.0/24)

Internet only, throttled (10 Mbps), DNS filtered. Visitors and temporary devices.

VLAN 40 — DMZ (192.168.40.0/24)

Exposed services, inbound only. Web, mail, public API servers.

Inter-VLAN Firewall Rules (Zero Trust)

Zero Trust principle: deny all by default, explicit allow only.

# IoT — block RFC1918, allow Internet
Block IoT net → 192.168.0.0/16  (deny-all inter-VLAN)
Pass  IoT net → any              (Internet OK)

# Work — internal services allowed
Block Work net → IoT/Guest
Pass  Work net → LAN:443,80,22
Pass  Work net → any

# Guest — Internet only, throttled
Block Guest net → 192.168.0.0/16
Pass  Guest net → any (10 Mbps limiter)

DHCP Server Per VLAN

IoT   : 192.168.10.100-200, DNS: 1.1.1.1
Work  : 192.168.20.100-200, DNS: 192.168.20.1
Guest : 192.168.30.100-200, DNS: 1.1.1.3 (filtered)
DMZ   : 192.168.40.100-150, DNS: 192.168.40.1

Testing Segmentation

# From IoT (192.168.10.x):
ping 192.168.10.1  → OK (gateway)
ping 192.168.20.1  → timeout ✓ (Work blocked)
ping 1.1.1.1       → OK (Internet accessible)
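To check the inter-VLAN rule sets above against the segmentation test before applying them, here is an added Python simulator (my code, not from this guide and not OPNsense's own code) that models how OPNsense evaluates interface rules: top-down on the interface the traffic enters (the source VLAN's tab), first match wins, and anything no rule matches is dropped by the implicit default deny. It encodes the IoT, Work and Guest rules as listed, plus two things worth checking: rule order (a "Pass any" placed above the block turns the block into dead code) and the gateway edge case (as written, "Block IoT net → 192.168.0.0/16" also matches the firewall's own 192.168.10.1, so the "ping gateway → OK" line of the test only holds if a "Pass IoT net → IoT address" rule sits above the block; with_gateway_pass() adds that). LAN_NET is an assumed placeholder for the Part 1 LAN subnet, which this page does not state; the Guest 10 Mbps limiter (a shaper setting) and OPNsense's automatic DHCP rules are not modelled.

```python
# Added example (not OPNsense code): a first-match simulator for the per-VLAN
# rule sets listed in this guide. OPNsense evaluates interface rules top-down on
# the interface the traffic ENTERS (the source VLAN), and anything no rule matches
# is dropped by the implicit default deny. Modelling that lets you check rule
# order and edge cases before touching the firewall.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

# VLAN plan from the guide: name -> (OPNsense sub-interface, subnet); gateway is .1
VLANS = {
    "IoT":   ("vtnet1.10", ip_network("192.168.10.0/24")),
    "Work":  ("vtnet1.20", ip_network("192.168.20.0/24")),
    "Guest": ("vtnet1.30", ip_network("192.168.30.0/24")),
    "DMZ":   ("vtnet1.40", ip_network("192.168.40.0/24")),
}
PRIVATE_RANGE = ip_network("192.168.0.0/16")  # destination of the "deny-all inter-VLAN" block
ANY = ip_network("0.0.0.0/0")
LAN_NET = ip_network("192.168.1.0/24")        # ASSUMED placeholder: Part 1's LAN subnet is not on this page


def gateway(vlan: str) -> IPv4Address:
    """The firewall's own address on a VLAN ("<VLAN> address" in the OPNsense GUI)."""
    return VLANS[vlan][1][1]


@dataclass(frozen=True)
class Rule:
    action: str                        # "pass" or "block"
    dst: IPv4Network                   # destination network
    ports: Optional[frozenset] = None  # None = any destination port
    note: str = ""


Policy = Dict[str, List[Rule]]

# Rule sets exactly as listed in the guide, keyed by source VLAN (= the interface tab).
POLICY: Policy = {
    "IoT": [
        Rule("block", PRIVATE_RANGE, note="deny-all inter-VLAN"),
        Rule("pass", ANY, note="Internet OK"),
    ],
    "Work": [
        Rule("block", VLANS["IoT"][1]),
        Rule("block", VLANS["Guest"][1]),
        Rule("pass", LAN_NET, frozenset({443, 80, 22}), note="internal services"),
        Rule("pass", ANY),
    ],
    "Guest": [
        Rule("block", PRIVATE_RANGE),
        Rule("pass", ANY, note="10 Mbps limiter (shaper, not modelled here)"),
    ],
    "DMZ": [],  # the guide lists no DMZ rules: only the implicit default deny applies
}


def evaluate(src_vlan: str, dst: str, port: Optional[int] = None,
             policy: Policy = POLICY) -> str:
    """Return 'pass' or 'block' for a flow leaving src_vlan; first matching rule wins."""
    dst_ip = ip_address(dst)
    for rule in policy.get(src_vlan, []):
        if dst_ip in rule.dst and (rule.ports is None or port in rule.ports):
            return rule.action
    return "block"  # OPNsense's implicit default deny


def with_gateway_pass(policy: Policy) -> Policy:
    """Variant that lets each VLAN reach the firewall's own address on that VLAN
    before the RFC1918 block; without it the block rule as written also drops
    pings (and any DNS/NTP served by the firewall) to the gateway itself."""
    return {
        vlan: [Rule("pass", ip_network(f"{gateway(vlan)}/32"), note="firewall address")] + rules
        for vlan, rules in policy.items()
    }


def misordered_iot() -> Policy:
    """The common mistake: 'pass any' placed above the block, which then never matches."""
    return {"IoT": list(reversed(POLICY["IoT"]))}


def segmentation_test(policy: Policy = POLICY) -> Dict[str, str]:
    """The guide's three checks from an IoT host, run against the simulator."""
    return {
        "gateway":  evaluate("IoT", "192.168.10.1", policy=policy),
        "work":     evaluate("IoT", "192.168.20.1", policy=policy),
        "internet": evaluate("IoT", "1.1.1.1", policy=policy),
    }


if __name__ == "__main__":
    variants = (("as listed", POLICY),
                ("with gateway pass", with_gateway_pass(POLICY)),
                ("misordered IoT", misordered_iot()))
    for name, pol in variants:
        print(f"{name:18} {segmentation_test(pol)}")
```

Running the script prints the IoT test under the three variants: as listed, the gateway ping is blocked while Work is blocked and Internet passes; with the gateway pass rule added, all three results match the guide's expected output; with the IoT rules reversed, the Work ping passes, which is the mistake to look for when a "blocked" VLAN can suddenly reach the LAN. Note also that on Work the trailing "Pass any" already covers the LAN:443,80,22 rule (evaluate("Work", "192.168.1.10", 8080) passes too), which is consistent with "full internal access" but means that port list is not doing any restricting.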

Next Steps

Part 3: WireGuard VPN — site-to-site + remote workers

Download the complete PDF guide: PDF Guide — OPNsense VLANs and Zero Trust