A production-grade home infrastructure designed as a zero-trust, defense-in-depth environment: VLAN-segmented, default-deny firewalling, high-availability routing, and disaster-recovery engineering — all mapped to NIST CSF 2.0 and CIS Controls v8.
This repo documents the architecture and the reasoning behind it: the segmentation
model, the firewall policy, the resilience/DR design, and the decision records that
explain why each choice was made. It is the design counterpart to my
policy-as-code-demo repo — the network segmentation described
here is the same model enforced programmatically by network_policy.rego there.
All addresses in this repo use documentation ranges (
10.0.0.0/8). No production IPs, hostnames, credentials, or CARP VHIDs are published.
flowchart TB
INET([Internet]) --- EDGE[Edge Firewall / IDS-IPS]
EDGE --- FW{{OPNsense HA Pair<br/>CARP VIP + pfsync}}
FW --- SW[L2/L3 Switch<br/>802.1Q trunks]
SW --- V10[VLAN 10 · DMZ<br/>external-facing]
SW --- V20[VLAN 20 · IoT<br/>internet-only]
SW --- V30[VLAN 30 · TRUSTED<br/>workstations]
SW --- V40[VLAN 40 · MGMT<br/>net controller/switches]
SW --- V50[VLAN 50 · GUEST<br/>isolated]
SW --- V60[VLAN 60 · SERVICES<br/>servers · k8s · DNS · hypervisor mgmt]
SW --- V70[VLAN 70 · ISOLATED<br/>lab platform]
V60 --- K8S[k3s cluster]
V60 --- DNS[Recursive DNS sink]
V60 --- HV[Hypervisor mgmt plane]
classDef untrusted fill:#3a1f1f,stroke:#a33;
classDef trusted fill:#1f2f1f,stroke:#3a3;
classDef mgmt fill:#1f2333,stroke:#46a;
class V10,V20,V50,V70 untrusted;
class V30 trusted;
class V40,V60 mgmt;
| Area | Docs |
|---|---|
| Network segmentation | network/segmentation.md — VLAN model, trust tiers, zero-trust rationale |
| Firewall policy | network/firewall-model.md — default-deny, inter-VLAN matrix, DNS/QUIC egress control |
| Resilience & DR | resilience/dr-runbook.md, resilience/break-glass.md |
| Decision records | decisions/ — CARP HA, DHCP engine, management-plane placement |
| Automation (IaC) | automation/ — Ansible patch-management, sanitized |
- Default-deny everywhere — every segment starts closed; access is explicitly granted per flow.
- Trust tiers, not a flat LAN — untrusted (IoT/Guest/DMZ), trusted (users), and management planes are isolated.
- No single point of failure on the control path — routing/DHCP/DNS are being moved to HA; SPOFs are documented and tracked as decision records.
- Monitoring integrity — DNS is forced to a sink and encrypted-DNS bypass (DoH/DoT) + QUIC are blocked so visibility can't be silently defeated.
- Operability under failure — a documented break-glass path and DR runbook exist for when the automated control plane is down.
- NIST CSF 2.0 — PR.AA / PR.IR (segmentation), PR.DS (data-in-transit control), DE.CM (monitoring), RC.RP (recovery).
- CIS Controls v8 — 4 (secure config), 12 (network infrastructure mgmt), 13 (network monitoring & defense).