Network Architecture
The network is built around VLAN-based zone segmentation with all inter-VLAN routing and firewall enforcement centralised in pfSense. Each VLAN represents a functional trust boundary rather than just a subnet division — devices in different VLANs cannot communicate unless firewall policy explicitly allows it.
Design Philosophy
The core principle is blast radius reduction: a compromise or failure in one zone should not propagate to others. IoT devices cannot reach workstations. The firewall VM is isolated from the hypervisor networking stack. Development and lab systems are separated from production services.
This mirrors segmentation patterns used in professional infrastructure environments, applied at homelab scale.
The firewall runs independently of host networking through PCI passthrough, ensuring that host network misconfiguration cannot affect routing or firewall policy enforcement.
VLAN Layout
| VLAN | Purpose | Typical Devices | Trust Level |
|---|---|---|---|
| Management / Infrastructure | Admin and infrastructure services | Hypervisors, switches, monitoring | Restricted |
| Trusted LAN | Primary user devices | Workstations, laptops, dev machines | High |
| Services | Internal service platforms | App servers, automation, media | Medium |
| Public Services / Web | Externally accessible systems | Reverse proxy, web hosting | Controlled |
| IoT | Smart home devices | Zigbee gateways, sensors, smart devices | Low — isolated |
| Printer / Utility | Low-trust utility hardware | Printers, misc devices | Low |
| Home Automation | Automation infrastructure | Home Assistant and related services | Controlled |
| Lab / Development | Testing and experimental workloads | Dev builds, temporary services | Isolated |
The IoT VLAN can only communicate with specific internal service endpoints required for automation — it has no path to the trusted LAN. The Home Automation VLAN acts as the controlled bridge between IoT devices and automation services.
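As an added example (not the page's own pfSense rule set), the policy described above modelled as a small Python program that evaluates rules the way pfSense does: on the interface where traffic enters, top to bottom, first match wins, with an implicit default deny. The zone names come from the VLAN table; the host labels (`home-assistant`, `app-server`), the ports, and the allow rules for the Trusted and Management zones are assumptions chosen to illustrate the design. The useful part is `check_invariants`, which turns the page's guarantees (IoT has no path to the trusted LAN, the lab is isolated, IoT reaches only its automation endpoint on its service port) into something that fails loudly when a rule is misordered.

```python
"""Model of the inter-VLAN policy described on this page (added example, not
the page's own pfSense configuration).

pfSense evaluates firewall rules on the interface where a packet enters (here:
the source VLAN), top to bottom, first match wins, and anything that matches
nothing is dropped by the implicit default deny. Host labels and ports below
are assumptions; only the zone names come from the VLAN table.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

ZONES = ("MGMT", "TRUSTED", "SERVICES", "PUBLIC", "IOT", "PRINTER", "HOME_AUTO", "LAB")


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_host: Optional[str]   # a specific host label, or None when it does not matter
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                                 # "pass" or "block"
    src_zone: str                               # interface the rule is attached to
    dst_zone: Optional[str] = None              # None = any zone
    dst_host: Optional[str] = None              # None = any host in dst_zone
    dst_ports: Optional[FrozenSet[int]] = None  # None = any port

    def matches(self, flow: Flow) -> bool:
        return (
            self.src_zone == flow.src_zone
            and self.dst_zone in (None, flow.dst_zone)
            and self.dst_host in (None, flow.dst_host)
            and (self.dst_ports is None or flow.dst_port in self.dst_ports)
        )


# Ordered policy. Hosts ("home-assistant", "app-server") and ports are assumed.
POLICY: List[Rule] = [
    Rule("pass", "MGMT"),                                              # admin zone reaches everything
    Rule("pass", "TRUSTED"),                                           # user devices reach everything
    Rule("pass", "IOT", "HOME_AUTO", "home-assistant", frozenset({8123})),  # the one IoT endpoint
    Rule("block", "IOT"),                                              # explicit catch-all (for logging)
    Rule("pass", "HOME_AUTO", "IOT"),                                  # controlled bridge towards IoT
    Rule("pass", "HOME_AUTO", "SERVICES", None, frozenset({443})),
    Rule("pass", "PUBLIC", "SERVICES", "app-server", frozenset({443})),
    Rule("block", "LAB"),                                              # lab is isolated
    # PRINTER has no rules at all: the implicit default deny applies
]


def evaluate(flow: Flow, policy: List[Rule] = POLICY) -> str:
    """First-match evaluation on the ingress interface, default deny."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action
    return "block"


def reachable(src: str, dst: str, policy: List[Rule] = POLICY) -> bool:
    """True if some flow from src can reach dst under the ordered policy.

    Probes each pass rule with a flow it would match, so a pass rule that an
    earlier block rule shadows does not count as a path."""
    for rule in policy:
        if rule.action != "pass" or rule.src_zone != src or rule.dst_zone not in (None, dst):
            continue
        port = min(rule.dst_ports) if rule.dst_ports else 0
        if evaluate(Flow(src, dst, rule.dst_host, port), policy) == "pass":
            return True
    return False


def shadowed_rules(policy: List[Rule] = POLICY) -> List[Rule]:
    """Rules that can never match because an earlier rule on the same interface
    covers every flow they would match (the classic ordering mistake)."""
    def covers(a: Rule, b: Rule) -> bool:
        return (a.src_zone == b.src_zone
                and a.dst_zone in (None, b.dst_zone)
                and a.dst_host in (None, b.dst_host)
                and (a.dst_ports is None
                     or (b.dst_ports is not None and b.dst_ports <= a.dst_ports)))
    return [b for j, b in enumerate(policy) if any(covers(a, b) for a in policy[:j])]


def check_invariants(policy: List[Rule] = POLICY) -> List[str]:
    """The segmentation guarantees the page states, as machine-checked assertions."""
    problems: List[str] = []
    for dst in ("TRUSTED", "MGMT"):
        if reachable("IOT", dst, policy):
            problems.append(f"IoT has a path to {dst}")
    for dst in ZONES:
        if dst != "LAB" and reachable("LAB", dst, policy):
            problems.append(f"Lab has a path to {dst}")
    # IoT may only talk to the automation endpoint, and only on its service port
    if evaluate(Flow("IOT", "HOME_AUTO", "home-assistant", 22), policy) == "pass":
        problems.append("IoT can reach the automation host on a non-service port")
    problems += [f"shadowed rule: {r}" for r in shadowed_rules(policy)]
    return problems


if __name__ == "__main__":
    for line in check_invariants() or ["policy satisfies all invariants"]:
        print(line)
```

Keeping a model like this next to the real rule set is cheap insurance: the same probe that proves IoT cannot reach the trusted LAN today will fail the moment a broad "pass" rule is inserted above the IoT block rule, which is exactly the kind of change that is hard to spot in the pfSense UI.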
Firewall Architecture
pfSense runs as a virtual machine on the hypervisor. Rather than using virtualized network interfaces, it receives physical NICs directly via PCI passthrough:
- WAN interface — dedicated physical NIC connected to the upstream router/modem
- LAN trunk interface — a LAGG of dedicated physical ports, a 10GbE primary into the GS752TXS and a 1GbE failover into the GS752TP, carrying all internal VLANs via 802.1Q tagging
VLAN tagging and inter-VLAN routing are handled entirely by pfSense, not by the hypervisor. The hypervisor has no visibility into inter-VLAN routing and cannot influence firewall policy enforcement.
From the network's point of view, the firewall therefore behaves like a dedicated hardware appliance: changes to hypervisor networking configuration (bridge setup, bond configuration, VM migrations) do not affect routing or firewall policy enforcement. It still shares the host's fate in other respects, so a hypervisor reboot or a CPU or memory fault takes the firewall with it; what passthrough removes is the dependency on the host's network stack, not on the host itself.
Physical Topology
```text
                 [ WAN / Internet ]
                         │
          ┌──────────────▼──────────────┐
          │        pfSense (VM)         │
          │                             │
          │   WAN NIC        LAN LAGG   │
          │                10GbE / 1GbE │
          │       (PCI passthrough)     │
          └──────────────┬──────────┬───┘
                         │          │
     VLAN trunk, 10GbE   │          │   VLAN trunk, 1GbE failover
                         │          │
   ┌─────────────────────▼─┐     ┌──▼──────────────────────┐
   │   Netgear GS752TXS    │=====│   Netgear GS752TP       │
   │   10GbE primary       │     │   1GbE PoE / failover   │
   │   core / aggregation  │     │   access + backup path  │
   └───────────┬───────────┘     └───────────┬─────────────┘
               │                             │
               │ 10GbE primary               │ 1GbE failover
               │                             │
               └──────────────┬──────────────┘
                              │
                     ┌────────▼────────┐
                     │   Dell T620     │
                     │   Hypervisor    │
                     │   bond0         │
                     │   10GbE / 1GbE  │
                     └─────────────────┘

===== 2 × 1GbE inter-switch links carrying VLANs
```

The GS752TXS is the primary aggregation point for all high-bandwidth infrastructure. The GS752TP serves dual roles: it provides PoE for access-layer devices (wireless access points, IoT) and acts as the failover switching path for the hypervisor bond — the T620's backup 1GbE interface connects here, ensuring hypervisor connectivity survives a primary switching path failure.
Hypervisor Connectivity and Redundancy
The T620 connects to the switching fabric through a bonded interface configured in active-backup mode:
- Primary: 10GbE interface connected to the GS752TXS core switch
- Backup: 1GbE interface connected to the GS752TP PoE switch
Under normal operation, all host traffic uses the 10GbE path. If the 10GbE link or core switch becomes unavailable, the bond automatically fails over to the 1GbE interface with no manual intervention required. Testing shows the transition typically results in at most a single lost packet before connectivity resumes. Failover is driven by the bond's link monitoring (MII or ARP monitoring), so detection time is bounded by the monitoring interval, and MII monitoring reacts only to carrier loss: a switch that keeps the link up but stops forwarding will not trigger it.
A Linux bridge sits on top of the bond interface, configured for VLAN-aware operation. All virtual machines attach to this bridge through virtio network interfaces presented by the hypervisor, and each VM's VLAN is set on its bridge port: the bridge adds and strips the 802.1Q tag, so a guest cannot move itself to another VLAN by tagging its own frames.
Key Design Decisions
NIC passthrough for pfSense rather than virtual interfaces
Virtualized NICs introduce a dependency between hypervisor networking state and firewall operation. If the bridge or bond is misconfigured during a host change, the firewall loses connectivity. Physical passthrough removes this dependency — the firewall is isolated from the host networking stack.
Active-backup bonding rather than LACP
LACP (802.3ad) provides higher aggregate bandwidth but requires both ends to negotiate the bond. Active-backup requires no switch-side configuration, works correctly even if the primary and backup ports are connected to different switches, and has simpler, more predictable failure semantics. For a single host with a 10GbE primary path, active-backup provides sufficient redundancy without the operational complexity of LACP.
MAC pinning on the bridge
The bridge MAC address is explicitly set to the primary interface's address so the host presents a stable hardware identity to the network. Addressing in the environment is managed through DHCP static assignments rather than manually configured static IPs, providing a single source of truth for device addressing; those assignments are keyed on the MAC, so the host's MAC must not change. Without pinning, the bridge derives its address from its member ports (a Linux bridge with no explicit address takes the lowest MAC among its ports, and the bond's own MAC can follow the active member depending on its fail_over_mac setting), so a failover or the addition of a port could change the host's MAC; the DHCP reservation would then no longer match and the host could receive an unexpected lease or lose connectivity briefly.
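The hypervisor connectivity section and the three design decisions above amount to a handful of invariants on the host's network configuration. As an added example (not the page's own host configuration), the following Python script lints a Debian/Proxmox-style `/etc/network/interfaces` against them: an active-backup bond with link monitoring, the 10GbE port as `bond-primary`, a VLAN-aware bridge whose only uplink is the bond, the bridge `hwaddress` pinned to the primary port's permanent MAC, and no NIC reserved for pfSense passthrough referenced anywhere in host networking. The interface names (`enp4s0f0`, `eno1`, `enp5s0f*`), MAC addresses, VLAN 10 for management and the sample config are all constructed for the example.

```python
"""Lint a Debian/Proxmox-style /etc/network/interfaces against the hypervisor
design decisions on this page. Added example, not the page's own host
configuration: interface names, MAC addresses and the sample config are
constructed.
"""
import re
from typing import Dict, List, Sequence

# Constructed sample in ifupdown/ifupdown2 syntax (interface names assumed).
SAMPLE_INTERFACES = """\
auto lo
iface lo inet loopback

iface enp4s0f0 inet manual
    # 10GbE, to the GS752TXS

iface eno1 inet manual
    # 1GbE, to the GS752TP

auto bond0
iface bond0 inet manual
    bond-slaves enp4s0f0 eno1
    bond-mode active-backup
    bond-primary enp4s0f0
    bond-miimon 100

auto vmbr0
iface vmbr0 inet manual
    bridge-ports bond0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094
    hwaddress 00:11:22:aa:bb:01

auto vmbr0.10
iface vmbr0.10 inet dhcp
    # host management address on VLAN 10, served as a DHCP static assignment
"""

# Constructed permanent (burned-in) MACs of the host ports, as `ethtool -P` reports them.
SAMPLE_PERMANENT_MACS = {"enp4s0f0": "00:11:22:aa:bb:01", "eno1": "00:11:22:aa:bb:02"}

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def parse_interfaces(text: str) -> Dict[str, Dict[str, str]]:
    """Map each `iface` stanza to its options (assumes the usual indented layout)."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()     # drop comments and blank lines
        if not line.strip():
            continue
        if not line[0].isspace():                 # a new top-level directive
            parts = line.split()
            current = stanzas.setdefault(parts[1], {"_method": parts[3]}) if parts[0] == "iface" else None
            continue
        if current is not None:                   # an option inside the current stanza
            key, _, value = line.strip().partition(" ")
            current[key] = value.strip()
    return stanzas


def lint(interfaces_text: str, permanent_macs: Dict[str, str], primary: str = "enp4s0f0",
         bond: str = "bond0", bridge: str = "vmbr0", passthrough: Sequence[str] = ()) -> List[str]:
    """Return a list of findings; an empty list means the config matches the design."""
    cfg = parse_interfaces(interfaces_text)
    findings: List[str] = []

    b = cfg.get(bond, {})
    members = b.get("bond-slaves", "").split()
    if b.get("bond-mode") != "active-backup":
        findings.append(f"{bond}: bond-mode is {b.get('bond-mode')!r}, expected active-backup")
    if b.get("bond-primary") != primary or primary not in members:
        findings.append(f"{bond}: bond-primary must be {primary} and {primary} must be in bond-slaves")
    if "bond-miimon" not in b and "bond-arp-interval" not in b:
        findings.append(f"{bond}: no link monitoring (bond-miimon/bond-arp-interval); failover never triggers")

    br = cfg.get(bridge, {})
    ports = br.get("bridge-ports", "").split()
    if ports != [bond]:
        findings.append(f"{bridge}: bridge-ports is {ports}, expected only {bond}")
    if br.get("bridge-vlan-aware") != "yes":
        findings.append(f"{bridge}: not VLAN-aware; the bridge would forward any tag a guest chooses")
    pinned = br.get("hwaddress", "").lower()
    expected = permanent_macs.get(primary, "").lower()
    if not MAC_RE.match(pinned) or pinned != expected:
        findings.append(f"{bridge}: hwaddress {pinned or '(unset)'} is not the primary port's MAC {expected}")

    # A NIC passed through to pfSense must not be touched by host networking at all.
    referenced = set(cfg) | set(members) | set(ports)
    for nic in passthrough:
        if nic in referenced:
            findings.append(f"{nic}: reserved for pfSense passthrough but referenced by host networking")
    return findings


if __name__ == "__main__":
    result = lint(SAMPLE_INTERFACES, SAMPLE_PERMANENT_MACS, passthrough=("enp5s0f0", "enp5s0f1"))
    print("\n".join(result) if result else "host networking matches the design")
```

Run it against the real file before applying a host networking change (`lint(open("/etc/network/interfaces").read(), macs, ...)` with the MACs read from `ethtool -P`); a configuration that silently switched the bond to 802.3ad or dropped the `hwaddress` line is the kind of edit that only shows up as a DHCP surprise after the next failover.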