How I Built My Segmented OPNsense and UniFi Network
A comprehensive guide and case study on how I built and documented my segmented OPNsense firewall and UniFi network setup, integrating VLANs, WireGuard VPN, and advanced plugins.
When I decided to rebuild my home network, I didn’t just want faster internet — I wanted control. Consumer routers hide too much behind simplified menus. This project became a blend of curiosity, discipline, and obsession with clean design.
In this guide, I’ll walk you through how I built my segmented OPNsense network from scratch, configured VLANs for isolation, integrated WireGuard for remote access, documented the system, and overcame a UniFi adoption quirk.
Hardware and Foundation
The foundation of any reliable network is solid hardware. My build uses dependable components chosen for stability and efficiency.
- Motherboard: ASUS A520M-E (compact, reliable, stable BIOS)
- CPU: AMD Ryzen 5 5600G (6 cores — perfect balance of performance and efficiency)
- Memory: 8 GB DDR4
- Storage: 256 GB NVMe M.2 SSD
- Network Card: Intel i350-T4 Quad-Port Gigabit NIC
The Intel NIC’s FreeBSD compatibility and VLAN tagging support make it ideal for OPNsense.
NIC-to-Port Mapping
| NIC Port | Interface | Role |
|---|---|---|
| Port 1 (igb0) | WAN | Internet uplink |
| Port 2 (igb1) | Temporary LAN | Used for UniFi adoption (192.168.100.0/24) |
| Port 3 (igb2) | Reserved | For testing or expansion |
| Port 4 (igb3) | VLAN Trunk | Carries VLANs 5, 10, 15, and 20 |
| re0 (onboard) | Bridge Member | Part of bridge0 |
| bridge0 | Virtual Interface | 192.168.5.1/24 – Bridge of management VLAN and re0 |
This layout allows full control of physical and logical separation. I can repurpose any port easily during troubleshooting. The bridge exists to give the onboard motherboard port a use: it serves as a failsafe path into the management VLAN.
System Overview
| Setting | Value |
|---|---|
| Hostname | opnsense |
| Domain | internal |
| Theme | rebellion |
| Optimization Mode | conservative |
| SSH | Enabled (restricted to Management VLAN) |
| WebGUI | HTTPS only, bound to bridge0 (192.168.5.1) |
| DNS Servers | 8.8.8.8, 8.8.4.4, 1.1.1.1, 1.0.0.1 |
| NAT Reflection | Disabled |
Setting Up OPNsense
I installed OPNsense using a USB drive and selected ZFS for snapshots and reliability. After the setup wizard, I mapped igb0 as WAN and igb1 as LAN, then changed the LAN IP to 192.168.100.1/24 to avoid overlap with my existing network.
Once connected to the GUI, I updated the system and enabled SSH for remote access. Then I configured igb3 as a VLAN trunk that connects to my UniFi switch.
VLAN Architecture
Proper segmentation was the foundation of this project. VLANs separate broadcast domains, prevent lateral movement, and simplify rule creation.
| VLAN | Tag | Subnet | Purpose | Domain |
|---|---|---|---|---|
| 5 | 5 | 192.168.5.0/24 | Management – for OPNsense, UniFi, and infrastructure | management.internal |
| 10 | 10 | 192.168.10.0/24 | Trusted – personal devices and PCs | trusted.internal |
| 15 | 15 | 192.168.15.0/24 | Guest – Wi-Fi guests, internet-only | guest.internal |
| 20 | 20 | 192.168.20.0/24 | IoT – smart home devices | iot.internal |
Each VLAN has DHCP managed by OPNsense and DNS handled by Unbound. Internal host overrides simplify access to services (like controller.management.internal → 192.168.5.160).
WireGuard Configuration
Two WireGuard instances were configured using the WireGuard plugin. These provide remote access and management tunnels.
| Name | Interface | Port | Subnet | Peers | Purpose |
|---|---|---|---|---|---|
| Main | wg0 | 51820 | 10.10.0.0/24 | Laptop, Tablet, Phone | Remote access to VLANs 10, 15, and 20 |
| Management | wg1 | 51821 | 10.10.1.0/24 | Admin devices | Full internal and management access |
How It Works
When a client connects to the Main WireGuard, OPNsense routes its traffic internally through the appropriate VLANs while NATing outbound traffic to WAN. The Management WireGuard has unrestricted LAN access for administrative use.
Firewall and NAT Configuration
OPNsense’s firewall rules follow a “default deny” principle after adoption and testing.
VLAN Rule Highlights
- Management (VLAN 5): Full access to all subnets for administration.
- Trusted (VLAN 10): Internet access and select inter-VLAN (NAS, controller).
- Guest (VLAN 15): Internet-only.
- IoT (VLAN 20): Internet-only, blocked from private subnets.
- WireGuard (wg0 / wg1): Controlled access to internal VLANs, NATed outbound.
NAT & Forwarding
- Hybrid NAT mode enabled.
- Port forwards for internal services (HTTP/HTTPS, custom applications).
- GeoIP-restricted NAT rule for a game server (port 25565).
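To check that the rule highlights above (and the wg0 / wg1 access described under "How It Works") actually enforce the isolation I intended, here is a small first-match model of the policy as an added example; it is not code from the post or from OPNsense. The subnets are the ones in the tables; the NAS address (192.168.10.50) and the rule ordering are assumptions for illustration.

```python
from ipaddress import ip_address, ip_network

# Subnets from the post; the NAS address is an assumption for illustration.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
VLANS = ["192.168.5.0/24", "192.168.10.0/24", "192.168.15.0/24", "192.168.20.0/24"]
USER_VLANS = VLANS[1:]                      # trusted, guest, IoT
WG_MAIN, WG_MGMT = "10.10.0.0/24", "10.10.1.0/24"
NAS, CONTROLLER = "192.168.10.50/32", "192.168.5.160/32"

# (name, sources, destinations, action): first match wins, no match = default deny.
RULES = [
    ("mgmt-full",   ["192.168.5.0/24", WG_MGMT], ["0.0.0.0/0"], "pass"),
    ("trusted-svc", ["192.168.10.0/24"], [NAS, CONTROLLER], "pass"),
    ("wg0-vlans",   [WG_MAIN], USER_VLANS, "pass"),
    ("block-priv",  USER_VLANS + [WG_MAIN], RFC1918, "block"),
    ("internet",    USER_VLANS + [WG_MAIN], ["0.0.0.0/0"], "pass"),
]

def _nets(cidrs):
    return [ip_network(c) for c in cidrs]

def evaluate(src, dst):
    """Return 'local', 'pass', 'block' or 'default-deny' for a src -> dst flow."""
    s, d = ip_address(src), ip_address(dst)
    # Same-subnet traffic is switched, never routed, so it never reaches the firewall.
    for net in _nets(VLANS + [WG_MAIN, WG_MGMT]):
        if s in net and d in net:
            return "local"
    for _name, srcs, dsts, action in RULES:
        if any(s in n for n in _nets(srcs)) and any(d in n for n in _nets(dsts)):
            return action
    return "default-deny"

def check_policy():
    """Flows that encode the 'VLAN Rule Highlights'; True where the model agrees."""
    expected = {
        ("192.168.5.20", "192.168.20.7"): "pass",     # management reaches IoT
        ("192.168.10.20", "192.168.5.160"): "pass",   # trusted -> controller
        ("192.168.10.20", "192.168.5.1"): "block",    # trusted -> firewall mgmt IP
        ("192.168.15.20", "192.168.10.20"): "block",  # guest -> trusted
        ("192.168.15.20", "1.1.1.1"): "pass",         # guest -> internet
        ("192.168.20.7", "192.168.5.160"): "block",   # IoT -> controller
        ("10.10.0.2", "192.168.20.7"): "pass",        # wg0 -> IoT
        ("10.10.0.2", "192.168.5.160"): "block",      # wg0 -> management
        ("10.10.1.2", "192.168.5.1"): "pass",         # wg1 -> full admin access
    }
    return {flow: evaluate(*flow) == want for flow, want in expected.items()}
```

Reordering the rules (for example moving block-priv above trusted-svc) makes check_policy() report the flows that silently broke, which is the kind of mistake the "Handshakes ≠ traffic" lesson below refers to.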
The UniFi Adoption Quirk
This was the most frustrating part. The UniFi switch simply refused to adopt, even though my controller (192.168.5.160) was reachable. The issue wasn’t OPNsense — it was UniFi’s reliance on Layer 2 broadcasts.
Why It Happens
UniFi discovery uses UDP 10001 broadcasts, which cannot traverse VLANs. During initial setup, the switch sat on an untagged network, and the controller was on VLAN 5. Despite open firewall rules, discovery failed because VLAN boundaries isolate broadcasts.
The Fix: Temporary Flat LAN
To solve it, I configured igb1 as a temporary flat LAN:
- Assign igb1 as LAN: IP 192.168.100.1/24
- Enable DHCP on 192.168.100.10–192.168.100.200
- Connect the UniFi switch to igb1 and SSH in (default user ubnt)
- Run:

```bash
set-inform http://controller.management.internal:8080/inform
```
Network Override and VLAN Alignment on the UniFi Switch
Once the switch was adopted via SSH and the set-inform command, I had to make sure it pulled its management IP from the correct VLAN — in my case, VLAN 5 (Management).
Here’s the process that made everything click:
- After adoption, I went into the UniFi Controller → Devices → [Switch] → Settings → Network.
- Under Network Override, I selected Management VLAN (VLAN 5) as the management network for the switch.
- This forced the switch to request a new DHCP lease from OPNsense VLAN 5 (192.168.5.0/24).
- Once it reconnected, it appeared in the controller with an IP in the management subnet.
- With the switch now correctly on VLAN 5, I temporarily set all access ports on the switch to untagged VLAN 5.
- This step was crucial because UniFi devices (APs, In-Wall units, etc.) look for untagged traffic when they first boot.
- By keeping VLAN 5 untagged on every port, all newly connected UniFi devices received DHCP from the management VLAN automatically.
- After each UniFi device adopted successfully and appeared in the controller, I changed their Network Override to Management VLAN (VLAN 5) within the UniFi interface.
- Finally, I reconfigured the switch ports:
  - Set uplinks to trunk ports, tagged for VLANs 5, 10, 15, and 20.
This sequence ensured that every UniFi device joined the controller cleanly on the same management VLAN, after which I could safely reapply proper VLAN tagging and restore normal trunk configurations.
Reference
Network Infrastructure
UniFi
UniFi operates in “third-party gateway” mode — OPNsense handles all routing and VLANs.
| Device | Model | VLAN | Role |
|---|---|---|---|
| Switch | USW Flex | 5 | PoE trunk carrying all VLANs |
| APs | U6 Long Range, In-Wall | 10, 15, 20 | Wi-Fi SSIDs mapped to VLANs |
| Extender | U6 Extender | 10 | Coverage expansion for Trusted network |
APs carry all the VLANs, as they are connected on trunk ports. That being said, they only broadcast 3 SSIDs (IoT, Trusted, Guest).
TP-Link
TP-Link smart switches extend VLAN connectivity to wired segments (statically assigned IPs).
| Model | IP | VLANs | Notes |
|---|---|---|---|
| TL-SG108PE | 192.168.5.10 | 5, 10, 15, 20 | Trunks on ports 1–4, Access on 5–8 |
| TL-SG105E | 192.168.5.11 | 5, 10, 15, 20 | Trunks on 1,5, Access on 2–4 |
Plugins and Enhancements
| Plugin | Function |
|---|---|
| os-cpu-microcode-amd | Loads AMD CPU microcode updates. |
| os-crowdsec | Blocks malicious IPs using global threat intelligence. |
| os-dmidecode | Shows detailed system info on dashboard. |
| os-nut | Integrates UPS management and safe shutdown. |
| os-sftp-backup | Encrypted config backups to SFTP server. |
| os-theme-rebellion | Dark, ergonomic theme for long sessions. |
| os-upnp | Selective UPnP for IoT and gaming VLANs. |
| os-wol | Wake-on-LAN for remote systems. |
Monitoring and Maintenance
- CrowdSec Dashboard: Displays live IP bans and alerts.
- RRD Graphs: Track traffic per VLAN.
- SFTP Backup: Nightly configuration syncs.
- UPS (NUT): Monitors power and ensures safe shutdowns.
- Logs: System → DHCP and Firewall logs are essential for troubleshooting VLAN tagging.
Lessons and Improvements
| Challenge | Lesson |
|---|---|
| UniFi adoption | It’s not a config error — VLAN broadcast isolation breaks discovery. Use a flat LAN and set-inform. |
| WireGuard routing | Handshakes ≠ traffic. Check NAT and firewall rules. |
| VLAN design | Plan early and label cables/ports. |
| Plugin use | Focus on automation and visibility without bloat. |
| Resilience | UPS integration and offsite SFTP backups make recovery painless. |
Final Thoughts
This project turned a standard home network into a professional-grade lab. OPNsense now handles routing, firewalling, VPNs, and segmentation with precision, while UniFi provides the Wi-Fi for my devices.
Once I understood UniFi’s quirks and bridged the VLAN logic, the entire system became reliable, scalable, and — most importantly — mine. For safety purposes and peace of mind, I kept the interface that I used for the UniFi adoption quirk (Backup_Adoption_Interface) and just made sure to disable DHCP on it.