Project Argus — Phase 1: Live Audit Diff
Generated from live pulls of OPNsense (10.67.45.1) and MikroTik (10.67.45.2) on 2026-07-07. Credentials provided by operator are read-only/admin-audit and are assumed rotated after use.
1. Executive summary
Your network is currently running wide-open inter-VLAN. Every internal VLAN has a user-created Temporary allow all - migration pass rule. The MikroTik is doing only Layer-2 switching (no RouterOS firewall rules), so all inter-VLAN enforcement is on OPNsense. Until the temporary rules are removed, Project Argus Phase 1 cannot be considered complete.
Two non-design VLANs are present: VLAN 71 (ISPRouter, 10.67.81.0/24) and a residual 10.0.0.0/16 address on the MikroTik bridge. Both need explicit decisions.
2. OPNsense live interface map
| OPNsense if | VLAN | Subnet / role | Live state |
|---|---|---|---|
WAN (bge1) |
— | 2.124.228.243/22 | DHCP from Sky |
LAN (bge0) |
trunk / native? | IPv6 only in UI | Bound to LAN identifier; IPv4 not shown in overview but may still carry 10.67.0.1/16 per Blackwall post. |
vlan01 |
10 | 10.67.10.1/24 | Services |
vlan02 |
20 | 10.67.20.1/24 | Storage |
vlan03 |
30 | 10.67.30.1/24 | DMZ |
vlan04 |
40 | 10.67.40.1/24 | Infrastructure |
vlan05 |
45 | 10.67.45.1/24 | Management |
vlan06 |
50 | 10.67.50.1/24 | Guest |
vlan07 |
60 | 10.67.60.1/24 | Endpoints |
vlan08 |
70 | 10.67.70.1/24 | IoT |
vlan09 |
71 | 10.67.81.1/24 | ISPRouter (not in original Blackwall design) |
Question for you: Is bge0 / LAN still carrying 10.67.0.1/16 or the old 10.0.0.0/16 virtual IP? If yes, that is another migration leftover to remove.
3. OPNsense live user rules
These are the operator-created (non-automatic) filter rules, in evaluation order.
| # | Description | Interface | Action | Source | Dest | Port | Notes |
|---|---|---|---|---|---|---|---|
| 1 | Matrix HTTPS | WAN | pass | any | wanip | 443/tcp | Public Matrix ingress |
| 2 | Matrix Federation | WAN | pass | any | wanip | 8448/tcp | Public Matrix federation |
| 3 | Syncthing | WAN | pass | any | 10.67.10.26 | 22000/tcp/udp | Direct port-forward to arrstack-1 |
| 4 | Temporary allow all - migration | Services | pass | any | any | any | REMOVE THIS |
| 5 | Allow Services to Storage | Services | pass | 10.67.10.0/24 | 10.67.20.0/24 | any | Keep, but tighten ports |
| 6 | Temporary allow all - migration | Storage | pass | any | any | any | REMOVE THIS |
| 7 | Allow Services to Storage | Storage | pass | 10.67.20.0/24 | 10.67.10.0/24 | any | Keep, but tighten ports |
| 8 | Temporary allow all - migration | DMZ | pass | any | any | any | REMOVE THIS |
| 9 | Matrix HTTPS | DMZ | pass | any | wanip | 443/tcp | Duplicate WAN rule? Review. |
| 10 | Matrix Federation | DMZ | pass | any | wanip | 8448/tcp | Duplicate WAN rule? Review. |
| 11 | Temporary allow all - migration | Infrastructure | pass | any | any | any | REMOVE THIS |
| 12 | Temporary allow all - migration | Management | pass | any | any | any | REMOVE THIS |
| 13 | Temporary allow all - migration | Guest | pass | any | any | any | REMOVE THIS |
| 14 | Temporary allow all - migration | Endpoints | pass | any | any | any | REMOVE THIS |
| 15 | Allow DNS to adguard | Endpoints | pass | any | any | 53/udp | Misleading description — allows UDP/53 to any. Review if Bind9 is now authoritative. |
| 16 | Temporary allow all - migration | IoT | pass | any | any | any | REMOVE THIS |
| 17 | Block to internal 10/8 | ISPRouter | block | 10.67.81.0/24 | 10.0.0.0/8 | any | Good — keeps ISP router isolated |
| 18 | Block to internal 172.16/12 | ISPRouter | block | 10.67.81.0/24 | 172.16.0.0/12 | any | Good |
| 19 | Block to internal 192.168.0/16 | ISPRouter | block | 10.67.81.0/24 | 192.168.0.0/16 | any | Good |
| 20 | Allow to WAN | ISPRouter | pass | 10.67.81.0/24 | any | any | Good — ISP router internet only |
4. MikroTik live findings
L2 switching
- Single bridge
bridge, VLAN filtering enabled (vlan-filtering: true). ether4andether13are the trunk ports (tagged for every VLAN).ether4connects to OPNsense;ether13likely connects to the other switch/AP.- Switch has no L3 firewall rules (
/ip firewall filter print= 0 rows) and no NAT (/ip firewall nat print= 0 rows). - Therefore all inter-VLAN routing and filtering is delegated to OPNsense.
VLAN-to-port mapping
| VLAN | Tagged ports | Untagged ports | Purpose inferred |
|---|---|---|---|
| 1 | ether4 | ether7, bridge | Default / native? |
| 10 | ether4, ether13 | — | Services |
| 20 | ether4, ether13 | ether11 | Storage (TrueNAS direct) |
| 30 | ether4, ether13 | — | DMZ |
| 40 | ether4, ether13 | ether7 | Infrastructure |
| 45 | ether4, ether13, bridge | ether1, ether5, ether9, ether12 | Management |
| 50 | ether4, ether7, ether13 | — | Guest (WiFi) |
| 60 | ether4, ether7, ether13 | ether17 | Endpoints |
| 70 | ether4, ether7, ether13 | — | IoT (WiFi) |
| 71 | ether4 | ether15 | ISP Router |
Management VLAN (45) concern
Untagged management ports: ether1, ether5, ether9, ether12. That is four physical jacks that will land directly in VLAN 45 if something is plugged in. For a “no direct access from user VLANs” control plane, this is a lot of physical exposure. Recommend:
- Audit what is actually plugged into those ports.
- Move non-management devices to their proper VLANs.
- Consider disabling unused management ports or setting their PVID to a quarantine VLAN.
Residual legacy IP
The bridge still has 10.0.1.34/16. This is a leftover from the flat 10.0.0.0/16 migration network. It has a connected route for 10.0.0.0/16, and default gateway is 10.67.45.1. Recommend removing this address once you confirm nothing references it.
5. Current vs required allowlist — the gap
| Required flow | Current state | Gap / action |
|---|---|---|
| Endpoint → Services (443) | Allowed by “Temporary allow all - migration” on Endpoints | Replace with explicit Endpoint → 10.67.40.25:443 rule. |
| Endpoint → Storage (443/445/2049) | Allowed by same temp rule | Add explicit Endpoint → 10.67.20.0/24 services rule. |
| Endpoint → DNS (10.67.40.25:53) | Allowed by “Allow DNS to adguard” UDP/53 to any | Tighten source to Endpoints subnet, dest to 10.67.40.25:53 (TCP+UDP). |
| Endpoint → Management | Currently allowed by temp rule | Must be denied; admin access only from VLAN 45. |
| Guest → Internet only | Currently allowed by temp rule to any | Replace with Guest → !RFC1918 allow, then default deny. |
| IoT → Internet only | Currently allowed by temp rule to any | Same as Guest. Also confirm MikroTik client isolation for WiFi. |
| Services → Storage | Explicit rule exists but too broad (any port) | Restrict to required ports: 443 (TrueNAS UI), 445 (SMB), 2049 (NFS), maybe iSCSI 3260. |
| Services → Infrastructure (DNS/Authentik/Komodo) | Allowed by temp rule | Add explicit Services → 10.67.40.25:53/9000/9120 etc. |
| Services → Management | Allowed by temp rule | Deny. |
| DMZ → Services | Allowed by temp rule | Replace with explicit DMZ → GitLab/Nextcloud/backends only. |
| DMZ → Management | Allowed by temp rule | Deny. |
| Infrastructure → Services/Storage/DMZ/Management | Allowed by temp rule | Keep as needed, but log and tighten per orchestration need. |
| WAN → DMZ | Matrix HTTPS + Federation rules exist | Keep; review whether Matrix should move to Services and only DMZ connectors stay in DMZ. |
| ISPRouter → internal | Blocked by rules 17-19 | Good. Keep. |
6. Immediate risks
- Lateral movement is unrestricted. Any compromised host in Guest, IoT, Endpoints, Services, Storage, DMZ, or Infrastructure can reach any other internal subnet and any management interface.
- Management VLAN is physically exposed. Four untagged management ports mean plugging a device into the wrong jack grants access to VLAN 45.
- Unknown VLAN 71.
10.67.81.0/24/ ISPRouter is not in the Blackwall design. If it is the ISP router isolation VLAN, it should be documented; if leftover, removed. - Legacy flat network still present. MikroTik bridge address
10.0.1.34/16and OPNsensebge0LAN IP may still bridge old and new networks. - Duplicate Matrix rules. Rules on both WAN and DMZ for Matrix 443/8448 — verify which interface Matrix actually ingresses on.
7. Proposed OPNsense rule changes
Remove (after observation window)
| Rule description to delete | Reason |
|---|---|
Temporary allow all - migration on Services |
Replaced by explicit allowlist. |
Temporary allow all - migration on Storage |
Replaced by explicit allowlist. |
Temporary allow all - migration on DMZ |
Replaced by explicit allowlist. |
Temporary allow all - migration on Infrastructure |
Replaced by explicit allowlist. |
Temporary allow all - migration on Management |
Replaced by explicit allowlist. |
Temporary allow all - migration on Guest |
Replaced by internet-only rule. |
Temporary allow all - migration on Endpoints |
Replaced by explicit allowlist. |
Temporary allow all - migration on IoT |
Replaced by internet-only rule. |
Add / tighten
| Priority | Interface | Action | Source | Destination | Port | Description |
|---|---|---|---|---|---|---|
| 10 | Endpoints | pass | 10.67.60.0/24 | 10.67.40.25 | 53/tcp+udp | Endpoint DNS to Bind9 |
| 11 | Endpoints | pass | 10.67.60.0/24 | 10.67.40.25 | 443/tcp | Endpoint HTTPS to Traefik |
| 12 | Endpoints | pass | 10.67.60.0/24 | 10.67.40.27 | 3000/tcp | Endpoint Grafana |
| 13 | Endpoints | pass | 10.67.60.0/24 | 10.67.20.24 | 443/tcp,445/tcp,2049 | Endpoint NAS access |
| 14 | Endpoints | block | 10.67.60.0/24 | 10.67.45.0/24 | any | Endpoint no management |
| 20 | Guest | pass | 10.67.50.0/24 | !RFC1918 | any | Guest internet only |
| 21 | Guest | block | 10.67.50.0/24 | RFC1918 | any | Guest no internal |
| 30 | IoT | pass | 10.67.70.0/24 | !RFC1918 | any | IoT internet only |
| 31 | IoT | block | 10.67.70.0/24 | RFC1918 | any | IoT no internal |
| 40 | Services | pass | 10.67.10.0/24 | 10.67.40.25 | 53/tcp+udp | Services DNS |
| 41 | Services | pass | 10.67.10.0/24 | 10.67.40.25 | 9000/tcp | Services Authentik |
| 42 | Services | pass | 10.67.10.0/24 | 10.67.40.25 | 9120/tcp | Services Komodo |
| 43 | Services | pass | 10.67.10.0/24 | 10.67.20.24 | 443/445/2049/3260 | Services to NAS |
| 44 | Services | block | 10.67.10.0/24 | 10.67.45.0/24 | any | Services no management |
| 50 | Storage | pass | 10.67.20.0/24 | 10.67.10.0/24 | limited | Storage to Services (narrow to required initiators) |
| 51 | Storage | block | 10.67.20.0/24 | 10.67.45.0/24 | any | Storage no management |
| 60 | DMZ | pass | 10.67.30.0/24 | 10.67.10.31 | 80/tcp,443/tcp,5050/tcp | DMZ to GitLab |
| 61 | DMZ | pass | 10.67.30.0/24 | 10.67.10.29 | 8080/tcp | DMZ to Nextcloud |
| 62 | DMZ | pass | 10.67.30.0/24 | 10.67.40.25 | 53/tcp+udp | DMZ DNS |
| 63 | DMZ | block | 10.67.30.0/24 | 10.67.45.0/24 | any | DMZ no management |
| 70 | Management | block | 10.67.45.0/24 | any | any | Management is a sink (except return traffic) |
| 80 | Infrastructure | pass | 10.67.40.0/24 | 10.67.10.0/24,10.67.20.0/24,10.67.30.0/24,10.67.45.0/24 | required | Infra orchestration/monitoring |
8. Proposed MikroTik changes
MikroTik currently does no L3 filtering, so these are Layer-2 / management hygiene items:
- Remove bridge IP
10.0.1.34/16once migration is confirmed complete. - Audit untagged VLAN 45 ports (
ether1,ether5,ether9,ether12). Only management devices should live here. - Consider setting unused access ports to disabled or to PVID 999 (quarantine VLAN).
- Enable DHCP snooping + ARP inspection on user-facing VLANs if MikroTik supports it on this hardware, as a MAC-spoofing mitigation for MAB.
- Confirm MAB is not yet configured (it is not visible in the API output). When implemented, bind it to firewall constraints per Argus exit criteria.
9. Suggested staged rollout
Week 1 — Log mode
- Add all proposed block rules with Log enabled but Action = Pass (so you can see what would be blocked without breaking anything).
- Alternative: add block rules with log, but place them below the temp allow-all so they never hit. Better: temporarily disable the temp allow-all rules during a test window.
- Collect OPNsense logs for 7 days.
Week 2 — Enforce
- Remove temp allow-all rules.
- Switch log-only rules to block/pass as designed.
- Monitor for breakage.
Week 3 — Harden MikroTik
- Clean legacy bridge IP.
- Audit VLAN 45 physical ports.
- Document final port map.
10. Open questions
- What device/service is on
10.67.60.24? It has active MikroTik www connections. - What is plugged into MikroTik
ether1,ether5,ether9,ether12,ether15,ether17? - Is Matrix (10.67.30.24) meant to stay in DMZ or move to Services?
- Does OPNsense
bge0/ LAN still have the10.67.0.1/16or10.0.0.0/16migration IP? - Where is DHCPv4 running? No DHCP server on MikroTik; OPNsense DHCP leases API was not reachable.
11. Files generated
/opt/data/work/argus-phase1-allowlist.md— inferred required allowlist./opt/data/work/argus-phase1-diff.md— this file (live current state + gap analysis)./tmp/opnsense-filter-rules.json— full raw OPNsense filter rule dump./tmp/mikrotik-state.json— full raw MikroTik state dump.
Verify this post
This page is published as a PGP clearsigned document. You can verify it like this:
gpg --keyserver hkps://keys.openpgp.org --recv-keys CA98D5946FA3A374BA7E2D8FB254FBF3F060B796
curl -fsSL 'https://eddiequinn.xyz/sigs/posts/drafts/project-argus/data/argus-phase1-diff.txt' | gpg --verify