Phase 1 Firewall Rule Implementation Log

Card 217 — Replace broad inter-VLAN allow rules with documented policy Last updated: 2026-07-08

Status at a glance

VLAN Rules Applied Temp Disabled DHCP Fixed Verified
WAN ✅ (no new) N/A N/A
Endpoints (vlan07) N/A
Guest (vlan06) ✅ (1.1.1.1)
IoT (vlan08)
Services (vlan01) N/A
Storage (vlan02) N/A
DMZ (vlan03) N/A
Infrastructure (vlan04) N/A
Management (vlan05) N/A
ISPRouter (vlan09) N/A N/A

Tracking: Nextcloud Deck Card 309 — Phase 1 staged temp rule removal


Rules applied by interface

WAN

No new rules. Existing Matrix HTTPS/Federation, Syncthing, and WireGuard rules are correct.

Endpoints (vlan07) — 4 rules

  • 140: pass TCP 10.67.60.0/24 -> 10.67.40.25:443 (Traefik)
  • 160: pass TCP 10.67.60.0/24 -> 10.67.20.24:TRUENAS_SVC (TrueNAS)
  • 170: pass TCP 10.67.60.0/24 -> 10.67.40.27:3000 (Grafana)
  • 180: block 10.67.60.0/24 -> 10.67.45.0/24 (Management)

Guest (vlan06) — 2 rules

  • 190: pass 10.67.50.0/24 -> !RFC1918 (internet only)
  • 200: block 10.67.50.0/24 -> RFC1918
  • DHCP DNS changed to 1.1.1.1, 1.0.0.1, 8.8.8.8
  • Temp rule disabled ✅

IoT (vlan08) — 2 rules

  • 210: pass 10.67.70.0/24 -> !RFC1918 (internet only)
  • 220: block 10.67.70.0/24 -> RFC1918
  • DHCP DNS needs to be changed to 1.1.1.1 (same as Guest)
  • Temp rule still active

Services (vlan01) — 3 rules

  • 240: pass TCP 10.67.10.0/24 -> 10.67.40.25:443 (Traefik)
  • 280: pass TCP 10.67.10.0/24 -> 10.67.20.24:TRUENAS_NFS (TrueNAS)
  • 290: block 10.67.10.0/24 -> 10.67.45.0/24

Storage (vlan02) — 1 rule

  • 310: block 10.67.20.0/24 -> 10.67.45.0/24

DMZ (vlan03) — 8 rules (from Pangolin Integration API)

  • 330: pass TCP 10.67.30.0/24 -> 10.67.10.0/24:PANGOLIN_SVC
  • 340: pass TCP 10.67.30.0/24 -> 10.67.40.0/24:PANGOLIN_INFRA
  • 350: pass TCP 10.67.30.0/24 -> 10.67.20.24:443 (TrueNAS)
  • 360: pass TCP 10.67.30.0/24 -> 10.67.45.1:443 (OPNsense)
  • 370: pass TCP 10.67.30.0/24 -> 10.67.45.2:80 (MikroTik)
  • 380: pass TCP 10.67.30.0/24 -> 10.67.45.26:443 (PDU)
  • 390: pass TCP 10.67.30.0/24 -> 10.67.45.27:443 (Proxmox)
  • 400: block 10.67.30.0/24 -> 10.67.45.0/24

Infrastructure (vlan04) — 4 rules

  • 370: pass TCP 10.67.40.0/24 -> 10.67.10.0/24:INFRA_TO_SERVICES
  • 380: pass TCP 10.67.40.0/24 -> 10.67.20.0/24:TRUENAS_SVC
  • 390: pass TCP 10.67.40.0/24 -> 10.67.30.0/24:INFRA_TO_DMZ
  • 400: pass TCP 10.67.40.0/24 -> 10.67.45.0/24:INFRA_TO_MGMT

Management (vlan05) — 1 rule

  • 410: block 10.67.45.0/24 -> any (sink)

ISPRouter (vlan09) — 2 rules

  • 420: block 10.67.81.0/24 -> RFC1918
  • 430: pass 10.67.81.0/24 -> !RFC1918

Port aliases created

  • RFC1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
  • TRUENAS_SVC: 443, 445, 2049
  • TRUENAS_NFS: 443, 445, 2049, 3260
  • PANGOLIN_SVC: 80, 443, 2283, 2424, 3737, 7476, 7878, 8082, 8086, 8087, 8096, 8384, 8989, 9119, 9120, 9696, 11000, 13378
  • PANGOLIN_INFRA: 443, 3000, 3050, 8080, 9000
  • INFRA_TO_SERVICES: 22, 80, 443, 8080, 9120
  • INFRA_TO_DMZ: 22, 443
  • INFRA_TO_MGMT: 22, 443, 8006, 8729

Design decisions

  • Guest + IoT use public DNS (1.1.1.1/8.8.8.8) via DHCP, not Unbound/Bind9
  • DNS exception rules not needed — same-subnet gateway IP resolves DNS at L2
  • DMZ -> Management has explicit per-service exceptions before blanket block (Pangolin proxies OPNsense/MikroTik/PDU/Proxmox)
  • Services -> Traefik (443) covers all app-level access; no per-service port rules needed
  • Pangolin Integration API data is the source of truth for DMZ backend rules (31 resources)

Known issues (cleanup during Step 11)

  • Matrix HTTPS/Federation rules duplicated on DMZ
  • ISPRouter has per-RFC-range block rules duplicated by RFC1918 alias
  • Pangolin has 1 unhealthy target: Hermes (ai.eddiequinn.casa -> 10.67.10.25:9119)

Artifacts


Verify this post

This page is published as a PGP clearsigned document. You can verify it like this:

gpg --keyserver hkps://keys.openpgp.org --recv-keys CA98D5946FA3A374BA7E2D8FB254FBF3F060B796
curl -fsSL 'https://eddiequinn.xyz/sigs/posts/drafts/project-argus/evidence/phase1/implementation-log.txt' | gpg --verify

whoami

Systems should be predictable. People rarely are.