Network Segmentation #

Procedures for building the segmented VLAN network on a substrate. These steps create VLAN infrastructure on OPNsense and the access switch, configure DHCP/DNS/firewall, assign ports to segments, and set up wireless.

These procedures are used during the Build Network step of a greenfield build, and can be re-run for network changes or recovery.

**History:** These procedures were originally developed for the dvntm flat-to-VLAN migration (completed 2026-03-25). They are now the standard procedures for building network segmentation on any site.

Segmentation Flow #

flowchart TD
    A["Prerequisites & Preflight
Vault, backups, connectivity checks"]
    B["VLAN Foundation
OPNsense VLANs, switch database, trunk uplink"]
    C["Builder Cutover
OPNsense interfaces, switch dual-mgmt,
builder IP & port move"]:::critical
    D["Services & Routing
DHCP, firewall rules, trunk PVID"]
    E["Port Migration & Wireless
Access ports, management cutover,
Omada adoption, SSIDs"]
    F["Post-Migration
Validation, DNS refresh, cleanup"]

    A --> B --> C --> D --> E --> F

    classDef default fill:#2d333b,stroke:#539bf5,color:#adbac7
    classDef critical fill:#3d1f00,stroke:#d29922,color:#e6c068

Phases #

Prerequisites & Preflight #

Decrypt vault, verify backups, confirm physical port mapping, and run automated preflight checks (OPNsense API, switch SSH, AP ping, builder services).

VLAN Foundation #

Create VLAN sub-interfaces on OPNsense, create VLANs in the switch database, and configure the trunk uplink with tagged VLANs. All non-disruptive — no traffic is affected.

Builder Cutover #

The highest-risk phase. Assign OPNsense VLAN interfaces (manual GUI step), add temporary firewall rules, dual-home the switch on VLAN 99, change the builder’s static IP, and move its port to the management VLAN. After this, the builder operates from the new network.