ADR-0004: OPNsense as KVM VM, not Docker
Status
Accepted — 2026-03-31
Context
The platform requires an NGFW to implement DMZ segmentation. OPNsense was chosen as the NGFW software. The primary compute host is caneast-c1-node3 (CanEast Server), which provides KVM virtualization and uses USB NICs.
Decision
OPNsense runs as a KVM VM (caneast-c1-fw1) on caneast-c1-node3. Not Docker.
Interface mapping:
- WAN: lan-bridge → caneast-c1-fw1
- LAN: dmz-bridge-0 → caneast-c1-fw1
- MGT: dmz-bridge-1 → caneast-c1-fw1
- ICT: dmz-bridge-2 → caneast-c1-fw1
Web GUI restricted to LAN and MGT interfaces only.
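Added verification script (not part of the ADR or the platform's own tooling): it checks the output of `virsh domiflist caneast-c1-fw1` on the KVM host against the bridge mapping above, so a missing, duplicated or stray bridge attachment (which would leave a segment unfiltered) is caught before the ISP gateway is pointed at the firewall. The `domiflist` output embedded below is constructed sample data.

```shell
#!/bin/sh
# Bridges that ADR-0004 attaches to caneast-c1-fw1 (WAN, LAN, MGT, ICT).
EXPECTED_BRIDGES="lan-bridge dmz-bridge-0 dmz-bridge-1 dmz-bridge-2"

# check_fw1_ifaces: read the output of `virsh domiflist caneast-c1-fw1` on
# stdin and return 0 only if exactly the four expected bridges are attached
# (type "bridge", each once). Every discrepancy is printed; return 1 if any.
check_fw1_ifaces() {
    actual=$(awk '$2 == "bridge" { print $3 }')   # header/separator rows skipped
    rc=0
    for b in $EXPECTED_BRIDGES; do
        n=$(printf '%s\n' "$actual" | grep -cx "$b" || true)  # -x: whole line
        if [ "$n" -eq 0 ]; then
            echo "MISSING: $b is not attached to caneast-c1-fw1"; rc=1
        elif [ "$n" -gt 1 ]; then
            echo "DUPLICATE: $b is attached $n times"; rc=1
        fi
    done
    for b in $actual; do
        case " $EXPECTED_BRIDGES " in
            *" $b "*) ;;
            *) echo "UNEXPECTED: $b is attached but not in the ADR-0004 mapping"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed samples of `virsh domiflist` output (not captured from the real
# host). SAMPLE_GOOD matches the ADR; SAMPLE_BAD lacks the MGT bridge and has
# the libvirt default NAT bridge (virbr0) attached instead.
SAMPLE_GOOD=' Interface   Type     Source         Model    MAC
------------------------------------------------------------
 vnet0       bridge   lan-bridge     virtio   52:54:00:00:00:01
 vnet1       bridge   dmz-bridge-0   virtio   52:54:00:00:00:02
 vnet2       bridge   dmz-bridge-1   virtio   52:54:00:00:00:03
 vnet3       bridge   dmz-bridge-2   virtio   52:54:00:00:00:04'
SAMPLE_BAD=' Interface   Type     Source         Model    MAC
------------------------------------------------------------
 vnet0       bridge   lan-bridge     virtio   52:54:00:00:00:01
 vnet1       bridge   dmz-bridge-0   virtio   52:54:00:00:00:02
 vnet2       bridge   dmz-bridge-2   virtio   52:54:00:00:00:03
 vnet3       bridge   virbr0         virtio   52:54:00:00:00:04'

# Stand-alone demo; on the host, replace the sample with:
#   virsh domiflist caneast-c1-fw1 | check_fw1_ifaces
printf '%s\n' "$SAMPLE_BAD" | check_fw1_ifaces \
    || echo "caneast-c1-fw1: interface mapping does not match ADR-0004"
```

A non-zero exit status is meant to gate the gateway cut-over step listed under Consequences.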
Alternatives Considered
Docker container (macvlan) — macvlan networking is incompatible with USB NICs. The USB NIC driver does not support promiscuous mode, which macvlan requires. No production-grade Docker image exists for OPNsense. This path was attempted and abandoned.
pfSense — Technically viable but OPNsense has better community support and more frequent updates.
nftables + Suricata (DIY) — No management GUI, no plugin ecosystem, significant operational overhead.
Consequences
- caneast-c1-node3 is now dual-role: KVM host and firewall host
- ISP gateway DMZ pointed to caneast-c1-fw1 — firewall rules must be configured before activating
- Jump box VM (caneast-c1-jmp1) required for management access to DMZ-segmented nodes
References
- ADR-0002 (Infisical on caneast-c1-node3) — concentration of critical roles on caneast-c1-node3
- Network bridge design: lan-bridge, dmz-bridge-0, dmz-bridge-1, dmz-bridge-2