
Deprecated — Migrated to PLAT-0001 on 2026-05-02 per ADR-0047. This source file is retained as a reference; the canonical content is in PLAT-0001.

ADR-0004: OPNsense as KVM VM, not Docker

Status

Accepted — 2026-03-31

Context

The platform requires an NGFW (next-generation firewall) to implement DMZ segmentation. OPNsense was chosen as the NGFW software. The primary compute host is caneast-site1-node3 (CanEast Server), a KVM host whose physical network interfaces are USB NICs.

Decision

OPNsense runs as a KVM VM (caneast-site1-fw1) on caneast-site1-node3. Not Docker.

Interface mapping (OPNsense interface: host bridge → address):

  • WAN: lan-bridge → REDACTED
  • LAN: dmz-bridge-0 → REDACTED
  • MGT: dmz-bridge-1 → REDACTED
  • ICT: dmz-bridge-2 → REDACTED

Web GUI restricted to LAN and MGT interfaces only.
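
As an added worked example (not part of this ADR or the project's own tooling), the following shell shows how the guest above would be defined with its four bridge-attached NICs in the documented order, and a post-deployment check that the attachment matches the mapping. The use of virt-install, the ISO path, the os-variant, the virtio NIC model and the VM sizing are assumptions; the `virsh domiflist` sample is constructed, not captured from the host.

```shell
#!/bin/sh
# Added example, not from ADR-0004: define caneast-site1-fw1 with its four
# bridge-attached virtio NICs in the order the ADR documents, then verify the
# attachment from `virsh domiflist` output.
# Assumptions (not stated in the ADR): libvirt + virt-install on the KVM host,
# the ISO path and os-variant below, and virtio NICs. FreeBSD numbers virtio
# NICs vtnet0, vtnet1, ... in PCI probe order, which normally follows the order
# of the --network arguments, so the WAN bridge must be listed first.

FW_VM=caneast-site1-fw1
# Bridge per OPNsense interface, in vtnetN order: WAN LAN MGT ICT (Decision section).
BRIDGES="lan-bridge dmz-bridge-0 dmz-bridge-1 dmz-bridge-2"

# Define the guest. Run once, by hand, on caneast-site1-node3.
create_fw_vm() {
    net_args=""
    for br in $BRIDGES; do
        net_args="$net_args --network bridge=$br,model=virtio"
    done
    # $net_args is intentionally unquoted so each --network is its own argument.
    virt-install --name "$FW_VM" --os-variant freebsd14.0 \
        --vcpus 2 --memory 4096 --disk size=20 \
        --cdrom /var/lib/libvirt/images/OPNsense-dvd-amd64.iso \
        --graphics vnc,listen=127.0.0.1 \
        $net_args
}

# Post-deployment check. Reads `virsh domiflist <vm>` on stdin and compares the
# Source column, row by row, against the expected bridge list given in $1.
# Returns 0 on an exact ordered match; otherwise reports each mismatch, returns 1.
check_vm_bridges() {
    # Column 3 of each bridge row is Source (the bridge name); rows 1-2 are the header.
    actual=$(awk 'NR > 2 && NF >= 3 && $2 == "bridge" { print $3 }')
    set -- $1
    rc=0
    i=0
    for src in $actual; do
        if [ $# -gt 0 ]; then want=$1; shift; else want="(nothing)"; fi
        if [ "$src" != "$want" ]; then
            echo "vtnet$i: attached to $src, expected $want" >&2
            rc=1
        fi
        i=$((i + 1))
    done
    if [ $# -gt 0 ]; then
        echo "no NIC attached for: $*" >&2
        rc=1
    fi
    return $rc
}

# Constructed `virsh domiflist caneast-site1-fw1` output (not from a real host).
SAMPLE_OK=' Interface   Type     Source         Model    MAC
-------------------------------------------------------------
 vnet10      bridge   lan-bridge     virtio   52:54:00:aa:00:01
 vnet11      bridge   dmz-bridge-0   virtio   52:54:00:aa:00:02
 vnet12      bridge   dmz-bridge-1   virtio   52:54:00:aa:00:03
 vnet13      bridge   dmz-bridge-2   virtio   52:54:00:aa:00:04'

# Constructed failure case: WAN and LAN bridges swapped. The check must reject
# this, since OPNsense would then apply its LAN rules (and expose the GUI) on
# the lan-bridge side, which is the ADR's WAN.
SAMPLE_SWAPPED=' Interface   Type     Source         Model    MAC
-------------------------------------------------------------
 vnet10      bridge   dmz-bridge-0   virtio   52:54:00:aa:00:01
 vnet11      bridge   lan-bridge     virtio   52:54:00:aa:00:02
 vnet12      bridge   dmz-bridge-1   virtio   52:54:00:aa:00:03
 vnet13      bridge   dmz-bridge-2   virtio   52:54:00:aa:00:04'

if printf '%s\n' "$SAMPLE_OK" | check_vm_bridges "$BRIDGES"; then
    echo "$FW_VM: bridge attachment matches ADR-0004"
fi
```

On the host the check is run as `virsh domiflist caneast-site1-fw1 | check_vm_bridges "$BRIDGES"`. The vtnet numbering assumption should still be confirmed once against the MAC addresses shown in OPNsense under Interfaces: Assignments, because a mis-ordered WAN/LAN pair silently inverts which segment the GUI and the permissive LAN rules face.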

Alternatives Considered

Docker container (macvlan) — Attempted and abandoned, for two independent reasons. First, OPNsense is a FreeBSD-based system built on pf and the FreeBSD network stack, while a Docker container shares the host's Linux kernel; there is no production-grade OPNsense image, and any "OPNsense in Docker" image would have to embed a VM anyway. Second, macvlan requires the parent interface to accept frames for the additional MAC addresses it creates, which needs unicast address filtering or promiscuous mode in the driver; the USB NIC driver does not support promiscuous mode, so macvlan on the USB NICs does not work.

pfSense — Technically viable but OPNsense has better community support and more frequent updates.

nftables + Suricata (DIY) — No management GUI, no plugin ecosystem, significant operational overhead.

Consequences

  • caneast-site1-node3 is now dual-role: KVM host and firewall host. A reboot or failure of the host takes the firewall, and with it all DMZ connectivity, down at the same time; host maintenance is a network outage.
  • The ISP gateway's DMZ host setting is pointed at REDACTED, which forwards all unsolicited inbound traffic from the ISP to that address. The OPNsense WAN rule set must be configured and verified before that setting is enabled.
  • Jump box VM (caneast-site1-jmp1) required for management access to DMZ-segmented nodes, since the firewall now sits between them and the LAN.

References

  • ADR-0002 (Infisical on caneast-site1-node3) — caneast-site1-node3 criticality accumulation
  • Network bridge design: lan-bridge, dmz-bridge-0, dmz-bridge-1, dmz-bridge-2