For most stuff I've been comfortable with having my OPNsense gateways be trusted points, which has struck a reasonable balance for me between convenience, security, and compatibility. So I WireGuard into that, and from there it's normal firewall and routing in one place, with the ability to lean on hardwired subnets or VLANs so that the universe of old sensitive appliance things (like UPS interfaces) can still be reached. I have site-to-site WG tunnels between gateways as well. For LAN usage, going through a central point has generally not been a significant performance burden; the only thing I have personally that is both very demanding and secure is iSCSI, and there I've gone to the trouble of just physically isolating it. Going through a point also means there isn't much in the way of provisioning to do: each client just needs the single WG to the gateway for all (or most) traffic and that's it. Most stuff can be provisioned with Ansible; for a few mobile clients, though, I just use QR codes manually. I should really try to figure out if WireGuard can be provisioned on iOS/Android with MDM, but that's been a backburner so far. I've started to play around with having some things go exclusively into a Nebula mesh with OPNsense only running a lighthouse, but it's more work and rougher. And unlike WG to the gateway and leaning on VLANs for some older kit, really putting everything behind a virtual network they don't natively support requires sticking a translator between them and the rest of the network. Fun to play with a little and the potential is cool, but I don't think there are any prebaked options as smooth and cheap as would be ideal for that, and I suspect the ROI there at my level is getting pretty dang low. IPMI access is the main place I think might be worth it, since that's just so sensitive yet simultaneously so useful in resolving issues, all while having extremely mediocre security on its own.
Whereas WG to the gateway does leave the gateway as a point of failure, but I'm depending on that to a significant degree for now anyway. And it is fast, simple, reliable, easy to manage/reason about, and eliminates layer 2 auth from the picture entirely. Don't have to worry about someone plugging into some open ethernet port either, for example, and any necessary effort to secure those, not just WiFi. Threats may evolve, but hopefully the options we have to combat them evolve in concert to some degree. Lots of other HNers are vastly more experienced in this than me, and I'm not unaware of some of the potential failure points, but it's hard sometimes to figure out how to balance risk vs. the resources we have to spend on them (not just money but time). Also there are other good gateway/firewall options like VyOS, or just working directly off your favorite flavor of Linux or OpenBSD or whatever, that might fit your needs/preferences/tooling better than OPNsense. I don't mean to suggest that it is the best choice; it's just what I've settled in on as a good balance of other values.
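The hub-and-spoke layout described in the comment above (one WireGuard tunnel per client to the gateway, full tunnel for most clients, split tunnel to the LAN/VLAN ranges for the rest), written out as an added example that is not part of the original comment or of OPNsense: a small generator for both sides of the config, with the gateway-side AllowedIPs held to each peer's own /32 and a pre-check for address collisions. The tunnel subnet, LAN ranges, key strings and endpoint are constructed placeholders.

```python
"""Hub-and-spoke WireGuard: every client gets one tunnel to the gateway.
Keys, addresses, names and the endpoint below are constructed placeholders."""
import ipaddress
from dataclasses import dataclass

VPN_NET = ipaddress.ip_network("10.99.0.0/24")   # constructed tunnel subnet
GATEWAY_INDEX = 1                                  # gateway sits at 10.99.0.1
LAN_NETS = ["192.168.10.0/24", "192.168.20.0/24"]  # constructed LAN/VLAN ranges

@dataclass
class Peer:
    name: str
    pubkey: str               # placeholder; real keys come from `wg genkey | wg pubkey`
    index: int                # host number inside VPN_NET
    full_tunnel: bool = True  # True: route all traffic via the gateway

def vpn_addr(peer: Peer) -> ipaddress.IPv4Address:
    return VPN_NET.network_address + peer.index

def gateway_peer_stanza(peer: Peer) -> str:
    # Hub side: AllowedIPs is also the source filter, so keep it to the peer's
    # own /32. Anything wider would let this key send packets that appear to
    # come from another client's tunnel address.
    return (f"[Peer]\n# {peer.name}\nPublicKey = {peer.pubkey}\n"
            f"AllowedIPs = {vpn_addr(peer)}/32\n")

def client_config(peer: Peer, gw_pubkey: str, gw_endpoint: str) -> str:
    # Client side: 0.0.0.0/0 sends everything through the gateway; the split
    # variant reaches only the LAN/VLAN ranges plus the tunnel subnet.
    allowed = "0.0.0.0/0" if peer.full_tunnel else ", ".join(LAN_NETS + [str(VPN_NET)])
    return (f"[Interface]\nAddress = {vpn_addr(peer)}/32\n"
            f"PrivateKey = <{peer.name}-private-key>\n\n"
            f"[Peer]\nPublicKey = {gw_pubkey}\nEndpoint = {gw_endpoint}\n"
            f"AllowedIPs = {allowed}\nPersistentKeepalive = 25\n")

def build_gateway_peers(peers: list[Peer]) -> str:
    # Catch collisions before they reach the gateway: WireGuard would quietly
    # move a duplicated AllowedIPs entry to whichever peer is loaded last.
    seen = set()
    for p in peers:
        if p.index <= GATEWAY_INDEX or vpn_addr(p) not in VPN_NET:
            raise ValueError(f"{p.name}: index {p.index} outside the client range")
        if p.index in seen:
            raise ValueError(f"{p.name}: index {p.index} already assigned")
        seen.add(p.index)
    return "\n".join(gateway_peer_stanza(p) for p in peers)

if __name__ == "__main__":
    peers = [Peer("laptop", "LAPTOP_PUBKEY=", 10), Peer("phone", "PHONE_PUBKEY=", 11)]
    print(build_gateway_peers(peers))
    print(client_config(peers[0], "GATEWAY_PUBKEY=", "vpn.example.net:51820"))
```

The gateway output is what would be pasted (or pushed by Ansible) into the hub's peer list; the per-client output is what a QR code or MDM profile would carry.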