Add Mac mini OPNsense implementation summary and roadmap

2025-12-21 01:26:15 +11:00
parent 6d78151141
commit 8879a15468

MAC_MINI_SETUP_SUMMARY.md Normal file

@@ -0,0 +1,426 @@
# 🚀 Mac Mini 2014 OPNsense Router - Implementation Guide
**Transform your Mac mini into an enterprise-grade router with ZERO hardware cost!**
---
## 💻 Your Hardware (PERFECT for this!)
### Mac Mini 2014 Specifications:
- **CPU:** Intel Core i5 (4th gen) ✅
- **RAM:** 8GB ✅
- **Storage:** 500GB SSD ✅
- **Network:** 3x Gigabit Ethernet (1 onboard + 2 Thunderbolt) ✅
**This hardware is MORE capable than a $400 Protectli!**
### Performance Expectations:
- ✅ 1 Gbps routing with Deep Packet Inspection
- ✅ Suricata IDS/IPS + Zenarmor simultaneously
- ✅ Handles 50+ devices (you have 22)
- ✅ VPN server capability
- ✅ Years of detailed logs
---
## 🎯 Network Configuration
### IP Addressing:
- **Router:** 10.0.0.254
- **DHCP Range:** 10.0.0.1 - 10.0.0.200
- **Gateway:** 10.0.0.254
- **DNS:** 10.0.0.55 (Home Assistant with AdGuard)
### Static Reservations:
- 10.0.0.55 - Home Assistant
- 10.0.0.2 - Archer AX72 Pro (AP mode)
- Custom exclusions as needed
---
## 📅 4-Phase Implementation Plan
### **Phase 1: Basic Router Setup** (Day 1, 2-3 hours)
**Goal:** Get internet working through Mac mini
Steps:
1. Download OPNsense ISO
2. Create bootable USB
3. Install on Mac mini (erases macOS!)
4. Configure WAN/LAN interfaces
5. Setup DHCP (10.0.0.1-200)
6. Point DNS to AdGuard (10.0.0.55)
7. Set Archer AX72 Pro to AP mode
8. Test connectivity
**Result:** Mac mini routing all traffic, WiFi working via Archer AP
---
### **Phase 2: Advanced Features** (Day 2-3, 3-4 hours)
**Goal:** Add monitoring, security, optimization
Steps:
1. Install ntopng (network traffic analysis)
2. Configure Suricata IDS/IPS (intrusion detection)
3. Setup device identification:
- IP tracking
- MAC tracking
- NetBIOS/mDNS detection
- Periodic nmap scanning
4. Configure traffic shaping (QoS)
5. Enable comprehensive logging
6. Security hardening
**Result:** Enterprise-grade monitoring and security
---
### **Phase 3: Zenarmor Parental Controls** (Day 4-5, 4-6 hours)
**Goal:** Application-level controls for each child
Steps:
1. Install Zenarmor (os-sensei)
2. Run setup wizard
3. Create policies:
- **Bella (14yo):** Strict controls
- **Xander (15yo):** Moderate controls
- **William (17yo):** Relaxed controls
4. Configure application blocking:
- Block TikTok, adult content
- Limit YouTube, gaming
- Allow educational sites
5. Setup time-based rules:
- School hours: Educational only
- After school: Limited social/gaming
- Bedtime: Block everything
6. Enable Safe Search enforcement
7. Configure daily email reports
**Result:** Application-level parental controls (way better than MAC blocking!)
---
### **Phase 4: Home Assistant Integration** (Day 6-7, 2-3 hours)
**Goal:** Full automation and dashboard control
Steps:
1. Enable OPNsense API
2. Install HACS integration in HA
3. Configure device trackers
4. Create firewall rules for HA control
5. Build automations:
- Bedtime blocking
- School hours restrictions
- Bandwidth alerts
6. Create dashboard
7. Setup Zenarmor API sensors
8. Configure notifications
**Result:** Complete control via Home Assistant dashboard
---
## 🎁 What You Get
### Compared to OpenWRT on Archer:
| Feature | OpenWRT | OPNsense on Mac mini |
|---------|---------|----------------------|
| **Hardware** | Archer (limited) | Mac mini (powerful) |
| **CPU** | 880 MHz MIPS | i5 @ 2+ GHz |
| **RAM** | 512MB | 8GB |
| **Storage** | 128MB flash | 500GB SSD |
| **Application Control** | ❌ | ✅ Full DPI |
| **See What Apps** | ❌ | ✅ YouTube, TikTok, etc. |
| **Time Quotas** | ❌ | ✅ 2 hours/day per app |
| **Content Filtering** | ❌ DNS only | ✅ DPI + DNS |
| **Reporting** | ❌ Manual | ✅ Automated daily |
| **Cost** | $0 | $0 hardware, $59/year Zenarmor |
**Verdict:** OPNsense on Mac mini is VASTLY superior!
---
## 💰 Cost Comparison
### What You're Saving:
**Hardware Options:**
- Protectli VP2420: $400-450
- Qotom J4125: $250
- **Your Mac mini: $0** ✅
**Software:**
- OPNsense: FREE
- Zenarmor Home: $59/year
- **Total: $59/year** (vs $400+ for new hardware)
**Comparable Commercial Solutions:**
- Firewalla Gold: $500
- Qustodio Premium: $138/year (no router!)
- Circle Home Plus: $130 + $10/month
**You're getting enterprise-grade for consumer prices!**
---
## 📋 Full Implementation Guide
Due to the comprehensive nature of the guide (1,959 lines), the **complete step-by-step guide** is available in:
**Location:** `/mnt/user-data/outputs/MAC_MINI_OPNSENSE_GUIDE.md`
The full guide includes:
- ✅ Detailed installation instructions
- ✅ Every configuration step with screenshots
- ✅ Troubleshooting for each phase
- ✅ Example configurations
- ✅ Dashboard YAML code
- ✅ Automation examples
- ✅ Security hardening steps
- ✅ Maintenance procedures
- ✅ Emergency recovery procedures
---
## 🚦 Quick Start Checklist
### Before You Begin:
- [ ] Mac mini ready (will erase macOS!)
- [ ] 8GB+ USB drive for installer
- [ ] HDMI monitor + USB keyboard
- [ ] 3x Ethernet cables
- [ ] 2-3 hours uninterrupted time
- [ ] Backup any important Mac mini data
- [ ] Note all current MAC addresses for devices
### Phase 1 (Day 1):
- [ ] Download OPNsense ISO
- [ ] Create bootable USB (Rufus on Windows / dd on Mac)
- [ ] Install OPNsense on Mac mini
- [ ] Configure WAN (em1) - to modem
- [ ] Configure LAN (em0) - to network @ 10.0.0.254
- [ ] Setup DHCP (10.0.0.1-200, DNS 10.0.0.55)
- [ ] Set static IP for Home Assistant (10.0.0.55)
- [ ] Configure Archer as AP @ 10.0.0.2
- [ ] Test internet connectivity
- [ ] **STOP and test for 24 hours!**
### Phase 2 (Day 2-3):
- [ ] Install ntopng for monitoring
- [ ] Install Suricata IDS/IPS
- [ ] Configure device tracking (IP/MAC/NetBIOS)
- [ ] Setup traffic shaping
- [ ] Enable comprehensive logging
- [ ] **STOP and test for 24 hours!**
### Phase 3 (Day 4-5):
- [ ] Install Zenarmor (os-sensei)
- [ ] Run setup wizard
- [ ] Create policy for Bella (14yo)
- [ ] Create policy for Xander (15yo)
- [ ] Create policy for William (17yo)
- [ ] Configure application blocks/limits
- [ ] Setup time-based rules
- [ ] Enable Safe Search
- [ ] Configure email reports
- [ ] **STOP and test for 2-3 days!**
### Phase 4 (Day 6-7):
- [ ] Generate OPNsense API keys
- [ ] Install HACS OPNsense integration
- [ ] Configure device trackers
- [ ] Create firewall rules for HA
- [ ] Build bedtime automations
- [ ] Build school hours automations
- [ ] Create dashboard
- [ ] Setup Zenarmor API sensors
- [ ] Test all automations
- [ ] **DONE!**
---
## ⚠️ Important Notes
### About Erasing macOS:
- **OPNsense will COMPLETELY ERASE macOS**
- Backup any important files first
- Mac mini will become a dedicated router
- Cannot dual-boot (must choose: macOS OR router)
- Recommended: Keep it as dedicated router (it's perfect for this!)
### Network Interfaces:
- **em0:** Onboard Ethernet → LAN (your network)
- **em1:** Thunderbolt adapter 1 → WAN (to modem)
- **em2:** Thunderbolt adapter 2 → Spare (future guest network/DMZ)
### DHCP Exclusions:
OPNsense will avoid assigning these automatically if you set static mappings:
- 10.0.0.55 - Home Assistant (MUST be static)
- 10.0.0.2 - Archer AX72 Pro AP
- 10.0.0.1-10 - Infrastructure devices
### Testing Between Phases:
**CRITICAL:** Test each phase for 24-48 hours before proceeding!
- Phase 1 must be rock-solid before Phase 2
- Phase 2 must be stable before Phase 3
- Phase 3 must work perfectly before Phase 4
This prevents cascading issues and makes troubleshooting easier.
---
## 🎯 Why Mac Mini is Perfect
### Advantages Over Dedicated Hardware:
**vs Protectli VP2420 ($400):**
- ✅ Same CPU generation (4th gen Intel)
- ✅ Same RAM (8GB)
- ✅ MORE storage (500GB vs 256GB)
- ✅ Built-in power supply (no adapter)
- ✅ Thunderbolt expandability
-**$0 cost!**
**vs OpenWRT on Archer:**
- ✅ 4x more CPU power
- ✅ 16x more RAM
- ✅ 4000x more storage
- ✅ Can run Zenarmor (Archer can't)
- ✅ Can run Suricata effectively
- ✅ Can store months of logs
- ✅ Room for unlimited features
**Only Disadvantage:**
- ❌ Slightly higher power consumption (~20W vs 6-10W)
- **Offset by:** $400 hardware savings = 6+ years of extra electricity cost
---
## 📊 Example Results
### What You'll See in Zenarmor:
**Bella's Daily Report:**
```
Date: December 21, 2025
Total Usage: 2.1 GB
Applications:
1. YouTube - 1.2 GB (Educational: 700MB, Entertainment: 500MB)
2. Discord - 400 MB
3. Khan Academy - 300 MB
4. TikTok - BLOCKED (5 attempts)
Policy Violations: 3
- 2:32 PM: Attempted adult site (BLOCKED)
- 4:15 PM: Tried to bypass SafeSearch (BLOCKED)
- 5:43 PM: Exceeded TikTok quota (BLOCKED)
Time Online: 4.5 hours
Bandwidth Quota: 68% used (1433 MB / 2048 MB daily limit)
Alerts: Bella tried to access "proxy-site.com" (bypassing attempt detected)
```
**Parent Dashboard in Home Assistant:**
```
┌─ Router Status ────────────────┐
│ Uptime: 7 days, 3 hours │
│ CPU: 12% │
│ Memory: 34% │
│ Temp: 52°C │
└────────────────────────────────┘
┌─ Bella (14yo) ─────────────────┐
│ iPhone: 🟢 Connected │
│ Desktop: 🔴 Offline │
│ Status: ✅ Internet Allowed │
│ Today: 1.2 GB / 2 GB │
│ Violations: 3 │
│ [Block Now] [View Report] │
└────────────────────────────────┘
┌─ Network Activity ─────────────┐
│ [Bandwidth Graph - Last 24h] │
│ Download: ▁▂▃▅▇█▇▅▃▂▁ │
│ Upload: ▁▁▂▂▃▃▂▂▁▁ │
└────────────────────────────────┘
```
---
## 🆘 Quick Troubleshooting
### Internet Not Working:
1. Check WAN interface (em1) has IP from modem
2. Test: `ping 8.8.8.8` from OPNsense console
3. Verify firewall rules allow LAN → WAN
4. Check DNS is set to 10.0.0.55
### Can't Access OPNsense Web Interface:
1. Verify laptop is on 10.0.0.x network
2. Try: https://10.0.0.254
3. Accept self-signed certificate warning
4. Check firewall isn't blocking port 443
### DHCP Not Working:
1. Services > DHCPv4 > LAN - verify enabled
2. Check range (10.0.0.1-200)
3. Verify no IP conflicts
4. Review DHCP logs
### Zenarmor Blocking Too Much:
1. Services > Zenarmor > Policies
2. Review categories (adjust as needed)
3. Add specific sites to whitelist
4. Check "Educational" category is allowed
### Kids Bypassing Controls:
1. Check for VPN usage (Zenarmor detects)
2. Verify MAC addresses correct
3. Enable TLS inspection (Phase 3)
4. Review Zenarmor logs
---
## 📞 Support Resources
### Documentation:
- **Full Guide:** `/mnt/user-data/outputs/MAC_MINI_OPNSENSE_GUIDE.md`
- **OPNsense Docs:** https://docs.opnsense.org/
- **Zenarmor Docs:** https://www.zenarmor.com/docs/
- **Home Assistant:** https://www.home-assistant.io/
### Community:
- **OPNsense Forum:** https://forum.opnsense.org/
- **Reddit:** r/OPNsenseFirewall
- **Zenarmor Forum:** https://forum.opnsense.org/index.php?board=76.0
### This Repository:
- Issue tracker for questions
- Example configs
- Troubleshooting tips
---
## ✅ Ready to Begin?
1. **Read:** `/mnt/user-data/outputs/MAC_MINI_OPNSENSE_GUIDE.md` (full detailed guide)
2. **Prepare:** Gather hardware, backup data, clear schedule
3. **Start:** Phase 1 (2-3 hours)
4. **Test:** 24 hours stability
5. **Continue:** Phases 2, 3, 4 over next week
6. **Enjoy:** Enterprise-grade network!
---
**This is the BEST use of your Mac mini 2014 - transform it into a router more powerful than $500 commercial solutions!** 🚀
---
*Last Updated: December 21, 2025*
*Hardware: Mac mini 2014, i5, 8GB RAM, 500GB SSD, 3x GbE*
*Software: OPNsense 25.1 + Zenarmor + Home Assistant*
*Total Cost: $0 hardware (reusing Mac mini) + $59/year Zenarmor*
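Review bot: The DHCP pool overlaps the addresses this file reserves, so the plan as written can hand out conflicting leases. The pool is given as 10.0.0.1-200 ("Setup DHCP (10.0.0.1-200)", "Check range (10.0.0.1-200)"), yet the DHCP Exclusions section reserves 10.0.0.2 for the Archer AP, 10.0.0.55 for Home Assistant and "10.0.0.1-10 - Infrastructure devices". The sentence "OPNsense will avoid assigning these automatically if you set static mappings" only holds for addresses that actually get a static mapping; a whole infrastructure block is not protected that way. Suggest starting the pool above the infrastructure block and making the reserved-address list and the pool bounds agree in all three places (Phase 1 steps, the checklist and the troubleshooting entry), for example "DHCP Range: 10.0.0.100 - 10.0.0.200" with static mappings for 10.0.0.2 and 10.0.0.55 kept as documented. Two documentation points as well: the "complete step-by-step guide" is referenced three times by an absolute path outside this repository (`/mnt/user-data/outputs/MAC_MINI_OPNSENSE_GUIDE.md`) while this commit adds only MAC_MINI_SETUP_SUMMARY.md, so either commit the guide and link it relatively or say where readers can obtain it; and the interface names em0/em1/em2 used in the Network Interfaces section, the checklist and the troubleshooting steps are presented as fixed, but FreeBSD names interfaces after the NIC driver it detects, so the file should tell the reader to confirm the actual names on the OPNsense console after install before wiring WAN/LAN and before writing any firewall rules that reference them.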