I want to establish a second LAN at home. It’s supposed to host different services on different infrastructure (VMs, k8s, Docker) and mostly serve as a lab.
I want to separate this from the default ISP router LAN (192.68.x.0/24).
I have a machine with 2 NICs (eno1, plugged in at the ISP router, and eno2), both with corresponding bridges and Proxmox. I already set up the eno2 bridge with a 10.x.x.x IP and installed an OPNsense VM that has eno1 as the WAN interface in the 192 network and eno2 as the LAN interface in the 10 network with a DHCP server.
I connected a laptop (no wifi) to eno2, got a DHCP lease and can connect to the OPNsense interface, machines in the 192 network and the internet; the same works for a VM on the eno2 bridge, so that part is working. There’s a Pi-hole in the 192 network that I successfully set as the DNS server in OPNsense.
Here’s what I am trying to achieve and where I’m not sure about how to properly do it:
- Block access from the 10 network to the 192 network except for specific devices - I guess that’s simply firewall rules
- Make services (by port) in the 10 network accessible to the internet. I currently have a reverse proxy vm in the 192 network which got 80 and 443 forwarded by the ISP router. Do I need to add a second nic to the vm or can I route some services through the firewall? I want to firewall that vm down so it can’t open outgoing connections except for specific ports on specific hosts.
- Make devices in the 10 network available for devices in the 192 network - here I’m not quite sure. Do I need to add a static route?
- Eventually I want to move all non-enduser devices to the new LAN so I can experiment without harming the family network but I want to make sure I understand it properly before doing that
I’d be glad for any hints on this, I’m a bit confused with the nomenclature here. If you have other ideas on how to approach this, I’m open for that too.
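As an added illustration (not part of the original post or of OPNsense), the policy described above modelled as a first-match rule list, the way a stateful firewall walks its rules: lab clients may only reach the Pi-hole in the 192 network, one allow-listed device may reach everything there, the reverse-proxy VM may only open connections to one backend port, and the 192 network may reach the lab. All addresses are constructed assumptions; the real subnets and hosts are whatever the poster's network uses.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing (assumptions): ISP LAN = "192 network", OPNsense LAN = "10 network".
ISP_LAN = ipaddress.ip_network("192.168.1.0/24")
LAB_LAN = ipaddress.ip_network("10.10.0.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
PIHOLE = ipaddress.ip_address("192.168.1.53")         # assumed Pi-hole (DNS for the lab)
ADMIN_LAPTOP = ipaddress.ip_address("10.10.0.20")     # assumed allow-listed lab device
REVERSE_PROXY = ipaddress.ip_address("192.168.1.80")  # assumed reverse-proxy VM in the 192 net
BACKEND = ipaddress.ip_address("10.10.0.10")          # assumed service the proxy publishes


@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None          # None matches any destination port
    proto: Optional[str] = None          # None matches any protocol


def host(ip: ipaddress.IPv4Address) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(f"{ip}/32")


# Order matters: the narrow "pass" rules sit above the broad "block", and the
# lab-to-internet "pass" sits below it, otherwise it would also let lab -> 192 through.
RULES = [
    Rule("pass", LAB_LAN, host(PIHOLE), 53, "udp"),   # lab clients resolve via the Pi-hole
    Rule("pass", host(ADMIN_LAPTOP), ISP_LAN),        # allow-listed device reaches the family LAN
    Rule("block", LAB_LAN, ISP_LAN),                  # everything else lab -> 192 is dropped
    Rule("pass", LAB_LAN, ANY),                       # lab -> internet
    Rule("pass", host(REVERSE_PROXY), host(BACKEND), 443, "tcp"),  # proxy -> one backend port
    Rule("block", host(REVERSE_PROXY), ANY),          # proxy may open nothing else
    Rule("pass", ISP_LAN, LAB_LAN),                   # family LAN may reach lab services
]
# Note: the last rule only helps if the ISP router knows a route to LAB_LAN via the
# OPNsense WAN address (or OPNsense NATs the lab behind that address).


def evaluate(src: str, dst: str, dport: int, proto: str) -> str:
    """Return the action of the first matching rule; no match means implicit default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in RULES:
        if s in r.src and d in r.dst and r.dport in (None, dport) and r.proto in (None, proto):
            return r.action
    return "block"
```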
Thanks a lot for your explanation, this sounds like an interesting approach! And yes, I’m trying to deepen my mostly shallow understanding of networking a bit.