Setup for a 'hostile' DMZ, full control, junk-hacking

[unsure if best posted here, or better in Share your Projects! or Configuration; effectively a follow-up from an earlier post of mine].

I have something that looks as follows: [diagrams later]
CAVEAT: IPs/subnets/ranges changed to protect the innocent.

  • a trusted zone - let’s call it LAN (192.168.0.0/24)
    • I have a VM’d Supervisor on my LAN as my ‘master’ controller (192.168.0.13 aka 192x13 aka LAN-Super)
  • a separate DMZ network for IoT (172.16.0.0/16)
    • using an OpenWRT AP (172.16.0.254 aka 172x254 aka DMZ-AP) to serve that network running through a dedicated port on my pfSense primary gateway.
    • RPi running Core (172.16.0.13 aka 172x13 aka DMZ-Core), wired into the WRT.
  • By default IoT nodes are all running in isolated mode and cannot talk TO anything - not each other, not DMZ-Core, not LAN-Super, and no internet unless explicitly ‘blessed’ (using Aliasing/groups set up on pf).
  • DMZ-AP & DMZ-Core can talk TO DMZ IoT nodes, LAN-Super, each other & internet.
  • LAN-Super has universal access to DMZ’d IoT nodes (including DMZ-Core & DMZ-AP), who in turn cannot talk to LAN except some key comms, such as MQTT & logging to some LAN hosts.
  • IPv6 is universally blocked/disabled - don’t need the double-handling right now.

My reasoning is that I can only trust my principal pf gateway & LAN-Super.
Everything else in my DMZ is considered ‘compromised’, including my DMZ-AP & DMZ-Core. I’m making regular backups/snapshots & looking at something like Ansible to reprovision them periodically, using immutable imaging & configs pulled from a local repo.

If something wants access to any resources, it should “ask”, and even then I want it sanitised & served by my HA.

I’ve already enjoyed some success with trying to gain access to a pretty suss Chinese black-box doorcam, being able to intercept & inject packets via pcap on the DMZ-AP.
It turns out I know a lot less than I thought about IGMP, SNMP, UPnP, Avahi/Zeroconf, as I’ve had no cause until now to turn attention to it, but it’s pretty ubiquitous for IoT automagic discovery & config.
I effectively > /dev/null anything I don’t explicitly use.

I’ve yet to figure out some other… stuff, mostly gaps in my knowledge.
e.g. using my LAN-Super/DMZ-Core more effectively as a filtering relay/gateway, IGMP proxy and realtime MitM for IoTs to use/investigate them without needlessly exposing myself, identifying & mitigating risks - both known & unknown.
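To sanity-check the zone policy laid out above (default-deny IoT, DMZ-AP/DMZ-Core as management hosts, LAN-Super with full reach, IoT allowed out to LAN only for MQTT & logging, blessed nodes for internet), here is an added Python model of the ruleset as pfSense-style aliases with first-match evaluation; it is not code from the original post. The LAN_SERVICES host, the IOT_BLESSED member and the MQTT/syslog ports (1883, 514) are assumed placeholders.

```python
import ipaddress

# Zones as given in the post (already sanitised addresses).
LAN = ipaddress.ip_network("192.168.0.0/24")
DMZ = ipaddress.ip_network("172.16.0.0/16")

# pfSense-style aliases. LAN_SERVICES and IOT_BLESSED members are assumed
# placeholder addresses, not taken from the post.
ALIASES = {
    "LAN_SUPER":    ["192.168.0.13/32"],
    "DMZ_INFRA":    ["172.16.0.254/32", "172.16.0.13/32"],  # DMZ-AP, DMZ-Core
    "LAN_SERVICES": ["192.168.0.20/32"],                    # assumed MQTT/syslog host
    "IOT_BLESSED":  ["172.16.5.20/32"],                     # assumed node granted internet
    "DMZ":          [str(DMZ)],
}
ALIASES = {k: [ipaddress.ip_network(n) for n in v] for k, v in ALIASES.items()}
ANY = None

# Ordered rules (src alias, dst alias, allowed dst ports). First match passes;
# anything unmatched is dropped, i.e. a default-deny pf policy.
RULES = [
    ("LAN_SUPER",   "DMZ",          ANY),          # master controller reaches all of the DMZ
    ("DMZ_INFRA",   "DMZ",          ANY),          # AP/Core manage IoT nodes and each other
    ("DMZ_INFRA",   "LAN_SUPER",    ANY),
    ("DMZ_INFRA",   "INTERNET",     ANY),
    ("DMZ_IOT",     "LAN_SERVICES", {1883, 514}),  # assumed ports: MQTT and syslog only
    ("IOT_BLESSED", "INTERNET",     ANY),          # explicitly 'blessed' nodes get internet
]

def member(alias, addr):
    """True if addr belongs to the named alias; INTERNET and DMZ_IOT are derived."""
    if alias == "INTERNET":
        return addr not in LAN and addr not in DMZ
    if alias == "DMZ_IOT":
        return addr in DMZ and not member("DMZ_INFRA", addr)
    return any(addr in net for net in ALIASES[alias])

def allowed(src, dst, port):
    """Evaluate one flow (src -> dst:port) against the ordered ruleset."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src.version != 4 or dst.version != 4:
        return False                                # IPv6 is blocked outright
    for s_alias, d_alias, ports in RULES:
        if member(s_alias, src) and member(d_alias, dst) and (ports is ANY or port in ports):
            return True
    return False                                    # default deny

if __name__ == "__main__":
    for flow in [("172.16.7.7", "192.168.0.20", 1883), ("172.16.7.7", "172.16.7.8", 80)]:
        print(flow, "pass" if allowed(*flow) else "block")
```

Adding a rule or alias here and re-running the checks is a cheap way to confirm a change does not quietly widen what an IoT node can reach before touching the real pf config.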