Complicated network topology

[wizziLalev]

Hello to all!

I'm using OPNsense from few mounts now and I love it! But I want to make my home network just a little bit more organized and I need your help because I'm lost...

Recently I've manage to get HP ProCurve 2626 (J4900C) for $10 from eBay and after resurrecting one old HP 6005 Pro (AMD ATHLON II X4 645, 16GB Ram, 2x2TB HDDs) I'm ready to start!

That is old hardware - I know that, also there will be issues like old firmware, etc. - I know that also - but for the moment I can't invest any money to make it better, so I need to work with what I have.

So after few days of cleaning dust, changing thermal paste and preparing small place where to put everything I want to make something which will work and will be practical, so here is my idea:

• Proxmox as main OS
• OPNsense as guest VM
• Another VM for few lightweight WEB apps

So far, so good but here is my problem: My machine have only one NIC and I want to use it for so called "router on a stick"

What is my topology:

• ISP up-link enters my apartment - it's a cat6 cable without modem/router and this cable is connected to one of the Gbe ports of my switch
• the host machine is connected to the second Gbe port of the switch
• few ports are occupied by dummy APs, 2 PC and 3 SBC's

What is my issue:
I don't know how to set all VLANs and briges correctly so the OPNsense VM to act as normal router so, all hardwired/wireless devices to get their IP from OPNsense's DHCP, and all other VMs to be able to access internet also.

So I'm open for any ideas/suggestions/comments!

P.S. Please check attached diagram

[wizziLalev]

Anyone? As far as I know this setup is not the best approach, but possible.

[Mega32]

I'm an OpenSense newbie , and even still waiting for my hardware.
But i do know networking, and your setup is as you mention a "Router (fw) on a stick"

For Zone (Lan) separation you need to run 802.1q tagging (Vlans).

Decide what switchport your OpenSense PC would connect to , that would be your "Uplink port" , let's say it's port 24.

You would create a Vlan for each Zone (separate lan) in the switch, and make the ports where you connect your equipment for that specific Zone , an untagged member of that vlan.
If you ie. have 3 ap's in the same Zone , you would just make 3 switchports untagged mebers of the same Zone (Vlan), and plug the AP's into those ports.

For every Zone/Vlan you create on the switch , that is to be handled by OpenSense , you would also need to make that Vlan a tagged member of your "Uplink port" (Port 24).
This means that traffic from all Zones/Vlans would also go via the single "Uplink port (24) to the OpenSense Box , where the OpenSense would be able to do the routing & firewalling between the different Zones.

 
So all Zone members (PC's) , AP's etc. would connect to an untagged Vlan port on the switch , and all created Vlans on the switch that have to be handled by OpenSense , would have to be a tagged member of the OpenSense "uplink port" (port 24)

Now your L2 (Layer2) network is done , and you'd need to create a matching (Vlan) interface on the OpenSense Box , for each vlan you have tagged in the switch for transport on the fw (firewall) "Uplink port"
/Mega32