Messages - TheAutomationGuy

#16
I think trying to stack the switches is going to be the best option.  I currently run an Aruba S2500-48p in my current network.  I also have a second Aruba S2500-24-p at my parents' house that I could "swap" and use at my house if needed.

I have purchased a Brocade ICX6610-48 and an ICX6450-48p as well.  I have come to learn that those two units will "stack" to some degree, but apparently there are some limitations in the way Brocade handles the stacking of these two models.  Honestly I wasn't even sure they would stack together at all due to being different models.

I am currently only using VLANs (L2) on my Aruba switch and I have no idea of the advanced capabilities of that switch, although I do know it supports stacking with like models so I should have no problem stacking the S2500s together.

Any suggestions as to which set of switches I should use?  I guess I am leaning towards the Brocade since it is the easiest to try out without disrupting my current network.
#17
I have set up OPNsense in a lab environment to try out.  I have a situation I need to figure out before I can roll it out to my home network.  I have two network switches - both managed.  I have multiple VLANs set up.  I have three different wireless access points spread around my home that run multiple SSIDs for most of the VLANs.  All of the APs will be plugged into one switch.  I have some wireless networks that are assigned to VLANs that will be handled by the second switch.  Therefore I need to be able to access some of the VLANs on both switches.

I'd like to attach each switch directly to my OPNsense device via 10gb SFP+ ports (the firewall has two of those ports available).  Since OPNsense assigns VLANs to interfaces, and it doesn't seem possible to assign an interface to more than one network port, what are my options?  Is it possible through some sort of aggregation option?

I realize one answer is to run the firewall to the first switch and then the first switch to the second switch, but that seems to waste bandwidth of the 1st switch unnecessarily.  A second answer is to use the layer 3 functionality of my switches and take the VLAN assignment away from OPNsense.  I may go this route but will need to set up a DHCP server on the network as well as set up rules in the switches.  That's certainly possible (and probably the most "professional" answer), but I'm hoping for a simpler solution.

Hopefully this question makes sense.  I'm not an IT professional, so I might not be using the correct terminology to describe my situation.  Thanks for the help!
#18
General Discussion / Re: Mellanox ConnectX-2 and up
April 13, 2023, 03:03:17 PM
I just wanted to say thank you for posting this information.  I just installed one of these cards in my OPNsense device and it saved me a lot of headaches!
#19
Neither.  Right now I would look at some of the many Brocade switches being sold on eBay.  Check this thread out for more information.  https://forums.servethehome.com/index.php?threads/brocade-icx-series-cheap-powerful-10gbe-40gbe-switching.21107/
#20
I'm currently trying OPNsense in a lab setting and considering making the change myself.  This will come in handy.  Thanks for posting!
#21
Your family will just need to know the public IP address so they can access the OpenVPN.  If your public IP address will change over time (many internet providers will change their "residential" clients' public IP addresses from time to time to prevent them from hosting servers that are really meant for business customers), then you will need to use a "Dynamic DNS" service (free or paid).  This service will issue you a domain name (perhaps "ohara.dyndns.com") and you give that domain name to your family instead of your actual public address.  Even if your public IP address changes, the DDNS service will automatically forward anything from "ohara.dyndns.com" to whatever your current public IP address happens to be.  This ensures people can access your VPN connection - even if your public IP address changes periodically.
#22
I'm not sure if this is the only problem, but it doesn't look like you have added the 192.168.0.1 network as an allowable network in the WireGuard setup.
#23
Without using VLANs, you are going to need to create two physically isolated networks.  This means you'll need two sets of equipment (switches, APs, etc).  Both switches will be plugged into unique ports on the OPNsense box.  Assign the port to the appropriate interface (one for the LAN and one for IOT).  If you are using a single switch without using VLANs, then the traffic is not going to be isolated.

(I'm also a hobbyist and not a network professional so this may be an oversimplification of the situation, but creating the two physically separate networks will work just fine).
#24
I mean it sounds like you already have the hardware.  There is no better resource than testing it out yourself. 
#25
Quote from: RobLatour on February 27, 2023, 04:52:14 AM
To access Home Assistant via OpenVPN, I first have to connect via the VPN. I am using OpenVPN for Android on my cell phone to do that and it takes over a minute and a half to establish the connection.

To access Home Assistant via the Cloudflare tunnel, the connection is made in about 2 seconds.


If connecting to your self hosted VPN takes 90 seconds, there is something wrong with your setup.  It should only take about 1-2 seconds normally to make that connection (about the same speed as your Cloudflare connection).
#26
Just curious what your experience was with this?  I find myself in a similar situation.  I'm currently running pfSense, but have purchased another device that I want to set OPNsense up on.  I'll run it behind the pfSense firewall as I begin to explore it, but I'd love to hear your experiences in moving everything over eventually.
#27
While I use Ubiquiti APs, I couldn't imagine using their switches, routers, cameras, etc.  They are too expensive and too limiting IMHO.

IMHO they are designed for the "Apple" crowd - people who are willing to give up flexibility for simplicity and pretty interfaces.... who would rather pay top dollar for a system that integrates together without much effort than actually learn how to build their own system.  Those are not the same people who are interested in OPNsense. 

I understand it might be a way to attract disgruntled Ubiquiti users to OPNsense, but I think those people are going to find their way to this type of solution (OPNsense, pfSense, OpenWrt, etc) regardless.  I'd rather see development resources go towards things that will make OPNsense stand out against its other "competitors" in a way that will affect a larger group of users vs spending a lot of resources creating this type of integration that would satisfy a very small subset of users.
#28
Adding an IOT VLAN using one of the unused network ports is a great solution.  Just be sure to "lock" down the IOT VLAN when you are writing the firewall rules.  You'll need to grant access to some firewall services (like DNS), but you will want to block as many as possible.  For example, you certainly don't want someone being able to access the SSH or web GUI of the firewall while using that network connection.
#29
Virtual private networks / Re: wireguard setup
February 23, 2023, 05:08:14 PM
I've never used WireGuard myself (so I could be completely off base here), but it seems strange that in the logs you have an address of 192.168.12.133 being listed.  That isn't part of your network architecture that you laid out.  Perhaps you mistyped an address in the setup.
#30
Quote from: rama3124 on February 02, 2023, 11:33:23 AM
Wish I read this before I picked an eap670 up on the way home today!
Are there any issues if I don't wish to use IPv6? Also this is probably a stupid question but can I place different ssids on different VLANs and preserve these tags thru a smart switch? I've always thought that smart switches only allowed one tag per port

I was going to suggest that you simply drop V6 addresses if you run into a problem with the TP Link device.  V6 for home use really isn't necessary at this point.

Yes, you can place different SSIDs on different VLANs.  As you hinted at, you'll need to make sure the network port that the wireless AP is plugged into is tagged for the necessary VLANs.  I run 5 different SSIDs at home (Main, Guest, PBX Phones, IOT with Internet, IOT without internet) - all assigned to different VLANs.