OPNsense Forum

English Forums => Virtual private networks => Topic started by: defaultuserfoo on June 03, 2022, 10:04:40 AM

Title: Which VPN to use?
Post by: defaultuserfoo on June 03, 2022, 10:04:40 AM
Hi,

I want to connect two remote sites over some kind of VPN connection with a layer 3 link --- at least I think it needs layer 3:

There is an access point controller on one of the sites that controls wireless access points.  It hands out IP addresses to the access points via DHCP and communicates over some tunnel it establishes between them and itself.  So I think I need a connection that lets layer 3 broadcasts go through for the broadcasts to work.

The access point controller is in its own VLAN.  I want to extend that VLAN to the remote site.  So far, I have always used routed connections, i. e. IPsec and wireguard.  There is currently a routed IPsec connection between the sites which is going to be replaced with wireguard.

There will be OPNsense routers at each ends of the connections.  Should I use IPsec or OpenVPN for this?  Or should I use something else, like a tunnel over a wireguard connection?
Title: Re: Which VPN to use?
Post by: lilsense on June 03, 2022, 06:36:07 PM
OpenVPN uses SSL as opposed to IPSec. I would recommend OpenVPN in you case.
Title: Re: Which VPN to use?
Post by: defaultuserfoo on June 05, 2022, 09:59:51 AM
Why? :)

It doesn't seem to make a difference?

However, there will be a wireguard connection between the two sites anyway.  Could I use some kind of tunnel that goes over the existing wireguard connection?  How would I set this up, are there plugins for this?  I've never done anything like that.
Title: Re: Which VPN to use?
Post by: bartjsmit on June 05, 2022, 10:20:04 AM
OpenVPN is simpler to configure than IPSec by a mile.

Wireguard is another VPN, so you will only need to sort the routing. The default gateway on each side needs to have a route across the tunnel. Consider how the packets go to the AP controller and how the return packets come back.

Bart...
Title: Re: Which VPN to use?
Post by: defaultuserfoo on June 05, 2022, 11:37:15 AM
I wouldn't expect to be able to route broadcasts.  I need a 1:1 connection as if I had an ethernet cable between the two sites.  It's supposed to be the same VLAN on both ends.  Otherwise it would be difficult or impossible to make it so that the remote access points can find the controller.

And I don't want to extend any other networks than that particular VLAN.  From what I've seen with IPsec and wireguard, everything can (must) be routed if so desired.  But apparently with IPsec, you can choose 'tunnel' instead of 'routed', and I'm guessing that goes for OpenVPN as well? And you can't do that with wireguard because wg is always routed.  But how would I limit the connection to that particular VLAN when I choose tunnel instead of routed?  Or can I somehow route broadcast packets?
Title: Re: Which VPN to use?
Post by: Patrick M. Hausen on June 05, 2022, 12:30:04 PM
Layer 3 site to site, OPNsense on both ends --> WireGuard. No contest. Simple, secure, fastest, supports IPv4 and IPv6 in a single tunnel.
Title: Re: Which VPN to use?
Post by: defaultuserfoo on June 05, 2022, 12:39:08 PM
Wireguard?  That is routed, isn't it?

PS:

Yes, it is.  I made some packet captures and I can see the broadcasts on the site where the access points and the controller are, and there aren't any on the other endpoint of the wg connection.

That's what I expected; broadcasts aren't routed.  So that won't work.
Title: Re: Which VPN to use?
Post by: Demusman on June 05, 2022, 01:43:34 PM
You can't use a layer 3 vpn for what you want.
Did anyone who replied even read the original post??
I don't use opnsense so I can't give exact steps but you're gonna need to use OpenVPN in tap mode.
I do this with pfSense. I'm actually trunking 3 separate vlans over a tap so you will be able to do just one vlan with no problem.
The only problem you may have is, from the times I've tried opnsense, I notice it's very "dumbed down" compared to pfSense so it may not even be able to do this but if you follow this article, you might get there.

https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-bridged.html

Some suggestions... Set a separate DHCP range for the remote site. The remote virtual interface is going to receive the first IP of whatever range you set so a separate range will make more sense. What I did was take the local subnet, say it's a /24, and make the remote subnet either a "virtual" (meaning don't actually change the mask, just split the /24) /25 out of the /24 or smaller depending on how many IPs you need on the remote end. So if you make it a /25, .0 through .127 will be local, .128 through .255 will be remote and the DHCP range set in your tap config will start with .128. The remote virtual interface will receive that address. To be honest I got rid of DHCP and set all static reserves on the remote site, if you can, I suggest doing the same.

You'll need a vlan capable switch on both ends since you'll need to trunk them for the vlan.

Since you have an existing vpn to the remote site already, you'll need a separate physical interface on the remote site to bridge to the virtual vpn interface, this is gonna cause trouble with routing tables so make sure you do not pull routes over the tap. I have a tun vpn to the remote site on my setup also, do yourself a favor, setup a remote access vpn to the site too. That way if the routes get screwy you can still use the RA vpn to get to the site and fix route tables.

That link is a guideline, you may need to change some things but it works very well when you get there.
Title: Re: Which VPN to use?
Post by: defaultuserfoo on June 05, 2022, 02:20:43 PM
Hm, so I need a layer 2 link --- I wasn't sure which layer is needed.  I've been looking at the documentation of IPsec and OpenVPN, and it seems neither can do what I need because they are all like routed.

The article you're pointing to looks interesting.  OPNsense also has the tap mode, so I'll go through that and see if that might work, or even try it out.

Using a different network on the remote site with its own DHCP server probably won't work, at least not easily.  I'm pretty sure that the access point controller uses DHCP options to tell the access points where to find itself so that they can establish a tunnel to the controller.  Maybe that won't work anyway when MSS settings interfere ...

There will be about 20 access points on the remote site (and there are about 20 locally).  I don't want to configure any of them other than through the access point controller.  Not configuring all the access points manually is the point of having an access point controller :)  If you have more than 3--5 access points to configure, you can get away with doing it manually; any more than that and it doesn't make any sense.

With these access points, I probably can't give them static addresses because that would involve configuring them manually.  I think there's some option to tell them where the access point controller is.  That would also require pre-configuring them all manually first, and I don't know if that would work.

Suitable switches are available.

Is it not possible to just extend the VLAN as if there was a network between the two sites?  What's the problem with DHCP?  If I need to, I can set a long lease time, and the APs tend to keep their IPs even when they can't reach the controller and continue to work once they are configured.
Title: Re: Which VPN to use?
Post by: Patrick M. Hausen on June 05, 2022, 02:46:32 PM
Layer 2 links across the Internet via VPN are a really bad idea. All broadcast traffic, specifically ARP and neighbor discovery will have to be sent across the link. Better rethink your architecture so you can route. Really.
Title: Re: Which VPN to use?
Post by: defaultuserfoo on June 05, 2022, 03:05:29 PM
Quote from: pmhausen on June 05, 2022, 02:46:32 PM
Layer 2 links across the Internet via VPN are a really bad idea. All broadcast traffic, specifically ARP and neighbor discovery will have to be sent across the link. Better rethink your architecture so you can route. Really.

I don't see an alternative other than having an access point controller at each site, which doubles cost and maintenance.

How much traffic do you expect on a VLAN with about 40 devices in total?  If it's too much, I can probably cut the connection once the remote access points are configured and/or bring it up limited to some hours during the night when nothing else is using much internet.
Title: Re: Which VPN to use?
Post by: Patrick M. Hausen on June 05, 2022, 05:09:07 PM
What sort of access points and controller? Unifi need not be in the same broadcast domain. Unifi access points can be told their controller's IP address via DHCP.

Neither IPsec nor WireGuard will do layer 2. OpenVPN supposedly can via tap, but I have managed to avoid these scenarios so far.

An Ethernet bridge across VPN is a bad bad bad idea. Go ahead, do it, you will find out. You have no idea how much broadcast and multicast traffic is happening in an Ethernet all the time. And all of this must be transferred over the wire introducing delays for which the protocols on top were not designed, because it's a local Ethernet, right?

If you are indeed using Unifi, it works like this - see screenshot. The first two bytes are a special vendor code, the next four are the IP address of the controller in hexadecimal.

HTH,
Patrick
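The option 43 layout Patrick describes (two leading bytes, then the controller's IPv4 address in hex), as an added example that is not part of the thread or of any OPNsense or Ubiquiti code. It assumes the two leading bytes are the sub-option code 0x01 and the length 0x04, builds the value in the colon-hex form ISC dhcpd accepts for `option vendor-encapsulated-options`, and decodes it while rejecting truncated or malformed entries; the sample address is constructed.

```python
"""Build and decode the DHCP option 43 payload a controller-managed AP reads.

Assumed layout (as described in the post): 0x01 (sub-option code),
0x04 (length), then the 4 bytes of the controller's IPv4 address.
"""
import ipaddress
from typing import Optional

CONTROLLER_SUBOPTION = 0x01   # sub-option code carrying the controller address
IPV4_LEN = 4


def encode_controller_option(controller_ip: str) -> bytes:
    """Return the raw option-43 value: 01 04 <4 address bytes>."""
    addr = ipaddress.IPv4Address(controller_ip)  # raises on an invalid address
    return bytes([CONTROLLER_SUBOPTION, IPV4_LEN]) + addr.packed


def to_dhcpd_hex(payload: bytes) -> str:
    """Colon-separated hex, the form used in a dhcpd.conf line such as
    'option vendor-encapsulated-options 01:04:c0:a8:1e:05;'."""
    return ":".join(f"{b:02x}" for b in payload)


def decode_controller_option(payload: bytes) -> Optional[str]:
    """Walk the TLV sub-options and return the controller IP, or None.

    A declared length that runs past the buffer, or a sub-option 1 that is not
    exactly 4 bytes long, is treated as malformed rather than read anyway.
    """
    i = 0
    while i + 2 <= len(payload):
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None  # truncated: declared length exceeds remaining data
        if code == CONTROLLER_SUBOPTION:
            if length != IPV4_LEN:
                return None  # malformed: address sub-option must be 4 bytes
            return str(ipaddress.IPv4Address(value))
        i += 2 + length  # skip an unrelated sub-option
    return None


if __name__ == "__main__":
    payload = encode_controller_option("192.168.30.5")  # constructed sample
    print(to_dhcpd_hex(payload))               # 01:04:c0:a8:1e:05
    print(decode_controller_option(payload))   # 192.168.30.5
```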
Title: Re: Which VPN to use?
Post by: defaultuserfoo on June 05, 2022, 05:28:33 PM
It's all HP, MSM760 and MSM422.

Ubiquiti has taken themselves out of business since they want to force you to register your devices with them mandatorily --- which is, of course, unacceptable --- and by apparently having given up the EdgeMax product line.  The stuff has basically disappeared from their web site, there have been no firmware updates for EdgeRouters in a year and they are unable to deliver even when ordered for many weeks.

I sent them an email a while ago, asking about their EdgeMax products, and their answer was that I can take at look at their web site which lists discontinued products if I want to find out if they are going to continue to support them.

So stay away from Ubiquiti.

On a side note: It will be a while before I know more, but it seems that you can't use their EdgeRouters for routed IPsec site-to-site connections because such connections go down frequently and don't come back up.

There are reasons why we switched to OPNsense and are ditching Ubiquiti.  And that doesn't even mention their lack of documentation.  They have improved on that over the years, but they still don't understand what documentation is.
Title: Re: Which VPN to use?
Post by: Demusman on June 05, 2022, 05:38:12 PM
Quote from: defaultuserfoo on June 05, 2022, 02:20:43 PM
Using a different network on the remote site with its own DHCP server probably won't work, at least not easily.  I'm pretty sure that the access point controller uses DHCP options to tell the access points where to find itself so that they can establish a tunnel to the controller.  Maybe that won't work anyway when MSS settings interfere ...

Never said use a different network. What I said was split the network between the two sites just to keep things clear. You'll still use the same /24 (or whatever the local is) but set the remote to specific IPs. This suggestion is basically just for "record keeping" and not a necessity at all.

Quote
There will be about 20 access points on the remote site (and there are about 20 locally).  I don't want to configure any of them other than through the access point controller.  Not configuring all the access points manually is the point of having an access point controller :)  If you have more than 3--5 access points to configure, you can get away with doing it manually; any more than that and it doesn't make any sense.

With these access points, I probably can't give them static addresses because that would involve to configure them manually.  I think there's some option to tell them where the access point controller is.  That would also require to pre-configure them all manually first, and I don't know if that would work.

20 APs means a lot of clients I would think. Both of my sites have a symmetrical gig for internet. I have no problems whatsoever with bandwidth so don't believe the warnings you hear. That said I only have 2 servers and 10 cameras at the remote site. Cameras are nothing when it comes to bandwidth but the servers do use a bit, as I said, no problems though.

Quote
Is it not possible to just extend the VLAN as if there was a network between the two sites?  What's the problem with DHCP?  If I need to, I can set a long lease time, and the APs tend to keep their IPs even when they can't reach the controller and continue to work once they are configured.

Vlans are layer 2. Can't route them so I'm not sure what you mean by "a network in between".
DHCP, not really a problem but I found you can't assign a DHCP range to just the remote site and addresses were being handed out to the local site as well. If you don't care what address goes where, then just leave one DHCP pool and let it go.

If opnsense can do this correctly, you'll find that it's exactly what you wanted.
Title: Re: Which VPN to use?
Post by: meyergru on June 05, 2022, 05:51:34 PM
What do you mean by having to register the Unifi devices mandatorily? I used those devices for years and never had to do anything like that.

Since you chose to use a professional solution by HP, what makes you think you need to try to extend a broadcast domain in order to have the APs configured? I would assume even HP has seen some kind of routed enterprise network over the years.

If you look at the HP manuals (https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-c02704528), they describe discovery procedures over routed networks, like a means for DHCP- or DNS-based discovery (see page 6-6 onwards).
Title: Re: Which VPN to use?
Post by: defaultuserfoo on June 05, 2022, 06:25:17 PM
Quote from: Demusman on June 05, 2022, 05:38:12 PM
Quote from: defaultuserfoo on June 05, 2022, 02:20:43 PM
Using a different network on the remote site with its own DHCP server probably won't work, at least not easily.  I'm pretty sure that the access point controller uses DHCP options to tell the access points where to find itself so that they can establish a tunnel to the controller.  Maybe that won't work anyway when MSS settings interfere ...

Never said use a different network. What I said was split the network between the two sites just to keep things clear. You'll still use the same /24 (or whatever the local is) but set the remote to specific IP's. This suggestion is basically just for "record keeping" and not a necessity at all.

Right --- it just seems like it's a different network because it's a different place, would have its own DHCP server and its own range of addresses.

Quote
Quote
There will be about 20 access points on the remote site (and there are about 20 locally). [...]

With these access points, I probably can't give them static addresses because that would involve to configure them manually.  I think there's some option to tell them where the access point controller is.  That would also require to pre-configure them all manually first, and I don't know if that would work.
Quote

20 APs means a lot of clients I would think. Both of my sites have a symmetrical gig for internet. I have no problems whatsoever with bandwidth so don't believe the warnings you hear. That said I only have 2 servers and 10 cameras at the remote site. Cameras are nothing when it comes to bandwidth but the servers do use a bit, as I said, no problems though.
Well, try to get a 1GB internet connection in this country ...  If you're lucky, you have to pay for 50Mbit and actually get between 2 and 20 --- and then your VPN connection doesn't work because you're being forced to use a router you have to rent or buy from the ISP (because there is no alternative due to the technology they're using) which is so crappy that it blocks the connection ...  Or you don't get internet at all, that can easily happen.  It's a nightmare, and I guess it's too late to matter because this country has made sure to be left behind, and was left behind a long time ago, not only in that regard.

Anyway, it's a big area to cover and not so many clients.  The area is so big, there will be more access points than clients, at least for a while.

Quote
Quote
Is it not possible to just extend the VLAN as if there was a network between the two sites?  What's the problem with DHCP?  If I need to, I can set a long lease time, and the APs tend to keep their IPs even when they can't reach the controller and continue to work once they are configured.

Vlans are layer 2. Can't route them so I'm not sure what you mean by "a network in between".
DHCP, not really a problem but I found you can't assign a DHCP range to just the remote site and addresses were being handed out to the local site as well. If you don't care what address goes where, then just leave one DHCP pool and let it go.

If opnsense can do this correctly, you'll find that it's exactly what you wanted.

Oh, sorry. I meant "... as if there was a network CABLE between ...".

It doesn't matter at which site the addresses are being used.  I'll have to try it out once all sites are migrated from Ubiquiti EdgeRouters to OPNsense.
Title: Re: Which VPN to use?
Post by: defaultuserfoo on June 05, 2022, 06:42:57 PM
Quote from: meyergru on June 05, 2022, 05:51:34 PM
What do you mean by having to register the Unifi devices mandatorily? I used those devices for years and never had to do anything like that.

I have been reading that you can not deploy their so-called dream machine without creating an account with them and registering it with them.  Apparently you can turn off the connection to that account later on but should you ever want to sell your hardware, the next buyer won't be able to use it because of that account.

And how else would you configure their access points?

Quote
Since you chose to use a professional solution by HP, what makes you think you need to try to extend a broadcast domain in order to have the APs configured? I would assume even HP has seen some kind of routed enterprise network over the years.

If you look at the HP manuals (https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-c02704528), they describe discovery procedures over routed networks, like a means for DHCP- or DNS-based discovery (see page 6-6 onwards).

I didn't check the documentation.  Finding anything on HP's web sites is a nightmare and they keep changing everything all the time, so I couldn't be bothered to check.  And that access point controller requires a very weird configuration that doesn't make any sense.  It wants you to somehow use what they call an internet port --- as if anyone would connect that thing to the internet --- and I'm not sure what it's supposed to be for.  The other port it has, they call a LAN port, and apparently the APs can only be managed through the LAN port.  So the most reasonable way to configure it was to use the LAN port as a LAN port in that it connects to the VLAN the access points are connected to so that they can be managed while the internet port has the VLANs on it that carry the data that goes over the APs to the clients.  However, the internet port isn't really needed for that because the ports on the switches the APs are connected to carry these VLANs, so the access point controller doesn't create a bottleneck.  IIRC I tried it with the internet port disconnected because it's not needed, but I left it plugged in because it didn't work when disconnected ...  I guess they intend the controller to be a bottleneck, but I don't know, it just doesn't make sense and I don't want a bottleneck like that.

So the easiest way seems to just extend the VLAN the APs are being managed through to the remote site.  With all the fine VPN technology we nowadays have, that can't be a problem, can it? :)

But I'll take a look at the documentation.  Maybe it shows a better way.
Title: Re: Which VPN to use?
Post by: defaultuserfoo on June 05, 2022, 06:58:55 PM
Quote
But I'll take a look at the documentation.  Maybe it shows a better way.

Ok, yes ... Did I mention that HP has outstanding documentation for their stuff?

How do I add an option space and all the things mentioned in appendix E7 in that documentation to the DHCP server in OPNsense?

I can try that with the local DHCP server first and if I can get it to work, I can do it at the remote site and just have the management traffic go through the wireguard connection which will be used for everything else anyway.

(I did try with the DHCP server in OPNsense but it didn't work because I didn't set it up right, so I switched back to the DHCP server in the controller ...  I'd rather use the DHCP server in OPNsense anyway ...)
Title: Re: Which VPN to use?
Post by: Patrick M. Hausen on June 05, 2022, 07:02:12 PM
You don't need to register your devices mandatorily. But then I never used their "dream machine". You just deploy their free controller software via Docker, in a Linux VM, in a FreeBSD jail, whatever suits your environment best.
If you have multiple locations, tell the APs the address of the controller via DHCP.

And stretched layer 2 is a problem regardless of the VPN technology. You can't cheat with physics (bandwidth x delay).
Title: Re: Which VPN to use?
Post by: defaultuserfoo on June 05, 2022, 07:37:44 PM
I was told you can't use a VM anymore and that the USB-thing they used to have only works for some of the APs.  Ubiquiti has never been forthcoming with information of any kind.

And docker?  That's a container, isn't it?  I don't like containers and rather use VMs.  (Try to get fail2ban to work in a container ...)

Are you saying that stuff happening on layer 2 is designed and/or required to work with the bandwidths and delays only layer 1 provides and that when you introduce bandwidth limitations and delays by tunneling the connection over some kind of VPN, the ghosts residing in the wires hit the fan and it all comes apart?


PS: https://docs.opnsense.org/manual/dhcp.html :

"To configure options that are not available in the GUI one can add custom configuration files on the firewall itself. Files can be added in /usr/local/etc/dhcpd.opnsense.d/ for IPv4"

So I'll try that ...
Title: Re: Which VPN to use?
Post by: Patrick M. Hausen on June 05, 2022, 08:45:31 PM
Quote from: defaultuserfoo on June 05, 2022, 07:37:44 PM
I was told you can't use a VM anymore.

Well, the Unifi controller software is available as a FreeBSD package and via a custom apt repo for Debian or Ubuntu so you just set up an environment of your choice - hardware, VM, jail - and use "pkg install" or "apt-get install" and you have a Unifi environment. I still run one @work ;)

But you decided not to use Unifi, so that's rather irrelevant to you, I guess. I know how bad their documentation is and I am not happy with their attitude to support, either.

Quote from: defaultuserfoo on June 05, 2022, 07:37:44 PM
Are you saying that stuff happening on layer 2 is designed and/or required to work with the bandwidths and delays only layer 1 provides and that when you introduce bandwidth limitations and delays by tunneling the connection over some kind of VPN, the ghosts residing in the wires hit the fan and it all comes apart?
Spot on. Any ARP request, IPv6 neighbor discovery packet - which are mechanisms designed for a local link - must be sent over the VPN link, too, if you want layer 2 connectivity. Layer 2 relies on these mechanisms. That's why among network professionals "stretched layer 2" is generally frowned upon. Look up Ivan Pepelnjak or Greg Ferro, if you don't trust Patrick M. Hausen  :)

Now with a gigabit link and a limited number of stations on both sides it will probably work but then again it might fail in unexpected ways and is hard to debug. Layer 3 (IP) was invented for "Internetworking", i.e. connecting networks.

Quote from: defaultuserfoo on June 05, 2022, 07:37:44 PM
PS: https://docs.opnsense.org/manual/dhcp.html :

"To configure options that are not available in the GUI one can add custom configuration files on the firewall itself. Files can be added in /usr/local/etc/dhcpd.opnsense.d/ for IPv4"
Custom DHCP options can be configured right in the UI. The mechanism you cited is for unsupported (by the UI) dhcpd configuration options. Not necessary for e.g. Unifi controller discovery. See my screenshot above.

HTH,
Patrick
Title: Re: Which VPN to use?
Post by: defaultuserfoo on June 05, 2022, 09:03:15 PM
It may have been an option to switch to access points from Ubiquiti some day.  Maybe it's still an option, especially when it's easy to run their controller software.  Apparently they're making good APs --- and their EdgeMax hardware is/was good, too, especially for the price.

It's not like I don't believe you.  I haven't tried it yet and you're probably right.

I put a config file there, and it's being nicely appended to /var/dhcpd/etc/dhcpd.conf .  However, it doesn't work.  It seems like the DHCP server doesn't receive DHCP requests on that VLAN interface.

Won't it listen when it's not enabled in the GUI for that interface?  I can't enable it in the GUI because my configuration file won't work when it is.

I disabled the DHCP server in the AP controller and I disabled an AP by disabling a port on a switch the AP is connected to, and the controller shows one less AP.  When I re-enable the switch port, the AP apparently retains its IP address, talks to the controller and synchronizes and continues to work as usual.  There are no leases showing up in OPNsense, not in the GUI and not in /var/dhcpd/var/db/dhcpd.leases.  There are no corresponding entries in the log file of the DHCP server, either.  I added firewall rules to the VLAN interface like the automatically created ones on the interfaces for which the DHCP server is enabled.

Is it not possible to get the required configuration to work?
Title: Re: Which VPN to use?
Post by: Patrick M. Hausen on June 05, 2022, 09:06:09 PM
Quote from: defaultuserfoo on June 05, 2022, 09:03:15 PM
Won't it listen when it's not enabled in the GUI for that interface?  I can't enable it in the GUI because my configuration file won't work when it is.
As far as I know it doesn't. Why do you need an extra configuration file? What precisely do you need to set in the DHCP server that you cannot achieve through advanced options in the UI?
Title: Re: Which VPN to use?
Post by: Vilhonator on June 05, 2022, 09:07:41 PM
Docker or any container allows you to install software natively regardless which OS you use (for example Steam uses a container to install games to Linux and SteamOS), so ease of use is down to which OS you run the container in.

What comes to Ubiquiti, you can either buy a cloud key (physical device with Ubiquiti's own OS installed on it) and connect that to a Ubiquiti switch.

If you don't have a switch from Ubiquiti, then you can install the free software and run it on either a physical machine or a VM image of Windows, Linux or Mac OS (just read the instructions)

Yes, you have to register a local user for Ubiquiti (without it the Web GUI won't work), but you don't have to register online.

VLANs share their bandwidth and delay on physical ports (for example if you have 200 computers on VLAN 20 and 100 computers on VLAN 30 and both VLANs are assigned to 1 single 10Gb port, overall bandwidth of both VLANs is 20Gb/s, then it can go below 10Gb/s due to physical limitation of the NIC, you can't exceed physical hardware limitations with VLANs.)

Delay depends on the length and type of the cable and hardware your firewall has. Now you can improve delay and bandwidth within internal networks by adding switch, then firewall only needs to take care of internet side of things.

VLANs are generally used by schools and corporates to separate networks (1 example would be 1 VLAN to manage your network including having SSH and Webgui access to switch and firewall, 2nd which has access to only internet and 3rd which has access to intranet stuff like IP phones and internet)

You certainly can setup VLAN for VPN, but unless you have a specific requirement (for example you would have to allow internet and / or intranet access, but block web and SSH access to the firewall etc.), it's pretty pointless.

If you are trying to achieve something on home network and instructions won't make any sense to you, then just leave it there, read more documents about things in question, so that you have general knowledge of things and try again.

VPN doesn't require much knowledge, but VLANs require a NIC that supports 802.1Q tagging (IEEE 802.1Q) and switches with VLAN tag support, and quite a bit of knowledge to get them up and running well.
Title: Re: Which VPN to use?
Post by: Demusman on June 05, 2022, 09:21:28 PM
Just an FYI about Ubiquiti APs, you don't NEED to use a controller at all.
You can use the mobile app and configure them as stand-alone APs.
They call it "limited functionality" or something like that but all that means is without their control over them that their controller provides.
I have quite a few of them out there without a controller and they work just like any other AP would.

Just something to keep in mind.
Title: Re: Which VPN to use?
Post by: defaultuserfoo on June 05, 2022, 10:18:51 PM
What is a "mobile app"?  Don't they have a cli built in or at least a WEB GUI?

Even if they do, I don't want to configure more than 3--5 APs individually.  More than 2 is already bad enough ...
Title: Re: Which VPN to use?
Post by: defaultuserfoo on June 05, 2022, 10:27:06 PM
Quote from: pmhausen on June 05, 2022, 09:06:09 PM
Quote from: defaultuserfoo on June 05, 2022, 09:03:15 PM
Won't it listen when it's not enabled in the GUI for that interface?  I can't enable it in the GUI because my configuration file won't work when it is.
As far as I know it doesn't. Why do you need an extra configuration file? What precisely do you need to set in the DHCP server that you cannot achieve through advanced options in the UI?

I would need to do what they describe in Appendix E7 of this documentation: https://support.hpe.com/hpesc/public/api/document/c02704528?docVersion=1#pdfjs.action=download

(And I seem to remember that I tried it with an ISC DHCP server on Linux when I first tried to configure the AP controller and didn't work back then.  I'll have to look into the name server option, maybe that works.  But it seems to require to pre-configure the APs, which would suck.)
Title: Re: Which VPN to use?
Post by: defaultuserfoo on June 05, 2022, 11:35:30 PM
Quote from: Vilhonator on June 05, 2022, 09:07:41 PM
Docker or any container allows you to install software natively regardless which OS you use (for example Steam uses a container to install games to Linux and SteamOS), so ease of use is down to which OS you run the container in.

So it's still a container?  If that is what steam uses, how come that they keep steam processes running even after you closed their programs, like they are a virus, and how come that I can kill these processes just like that?  Is it for monitoring you and stealing your data?  A container shouldn't allow you to kill processes running in it from the outside just like that.  And whatever runs in the container shouldn't be allowed to use my screen, for example.  It doesn't matter if you call it "Docker" instead of "container" --- or isn't it a container?

Quote
What comes to Ubiquiti, you can either buy a cloud key (physical device with Ubiquiti's own OS installed on it) and connect that to a Ubiquiti switch.

I was told you can't really use the USB thing anymore because it's limited to some models of APs only.  There was some other reason why you couldn't use the software that runs on Linux.  Maybe the information is false, but when the European distributor for Ubiquiti (who's trying to sell me their APs which I can't buy when I can't configure them) tells me this, what am I supposed to believe?

Besides, the MSM422 costs about EUR 15 each off eBay, including the mounting plate.  It's not their fault, but Ubiquiti can't beat that.  And which of the APs Ubiquiti makes have metal housings?

Quote
If you don't have a switch from Ubiquiti, then you can install the free software and run it on either a physical machine or a VM image of Windows, Linux or Mac OS (just read the instructions)

There are instructions?  Don't get me started about documentation when it comes to Ubiquiti.  If you need documentation or instructions, don't touch anything from Ubiquiti.

Quote
Yes, you have to register a local user for Ubiquiti (without it the Web GUI won't work), but you don't have to register online.

That's not what I read on their forum.  People there clearly said you have to make an account with them and register your hardware (i. e. their so-called dream machine) or you will not be able to even configure it.

I guess Ubiquiti dreams that someone would do that.  And when a bunch of people have done it, they will just discontinue the accounts and the machines become worthless after they got their money and their data.  Or they will tell you which hosts you can connect to and what you can do and not do with your hardware.  Keep dreaming ...

Maybe ask on their forum what kind of SLA you get when you buy one of their DMs and what guarantees they have that they will fulfill it :)

Quote
VLANs share their bandwidth and delay on physical ports (for example if you have 200 computers on VLAN 20 and 100 computers on VLAN 30 and both VLANs are assigned to 1 single 10Gb port, the overall bandwidth of both VLANs is 20Gb/s, then it can go below 10Gb/s due to the physical limitation of the NIC; you can't exceed physical hardware limitations with VLANs.)

10GB switches are freaking expensive.  I wish I had one, but they aren't affordable yet.

Quote
Delay depends on the length and type of the cable and the hardware your firewall has. Now you can improve delay and bandwidth within internal networks by adding a switch; then the firewall only needs to take care of the internet side of things.

Are you sure that the length of the cable makes a noticeable difference in latency?  How would that happen?

Routing between VLANs with switches isn't such a great idea when you use the VLANs to keep different networks apart instead of using separate cabling.

Quote
VLANs are generally used by schools and corporations to separate networks (one example would be 1 VLAN to manage your network, including having SSH and Web GUI access to the switch and firewall, a 2nd which has access to only the internet, and a 3rd which has access to intranet stuff like IP phones and the internet)

You certainly can set up a VLAN for VPN, but unless you have a specific requirement (for example you would have to allow internet and / or intranet access, but block web and SSH access to the firewall etc.), it's pretty pointless.

Why would you set up your networks without VLANs?

Quote
If you are trying to achieve something on a home network and the instructions don't make any sense to you, then just leave it there, read more documents about the things in question so that you have general knowledge of things, and try again.

VPN doesn't require much knowledge, but VLANs require a NIC that supports 802.1Q tagging (IEEE 802.1Q) and switches with VLAN tag support, and quite a bit of knowledge to get them up and running well.

VPN is one of the most complicated things you can try to set up.  It's easy in OPNsense now, but you should have tried it 20 years ago ...  VLANs are easy, unless you're using switches from Ubiquiti.  VLANs on HP switches are a blaze and fun to configure (and HP treats them differently than Ubiquiti and Cisco do, but where is that documented with switches from Ubiquiti?).
Title: Re: Which VPN to use?
Post by: Demusman on June 06, 2022, 01:26:04 AM
Quote from: defaultuserfoo on June 05, 2022, 10:18:51 PM
What is a "mobile app"?  Don't they have a CLI built in or at least a web GUI?

Even if they do, I don't want to configure more than 3--5 APs individually.  More than 2 is already bad enough ...

Android or iOS apps.
Actually not sure if they have an iOS app, but I use the Android app and it's very simple to set up APs.
Title: Re: Which VPN to use?
Post by: Demusman on June 06, 2022, 01:31:47 AM
Quote from: Vilhonator on June 05, 2022, 09:07:41 PM
VLANs are generally used by schools and corporations to separate networks (one example would be 1 VLAN to manage your network, including having SSH and Web GUI access to the switch and firewall, a 2nd which has access to only the internet, and a 3rd which has access to intranet stuff like IP phones and the internet)

You certainly can set up a VLAN for VPN, but unless you have a specific requirement (for example you would have to allow internet and / or intranet access, but block web and SSH access to the firewall etc.), it's pretty pointless.

If you are trying to achieve something on a home network and the instructions don't make any sense to you, then just leave it there, read more documents about the things in question so that you have general knowledge of things, and try again.

VPN doesn't require much knowledge, but VLANs require a NIC that supports 802.1Q tagging (IEEE 802.1Q) and switches with VLAN tag support, and quite a bit of knowledge to get them up and running well.

I don't think you understand VLANs very well. You do realize they are just Virtual LANs, right??
If you have a switch on any network, you're using a VLAN. Not just schools and corporations, any network with a switch. Now you can segment a switch with multiple VLANs, and this is the equivalent of adding another switch; it becomes 2 broadcast domains instead of 1. Doesn't really take a lot of knowledge compared to VPNs.
Title: Re: Which VPN to use?
Post by: defaultuserfoo on June 06, 2022, 02:27:55 AM
Quote from: Demusman on June 06, 2022, 01:26:04 AM
Quote from: defaultuserfoo on June 05, 2022, 10:18:51 PM
What is a "mobile app"?  Don't they have a CLI built in or at least a web GUI?

Even if they do, I don't want to configure more than 3--5 APs individually.  More than 2 is already bad enough ...

Android or iOS apps.
Actually not sure if they have an iOS app, but I use the Android app and it's very simple to set up APs.

You want to use a phone to configure access points?  Seriously?  Do they deliver a phone when you buy an AP so you can try to configure it on a tiny screen where you can't see anything?
Title: Re: Which VPN to use?
Post by: Vilhonator on June 06, 2022, 10:54:02 AM
Quote from: Demusman on June 06, 2022, 01:31:47 AM
Quote from: Vilhonator on June 05, 2022, 09:07:41 PM
VLANs are generally used by schools and corporations to separate networks (one example would be 1 VLAN to manage your network, including having SSH and Web GUI access to the switch and firewall, a 2nd which has access to only the internet, and a 3rd which has access to intranet stuff like IP phones and the internet)

You certainly can set up a VLAN for VPN, but unless you have a specific requirement (for example you would have to allow internet and / or intranet access, but block web and SSH access to the firewall etc.), it's pretty pointless.

If you are trying to achieve something on a home network and the instructions don't make any sense to you, then just leave it there, read more documents about the things in question so that you have general knowledge of things, and try again.

VPN doesn't require much knowledge, but VLANs require a NIC that supports 802.1Q tagging (IEEE 802.1Q) and switches with VLAN tag support, and quite a bit of knowledge to get them up and running well.

I don't think you understand VLANs very well. You do realize they are just Virtual LANs, right??
If you have a switch on any network, you're using a VLAN. Not just schools and corporations, any network with a switch. Now you can segment a switch with multiple VLANs, and this is the equivalent of adding another switch; it becomes 2 broadcast domains instead of 1. Doesn't really take a lot of knowledge compared to VPNs.

No. Switches don't add domains and you would need one anyway to properly setup a VLAN.

The way VLANs work is that you use some form of detection (802.1Q tagging being the most common). OPNsense only supports tagged VLANs, meaning you can assign multiple VLANs on a single physical interface port.

A proper switch supports both tagged and untagged VLANs (untagged means you can assign 1 VLAN per physical port).

Let's say you have to set up 3 VLANs for school classrooms (1 each), which have 10 computers each, and you have a gateway with just 2 ports, of which 1 is connected to a firewall like OPNsense. You will need at least 3 16-port switches to accomplish this. The way I would do this is assign the VLANs to the gateway and set up DHCP for each, then put ports 0-2 on the switches into trunk mode for the VLANs and assign ports 3-14 to the respective VLANs, set up ports 13-15 for spanning tree protocol, configure ports 0-2 and 13-15 to accept only specific MAC addresses, and configure QoS, blacklists and the rest on OPNsense.

That way all VLANs have internet access and receive their IPs from the gateway, and each switch handles the internal network stuff and so on.

I have my work computer, PS4, TrueNAS and Personal computer all connected to different VLANs.

I use 2 Cisco SG-300-16 switches, and the only way I can access my TrueNAS, switches or OPNsense via SSH or web GUI is by physically connecting my computer to OPNsense.

TrueNAS shares work on all VLANs except the one my work computer is connected to, but none of the VLANs have access to each other or to the remote management of the firewall, TrueNAS and switches, which is how it should be done if security is your concern.

You don't need VPN for anything other than connecting to a network which is restricted (for example connecting to your work network from home, or watching movies on Netflix which aren't available in your country).
Title: Re: Which VPN to use?
Post by: Vilhonator on June 06, 2022, 11:22:23 AM
There are 3 modes VLANs have, and 1 is available mostly on switches.

1. Trunk mode, which is used to connect a switch to another switch or gateway port with tagged VLANs; traffic for each VLAN goes through that, and the switch will route it to the correct VLAN.

2. Tagged mode, which means your computer's NIC must support VLAN tagging, otherwise it won't connect to any network.

3. Untagged mode. Any computer, AP, router or gateway can be connected to this; it is used to connect devices which don't have VLAN tag support to a specific VLAN, which is why you can assign only a single VLAN as untagged on that port.

Switches might add your domain name to different VLANs, because that happens to any device you connect to a network with certain domains. You might get confused because of it, due to the fact that most consumer routers and modems don't have DNS nor even let you assign a domain to them, but that's pretty common for enterprise-level network devices.
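The three port modes above (trunk, tagged, untagged) and the broadcast-domain argument earlier in the thread are easiest to see in a small model. The following Python is an added illustration, not code from this thread, from OPNsense or from any switch vendor: a toy 802.1Q switch with access (untagged) and trunk (tagged) ports and per-VLAN MAC learning. The two-switch topology, port names, VLAN IDs 20 and 30, and MAC addresses are all constructed. It shows what the OP's AP controller case depends on: a broadcast from an access port in VLAN 20 is flooded only to ports that carry VLAN 20, crosses the trunk with a VID 20 tag, and is delivered untagged to the access point's port, while VLAN 30 ports never see it.

```python
"""Toy 802.1Q switch model: access (untagged) vs trunk (tagged) ports and
per-VLAN broadcast domains.  Added illustration for this thread, not code from
OPNsense or any switch vendor; topology, port names and MACs are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str
    vlan: Optional[int] = None   # None: untagged on the wire; int: 802.1Q VID in the tag
    payload: str = ""


@dataclass
class Port:
    name: str
    mode: str                    # "access" (untagged, one VLAN) or "trunk" (tagged, many VLANs)
    access_vlan: int = 1         # access ports: the single VLAN the port belongs to
    allowed: frozenset = frozenset()  # trunk ports: VIDs the trunk carries


class Switch:
    def __init__(self, name: str, ports: List[Port]):
        self.name = name
        self.ports = {p.name: p for p in ports}
        # MAC learning is per VLAN: the same MAC may be learned in two VLANs independently.
        self.mac_table: Dict[Tuple[int, str], str] = {}

    def classify(self, port: Port, frame: Frame) -> Optional[int]:
        """VLAN an ingress frame belongs to, or None when the port must drop it."""
        if port.mode == "access":
            return None if frame.vlan is not None else port.access_vlan
        # Trunk: only tagged frames with an allowed VID (no native VLAN in this toy).
        if frame.vlan is None or frame.vlan not in port.allowed:
            return None
        return frame.vlan

    def egress(self, port: Port, vid: int, frame: Frame) -> Optional[Frame]:
        """Frame as it leaves `port` for VLAN `vid`, or None if the port does not carry it."""
        if port.mode == "access":
            if port.access_vlan != vid:
                return None
            return Frame(frame.src, frame.dst, None, frame.payload)  # tag stripped
        if vid not in port.allowed:
            return None
        return Frame(frame.src, frame.dst, vid, frame.payload)       # tag kept or added

    def receive(self, in_port: str, frame: Frame) -> List[Tuple[str, Frame]]:
        """Switch one frame; returns (egress port, frame on that wire) pairs."""
        vid = self.classify(self.ports[in_port], frame)
        if vid is None:
            return []
        self.mac_table[(vid, frame.src)] = in_port
        known = self.mac_table.get((vid, frame.dst))
        # Known unicast goes to one port; broadcast and unknown unicast flood,
        # but egress() limits the flood to ports that carry this VLAN.
        targets = [known] if (frame.dst != BROADCAST and known) else list(self.ports)
        out = []
        for name in targets:
            if name == in_port:
                continue
            f = self.egress(self.ports[name], vid, frame)
            if f is not None:
                out.append((name, f))
        return out


def build_topology() -> Tuple[Switch, Switch]:
    """Two switches joined by a trunk; VLAN 20 = AP controller side, VLAN 30 = unrelated."""
    sw_a = Switch("A", [Port("a1", "access", access_vlan=20),  # AP controller (constructed)
                        Port("a2", "access", access_vlan=30),
                        Port("a3", "trunk", allowed=frozenset({20, 30}))])
    sw_b = Switch("B", [Port("b1", "trunk", allowed=frozenset({20, 30})),
                        Port("b2", "access", access_vlan=20),  # access point (constructed)
                        Port("b3", "access", access_vlan=30)])
    return sw_a, sw_b


def broadcast_reach(sw_a: Switch, sw_b: Switch) -> Dict[Tuple[str, str], Optional[int]]:
    """Send one broadcast from a1; map (switch, egress port) -> VLAN tag seen on that wire."""
    seen: Dict[Tuple[str, str], Optional[int]] = {}
    discover = Frame(src="00:00:00:00:00:aa", dst=BROADCAST, payload="DHCPDISCOVER")
    for out_port, f in sw_a.receive("a1", discover):
        seen[("A", out_port)] = f.vlan
        if out_port == "a3":                       # the trunk link to switch B
            for out2, f2 in sw_b.receive("b1", f):
                seen[("B", out2)] = f2.vlan
    return seen


if __name__ == "__main__":
    a, b = build_topology()
    print(broadcast_reach(a, b))   # {('A', 'a3'): 20, ('B', 'b2'): None}
```

Running it shows the broadcast leaving switch A only on the trunk (tagged 20) and leaving switch B only on the VLAN 20 access port (untagged); port a2 and b3 in VLAN 30 get nothing, which is the "two broadcast domains on one switch" point made above. The reply path works through the per-VLAN MAC table: once the AP answers, its frame is forwarded as known unicast back across the trunk instead of being flooded.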
Title: Re: Which VPN to use?
Post by: meyergru on June 06, 2022, 11:27:39 AM
Quote from: defaultuserfoo on June 05, 2022, 06:42:57 PM
Quote from: meyergru on June 05, 2022, 05:51:34 PM
What do you mean by having to register the Unifi devices mandatorily? I used those devices for years and never had to do anything like that.

I have been reading that you can not deploy their so-called dream machine without creating an account with them and registering it with them.  Apparently you can turn off the connection to that account later on but should you ever want to sell your hardware, the next buyer won't be able to use it because of that account.

And how else would you configure their access points?

The Dream Machine is, like their EdgeMAX line, another point. As Tom Lawrence pointed out in his videos, the former really have a vendor lock-in and limited capabilities in trade for usability; the latter are an abandoned product line. Their access points, however, can be configured with a UniFi controller, which is available per Dream Machine, as an appliance, and also as free self-hosted software implementations for Linux, Windows, Android, iOS, virtual machines and Docker images, and also as hosted solutions like Hostify.

As to the other point: There are good reasons to segment a network into different broadcast domains. A VPN almost always serves a need to protect traffic that intermediately passes over the internet. I would not expect it to provide more than routing. More often than not, you will also want to limit traffic to certain machines and/or services between the coupled networks, for example when you VPN to a friend's network. This is even more true for businesses, where you segment departments via VPN even when they are in the same location with no need for a VPN.

P.S.: Reading manuals often helps. I found the relevant section in the HP manual by just googling.
Title: Re: Which VPN to use?
Post by: Demusman on June 06, 2022, 11:32:04 AM
Quote from: defaultuserfoo on June 06, 2022, 02:27:55 AM
You want to use a phone to configure access points?  Seriously?  Do they deliver a phone when you buy an AP so you can try to configure it on a tiny screen where you can't see anything?

Why would they deliver a phone when you buy an AP???
You already have a phone, don't you?

It's very easy to configure them with the app. As far as seeing your phone screen... really?
Title: Re: Which VPN to use?
Post by: Demusman on June 06, 2022, 11:36:38 AM
Quote from: Vilhonator on June 05, 2022, 09:07:41 PM
No. Switches don't add domains and you would need one anyway to properly setup a VLAN.

Yes, a switch absolutely is a broadcast domain. You really need to do more research on all of this. Basic networking.

Title: Re: Which VPN to use?
Post by: Vilhonator on June 06, 2022, 11:36:49 AM
Quote from: meyergru on June 06, 2022, 11:27:39 AM
Quote from: defaultuserfoo on June 05, 2022, 06:42:57 PM
Quote from: meyergru on June 05, 2022, 05:51:34 PM
What do you mean by having to register the Unifi devices mandatorily? I used those devices for years and never had to do anything like that.

I have been reading that you can not deploy their so-called dream machine without creating an account with them and registering it with them.  Apparently you can turn off the connection to that account later on but should you ever want to sell your hardware, the next buyer won't be able to use it because of that account.

And how else would you configure their access points?

The Dream Machine is, like their EdgeMAX line, another point. As Tom Lawrence pointed out in his videos, the former really have a vendor lock-in and limited capabilities in trade for usability; the latter are an abandoned product line. Their access points, however, can be configured with a UniFi controller, which is available per Dream Machine, as an appliance, and also as free self-hosted software implementations for Linux, Windows, Android, iOS, virtual machines and Docker images, and also as hosted solutions like Hostify.

As to the other point: There are good reasons to segment a network into different broadcast domains. A VPN almost always serves a need to protect traffic that intermediately passes over the internet. I would not expect it to provide more than routing. More often than not, you will also want to limit traffic to certain machines and/or services between the coupled networks, for example when you VPN to a friend's network. This is even more true for businesses, where you segment departments via VPN even when they are in the same location with no need for a VPN.

P.S.: Reading manuals often helps. I found the relevant section in the HP manual by just googling.

Well, when it comes to security, all that VPN does is use the same SSL encryption as HTTPS does; it won't protect you against malware, viruses, snooping or anything really (just check GitHub, there are some scripts available which even decrypt some VPN connections).

VPN won't protect your data any more than HTTPS does; the difference is that it also encrypts HTTP connections (and nowadays 90% of the internet is encrypted, heck you might not even be able to connect to any HTTP website without your browser warning about it)

If you want truly secure connections, create a proxy network; the only downside of proxies that I can think of is having to add things like Windows Update, game and website servers to a whitelist, which is a lot of work.
Title: Re: Which VPN to use?
Post by: defaultuserfoo on June 06, 2022, 12:14:50 PM
Quote from: Demusman on June 06, 2022, 11:32:04 AM
Quote from: defaultuserfoo on June 06, 2022, 02:27:55 AM
You want to use a phone to configure access points?  Seriously?  Do they deliver a phone when you buy an AP so you can try to configure it on a tiny screen where you can't see anything?

Why would they deliver a phone when you buy an AP???
You already have a phone, don't you?

I have a Polycom 1500D on my desk.  I much doubt their software works on that --- and even if it did, why would I compromise my phone?  It has a tiny screen, barely large enough to be somewhat useful even, but I have it not for the screen but because I like the design, and the only reason I bought it is that Polycom phones have excellent voice quality.

Quote
It's very easy to configure them with the app. As far as seeing your phone screen... really?

Yes, really.  Have you ever seen the screens phones have?  They are ridiculously tiny and you can't see anything on them.
Title: Re: Which VPN to use?
Post by: Vilhonator on June 06, 2022, 12:22:16 PM
Quote from: defaultuserfoo on June 06, 2022, 12:14:50 PM
Quote from: Demusman on June 06, 2022, 11:32:04 AM
Quote from: defaultuserfoo on June 06, 2022, 02:27:55 AM
You want to use a phone to configure access points?  Seriously?  Do they deliver a phone when you buy an AP so you can try to configure it on a tiny screen where you can't see anything?

Why would they deliver a phone when you buy an AP???
You already have a phone, don't you?


I have a Polycom 1500D on my desk.  I much doubt their software works on that --- and even if it did, why would I compromise my phone?  It has a tiny screen, barely large enough to be somewhat useful even, but I have it not for the screen but because I like the design.

Quote
It's very easy to configure them with the app. As far as seeing your phone screen... really?

Yes, really.  Have you ever seen the screens phones have?  They are ridiculously tiny and you can't see anything on them.


And your phone doesn't have USB port to which you could dock it or any other method that would enable you to display the phone screen on your monitor?
Title: Re: Which VPN to use?
Post by: Vilhonator on June 06, 2022, 12:42:45 PM
Quote
And your phone doesn't have USB port to which you could dock it or any other method that would enable you to display the phone screen on your monitor?

Ah, just saw what phone is in question. You can still purchase a cheap tablet to use the app.
Also you might be able to run the app on Windows 11

https://www.androidauthority.com/android-apps-on-windows-11-3048569/
Title: Re: Which VPN to use?
Post by: defaultuserfoo on June 06, 2022, 03:37:25 PM
Quote from: Vilhonator on June 06, 2022, 12:22:16 PM
And your phone doesn't have USB port to which you could dock it or any other method that would enable you to display the phone screen on your monitor?

It does have a USB port, but monitors don't connect to USB ports.  Even if you could find a monitor that does, you wouldn't get an image.
Title: Re: Which VPN to use?
Post by: defaultuserfoo on June 06, 2022, 04:14:01 PM
Quote from: Vilhonator on June 06, 2022, 12:42:45 PM
Quote
And your phone doesn't have USB port to which you could dock it or any other method that would enable you to display the phone screen on your monitor?

Ah, just saw what phone is in question. You can still purchase a cheap tablet to use the app.
Also you might be able to run the app on Windows 11

https://www.androidauthority.com/android-apps-on-windows-11-3048569/

Cheap tablets suck, and their screens are also tiny and tend to be of bad quality.  On top of that, they are all about Google here and Google there and don't really work without it.  But I have no business with Google and sure don't need them to spy on me, to steal my data and to control me.  Apple isn't any better.  99.999% of all software for Android or iOS doesn't work anyway.  It's funny because it's like what we had like 30 years ago.  People really do like bad soft- and hardware, and I'll never understand why anyone puts up with that.  Now it's even worse because you can't even connect a decent keyboard and a trackball to your device, and the GUI is horrible.

I don't have Windoze, either.  Why would I?  It has always been a security risk, and now it's spying and trying to control you with no way out of that.

Anyway, it doesn't matter.  Ubiquiti has made reasonably priced hardware, and their customers had to pay for that with bad support and their documentation being a bad joke at best.  They probably still do that (or at least want to), but they have taken a path that has taken them out of consideration.
Title: Re: Which VPN to use?
Post by: Vilhonator on June 06, 2022, 04:56:56 PM
Quote from: defaultuserfoo on June 06, 2022, 04:14:01 PM
Quote from: Vilhonator on June 06, 2022, 12:42:45 PM
Quote
And your phone doesn't have USB port to which you could dock it or any other method that would enable you to display the phone screen on your monitor?

Ah, just saw what phone is in question. You can still purchase a cheap tablet to use the app.
Also you might be able to run the app on Windows 11

https://www.androidauthority.com/android-apps-on-windows-11-3048569/

Cheap tablets suck, and their screens are also tiny and tend to be of bad quality.  On top of that, they are all about Google here and Google there and don't really work without it.  But I have no business with Google and sure don't need them to spy on me, to steal my data and to control me.  Apple isn't any better.  99.999% of all software for Android or iOS doesn't work anyway.  It's funny because it's like what we had like 30 years ago.  People really do like bad soft- and hardware, and I'll never understand why anyone puts up with that.  Now it's even worse because you can't even connect a decent keyboard and a trackball to your device, and the GUI is horrible.

I don't have Windoze, either.  Why would I?  It has always been a security risk, and now it's spying and trying to control you with no way out of that.

Anyway, it doesn't matter.  Ubiquiti has made reasonably priced hardware, and their customers had to pay for that with bad support and their documentation being a bad joke at best.  They probably still do that (or at least want to), but they have taken a path that has taken them out of consideration.

Well, all I can recommend for Ubiquiti is running the controller on some machine lying in the corner. Another option is to use a plain wireless router in AP mode like the Asus RT-AC1900U and use repeaters to extend the signal if needed.

To my knowledge, an AP is just a device which allows wireless access to a network, and you need to connect it to a wireless network which already is password protected, uses RADIUS or vouchers (https://docs.opnsense.org/manual/captiveportal.html), or use an app of some sort to secure it with a password. Otherwise it's just a plain wireless repeater without password protection.
Title: Re: Which VPN to use?
Post by: Vilhonator on June 06, 2022, 05:48:06 PM
But I do have to agree with Ubiquiti (used their devices at one of my jobs): without building your network purely using their products and installing the controller on an off-site server, their products are just fancy-looking toys.

Cisco is usually my choice when it comes to APs and switches pretty much for that reason (though Meraki series is just plain madness).

My personal favourites though are Buffalo wireless routers <3 LOVED them, but sadly they aren't available in my country, if the company still even makes routers.
Title: Re: Which VPN to use?
Post by: Vilhonator on June 06, 2022, 06:36:25 PM
Quote from: defaultuserfoo on June 06, 2022, 03:37:25 PM
Quote from: Vilhonator on June 06, 2022, 12:22:16 PM
And your phone doesn't have USB port to which you could dock it or any other method that would enable you to display the phone screen on your monitor?

It does have a USB port, but monitors don't connect to USB ports.  Even if you could find a monitor that does, you wouldn't get an image.

I know that.

To display the phone screen on your PC, you would have to use a docking station and a phone which supports displaying its screen via USB (also the docking station has to have a DisplayPort, HDMI port or VGA/DVI port).
Now you might not be able to use your keyboard and mouse, but you can display your phone screen that way. This is the same method laptop docking stations use (except instead of USB, they connect to the Thunderbolt port on the laptop)

A 2nd way you might be able to display the phone screen is using Bluetooth and the right software.

A 3rd way to share your phone display with a PC is using the software that came with it and connecting the phone to a USB port on the PC (mine does that, though I do have a smartphone and don't know what the case is with IP phones or desk phones).
Title: Re: Which VPN to use?
Post by: defaultuserfoo on June 07, 2022, 10:38:36 AM
Quote from: Vilhonator on June 06, 2022, 04:56:56 PM
To my knowledge, an AP is just a device which allows wireless access to a network, and you need to connect it to a wireless network which already is password protected, uses RADIUS or vouchers (https://docs.opnsense.org/manual/captiveportal.html), or use an app of some sort to secure it with a password. Otherwise it's just a plain wireless repeater without password protection.

Well, take a look at normal access points like the MSM422 from HP or the later models from Aruba.  The Aruba APs have an access point controller built into the AP so you don't need an extra device, which is cool for redundancy.

I guess I'd be totally disappointed if I had APs from Ubiquiti ...
Title: Re: Which VPN to use?
Post by: defaultuserfoo on June 07, 2022, 10:41:38 AM
Quote from: Vilhonator on June 06, 2022, 06:36:25 PM
Quote from: defaultuserfoo on June 06, 2022, 03:37:25 PM
Quote from: Vilhonator on June 06, 2022, 12:22:16 PM
And your phone doesn't have USB port to which you could dock it or any other method that would enable you to display the phone screen on your monitor?

It does have a USB port, but monitors don't connect to USB ports.  Even if you could find a monitor that does, you wouldn't get an image.

I know that.

To display the phone screen on your PC, you would have to use a docking station and a phone which supports displaying its screen via USB (also the docking station has to have a DisplayPort, HDMI port or VGA/DVI port).
Now you might not be able to use your keyboard and mouse, but you can display your phone screen that way. This is the same method laptop docking stations use (except instead of USB, they connect to the Thunderbolt port on the laptop)

A 2nd way you might be able to display the phone screen is using Bluetooth and the right software.

A 3rd way to share your phone display with a PC is using the software that came with it and connecting the phone to a USB port on the PC (mine does that, though I do have a smartphone and don't know what the case is with IP phones or desk phones).

I expect to be able to connect through RDP or at least VNC.  Anything else doesn't make sense.
Title: Re: Which VPN to use?
Post by: Vilhonator on June 07, 2022, 11:21:31 AM
Quote from: defaultuserfoo on June 07, 2022, 10:38:36 AM
Quote from: Vilhonator on June 06, 2022, 04:56:56 PM
To my knowledge, an AP is just a device which allows wireless access to a network, and you need to connect it to a wireless network which already is password protected, uses RADIUS or vouchers (https://docs.opnsense.org/manual/captiveportal.html), or use an app of some sort to secure it with a password. Otherwise it's just a plain wireless repeater without password protection.

Well, take a look at normal access points like the MSM422 from HP or the later models from Aruba.  The Aruba APs have an access point controller built into the AP so you don't need an extra device, which is cool for redundancy.

I guess I'd be totally disappointed if I had APs from Ubiquiti ...

Your APs don't have controllers built into them; one that can be managed by connecting to the network and typing the right IP into a browser, without having to install a controller, has firmware which has a web GUI.

There are benefits in having to install a controller to manage network devices.

Thanks to controllers, you are able to solve network issues when you can't access the web GUI or SSH/CLI of the device, and you are able to monitor and manage all devices from the controller's GUI.

Another advantage is that you are able to expand the network and monitor and manage all devices from a single GUI.

The downside is that you pretty much are forced to use a single brand and could even be limited to devices of a certain series from that brand.

Another downside is that you might actually have to get additional hardware to have full control over your network.

So Ubiquiti is generally a quite decent brand; their devices are more suitable for enterprises, schools and tech-savvy network geeks.
Title: Re: Which VPN to use?
Post by: Patrick M. Hausen on June 07, 2022, 11:57:28 AM
@Vilhonator you are not being helpful. The OP is trying to come to a decision about how best to connect two sites via VPN. While I did go off-topic, too, I kept it to a single post or two.

Could a moderator please split this thread if the forum software permits?
Title: Re: Which VPN to use?
Post by: Vilhonator on June 07, 2022, 01:00:41 PM
Quote from: pmhausen on June 07, 2022, 11:57:28 AM
@Vilhonator you are not being helpful. The OP is trying to come to a decision about how best to connect two sites via VPN. While I did go off-topic, too, I kept it to a single post or two.

Could a moderator please split this thread if the forum software permits?

Yes, I went off topic, but the answer to the OP's question is this: the best VPN of choice is the one which you are familiar with and have relatively good knowledge of. That is, if you want to just get things working without major complications.
Title: Re: Which VPN to use?
Post by: defaultuserfoo on June 08, 2022, 12:52:37 AM
Quote from: Vilhonator on June 07, 2022, 11:21:31 AM
Quote from: defaultuserfoo on June 07, 2022, 10:38:36 AM
Quote from: Vilhonator on June 06, 2022, 04:56:56 PM
To my knowledge, an AP is just a device which allows wireless access to a network, and you need to connect it to a wireless network which already is password protected, uses RADIUS or vouchers (https://docs.opnsense.org/manual/captiveportal.html), or use an app of some sort to secure it with a password. Otherwise it's just a plain wireless repeater without password protection.

Well, take a look at normal access points like the MSM422 from HP or the later models from Aruba.  The Aruba APs have an access point controller built into the AP so you don't need an extra device, which is cool for redundancy.

I guess I'd be totally disappointed if I had APs from Ubiquiti ...

Your APs don't have controllers built into them; one that can be managed by connecting to the network and typing the right IP into a browser, without having to install a controller, has firmware which has a web GUI.

The ones from Aruba I have configured do.
Quote
[...]
So Ubiquiti is generally a quite decent brand; their devices are more suitable for enterprises, schools and tech-savvy network geeks.

Ubiquiti is ok for home usage, that's all.  Their lack of documentation alone makes for that.
Title: Re: Which VPN to use?
Post by: defaultuserfoo on June 08, 2022, 01:09:52 AM
Quote from: Vilhonator on June 07, 2022, 01:00:41 PM
Quote from: pmhausen on June 07, 2022, 11:57:28 AM
@Vilhonator you are not being helpful. The OP is trying to come to a decision about how best to connect two sites via VPN. While I did go off-topic, too, I kept it to a single post or two.

Could a moderator please split this thread if the forum software permits?

Yes, I went off topic, but the answer to the OP's question is this: the best VPN of choice is the one which you are familiar with and have relatively good knowledge of. That is, if you want to just get things working without major complications.

So you still didn't understand the question I was asking.

I'll try to follow pmhausen's advice to avoid trying to get a layer 2 connection to work.  Like he pointed out, it seems it is not necessary because there are other ways.  I studied the documentation some more, and it seems that the access points can get the IP address of the controller through DNS when they are reset to factory defaults.  I can test that in a couple of days.

(Documentation like that is what Ubiquiti needs to learn to create before their products are suitable for more than casual home usage.  And I do mean casual.)