Hi, I run opnsense on a mini PC along with home assistant on a raspberry pi running some IoT devices. I plan to move the home assistant and all IoT devices to a separate vlan from my laptop and phone for security purposes.
I'm a networking newbie so wanted to ask, will this break any of my automations or functionality? I assumed it wouldn't matter as long as home assistant and the IoT devices are on the same VLAN. I also assume I'll have to put in a rule to allow me to access the web GUI for home assistant as well (perhaps only allowing port 8123). Any other rules I might need to setup?
I was also thinking I could seperate the VLANs and initially allow all traffic but measure traffic crossing the VLAN boundary to see what rules I might need to apply. How would I go about logging the traffic between the VLANs like this?
Thanks
You need separate IP subnets for your network VLANs. You can either change the LAN or IoT subnet to have a different range, or better still both.
E.g. if your current internal network is 192.168.1.0/24 you would split that into two VLAN/subnet parts, like IoT on 192.168.101.0/24 with VLAN number 101 (VLAN and subnet numbers don't have to be the same but it makes things easier to remember) and LAN on 192.168.42.0/24 without a VLAN tag.
Make your internal VLANs different from 192.168.1.0/24 and 192.168.0.0/24 as you will often come across those at coffeeshops, libraries, friends, etc. Having a different number will make it easier to set up VPN remote access later. You can use anything from RFC 1918: https://www.rfc-editor.org/rfc/rfc1918
You will need a VLAN capable managed switch and/or Multi-SSID access point(s). If your IoT devices use ESPHome or ZHA there won't be much to change but if they don't then you may want to consider having your IoT network inherit your current SSID/password. That way you don't have to do hand-to-hand combat with loads of devices.
Bart...
Ok that makes sense. Thanks for your prompt reply
I have an opnsense router with quad NIC with 3 of the ports setup with a LAN bridge and the 4th being WAN. Tonight, i tried creating two VLANs with tags 10 & 20, with the parent set as the one of the bridged ports (igc0). I created firewall rules for the two VLAN interfaces to allow all traffic and also enabled DHCP on both interfaces. Then i went to my access point which is plugged into to igc0 and assigned VLAN tags 10 & 20 to the 5ghz and 2.4Ghz SSIDs. Upon doing this, i immediately lost all network access through wifi and couldn't ping anything. Actually, my wifi connected laptop stopped being assigned an IP adress and had to self assign.
Any reason why this would happen, considering i only had a single allow all rule assigned to the interface? i feel like it might be related to the fact that i have a LAN bridge set up linking 3 ports on my router (in place of a switch)
Why are you using vlans if you have enough physical interfaces?
Just assign the interfaces to each subnet.
Using a bridge as a switch is never a good idea.
I only have one access point and want to divide the devices connected into two subnets
You cannot have a VLAN on a port that is also part of a bridge interface. FreeBSD limitation, not a bug. Well documented and not going to change.
What you need to do:
- Remove one port from your bridge
- Create VLANs on that port and connect to access point
- Add the VLAN interface that is supposed to be "LAN" to the bridge
- Assign OPT1 to the remaining VLAN and use for your IoT network
- Map SSIDs to VLANs on you access point
Like this - VLAN 20 is LAN:
┌────────────────────┐
│ ┌───────┐ │
│ │ │ │
│ │ WAN │ │
│ │ │ │
│ └───────┘ │
│ │ ┌────────────┐
│ ┌───────┐ │ │ ┌───────┐ │
│ │VLAN 10├─────────┼────────────────────────┼─┤VLAN 10│ │
│ ├───────┤ │ Trunk │ ├───────┤ │
│ X│VLAN 20│X────────┼────────────────────────┼─┤VLAN 20│ │
│ X└───────┘X │ │ └───────┘ │
│ X┌───────┐X │ └────────────┘
│ X│ │X │
│ X│ │X │ Access Point
│ X│ │X │
│ X└───────┘X │
│ X┌───────┐X Bridge │
│ X│ │X │
│ X│ │X │
│ X│ │X │
│ X└───────┘X │
│ XXXXXXXXXXX │
│ ... │
└────────────────────┘
OPNsense
Thank you pmhausen, your answer has helped me a lot. I didn't know you couldn't have a VLAN on a port that is part of a bridge. I carried out your instructions almost exactly except that i put my IOT VLAN into my LAN bridge and kept my trusted VLAN outside the bridge since i only have 4 trusted devices (two laptops and two phones) so it's easier to seperate them out rather than all the individual IoT devices.
Do i still have to enable DHCP on the VLAN contained within the bridge or is this handled by the bridge? Also if i have an allow all rule for my trusted VLAN, can it connect via telnet and ssh to devices in the other VLAN? I tried telnet from my laptop and it said connection refused despite being able to ping the destination device
If there is a bridge, IP address, DHCP, ... must go on the bridge. In OPNsense this is conveniently achieved in the Interfaces > Assignments section. A bridge member interface must not have an IP address. Again, documented FreeBSD network stack feature.
If there is just an isolated VLAN connected via trunk to your AP, the assignment goes to the VLAN.
If you have a rule permitting from trusted VLAN to any, you should be able to connect to devices on the IoT VLAN. Since you have been running the bridge setup for a while already, did you adjust the tunables changing where the filtering is applied as in the OPNsense LAN bridge documentation?
https://docs.opnsense.org/manual/how-tos/lan_bridge.html#step-six
I did adjust the tunables as per the opnsense documentation. I'll try disabling DHCP on the VLAN within the bridge and see if that improves my problem. I think it's also probably time to buy a switch and stop messing with this bridge too!
Don't assign the VLAN to a logical interface in Interfaces > Assignments. Assign the bridge interface instead. The VLAN and the ports in the same bridge are just "switch ports", layer 2 only.
I went and bought a tp link managed switch so that I could get rid of my bridge and then assigned ports 1 and 2 of the switch as tagged for a test vlan (these ports are connected to my opnsense PC and my access point). I set this vlan up in opnsense (with Lan port as parent), assigned it to an interface and enabled dhcp server for the vlan interface. I then cloned the allow all rules from my Lan interface to the vlan (only changing the interface and source). When I add an extra ssid mapped to this test vlan on my access point, my laptop is not assigned an IP and has to self assign again and I can't ping anything.
Any idea why the vlan is not working? Thanks
You might wanna post pics.
Like a diagram of the setup? Any advice on what application I can use to create a diagram like this?
No, I mean screenshots of your config. Router, switch and AP.
Quote from: rama3124 on February 13, 2023, 03:57:34 AM
Like a diagram of the setup? Any advice on what application I can use to create a diagram like this?
Diagrams are always helpful. Dia and Inkscape are good general purpose apps with possibly KiCad as an outside choice if you have loads of wires.
Bart...
Screenshots of configs attached
More screenshots, please let me know if anything else is helpful
Assuming the first pic is the AP, you have the vlan section "disabled".
I don't know what model AP that is but I would take a look at the manual for it.
Can't believe the vlans should be disabled if you're trying to use vlans with it.
I had vlans disabled for the SSIDs that were already running, but the test SSID had VLAN enabled as per the screenshot. Yet when i connect to this test SSID, i get no network access and don't get assigned an IP
DHCP server is active?
So I'm assuming switchport 1 is going to the router, 2 to the AP?
If so, set port 2 to vlan10 untagged, go to the pvid page and set port 2 to 10.
Plug a pc into port 2, does it get an address?
This will tell you if the problem is towards the router or towards the AP.
DHCP server is enabled on the VLAN interface and yes switch port 1 goes to router and 2 to AP.
I left port 1 & 2 tagged, but added port 3 as an untagged member port of the VLAN 10 and adjusted the PVID to 10 for port 3. When i connected my laptop, it didn't receive an IP
Any idea why opnsense isn't giving network access if the DHCP server is enabled?
So either the DHCP server isn't working or the vlan isn't configured correctly.
Looks like the switch is correct.
On the vlan interface, you didn't show what IP was set.
Try and set a static IP in the same subnet and plug into port 3.
Does that work?
Do you have a nic that a vlan can be set on?
If so, set it to vlan 10 and plug directly into the router.
Does that work?
I have already set a static IP on the VLAN of 192.168.10.1 and have a range of 192.168.10.50-192.168.10.100 on the dhcp server.
I've tried changing the vlan interface parent from the LAN port to another unused NIC port and plugging directly into the router but my laptop still didn't receive an address. I'm thinking of trying a full factory reset to see if it helps or perhaps plugging the AP directly into the router without my switch