OPNsense Forum

Archive => 23.1 Legacy Series => Topic started by: Colenat on February 10, 2023, 06:20:59 pm

Title: A question regarding VLANs
Post by: Colenat on February 10, 2023, 06:20:59 pm
Hello everyone!
It's not very clear to me how VLANs work. To be more precise:

I created a VLAN where I put my security camera in it, so I could block internet access to it.

I have two problems with it:
1) I can't understand for the life of me which rule I have to create to achieve it
2) Since I put the camera on the VLAN, Home Assistant (which is on the LAN subnet) can't see it anymore. Do I have to make a rule to make the VLAN visible to LAN, too?

Thank you in advance
Title: Re: A question regarding VLANs
Post by: Demusman on February 10, 2023, 06:38:50 pm
Say you have a 24 port switch, and you're only using 10 of the ports.
Now you need to add another subnet, but it will only need 8 switchports.
So you can either go out and buy an 8 port switch, or you can use vlans on your existing switch.
Every switch operates in a vlan, usually vlan1 (which you should always change before you even use the switch).
So now, you can leave 10 ports in the existing vlan, and assign 8 of the spares to the new vlan.
You now know what a vlan is. They were created to make use of unused switchports and still keep network integrity between subnets because each vlan is its own broadcast domain.
What that means is, you can just assign a different subnet to those 8 devices and plug them into 8 spare ports on your switch and they will work. But anyone on the original network can see all of the traffic on the new network. There would be no isolation. Vlans are completely isolated from each other.
They make 1 switch into 2 or more logically separated switches.
So now your questions.

1. No rules means everything is blocked. You won't even be able to ping the interface.
So you'll probably want to add some rules, like NTP for example, but up to you.

2. The LAN has a default allow any rule, did you change that?
If not, then you aren't configuring your vlan correctly.
What model switch are you using?
Do you have a separate switch for the LAN and the vlan or using the same?
Did you trunk the port going to the router if using one switch?
Many other questions but it would be easier to just post your config. Everything relevant.
Title: Re: A question regarding VLANs
Post by: cookiemonster on February 10, 2023, 10:07:31 pm
Quote
Say you have a 24 port switch, and you're only using 10 of the ports.
Now you need to add another subnet, but it will only need 8 switchports.
So you can either go out and buy an 8 port switch, or you can use vlans on your existing switch.
Every switch operates in a vlan, usually vlan1 (which you should always change before you even use the switch).
So now, you can leave 10 ports in the existing vlan, and assign 8 of the spares to the new vlan.
You now know what a vlan is. They were created to make use of unused switchports and still keep network integrity between subnets because each vlan is its own broadcast domain.
What that means is, you can just assign a different subnet to those 8 devices and plug them into 8 spare ports on your switch and they will work. But anyone on the original network can see all of the traffic on the new network. There would be no isolation. Vlans are completely isolated from each other.
They make 1 switch into 2 or more logically separated switches.
So now your questions.

1. No rules means everything is blocked. You won't even be able to ping the interface.
So you'll probably want to add some rules, like NTP for example, but up to you.

2. The LAN has a default allow any rule, did you change that?
If not, then you aren't configuring your vlan correctly.
What model switch are you using?
Do you have a separate switch for the LAN and the vlan or using the same?
Did you trunk the port going to the router if using one switch?
Many other questions but it would be easier to just post your config. Everything relevant.
Are you sure about this? Unless things have changed, the switch has to be VLAN aware in order to assign ports to VLANs as you (correctly) describe. The point being not just any switch can be made to use VLANs.
Title: Re: A question regarding VLANs
Post by: Demusman on February 10, 2023, 10:20:20 pm
You're right. But if he set up vlans we have to assume he has a vlan capable switch, right?  ;D

Obviously not, that's why I asked him what switch he's using.
Guessing there's a whole lot wrong here.
Title: Re: A question regarding VLANs
Post by: cookiemonster on February 10, 2023, 10:26:06 pm
:)
OP, please confirm if you have a managed switch or at least a VLAN aware switch. Your post doesn't tell so we're having to assume or ask more questions :)
Title: Re: A question regarding VLANs
Post by: Colenat on February 11, 2023, 07:40:12 pm
So sorry, I'm such a noob when it comes to this.

My setup is as follows:

ISP Modem --> Eth0 --> WAN in OPNsense
Archer AX50 Router --> Eth1 --> LAN in OPNsense

Eth0 and Eth1 are two separate network adapters plugged in the proxmox server, then passed to OPNsense.

Every device is connected to the AX50, both ethernet and wifi (it is set as an Access Point)
The security camera is connected via wifi
Not sure if it's VLAN aware or managed. The only reference I found about VLAN was in the IPTV section.
Title: Re: A question regarding VLANs
Post by: meyergru on February 11, 2023, 09:47:06 pm
According to its documentation, the Archer AX50 has no VLANs, only a guest WLAN. If configured as an AP, I would guess it does not even have that. That is, the IPTV camera is probably on the same subnet as every other device in your LAN.
Title: Re: A question regarding VLANs
Post by: cookiemonster on February 11, 2023, 09:59:17 pm
Unfortunately the wireless router set to Access Point won't be able to give you what you need, unless the manufacturer allows you to set VLAN tags when in AP mode which I very much doubt.
The problem is that OPN will be routing between networks including virtual ones (VLANs) but the devices need to "plug into" network ports that are segregated in those VLANs. At present you have a single network that all devices "plug into", even the wifi ones, albeit they are by radio waves instead of an ethernet port.
There are ways I believe to map SSIDs to VLANs but again the AP needs to play. Check yours.

And finally, if what you want to do is isolation of the single camera, maybe some inventiveness could do the trick.
Title: Re: A question regarding VLANs
Post by: Colenat on February 12, 2023, 03:26:59 am
Ok so, if I got this right, I should use a managed/vlan aware switch plugged to my LAN network adapter, then assign one of the ports to the VLAN dedicated to my camera, and then plug a wireless access point to that port so that the camera can connect to it. Once this setup is done, I can proceed to create a firewall rule that blocks internet traffic on that specific VLAN.

Did I get this right?
Title: Re: A question regarding VLANs
Post by: meyergru on February 12, 2023, 11:59:23 am
There is a bit more to it than just blocking internet access to some VLAN, because you still have to enable access between that VLAN and your LAN in one way or another.

But if your goal is only to block access from and to the internet for that camera, what about giving it a static DHCP assignment and creating firewall rules for that IP?
Title: Re: A question regarding VLANs
Post by: Colenat on February 13, 2023, 12:23:56 am
If this is a possibility, then I have a couple more questions.

1)Is there a cheat sheet somewhere where I can learn how to make such a rule? There are a lot of options that I can't understand if are useful to my use case. And besides this, what is the difference between a firewall rule and port forwarding?

2) What is a possible/common use case of a VLAN if you can achieve isolation via firewall rules in the same subnet?
Title: Re: A question regarding VLANs
Post by: Demusman on February 13, 2023, 01:11:03 am
Quote
If this is a possibility, then I have a couple more questions.

1) Is there a cheat sheet somewhere where I can learn how to make such a rule? There are a lot of options that I can't understand if are useful to my use case. And besides this, what is the difference between a firewall rule and port forwarding?

Just remember, rules are evaluated on the inbound side of the interface that network is attached to.
ie OPT1 can never be a source on LAN net since the rules on LAN will be evaluated from the directly connected network, into the interface. So LAN and its devices will be the source.
Always put rules on the interface itself. Floating rules have a place but only use them when you can't avoid it.

Quote
2) What is a possible/common use case of a VLAN if you can achieve isolation via firewall rules in the same subnet?

The same subnet will never even get to the firewall since that would be layer 2 traffic only.
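The two points made above (meyergru's suggestion of a static DHCP lease plus a firewall rule for that IP, and Demusman's remarks that rules are evaluated inbound on the LAN interface, that no rules means everything is blocked, and that same-subnet traffic never reaches the firewall) as a small worked model. This is an added example, not code from the thread and not OPNsense's rule engine: the addresses are constructed, the rule set is a simplified first-match model of what one would enter on the LAN interface, and the "invert destination" flag stands in for the OPNsense destination-invert checkbox.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample addressing (assumption, not taken from the thread).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
CAMERA_HOST = ipaddress.ip_network("192.168.1.50/32")   # camera, pinned via static DHCP lease
CAMERA_IP = ipaddress.ip_address("192.168.1.50")
HOME_ASSISTANT_IP = ipaddress.ip_address("192.168.1.20")
INTERNET_IP = ipaddress.ip_address("203.0.113.10")      # TEST-NET-3, stands in for "the internet"


@dataclass
class Rule:
    """One rule on the LAN interface. A source/destination of None means 'any'."""
    action: str                   # "pass" or "block"
    src: Optional[IPNet] = None
    dst: Optional[IPNet] = None
    dst_invert: bool = False      # match every destination EXCEPT dst (like the invert checkbox)
    description: str = ""

    def matches(self, src_ip: IPAddr, dst_ip: IPAddr) -> bool:
        if self.src is not None and src_ip not in self.src:
            return False
        if self.dst is not None:
            in_dst = dst_ip in self.dst
            # plain match wants in_dst True, inverted match wants in_dst False
            if in_dst == self.dst_invert:
                return False
        return True


def evaluate(rules: List[Rule], src_ip: IPAddr, dst_ip: IPAddr) -> str:
    """First matching rule wins (the default 'quick' behaviour); no match means block."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.action
    return "block"   # empty rule set: everything is blocked, not even ping gets through


def decide(rules: List[Rule], src_ip: IPAddr, dst_ip: IPAddr, lan_net: IPNet = LAN_NET) -> str:
    """Fate of a packet sent by a LAN host: either switched locally or judged by the LAN rules."""
    if src_ip in lan_net and dst_ip in lan_net:
        # Both ends sit in the same subnet: layer-2 traffic, the firewall never sees it.
        return "switched"
    return evaluate(rules, src_ip, dst_ip)


# Rules as one would enter them on the LAN interface, most specific first.
LAN_RULES = [
    Rule("block", src=CAMERA_HOST, dst=LAN_NET, dst_invert=True,
         description="camera: block anything not destined to LAN net (i.e. the internet)"),
    Rule("pass", description="default allow LAN to any"),
]

# Same rules with the block placed below the default allow: the block can never fire.
MISORDERED_RULES = list(reversed(LAN_RULES))


def demo() -> dict:
    """Collect the outcomes so they can be inspected (or asserted on) as a whole."""
    return {
        "camera->internet": decide(LAN_RULES, CAMERA_IP, INTERNET_IP),
        "camera->home_assistant": decide(LAN_RULES, CAMERA_IP, HOME_ASSISTANT_IP),
        "home_assistant->internet": decide(LAN_RULES, HOME_ASSISTANT_IP, INTERNET_IP),
        "camera->internet (misordered)": decide(MISORDERED_RULES, CAMERA_IP, INTERNET_IP),
        "camera->internet (no rules)": decide([], CAMERA_IP, INTERNET_IP),
    }


if __name__ == "__main__":
    for flow, outcome in demo().items():
        print(f"{flow:32s} {outcome}")
```

Two things the model makes visible that the thread only states in passing: the camera-to-Home-Assistant flow comes back as "switched" because both hosts share the subnet, so no LAN rule can either allow or break it (Demusman's layer-2 point); and swapping the order of the two rules silently re-opens internet access for the camera, which is why the specific block must sit above the default allow.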
Title: Re: A question regarding VLANs
Post by: meyergru on February 13, 2023, 08:17:12 am
@Colenat: You should definitely learn something about networking in general. Firewalls are all about security, so you will have to get the basics first (e.g. layer 2/3, bridging vs. routing, subnets, VLANs, NAT).
Without that, you risk doing something wrong. Invest a day or two in it, there are plenty of YouTube videos on that.

There are neither quick wins by asking basic questions you do not understand the answers to nor any cheat sheets.