When I was setting up my OPNsense install I was learning as I went, and I think I have ended up making some errors in the configuration of the VLANs against the physical interfaces. I would like to understand how to fix it without tearing everything down and starting again.
I am using an HP T620+ thin client with a 4-port Intel NIC.
During the install, em0 on the Intel NIC was used for the WAN and em1 was used for the LAN.
I have then created 4 VLANs (opt1, opt2, opt3, opt4) using em1 as the parent.
The LAN network still exists and is using the IP range 192.168.1.0/24 which I believe is the default. All of the VLANs are using 10.69.x.0/24. The box responds on 192.168.1.1 and traffic can use the LAN network.
My questions are:
Can I remove the LAN network, as it is redundant in my setup, and if so how?
Would it be better to disable rather than remove the LAN network?
Will removing or disabling the LAN network have any detrimental effects on the configuration, i.e. anti-lockout rules etc.?
How should I have configured things from the start? Should I have used the LAN network instead of one of the separate VLANs that I created?
If I haven't provided enough info then please let me know.
Thanks in advance
Hello,
I did a migration from an L3 interface to a VLAN setup 2 months ago, so I will try to answer a few of your questions (hopefully I remember everything correctly).
Quote from: bangcrash on June 02, 2023, 12:06:22 PM
My questions are:
Can I remove the LAN network as it is redundant in my set up and if so how?
Yes, you can do it, but it is advised to have the parent interface assigned/listed. This is how I have it. I am also running a LAGG on top of the LAN physical interface.
Quote from: bangcrash on June 02, 2023, 12:06:22 PM
Would it be better to disable rather than remove the LAN network?
Not sure what you mean by disabling it; you need to have it admin UP. It's best practice to have the parent interface assigned/listed. Strip the old LAN of its L3 configuration, leave it as L2 only and keep it assigned. This is the recommended setup.
Quote from: bangcrash on June 02, 2023, 12:06:22 PM
Will removing or disabling the LAN network have any detrimental effects on the configuration? i.e. anti-lockout rules etc.
So this is an interesting one. I believe what will happen in your case, if you remove the LAN interface completely, is that the default (system) rules will apply to the next interface in order, in this case opt1. By this I mean anti-lockout etc. For example, I have opt1 for the WireGuard interface, so the moment I removed the LAN the system rules applied to that interface. The system rules will not apply to all VLANs, so here I recommend you create the rules that prevent you from being locked out of the GUI/management access.
Quote from: bangcrash on June 02, 2023, 12:06:22 PM
How should I have configured things from the start? Should I have used the LAN network instead of one of the separate VLANs that I created?
Depends on your design. You can, for example, still use the default LAN you had created for management purposes only and have the production traffic in the VLANs. When I did my migration I removed the LAN L3 completely at the end and run 6 VLANs, where one of them is only used for management and dedicated network traffic like DNS etc.
Regards,
S.
Thanks very much for the info.
I went into the LAN interface and disabled the IPv4 addressing (I don't use IPv6) as you suggested, and everything seems to be fine. As a result of this change I did find a weird DNS problem where querying router.localdomain returned an AAAA record that contained the IP addresses of the OPNsense box on all interfaces. To fix this I went to Services > Unbound DNS > General and enabled "Do not register system A/AAAA records". I then created an override in Services > Unbound DNS > Overrides to return the IP address on my primary VLAN for queries for router.localdomain.
As a final precaution I created a replica of the antilockout rule on the firewall for my primary VLAN just in case.
Thanks again
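As an added example that is not part of this thread, here is a small Python audit of an OPNsense-style config.xml for the three points discussed above: the VLAN parent interface still being assigned, a replica of the anti-lockout rule on each addressed VLAN interface, and Unbound's "Do not register system A/AAAA records" being on. The XML layout (the interfaces/vlans/filter/unbound element names, the `<name>ip` address alias, the management ports 22/80/443) is my assumption of OPNsense's format and the sample config is constructed; adjust it to your own config.xml before relying on it.

```python
import xml.etree.ElementTree as ET

MGMT_PORTS = {"22", "80", "443"}  # assumed GUI/SSH ports the anti-lockout rule covers
# Constructed sample: lan keeps em1 assigned as an L2-only parent (no ipaddr),
# opt1 is the management VLAN with a replica anti-lockout rule, opt2 has none.
SAMPLE_CONFIG = """<opnsense>
  <interfaces>
    <lan><if>em1</if><ipaddr/></lan>
    <opt1><if>vlan0.10</if><ipaddr>10.69.10.1</ipaddr></opt1>
    <opt2><if>vlan0.20</if><ipaddr>10.69.20.1</ipaddr></opt2>
  </interfaces>
  <vlans>
    <vlan><if>em1</if><tag>10</tag><vlanif>vlan0.10</vlanif></vlan>
    <vlan><if>em1</if><tag>20</tag><vlanif>vlan0.20</vlanif></vlan>
  </vlans>
  <filter>
    <rule><type>pass</type><interface>opt1</interface><destination><network>opt1ip</network><port>22</port></destination></rule>
    <rule><type>pass</type><interface>opt1</interface><destination><network>opt1ip</network><port>80</port></destination></rule>
    <rule><type>pass</type><interface>opt1</interface><destination><network>opt1ip</network><port>443</port></destination></rule>
  </filter>
  <unbound><noreg>1</noreg></unbound>
</opnsense>"""

def audit(xml_text):
    """Return a list of findings; an empty list means the config passes."""
    root = ET.fromstring(xml_text)
    findings = []
    ifaces = {i.tag: i for i in root.find("interfaces")}
    vlans = list(root.find("vlans"))
    # 1. every VLAN parent must still be an assigned interface
    assigned = {i.findtext("if") for i in ifaces.values()}
    for parent in sorted({v.findtext("if") for v in vlans} - assigned):
        findings.append(f"VLAN parent {parent} is not assigned")
    # 2. each addressed VLAN interface needs pass rules to its own address on the
    #    management ports, i.e. a replica of the anti-lockout rule
    vlanifs = {v.findtext("vlanif") for v in vlans}
    for name, iface in ifaces.items():
        if iface.findtext("if") not in vlanifs or not iface.findtext("ipaddr"):
            continue
        ports = set()
        for rule in root.find("filter"):
            dst = rule.find("destination")
            if (rule.findtext("type") == "pass" and rule.findtext("interface") == name
                    and dst is not None and dst.findtext("network") == f"{name}ip"):
                ports.add(dst.findtext("port"))
        if MGMT_PORTS - ports:
            findings.append(f"{name}: no pass rule to {name}ip on port(s) {sorted(MGMT_PORTS - ports)}")
    # 3. Unbound must not auto-register the host's A/AAAA records on every interface
    if root.findtext("unbound/noreg") != "1":
        findings.append("unbound: 'Do not register system A/AAAA records' is off")
    return findings
```

Run `audit()` against your exported config.xml text; anything it lists is a lockout or DNS leak risk of the kind the thread describes.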