it looks like I have a VLAN configured, but I don't have the right firewall rules to make it work. there was a help file on the opnsense wiki, but it seems to have vanished after the latest site rework.
What I want should be a relatively simple set of rules but I'm missing some knowledge that keeps me from doing it alone.
- VLAN shares LAN interface for inbound/outbound traffic
- switch has a trunk for redirecting VLAN traffic to ports
- no need for DHCP/DNS service. Will use external DNS servers for machines on the DMZ
Rules I think I need:
- Permitting LAN to VLAN
- Permitting VLAN use of the LAN interface?
- baring VLAN access to LAN
- VLAN access to the Internet via NAT
- Internet access is VLAN via pinholes in the NAT
what I have tried:
- pinging the VLAN machine and looking for the ICMP packet with tcpdump (nothing visible)
- replicating rules that look appropriate from the LAN interface to try and open a connection.
- added rule with DMZ net as the source and asterisks for all the other fields
Since I am not firewall rule fluent at this level, it's not clear how to handle routing through VLAN by the LAN interface. thanks in advance for any help.
So let me ask just right away,
You are using TAGed and non-TAGed VLANs? If yes this is generally not a good idea, even thou it may work its not "officially supported/recommended".
In regards of Rules, its quiet simple. You close always if not mostly permitt traffic INCOMING way, once its in FW the default rule "Let anything out of GW/FW" will let it go automatically from the OUTGOING way.
For test you can just do a simple rule on the VLAN and LAN and allow any to any IN. Than you can Harden it and disable the default allow any/any rule.
Regards,
S.
yes, I am trying to use the (untagged?) LAN interface to also carry the tagged traffic.
You gave me the right question to Google and found from Cisco/HP advice that tagged networks have a separate interface from your firewall/router. I prefer not to do that because I'm running short of ports on this project and don't want to buy another switch at the moment. Another reason an untagged network was important is that I have a mixture of consumer devices on the network that don't have VLAN capability. It is important to keep domestic harmony by not breaking them.
I googled how to convert tagged VLANs to untagged, and it looks like I need to explore is tagging all traffic from the LAN interface and in the switch using one trunk for the DMZ and another for the general network. Theoretically, if I leave ports untagged, they will convert the tagged traffic to untagged on the way out of the port and tag it on the way in. At least, that's what I gathered from the VLAN write-ups.
yes? no?
That is not fully true "advice that tagged networks have a separate interface from your firewall/router." in the way you present it.
The main reason of VLANs is that you can have several logical segments over 1 cable. A Switch usually is capable to carry over 4096 VLANs from which one of them is NATIVE (Native meaning traffic that doesnt fell under any of TAGGed VLANs falls under this NATIVE VLAN. Native VLAN you can understand as partiually unTAGed VLAN but thats not really true from a perspective of a switch.)
Another point: "Another reason an untagged network was important is that I have a mixture of consumer devices on the network that don't have VLAN capability.". You dont need consumer devices capable of vlan TAGing is just bad mindset. TAGing is done on network interfaces. If you want to TAG a specific end device to a specific HOST that doesn't do or doesn't know TAG all you need to do is to set on a switch on that particular port for a device so called "access VLAN". Switch will then assign a TAG to it once he sees traffic coming from that port and remove it outgoing way.
"Theoretically, if I leave ports untagged, they will convert the tagged traffic to untagged on the way out of the port and tag it on the way in. At least, that's what I gathered from the VLAN write-ups."
This only works if you have a managed switch cable VLAN TAGs. The TAG and unTAG is done on a port configured as access.
There are many uses cases you can do the setup. I personally prefer to have a Portchannel so called LAGG between a Switch and the OPNsense, and on this PO create VLANs + GW per VLAN. This way you have more redundant, resilient and higher capacity connection between OPN and a SWITCH. Switch is then per port per End device set to either Trunk mode (multiple VLANs) - where a server is TAGing several VLANs or access mode - single VLAN like for IoT where switch is TAGing.
Regards,
S.
Quote from: Seimus on September 22, 2023, 05:17:55 PM
That is not fully true "advice that tagged networks have a separate interface from your firewall/router." in the way you present it.
[/quote
I think my misunderstanding came from this article https://techhub.hpe.com/eginfolib/networking/docs/switches/K-KA-KB/15-18/atmg/content/ch01s27.html . Thank you for clearing that up.
Quote
"Theoretically, if I leave ports untagged, they will convert the tagged traffic to untagged on the way out of the port and tag it on the way in. At least, that's what I gathered from the VLAN write-ups."
This only works if you have a managed switch cable VLAN TAGs. The TAG and unTAG is done on a port configured as access.
I will look and see if my switch handles or describes VLANs that way. It looked like it was trunk based and any member of the trunk was tagged on the way in.
QuoteThere are many uses cases you can do the setup. I personally prefer to have a Portchannel so called LAGG between a Switch and the OPNsense, and on this PO create VLANs + GW per VLAN. This way you have more redundant, resilient and higher capacity connection between OPN and a SWITCH. Switch is then per port per End device set to either Trunk mode (multiple VLANs) - where a server is TAGing several VLANs or access mode - single VLAN like for IoT where switch is TAGing.
that sounds like a worthwhile learning experience. I'll give it a shot. Thank you for all the advice and suggestions you gave me.