OPNsense Forum

English Forums => General Discussion => Topic started by: fbeye on November 15, 2023, 05:48:19 PM

Title: VLAN Implementation, unsure.
Post by: fbeye on November 15, 2023, 05:48:19 PM
Morning.

Currently my OPNSense has a STATIC WAN IP via PPPoE and then 1 DHCP Server, 192.168.5.0.

I was wanting to split my network into 3 vlans, using a L3 Switch, as such:
vlan1 - 192.168.1.0 Home Wifi [will connect to wifi router]
vlan2 - 192.168.2.0 Home Ethernet [any devices physically plugged in]
vlan2 - 192.168.3.0 Home Servers [OMV, Email Servers etc]

Currently said Switch [connecting to LAN of OPNSense] is in L2, all connecting to 192.168.5.0, but I want to restructure my network.
Would I create the 3 vlans as mentioned on the L3 and then create a 4th network [from opnsense to L3] or could vlan1 be an extension of Opnsense DHCP?
I would assume having the network from opnsense to l3 would be its own network outside of the 3 vlans. Being that the vlans would be L3, I assume the automatic "communication" of the inter-vlan would be automatic (so like 192.168.2.88 could ping 192.168.3.55 without static routes cause the L3 would already know?).

This will obviously get deeper as I do have a block of static IPs that need to be directed to specific LAN IPs, but for now I wanna establish the ground rules.
Title: Re: VLAN Implementation, unsure.
Post by: fbeye on November 15, 2023, 06:21:43 PM
Or would I create all 3 vlans on the OPNSense and create a tunnel from LAN to Switch and leave in L2 but assign groups of interfaces on Switch to each vlan and let OPNSense do the routing/directing?
Title: Re: VLAN Implementation, unsure.
Post by: netnut on November 15, 2023, 06:44:01 PM
Quote from: fbeye on November 15, 2023, 06:21:43 PM
Or would I create all 3 vlans on the OPNSense and create a tunnel from LAN to Switch and leave in L2 but assign groups of interfaces on Switch to each vlan and let OPNSense do the routing/directing?

Both scenarios will work, but if you want full control and a (relatively) simple network design, use the switch for L2 and OPNsense for L3. Your switch can only filter stateless (ACL), and with OPNsense as default GW for all your VLANs you can easily benefit from its many services without any special setups and configs.

Just assign an interface (or more if you like redundancy with LACP, if your switch supports that) on your OPNsense firewall that's directly connected to your switch and use this as a Trunk port for all your VLANs.

This interface is the "parent" where you can stack up all your (tagged) VLANs; just assign the different ports on your switch to these specific VLANs and you're King!
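The stateless-versus-stateful distinction in the reply above is the whole reason for putting the routing on OPNsense rather than on the switch. The following Python model is an added example, not code from the thread or from the OPNsense project: it pushes the same three packets through a switch-style ACL (each packet judged on its own) and through a gateway-style stateful filter (which remembers connections it has permitted). The subnets are the "Home Ethernet" and "Home Servers" ranges from the thread; the host addresses and port numbers are constructed sample values.

```python
"""Stateless ACL vs stateful firewall between two of the thread's VLANs.

Added example, not from the forum thread. Subnets follow the original post;
hosts and ports are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ETHERNET = ip_network("192.168.2.0/24")  # "Home Ethernet" VLAN from the thread
SERVERS = ip_network("192.168.3.0/24")   # "Home Servers" VLAN from the thread


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool  # True for a TCP connection-opening packet


def stateless_acl(pkt: Packet) -> bool:
    """Switch-style ACL: every packet is judged alone.

    Policy: Ethernet clients may reach servers on TCP/443.
    Because the ACL keeps no memory, letting replies back requires a second
    rule (servers -> clients from source port 443) that cannot tell a genuine
    reply from traffic a server originates itself using that source port.
    """
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    if s in ETHERNET and d in SERVERS and pkt.dport == 443:
        return True
    if s in SERVERS and d in ETHERNET and pkt.sport == 443:
        return True  # return-traffic rule; over-permissive by construction
    return False


class StatefulFirewall:
    """Gateway-style filter (what OPNsense does as default GW): remembers flows
    opened by permitted traffic and admits only their reverse-direction packets."""

    def __init__(self) -> None:
        # (src, sport, dst, dport) of flows that were allowed to open
        self.table: set = set()

    def filter(self, pkt: Packet) -> bool:
        s, d = ip_address(pkt.src), ip_address(pkt.dst)
        # Reply direction: permitted only if the forward flow exists.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return True
        # New flow: must match policy and be a SYN; then record the state.
        if pkt.syn and s in ETHERNET and d in SERVERS and pkt.dport == 443:
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False


def compare() -> dict:
    """Run the same packets through both filters; values are (stateless, stateful)."""
    fw = StatefulFirewall()
    client_request = Packet("192.168.2.88", "192.168.3.55", 51000, 443, syn=True)
    server_reply = Packet("192.168.3.55", "192.168.2.88", 443, 51000, syn=False)
    # A server-originated connection that merely uses source port 443.
    server_originated = Packet("192.168.3.55", "192.168.2.90", 443, 22, syn=True)
    results = {}
    for name, pkt in [("client_request", client_request),
                      ("server_reply", server_reply),
                      ("server_originated_from_443", server_originated)]:
        results[name] = (stateless_acl(pkt), fw.filter(pkt))
    return results


if __name__ == "__main__":
    for name, (acl, fw) in compare().items():
        print(f"{name:28} stateless={acl!s:5} stateful={fw}")
```

Both filters pass the client request and the matching reply. The difference shows on the third packet: the ACL must admit it because it cannot distinguish it from a reply, while the stateful filter rejects it because no client ever opened that flow.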

Title: Re: VLAN Implementation, unsure.
Post by: lilsense on November 15, 2023, 06:58:49 PM
not sure if you explained what kind of managed switch you are using, or if...

but if you do then a trunk (not a tunnel) interface is what you need to set up and allow the vlans thru the trunk. Then you would need to configure the switch for each port to the specified vlan you have like...
Title: Re: VLAN Implementation, unsure.
Post by: fbeye on November 15, 2023, 07:58:08 PM
Alright, yeah I think what I will do is use the OPN as the "router" and create the Trunk... Upon looking, it seems my Cisco SG500X can indeed do LACP but being that is all new to me, I may for now keep it simple with a Trunk, but will indeed look into it.
The OPN is running via VM on Proxmox so I only have 2 Interfaces [lan/wan], so this LACP would be assigned on the LAN Interface.

After I create the 3 vlans on OPN, and then the Trunk and assign those vlans to/through the Trunk, on my Switch I will use Port GE 1 as the Trunk port, assign/allocate vlan1-3 to it, and then on the remaining 47 Ports, just assign them to their vlans.
Would the GE 1 on the Switch need to be an L3 or keep it L2, but keep it out of any vlan and just assign it [interface/trunk] to the GE 1?
Title: Re: VLAN Implementation, unsure.
Post by: netnut on November 15, 2023, 09:27:48 PM
Quote from: fbeye on November 15, 2023, 07:58:08 PM
Upon looking, it seems my Cisco SG500X can indeed do LACP but being that is all new to me, I may for now keep it simple with a Trunk, but will indeed look into it.
The OPN is running via VM on Proxmox so I only have 2 Interfaces [lan/wan], so this LACP would be assigned on the LAN Interface.

If running virtualized there isn't much reason to use LACP with OPNsense, in that case it's more relevant for your (physical) Proxmox hosts. But leave that for later....

Quote
Would the GE 1 on the Switch need to be an L3 or keep it L2, but keep it out of any vlan and just assign it [interface/trunk] to the GE 1?

Just L2 for your initial plan; if you want to do something L3 you can create a separate VLAN for that and play with it. Not needed for your OPN setup.

FYI, your switchport will always use a VLAN if you "do" nothing, that's VLAN1 aka "default VLAN". You can use VLAN1 like any other VLAN, but it's best practice to just leave it as is. You have 4095 other digits to choose from :D.
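To make the trunk/access-port and default-VLAN points concrete, here is an added Python example (not code from the thread, the switch vendor or the OPNsense project). It builds and parses 802.1Q-tagged Ethernet frames as they travel on the trunk from OPNsense, models the switch stripping the tag on egress to access ports, treats untagged trunk traffic as VLAN 1 the way the reply describes, and checks a VLAN plan against the advice to leave VLAN 1 alone. The VLAN ids, port names and MAC addresses are constructed sample values; the subnets are the ones proposed in the first post.

```python
"""802.1Q tagging on a trunk vs untagged access ports, plus a VLAN-plan check.

Added example, not from the forum thread. Port names, VLAN ids and MAC
addresses are constructed; subnets are the thread's 192.168.1/2/3.0 plan.
"""
from __future__ import annotations

import struct
from ipaddress import ip_network

ETHERTYPE_8021Q = 0x8100  # TPID that marks a frame as 802.1Q tagged
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst_mac: bytes, src_mac: bytes, payload: bytes,
                vlan_id: int | None = None, pcp: int = 0) -> bytes:
    """Build an Ethernet frame; with vlan_id set, insert an 802.1Q tag after the MACs.
    TCI layout: PCP (3 bits) | DEI (1 bit) | VID (12 bits)."""
    header = dst_mac + src_mac
    if vlan_id is not None:
        if not 0 <= vlan_id <= 4095:
            raise ValueError(f"VLAN id {vlan_id} does not fit the 12-bit VID field")
        header += struct.pack("!HH", ETHERTYPE_8021Q, (pcp << 13) | vlan_id)
    return header + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame: bytes) -> tuple[int | None, int, bytes]:
    """Return (vlan_id or None if untagged, inner ethertype, payload)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, inner, frame[18:]
    return None, ethertype, frame[14:]


def strip_tag(frame: bytes) -> bytes:
    """What an access port does on egress: drop the 4-byte 802.1Q tag."""
    return frame[:12] + frame[16:]


def deliver_from_trunk(frame: bytes, access_ports: dict[str, int]) -> dict[str, bytes]:
    """Model the switch: a frame arrives on the trunk from OPNsense and is flooded,
    untagged, to every access port that is a member of the frame's VLAN.
    Untagged traffic on the trunk lands in the default VLAN 1, as the reply notes."""
    vlan_id, _, _ = parse_frame(frame)
    tagged = vlan_id is not None
    if not tagged:
        vlan_id = 1
    return {port: (strip_tag(frame) if tagged else frame)
            for port, member in access_ports.items() if member == vlan_id}


def validate_plan(plan: dict[int, str]) -> list[str]:
    """Check a {vlan_id: subnet} plan: ids in 2..4094, VLAN 1 untouched, subnets disjoint."""
    problems: list[str] = []
    nets = {}
    for vid, cidr in plan.items():
        if vid == 1:
            problems.append("VLAN 1 is the switch default VLAN; leave it as is and pick another id")
        elif not 2 <= vid <= 4094:
            problems.append(f"VLAN {vid} is not a usable 802.1Q VLAN id")
        nets[vid] = ip_network(cidr)
    vids = sorted(nets)
    for i, a in enumerate(vids):
        for b in vids[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"VLAN {a} and VLAN {b} subnets overlap")
    return problems


def demo() -> dict:
    # Constructed switch config: three access ports, one per VLAN.
    access_ports = {"ge2": 10, "ge3": 20, "ge4": 30}
    broadcast = b"\xff" * 6
    opnsense_mac = b"\x02\x00\x00\x00\x00\x01"  # constructed locally-administered MAC
    frame = build_frame(broadcast, opnsense_mac, b"payload", vlan_id=20)
    delivered = deliver_from_trunk(frame, access_ports)
    # The first post numbered its VLANs 1-3; the check flags the use of VLAN 1.
    plan = {1: "192.168.1.0/24", 20: "192.168.2.0/24", 30: "192.168.3.0/24"}
    return {
        "tag_on_trunk": parse_frame(frame)[0],
        "delivered_to": sorted(delivered),
        "untagged_on_access_port": parse_frame(delivered["ge3"])[0] is None,
        "plan_problems": validate_plan(plan),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The frame carries VID 20 only on the trunk; the access port in VLAN 20 receives it with the tag removed, and ports in other VLANs never see it. The plan check reports the VLAN 1 assignment, which is the one thing the reply suggests changing before going further.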
Title: Re: VLAN Implementation, unsure.
Post by: fbeye on November 15, 2023, 10:12:53 PM
Ah alright, that makes sense. Yeah we will go Trunk. That makes sense; I wouldn't need to set the Switch Port to anything as it will be a trunk port anyway, and the remaining Ethernet ports on the switch will look to their assignments to which vlan, on the trunk. Cool.

I assume LACP is like multiple physical links as backups if the main trunk fails, like redundancy? Either way, this is for home; I am just having fun with a little "advanced" setup.
Title: Re: VLAN Implementation, unsure.
Post by: fbeye on November 15, 2023, 11:11:24 PM
Also I assume each Vlan will all use the same default opnsense PPPOE WAN IP as their Internet address. Unless specified.