Hi, I'm new to OPNsense and after a lot of reading I have a single NIC setup that allows a PC to connect to the net. However, I am not confident that I have done this correctly / securely and I'd love to confirm my understanding with those more knowledgeable than me.
I have attached an SVG to illustrate the setup I have.
I've created a new VLAN (VLAN100) in my switch. The only members of VLAN 100 are the untagged WAN port (port 5) and the tagged OPNsense firewall port (port 4). In this way I believe LAN devices connected through ports 1 - 3 can only talk to the WAN through the firewall, because it's on the only port which is both a member of VLAN100 and the default VLAN1.
I'm fuzzy on why the firewall port within VLAN 100 is tagged, but I believe it means it can distribute traffic on both the VLANs?
I have assigned PVID=100 to port 5 and PVID=1 to ports 1-4. I believe this stipulates which VLAN should be used for packets received on a given port.
- Have I understood correctly?
- Are there any pitfalls in the way I have done this?
- With a default firewall config, will devices on the LAN ports 1-3 be 'protected' by the firewall?
I'm new to this and keen to learn so any feedback is welcome. Thank you.
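To make the VLAN membership / PVID reasoning in the post above concrete, here is a small model of standard 802.1Q switch forwarding. It is an added example, not code from the original post or from OPNsense; the port numbers, VLAN IDs and PVIDs are the ones the post describes, and the switch behaviour assumed is the usual 802.1Q model with ingress filtering enabled (a port only accepts frames for VLANs it is a member of), which is worth confirming in your own switch's settings.

```python
# Added example: model of 802.1Q forwarding for the single-NIC
# ("router on a stick") layout in the post. Port numbers, VLAN IDs and
# PVIDs come from the post; the forwarding rules are the standard 802.1Q
# model and assume ingress filtering is enabled on the switch.
from dataclasses import dataclass, field


@dataclass
class Port:
    pvid: int                                    # VLAN given to untagged frames received here
    untagged: set = field(default_factory=set)   # VLANs this port is an untagged member of
    tagged: set = field(default_factory=set)     # VLANs this port is a tagged member of

    def member_of(self, vid):
        return vid in self.untagged or vid in self.tagged


# Constructed switch table matching the post: ports 1-4 untagged in VLAN 1
# (PVID 1); port 4 additionally a tagged member of VLAN 100 (firewall);
# port 5 (modem / WAN) untagged-only in VLAN 100 with PVID 100.
SWITCH = {
    1: Port(pvid=1, untagged={1}),
    2: Port(pvid=1, untagged={1}),
    3: Port(pvid=1, untagged={1}),
    4: Port(pvid=1, untagged={1}, tagged={100}),   # OPNsense trunk port
    5: Port(pvid=100, untagged={100}),             # modem / WAN
}


def classify_ingress(switch, in_port, tag_vid=None):
    """VLAN a received frame is placed in, or None if the switch drops it.
    tag_vid=None means the frame arrived without an 802.1Q tag."""
    port = switch[in_port]
    vid = port.pvid if tag_vid is None else tag_vid
    # Ingress filtering: accept only VLANs the receiving port belongs to.
    return vid if port.member_of(vid) else None


def egress_ports(switch, in_port, tag_vid=None):
    """Ports a frame entering in_port can be flooded to, as
    {port: 'tagged' | 'untagged'}; empty dict if the frame is dropped."""
    vid = classify_ingress(switch, in_port, tag_vid)
    if vid is None:
        return {}
    out = {}
    for num, port in switch.items():
        if num == in_port:
            continue
        if vid in port.untagged:
            out[num] = "untagged"
        elif vid in port.tagged:
            out[num] = "tagged"
    return out


def wan_reachable_only_via_firewall(switch, lan_ports=(1, 2, 3), wan_port=5, fw_port=4):
    """True if no frame from a LAN port can reach the WAN port directly
    and the WAN port can only reach the firewall's port."""
    for p in lan_ports:
        if wan_port in egress_ports(switch, p):
            return False
    return set(egress_ports(switch, wan_port)) == {fw_port}


def firewall_can_separate(switch, fw_port=4):
    """The firewall can tell WAN from LAN traffic on one NIC only if at most
    one VLAN arrives untagged on its port; every other VLAN must be tagged.
    This is why port 4 is a *tagged* member of VLAN 100."""
    return len(switch[fw_port].untagged) <= 1


if __name__ == "__main__":
    print("LAN port 1 untagged frame reaches:", egress_ports(SWITCH, 1))
    print("WAN port 5 frame reaches:", egress_ports(SWITCH, 5))
    print("Firewall VID-100 frame reaches:", egress_ports(SWITCH, 4, tag_vid=100))
    print("Isolation holds:", wan_reachable_only_via_firewall(SWITCH))
```

Running it shows that an untagged frame from port 1 only floods to ports 2-4, a frame from the modem on port 5 only reaches port 4 and arrives there tagged with VID 100, and a VID-100 frame sent by OPNsense on port 4 only reaches port 5 (untagged, so the modem never sees a tag). If port 4 were made an untagged member of VLAN 100 instead, `firewall_can_separate` returns False: WAN and LAN frames would arrive on the single NIC indistinguishable from each other.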
Nice first post & welcome to the forum.
Not an expert here, but your setup looks correct to me & should achieve complete isolation between the WAN/modem side, and your local LAN network.
I believe the devices on ports 1 to 3 will be protected by the firewall, as there will be no way for traffic to be relayed between them & the WAN (modem) device, except through the OPNsense firewall.
Is there a reason that you're doing a router on a stick? While it can be made to work, I prefer to avoid the complexity and like to know for sure that my WAN is physically separated from everything else.
Quote from: CJ on February 13, 2024, 06:03:26 PM
Is there a reason that you're doing a router on a stick? While it can be made to work, I prefer to avoid the complexity and like to know for sure that my WAN is physically separated from everything else.
I am repurposing a mini PC for the task which has just one NIC. I did purchase a USB 3.0 NIC (UGREEN model FBA_20256) but it was totally unreliable and caused everything to hang.
This single NIC solution is working with test speeds comparable with what I had with my ISP's router so it seems viable provided it is secure. Do you feel that my setup is not secure?
Quote from: bangersandmash on February 14, 2024, 02:15:22 AM
I am repurposing a mini PC for the task which has just one NIC. I did purchase a USB 3.0 NIC (UGREEN model FBA_20256) but it was totally unreliable and caused everything to hang.
This single NIC solution is working with test speeds comparable with what I had with my ISP's router so it seems viable provided it is secure. Do you feel that my setup is not secure?
NICs are cheap enough that I just prefer the reduced complexity of not having to worry if I have the VLANs configured correctly, etc. One less thing to think about.