Hello,
I am new to the Opensense domain. I am exploring it and quite like it so far.
Currently, I have a router provided by my ISP, which I want to replace to enhance the security of my home network.
Attached, you will find the network diagram I have envisioned.
I aim to achieve the best energy efficiency, which is why I prefer not to add more network devices (e.g., no managed switches).
I have attempted to configure Opnsense to implement this infrastructure, but I have realized that Opnsense is not well-suited for managing VLANs, as it is not a switch.
I am posting on this forum to see if anyone has a similar infrastructure setup that I want to create and to find out if it is possible or not.
Thank you very much.
- create VLAN interface with tag 10 on first trunk port
- create VLAN interface with tag 10 on second trunk port
- create a bridge interface with the two VLAN interfaces as members - do not bridge the trunk ports!
- same for VLAN 20, create on both trunks, create another bridge with the two VLAN interfaces as members
- for "VLAN 30" don't create a VLAN at all - simply create another bridge interface with the three physical ports as members
Use the three bridge interfaces for IP address assignment, firewall rules, etc.
Don't forget the two mandatory tunables from step 6 of the documentation: https://docs.opnsense.org/manual/how-tos/lan_bridge.html#step-six
Done.
Hi M. Hausen
Thanks a lot for your answer. I can't wait to try this.
Now I need to configure the trunk port on the Openwrt access point side. :)
However, I have one last little question if that's ok with you.
In this diagram (updated), is it possible to have a management IP on the openwrt access points in the same range as the LAN so i can manage them from the LAN ? example 192.168.30.1 & 2.
If yes, how ?
- I thought about creating a bridge between the "LAN bridge" and the "VLAN bridges"... but I'm not too sure of the result and afraid of multiplying the broadcast domains
- Or create 2 /30 networks on trunk's parent interfaces (this would be an untagged trafic)
- Or simply add trunk's parent interfaces to the "LAN Bridge" ?
Add two VLAN tag 30 interfaces to the trunk ports. Add the two VLAN 30 interfaces to the bridge that already contains the three untagged ports.
Never add the parent port of tagged VLANs to a bridge.
Thank you very much Patrick.
It worked very well.
Coming from Cisco environment, I'm not familiar with software managed vlans
This thread can be archived :D
Cisco IOS *routers* [1] without a switching fabric work very similar:
interface gi0.30
encapsulation dot1q 30
no shutdown
no ip address
bridge-group 30
interface gi1.30
encapsulation dot1q 30
no shutdown
no ip address
bridge-group 30
bridge 30 protocol ieee
Kind regards,
Patrick
[1] 2500, 4000, 3600, 7200 series ... really old school ;)