OPNsense Forum

English Forums => 24.7, 24.10 Legacy Series => Topic started by: mwolfe60 on November 21, 2024, 11:23:20 PM

Title: [Resolved] Wifi vlan 30 can't access the internet
Post by: mwolfe60 on November 21, 2024, 11:23:20 PM
I'm attempting to segregate my network into VLANs for lan-wifi, iot, wired-lan, and phones. My setup is a mix of hardware.

AP is a TP-link Omada EAP670 
Switch is cisco 2960s 48 port
opnsense firewall on a four-port network appliance.

Firewall LAN - LAGG01 port 2 and 3 connected to a port channel made up of ports 47-48 trunked with a native vlan10 on the switch and a subnet of 10.100.10.0/23

The switch is configured for routing. I know the 2960s is not a full layer 3 switch, but it can do inter-VLAN routing.

It has the following VLANs configured:

Lan VLAN10 - 10.100.10.0/23
wireless lan ssid 1 VLAN20 - 10.100.20.0/23
iot ssid 2 - VLAN30 - 10.100.30.0/24
Servers - VLAN50 - 10.100.6.0/25
network - VLAN60 - 10.100.6.128/25

the AP has two SSIDs configured

1 - no vlan and can access the internet 10.100.10.0/23 subnet
2 - vlan30 can't access the internet 10.100.30.0/24 subnet

I want to have the ssids have vlan 20 and 30 to limit the broadcast domains and to block IOT traffic from the Lan

I have attached the switch's show run if that helps.

I'm missing something but I need some help fixing it.
Title: Re: Wifi vlan 30 can't access the internet
Post by: bartjsmit on November 22, 2024, 08:18:50 AM
How do your two routers (Cisco and OPNsense) exchange routing tables?
Title: Re: Wifi vlan 30 can't access the internet
Post by: dseven on November 22, 2024, 09:41:40 AM
If you do inter-VLAN routing on the Cisco switch, OPNsense will not be in the path, and so will not be able to filter that traffic. Is that what you want?

If you're OK with that, OPNsense will need to know how to reach those other subnets, so you'll need static routes (or some routing protocol, but that's probably overkill for this situation). You might be able to get away with a static route for 10.100.0.0/16 pointing to 10.100.10.1.

You'll also need firewall rules to allow internet access for the other subnets, as the "Default allow LAN to any rule" applies only to "LAN net" (10.100.10.0/23)
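Added illustration (my own code, not from the thread or from OPNsense) of the two points above: a longest-prefix route lookup showing where a reply to the IoT subnet goes with and without the 10.100.0.0/16 static route, first-match rule evaluation showing that "LAN net" alone never passes 10.100.30.0/24, and a check of which flows even reach the firewall when the switch routes between VLANs. Interface names lagg0/wan and the WAN gateway 203.0.113.1 are assumptions.

```python
import ipaddress

# Constructed model of the thread's first design: the Cisco switch routes
# between VLANs, OPNsense only owns LAN (10.100.10.0/23) and the default route.
# Interface names (lagg0, wan) and the WAN gateway 203.0.113.1 are assumptions.
LAN_NET = ipaddress.ip_network("10.100.10.0/23")
SWITCH_ROUTED = ipaddress.ip_network("10.100.0.0/16")   # everything the switch routes
DEFAULT_ROUTE = (ipaddress.ip_network("0.0.0.0/0"), "203.0.113.1", "wan")
CONNECTED_LAN = (LAN_NET, None, "lagg0")
# dseven's suggested static route: the whole /16 via the switch's LAN address
SUMMARY_ROUTE = (SWITCH_ROUTED, "10.100.10.1", "lagg0")

def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop, interface) tuples."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, nh, ifname in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, ifname)
    return best

def reply_egress(dst, with_summary_route):
    """Which interface/next hop OPNsense uses to send a packet back to dst."""
    routes = [DEFAULT_ROUTE, CONNECTED_LAN]
    if with_summary_route:
        routes.append(SUMMARY_ROUTE)
    _, next_hop, ifname = lookup(routes, dst)
    return ifname, next_hop

def first_match(rules, src):
    """OPNsense/pf evaluation with 'quick' rules: first matching rule wins,
    and a packet matching nothing falls to the implicit block."""
    src = ipaddress.ip_address(src)
    for net, action in rules:
        if src in net:
            return action
    return "block"

# The stock rule only covers 'LAN net'; the second list adds a pass for the IoT VLAN.
STOCK_LAN_RULES = [(LAN_NET, "pass")]
WITH_IOT_RULE = STOCK_LAN_RULES + [(ipaddress.ip_network("10.100.30.0/24"), "pass")]

def firewall_in_path(src, dst):
    """With inter-VLAN routing on the switch, only traffic leaving 10.100.0.0/16
    ever reaches OPNsense, so IoT-to-LAN flows are never filtered there."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return not (src in SWITCH_ROUTED and dst in SWITCH_ROUTED)
```

Without the summary route the reply to an IoT client leaves via the WAN interface, which is why the second SSID could reach nothing beyond the switch.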
Title: Re: Wifi vlan 30 can't access the internet
Post by: mwolfe60 on November 22, 2024, 10:37:28 PM
So the Cisco switch only does static routes, so no routing protocol there. It may be better to move the routing to the OPNsense rather than doing static routes and firewall rules.

would this be a better solution for this based on my hardware?

I'm very, very rusty on networking. I took some network classes in college about 20 years ago.

Title: Re: Wifi vlan 30 can't access the internet
Post by: mwolfe60 on November 23, 2024, 04:26:16 AM
I decided to remove the switch from the routing and use my Opnsense firewall to handle it all.  I've got it working now.

Thanks for helping me out.
Title: Re: [Resolved] Wifi vlan 30 can't access the internet
Post by: bartjsmit on November 23, 2024, 09:43:05 AM
Good outcome from a security perspective as well. As dseven mentioned, having your policy enforced on only one device makes for easier management.

Hang around on this forum if you want to hone your networking skills  ;)