OPNsense Forum

English Forums => 25.1, 25.4 Production Series => Topic started by: Benderisgreat on March 08, 2025, 05:45:18 PM

Title: VLan configuration question
Post by: Benderisgreat on March 08, 2025, 05:45:18 PM
Hey, new setup of OPNsense and I want to segregate my web-facing servers from my internal ones.

I want to put all of the internet-facing servers in a VLAN using OPNsense, allowing segregation from my internal servers.

I have Proxmox on an HP ProLiant server, configured as below:

Internet -- Eth 0 (OPNsense WAN)
Eth 1 -- Managed switch (OPNsense LAN)
Eth 2 -- Managed switch (segregated servers)
Eth 3 -- Managed switch (internal servers)

My question is: do I add Eth 2 as an interface and then create a VLAN with Eth 2 as the parent?

Or do I add a new VLAN with Eth 1 as the parent?

Will this then segregate Eth 3 and Eth 2 traffic, or do I need to add rules?

Also, can I have Eth 2 on a different subnet from Eth 3, e.g. 10.0.10.x and 192.168.1.x? This just helps me remember where I am when I am logged in to each server.

Side note - I have managed to use rules to block traffic from Eth 2 to Eth 3, but this doesn't seem efficient or safe/right to do.

Thanks for help
BiG
Title: Re: VLan configuration question
Post by: EricPerl on March 08, 2025, 09:26:57 PM
Assuming Eth_X are physical NICs, you have physical isolation and don't really need VLANs.
VLANs are used to get logical isolation over a physical network.
Title: Re: VLan configuration question
Post by: Benderisgreat on March 08, 2025, 11:09:42 PM
Yeah, they are physical NICs in the server.
Does VLAN offer anything over NIC?

And also, I suppose I just create rules in OPNsense to isolate the interfaces?
Title: Re: VLan configuration question
Post by: Patrick M. Hausen on March 08, 2025, 11:16:20 PM
Quote from: Benderisgreat on March 08, 2025, 11:09:42 PM
Does VLAN offer anything over NIC?

As long as you have enough NICs - no. But you can run 20 VLANs over a single NIC. Or a redundant pair of NICs. That is kind of the point.

Interfaces on routers and firewalls are few and expensive. Interfaces on switches are plenty and cheap. So you connect your firewall with 2x 10G to your switch, define 20 VLANs, and now have 20 switch ports each of which is its own "firewall interface". Or five ports in VLAN 1, two ports in VLAN 2, whatever ...

Quote from: Benderisgreat on March 08, 2025, 11:09:42 PM
And also, I suppose I just create rules in OPNsense to isolate the interfaces?

Yes. VLANs or not - this is always the same.
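An added illustration of the "VLANs or not, the rules do the isolating" point above. It is written in raw pf.conf syntax and is not OPNsense's generated ruleset nor anything a poster in this thread provided: OPNsense builds pf rules from the GUI (Firewall: Rules, plus an alias for the private ranges), and a hand-edited pf.conf is overwritten on reload, so read this as the logic to reproduce in the GUI, not a file to install. The interface names igb0..igb3, the web server address 10.0.10.10 and the DNS rule are assumptions; the two subnets are the ones the original poster mentioned. The point of the layout is that the original poster's "block Eth 2 to Eth 3" rule is not needed at all: with a default deny, each segment gets one pass rule towards non-private space, and every cross-segment path that is not explicitly allowed is already closed.

```pf
# Assumed mapping (example only, not the poster's actual NIC names):
#   igb0 = WAN, igb1 = LAN, igb2 = DMZ (internet-facing servers, 10.0.10.0/24),
#   igb3 = internal servers (192.168.1.0/24)
# If the DMZ were a VLAN on igb1 instead of its own NIC, $dmz would simply
# name that VLAN interface and nothing else below would change.
wan = "igb0"
lan = "igb1"
dmz = "igb2"
int = "igb3"

# Assumed address of the one published web server, living in the DMZ.
web_srv = "10.0.10.10"

# All private space. "Not in this table" is what we mean by "the internet".
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0

# Default deny on every interface, logged so blocked cross-segment attempts
# show up in the firewall log instead of silently vanishing.
block log all

# Outbound on any interface is allowed; pf evaluates the inbound leg first,
# so a packet that was not passed *in* on its source interface never gets here.
pass out all

# WAN: only what is published. The matching rdr/NAT line is omitted because
# it depends on the WAN address; rdr runs before filtering, so this rule
# sees the already-translated destination.
pass in on $wan proto tcp to $web_srv port 443

# DMZ: may talk to the internet, never to private space. This single rule is
# the isolation; no per-segment "block DMZ -> internal" rule is required.
pass in on $dmz from $dmz:network to ! <rfc1918>
# The one private destination it legitimately needs: DNS on the firewall itself.
pass in on $dmz proto { tcp, udp } from $dmz:network to ($dmz) port 53

# Internal servers: the internet, plus HTTPS to the DMZ web server. Nothing
# else inside (in particular not the LAN) is reachable from here.
pass in on $int from $int:network to ! <rfc1918>
pass in on $int proto tcp from $int:network to $web_srv port 443

# LAN (admin side): unrestricted, so admins can manage DMZ and internal hosts.
# Return traffic for those sessions rides on the state the pass rule creates,
# so the DMZ still cannot initiate anything towards the LAN.
pass in on $lan from $lan:network to any
```

Because pf is stateful, replies to a connection allowed in on one interface are matched by state on the way back and need no rule of their own; this is why only "in" rules per segment are written. The check worth doing after building the equivalent in the OPNsense GUI is to initiate a connection from a DMZ host to an internal address and confirm it appears as a logged block, then from the LAN to the DMZ and confirm it succeeds.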
Title: Re: VLan configuration question
Post by: Benderisgreat on March 08, 2025, 11:45:28 PM
Great, thank you. Currently I only need the four interfaces on the server, so it's all cool. For now :-)