Hey everyone
First post here, banging my head against a wall so figured I'd post and see if anyone has any advice for me. Any help is greatly appreciated.
I have a PC running OPNsense, trunking VLANs to a managed switch, which works great. Due to the cost of power and the amount of draw the managed switch takes, I bought a couple of unmanaged switches (one 8-port, one 9-port PoE) along with a 4-port PCIe network card. My hope was to have one LAN port for the unmanaged switch for general networking, and another for the PoE switch which will power some IP cams. I've read from some people's posts that bridges aren't well supported, and others that say multiple LAN ports aren't a great idea (wish I had researched more before making purchases, but here I am). Tried using ChatGPT but have had no luck there.
Right now, all I want is to separate out LAN (re0) and CAM (re1). LAN should have normal internet access, but access to CAM should be restricted to RTSP to the NVR (on LAN at the moment) and NTP to the router.
I'm not really up to snuff on my networking, this is as much of a learning opportunity as it is functional. I can share what I've tried so far, but I'm hoping to get an opinion from someone more knowledgeable on how they would recommend setting this up, or if it's even feasible to do without just trunking all the traffic to a managed switch.
Thanks
Quote from: recips on July 22, 2025, 03:00:30 AM
wish I had researched more before making purchases
This also applies to the network card. Realtek NICs don't work well with FreeBSD.
Quote from: recips on July 22, 2025, 03:00:30 AM
Right now, all I want is to separate out LAN (re0) and CAM (re1). LAN should have normal internet access, but access to CAM should be restricted to RTSP to the NVR (on LAN at the moment) and NTP to the router.
It's not clear what your actual trouble with this is. You just need to create quite basic firewall rules to permit what you want.
Just keep in mind that rules on an interface are processed from top to bottom. If a rule's conditions match, that rule is applied and the following ones are ignored.
To limit a rule to upstream traffic only, it's best practice to create an RFC 1918 alias of type network and add all private network ranges to it.
Then create a firewall rule on the LAN, specify any for the source, check "Destination / Invert" and select the RFC 1918 alias. Put this rule at the top of the rule set.
The alias with "invert" ensures that the rule only matches outside destinations.
Below it, create a rule permitting access to local destinations, like DNS, and then rules allowing certain source IPs to access the cams or whatever.
Disable the default allow any-to-any rule.
To be sure, you can also create a block-any rule below your pass rules.
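The rule set described in this reply, written out as a hand-written pf.conf fragment so the first-match ordering and the inverted destination are visible. This is an added example, not OPNsense's generated rules or the poster's configuration; re0/re1 come from the thread, while the NVR address and the private ranges in the alias are assumed placeholders.

```pf
# Added example: the reply's rule set as a pf.conf fragment (not OPNsense output).
# Interfaces re0/re1 are from the thread; the NVR address is an assumed placeholder.
lan = "re0"
cam = "re1"
nvr = "192.168.1.10"          # placeholder for the NVR sitting on LAN

# The "RFC 1918" alias of type network from the reply, as a constant table.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# OPNsense rules are first-match ("quick"), evaluated top to bottom.
# 1. LAN to Internet: destination inverted against the alias, so only
#    non-private destinations match here; local traffic falls through.
pass in quick on $lan from $lan:network to ! <rfc1918>

# 2. LAN to local services on the router (DNS, NTP); ($lan) is this interface's address.
pass in quick on $lan proto { tcp udp } from $lan:network to ($lan) port { 53 123 }

# 3. Only the NVR may open RTSP to the cams; pf's default state keeps the replies.
pass in quick on $lan proto tcp from $nvr to $cam:network port 554

# 4. Cams may only talk NTP to the router; nothing else enters via re1.
pass in quick on $cam proto udp from $cam:network to ($cam) port 123

# 5. With the default allow-any rule disabled, unmatched traffic is dropped anyway;
#    explicit block rules at the bottom make that visible in the firewall log.
block in log quick on $lan
block in log quick on $cam
```

In the GUI the same order applies: the inverted-destination rule first, then the local-service passes, then the cam-specific passes, with the block rule last.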