Hi
I am new to Opnsense and watching related videos.
I have a 5 port firewall device where 1 is WAN and the other is LAN by default.
Just wondering whether, without buying managed switches, I can use the existing unmanaged switches that I have and use:
The default LAN port for the trusted network (192.168.1.0 range)
The 2nd LAN port for the Guest network (192.168.10.0 range)
The 3rd LAN port for IoT devices (192.168.20.0 range)
And use the remaining LAN port the same way if required.
The ports do not have to communicate with each other; as long as they are assigned the correct IP ranges and have access to the internet, that will be a start for me.
Can you explain briefly or send me links to read how this can be done?
VLANs using the same physical port and managed switches will be my next step forward. 
			
			
			
You can totally do that. You just assign logical interfaces to the physical interfaces, then configure them with the network addresses of your choice. After that, you would have to create firewall rules to allow internet access. There are default "Allow All" rules on LAN which you have to create for each new LAN.
If you want to limit access to other LANs, you would have to create rules before that which block access to the other networks (or RFC1918 altogether). There are different styles on how to do this.
That being said, you have to consider that doing this via separate physical interfaces requires connecting clients to that specific port. If there is more than one device per network, you would need one switch per network. Many APs can also use multiple SSIDs, but have one physical port only. In order to carry more networks over one physical port, you need to use VLANs, i.e. managed switches or APs that can map SSIDs to VLANs.
You can then use only one physical port of your OPNsense with multiple VLANs or, as an alternative, configure the managed switch to map specific ports to the respective VLANs and use multiple physical (V)LAN OPNsense ports. The latter solution may also be better because on OPNsense, you should not mix tagged VLANs and untagged LANs on the same port, which is often necessary for some equipment (like Unifi), which usually has the default LAN untagged.
In the latter case, you would have LAN as untagged on one port, while using another port to carry only tagged VLANs, or multiple separate ports for each VLAN. That way, each port only carries either tagged or untagged traffic.
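The ordering point in the reply above ("create rules before that which block access to the other networks") is the part newcomers most often get wrong: OPNsense evaluates interface rules top-down and, with the default "quick" flag, the first matching rule wins, so a copied "Allow All" rule placed above the RFC1918 block rule makes the block rule dead. The following added example is not from the poster or from OPNsense; it is a small first-match evaluator that models a Guest interface rule set in the two orders. The network ranges are the ones from the thread; the gateway address 192.168.10.1, the sample client and destination addresses, and the choice to allow only DNS (port 53) to the firewall itself are constructed assumptions.

```python
import ipaddress

# Constructed example networks matching the ranges discussed in the thread.
LAN = ipaddress.ip_network("192.168.1.0/24")
GUEST = ipaddress.ip_network("192.168.10.0/24")
IOT = ipaddress.ip_network("192.168.20.0/24")
# Assumed: the OPNsense address on the guest interface (clients need it for DNS).
GUEST_GW = ipaddress.ip_network("192.168.10.1/32")

# The three RFC 1918 private ranges: "every internal network, present and future".
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def matches(addr, nets):
    """True if nets is None (meaning 'any') or addr lies inside one of the networks."""
    if nets is None:
        return True
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def evaluate(rules, src, dst, dport):
    """First-match evaluation, as OPNsense does for interface rules with 'quick' set.

    Each rule is (action, src_nets, dst_nets, dports); None means 'any'.
    Traffic that matches no rule is blocked (the implicit default deny).
    """
    for action, src_nets, dst_nets, dports in rules:
        if not matches(src, src_nets) or not matches(dst, dst_nets):
            continue
        if dports is not None and dport not in dports:
            continue
        return action
    return "block"


# Wrong order: the copied "Allow All" rule is first and matches everything,
# so the RFC1918 block rule beneath it can never fire.
GUEST_RULES_WRONG = [
    ("pass", [GUEST], None, None),
    ("block", [GUEST], RFC1918, None),
]

# Right order: allow DNS to the firewall's own guest address first (the broad
# block would otherwise cut guests off from the resolver), then block every
# private range, then allow whatever is left, which is the internet.
GUEST_RULES_RIGHT = [
    ("pass", [GUEST], [GUEST_GW], {53}),
    ("block", [GUEST], RFC1918, None),
    ("pass", [GUEST], None, None),
]


def audit(rules):
    """Return what a constructed guest client (192.168.10.50) can reach under a rule set."""
    guest = "192.168.10.50"
    return {
        "internet": evaluate(rules, guest, "93.184.216.34", 443),
        "lan_host": evaluate(rules, guest, "192.168.1.10", 445),
        "iot_host": evaluate(rules, guest, "192.168.20.7", 80),
        "guest_dns": evaluate(rules, guest, "192.168.10.1", 53),
        "guest_ssh_to_gw": evaluate(rules, guest, "192.168.10.1", 22),
    }


if __name__ == "__main__":
    for name, rules in (("wrong order", GUEST_RULES_WRONG), ("right order", GUEST_RULES_RIGHT)):
        print(name, audit(rules))
```

Running it shows the wrong order passing guest traffic to the LAN and IoT hosts, while the right order blocks those, still allows DNS to the firewall, and still reaches the internet. The same pattern applies to the IoT interface; if devices there need to reach a controller on the trusted LAN, that is one more narrow pass rule placed above the RFC1918 block, not below it.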
			
			
			
				Thank you,
As a starting point, I will try as you have suggested, 1 network range for each physical interface.
So from what I understand, these separate LANs can still communicate with each other, and to eliminate this I will need firewall rules to block traffic. I need to search on this.
Out of curiosity, if my whole network is good enough with 3 separate LANs, and I already have separate ports on the firewall, I won't need to implement any VLANs?
Is there any advantage to implementing VLANs? I believe the goal is to create separate networks, which I am already doing with separate physical ports.
			
			
			
				The purpose of VLANs is to save physical ports. And separate physical switches, of course. If you are fine with your three ports there is no need to use VLANs.
			
			
			
@leony, I formerly had pretty much what you are discussing, with three LAN ports and some physical switches. Rules are pretty straightforward and it all worked.
My current setup is more complex, yet can still be implemented comfortably with or without VLANs (mine is without). It depends on what suits if or when your system grows. There is nothing wrong with your starting point, especially if it can re-use existing equipment effectively.
			
			
			
Not sure if this switch would be helpful, but this is a switch with "fake" VLANs:
BrosTrend 8-Port 2.5G Ethernet Network Switch
https://www.brostrend.com/pages/s1-v2-specification
Ports 1 to 6 are separated from each other, but not from 7 and 8.
			
			
			
Quote from: reefer123 on November 03, 2025, 08:51:38 PM
Ports 1 to 6 are separated from each other, but not from 7 and 8.
So it's not a switch but a piece of junk. A managed VLAN-capable 1G switch is way below 50 $/€/£.
E.g. https://www.amazon.de/NETGEAR-GS308E-400EUS-Netgear-neu/dp/B0D4NTDSFR/
			
 
			
			
One L2 plane with broadcasts from various subnets is typically the thing to avoid.
I would at least seek out an L2-only switch that allows you to do L2 things like VLANs,
OR
one 1 Gb 5-port unmanaged switch per subnet; these devices are like $12 (USD) on Amazon.
			
			
			
Quote from: Patrick M. Hausen on November 03, 2025, 09:23:31 PM
Quote from: reefer123 on November 03, 2025, 08:51:38 PM
Ports 1 to 6 are separated from each other, but not from 7 and 8.
So it's not a switch but a piece of junk. A managed VLAN-capable 1G switch is way below 50 $/€/£.
E.g. https://www.amazon.de/NETGEAR-GS308E-400EUS-Netgear-neu/dp/B0D4NTDSFR/
Not arguing, just seeing this as an option to separate the devices (if needed) without any IT knowledge.
Also, you can use it as a "normal" (unmanaged) one with the slider in the "standard" position.