OPNsense Forum

English Forums => General Discussion => Topic started by: Asperamanca on January 05, 2021, 03:41:14 pm

Title: Separate Wifi SSIDs via VLAN & Wifi AP recommendations
Post by: Asperamanca on January 05, 2021, 03:41:14 pm
I would like to rebuild my network around an OPNsense-based firewall, and I have one configuration question. The topic has been discussed in several threads, but the answers there were mostly focused on specific configuration issues. My question is more about understanding the basic concepts.

What I need:
-) OPNsense Firewall connected to existing internet router
-) A switch connected to the firewall for cable LAN
-) An internal Wifi and a guest Wifi.
Internal Wifi has full network access, but is protected both by password and MAC address whitelisting.
Guest Wifi has internet access, and nothing else.

From what I understand so far, I can achieve this using only a single Wifi access point, provided this AP supports VLANs. Is this correct?

If so, will it work with any vendor's VLAN implementation, or are there differences to watch out for?

Do you have such a configuration running, and if so, which access point vendor do you use?
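The isolation requirement above ("internet access, and nothing else") is usually expressed on the firewall as a short first-match ruleset on the guest VLAN interface. The model below is an added example written for this thread, not OPNsense code or anything posted by the participants: it assumes constructed subnets (internal VLAN 10 on 192.168.10.0/24, guest VLAN 20 on 192.168.20.0/24, OPNsense at 192.168.20.1 on the guest side) and, because the firewall sits behind an existing internet router, an upstream router LAN of 192.168.1.0/24 that guests must not reach either. Blocking all RFC 1918 destinations after allowing DNS to the firewall covers the internal VLAN, the firewall's own management interface and the upstream router in one rule.

```python
"""Model of a guest-VLAN isolation policy (constructed example, not OPNsense's own rules)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed addressing; the thread names no subnets or VLAN IDs.
INTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")   # internal VLAN 10
GUEST_NET = ipaddress.ip_network("192.168.20.0/24")      # guest VLAN 20
GUEST_GATEWAY = ipaddress.ip_network("192.168.20.1/32")  # OPNsense address on the guest VLAN
UPSTREAM_LAN = ipaddress.ip_network("192.168.1.0/24")    # LAN of the existing internet router

# All private address space: internal VLAN, firewall, upstream router, anything else local.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    action: str                    # "pass" or "block"
    dst: List[ipaddress.IPv4Network]  # destination networks; empty list means "any"
    proto: Optional[str] = None    # None means any protocol
    dport: Optional[int] = None    # None means any destination port
    note: str = ""

    def matches(self, dst_ip: ipaddress.IPv4Address, proto: str, dport: int) -> bool:
        if self.dst and not any(dst_ip in net for net in self.dst):
            return False
        if self.proto is not None and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


# Rules on the guest interface, evaluated top-down, first match wins,
# the same way an OPNsense interface ruleset is evaluated.
GUEST_RULES = [
    Rule("pass", [GUEST_GATEWAY], "udp", 53, "DNS resolver on the firewall itself"),
    Rule("block", RFC1918, note="no private destinations at all (LAN, firewall GUI, upstream router)"),
    Rule("pass", [], note="everything left is the internet"),
]


def evaluate(rules: List[Rule], dst: str, proto: str = "tcp", dport: int = 443) -> str:
    """Return the action of the first matching rule; unmatched traffic is denied by default."""
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(dst_ip, proto, dport):
            return rule.action
    return "block"


def guest_can_reach(dst: str, proto: str = "tcp", dport: int = 443) -> bool:
    """Convenience wrapper: True when a guest client may open this connection."""
    return evaluate(GUEST_RULES, dst, proto, dport) == "pass"


if __name__ == "__main__":
    for dst, proto, port in [("8.8.8.8", "tcp", 443), ("192.168.10.5", "tcp", 445),
                             ("192.168.20.1", "udp", 53), ("192.168.20.1", "tcp", 443),
                             ("192.168.1.1", "tcp", 80)]:
        print(f"guest -> {dst}:{port}/{proto}: {evaluate(GUEST_RULES, dst, proto, port)}")
```

Rule order is the whole point: the DNS allow must sit above the RFC 1918 block, or guests lose name resolution; the block must sit above the catch-all pass, or it never fires. DHCP is not modelled here, and the MAC allowlist on the internal SSID is a separate AP-side control that this ruleset does not depend on.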
Title: Re: Separate Wifi SSIDs via VLAN & Wifi AP recommendations
Post by: Mks on January 05, 2021, 03:56:46 pm
Hi,

I've had a similar setup up and running for years (personal, non-business use).
I'm using TP-Link Omada Controller and APs and SmartManaged Switches (with PoE).

VLANs (802.1Q) are a standardized protocol, so any vendor which implements the standard should work.

br
Title: Re: Separate Wifi SSIDs via VLAN & Wifi AP recommendations
Post by: Asperamanca on January 05, 2021, 04:09:04 pm
Does this mean that I have to assign two VLANs to the port which connects to the AP, then configure the AP to use each VLAN with the correct SSID (internal/guest)?
Title: Re: Separate Wifi SSIDs via VLAN & Wifi AP recommendations
Post by: Mks on January 05, 2021, 04:21:09 pm
Quote from: Asperamanca
Does this mean that I have to assign two VLANs to the port which connects to the AP, then configure the AP to use each VLAN with the correct SSID (internal/guest)?

Yes, right: the port must be configured as trunk and you assign the VLAN ID to the different SSIDs on the AP.

There are several ways to perform the VLAN assignment (with RADIUS), but this is how I've implemented it.

br
Title: Re: Separate Wifi SSIDs via VLAN & Wifi AP recommendations
Post by: marjohn56 on January 05, 2021, 04:25:04 pm
I use the same TP access points, but my Omada server is run as a service on one of my servers. The other option you have is to choose an access point that allows guest access and isolates the LAN from the guest, i.e. only allows traffic to the gateway; there are plenty around if you look. If you are only using a single WAP that may be a simpler option.
Title: Re: Separate Wifi SSIDs via VLAN & Wifi AP recommendations
Post by: Mks on January 05, 2021, 04:28:52 pm
Quote from: marjohn56
choose an access point that allows guest access and isolates the LAN from the guest, i.e. only allows traffic to the gateway, there are plenty around if you look.

Good hint. This will be the easiest solution.
The more flexible one (e.g. VLANs for IoT, Kids, ..., Firewall rules, ...) is VLAN based. But if you just need one guest WIFI the solution from marjohn56 is sufficient.

br
Title: Re: Separate Wifi SSIDs via VLAN & Wifi AP recommendations
Post by: Asperamanca on January 05, 2021, 10:28:55 pm
I have been researching possible configuration (and availability and pricing...), and although my questions stray a little from OPNsense topics in the narrow sense, I would really value your input:

Since I want to keep my Wifi AP for a while, I aim for Wifi-5 (ac) at least, and I would like to have WPA3. The only (halfway) affordable solutions I can find are Cisco access points which run on PoE. Only one Wifi router I found has both WPA3 and VLAN, and it's ridiculously expensive.

Now the OPNsense-based firewall isn't going to have PoE ports. So I found a suitable switch (unmanaged) which has some PoE ports, and enough ports in total. I would connect the Wifi AP on a PoE port, and my other devices on the remaining ports.
However, what does this mean for the VLAN configuration? It would mean that I have to configure the port on the firewall which connects to the whole switch as "trunk" (as Mks posted, although I'm not familiar with the term).

Does this have unintended consequences for the ports connected to computers and other devices where I can't do a VLAN configuration?
Title: Re: Separate Wifi SSIDs via VLAN & Wifi AP recommendations
Post by: tong2x on January 06, 2021, 02:11:01 am
What I have is:
OPNsense server
Ubiquiti managed switch
and Ubiquiti APs (ACLR and ACPRO)
Ubiquiti controller (could be installed on an existing PC, or buy their controller device)

Simple setup: the Ubiquiti AP is capable of assigning a VLAN ID to an SSID, then OPNsense will just catch that.
You just need a managed switch (Ubiquiti or not) so the VLAN tags will not be lost (an unmanaged switch may remove the VLAN tags).
Title: Re: Separate Wifi SSIDs via VLAN & Wifi AP recommendations
Post by: Asperamanca on January 06, 2021, 08:00:03 am
Well, none of the Ubiquiti APs has WPA3. If I relax this requirement, I suddenly get lots more options.
But thank you for pointing out the possible issues with VLAN tags. Maybe a PoE injector could do the trick (I hope it just wires the network signal to the port, and adds the wires for PoE)
Title: Re: Separate Wifi SSIDs via VLAN & Wifi AP recommendations
Post by: Mks on January 06, 2021, 09:08:30 am
Quote from: Asperamanca
I aim for Wifi-5 (ac) at least, and I would like to have WPA3.
My recommendation: if you go for controller based solutions (central controller which provisions APs) like from TP-Link Omada or Ubiquiti, buy cheap WPA2 APs now and replace them once WPA3 is cheaper. WIFI 5/6 + WPA3 is still quite new and the APs are expensive.

Quote from: Asperamanca
So I found a suitable switch (unmanaged) which has some PoE ports, and enough ports in total. I would connect the Wifi AP on a PoE port, and my other devices on the remaining ports.
If you want to use VLANs, the switch must support it. There are a lot of SOHO switches available with PoE and VLAN. You could also use PoE Injectors, but then you need a power plug at each AP.

Quote from: Asperamanca
However, what does this mean for the VLAN configuration? It would mean that I have to configure the port on the firewall which connects to the whole switch as "trunk" (as Mks posted, although I'm not familiar with the term).
The VLAN IDs must be transferred to the switch, this is done via the trunk.
On the switch you configure the VLAN assignment to the ports. As you want to have multiple VLANs on the AP the connection to the AP must also be configured as trunk. On the AP controller you define the VLAN to SSID assignment.

br
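The three port roles described in the reply above (firewall-to-switch trunk, switch-to-AP trunk, untagged access ports for the wired devices) all come down to whether a frame carries an 802.1Q tag and which VLAN ID it holds. The following is an added, constructed example, not code from OPNsense, a switch vendor or anyone in this thread: it builds and parses 802.1Q-tagged Ethernet frames with Python's standard library and models, in simplified form, how a trunk port, an access port and the firewall's VLAN interfaces classify them. The SSID-to-VLAN mapping (internal = 10, guest = 20) and the interface names are assumptions; the thread names no IDs.

```python
"""Constructed example: 802.1Q tagging and trunk vs. access port behaviour.
Not OPNsense or switch-vendor code; VLAN IDs and interface names are made up."""
import struct
from typing import Dict, Optional, Tuple

TPID_8021Q = 0x8100      # EtherType that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Assumed AP configuration: which VLAN each SSID is mapped to.
SSID_TO_VID = {"internal": 10, "guest": 20}


def build_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Ethernet II frame; when vid is given, an 802.1Q tag is inserted after the MAC addresses."""
    frame = dst_mac + src_mac
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VID must be 1..4094")
        tci = (pcp << 13) | vid                 # 3-bit priority, 1-bit DEI (0), 12-bit VLAN ID
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> Tuple[bytes, bytes, Optional[int], int, bytes]:
    """Return (dst_mac, src_mac, vid_or_None, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, offset = None, 14
    if ethertype == TPID_8021Q:                 # tagged: read TCI, then the real EtherType
        (tci,) = struct.unpack("!H", frame[14:16])
        vid = tci & 0x0FFF
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    return dst, src, vid, ethertype, frame[offset:]


def ap_uplink_frame(ssid: str, dst_mac: bytes, src_mac: bytes, payload: bytes) -> bytes:
    """The AP tags a wireless client's frame with the VLAN of the SSID it arrived on."""
    return build_frame(dst_mac, src_mac, ETHERTYPE_IPV4, payload, vid=SSID_TO_VID[ssid])


class TrunkPort:
    """Tagged port (firewall<->switch, switch<->AP): several VLANs share one cable."""
    def __init__(self, allowed_vids):
        self.allowed = set(allowed_vids)

    def ingress(self, frame: bytes) -> Optional[int]:
        """VLAN the frame is placed in, or None if dropped (untagged or VID not allowed).
        This model has no native VLAN, so untagged frames are discarded."""
        vid = parse_frame(frame)[2]
        return vid if vid in self.allowed else None


class AccessPort:
    """Untagged port (switch<->PC): the port's single VID is implied for every frame."""
    def __init__(self, vid: int):
        self.vid = vid

    def ingress(self, frame: bytes) -> Optional[int]:
        """Untagged frames join self.vid; this model drops tagged frames from an end device."""
        return self.vid if parse_frame(frame)[2] is None else None

    def egress(self, frame: bytes) -> Optional[bytes]:
        """Strip the tag so a VLAN-unaware NIC sees a plain frame; other VLANs never leave."""
        dst, src, vid, ethertype, payload = parse_frame(frame)
        if vid != self.vid:
            return None
        return build_frame(dst, src, ethertype, payload)


def firewall_interface_for(frame: bytes, vid_to_ifname: Dict[int, str]) -> Optional[str]:
    """Firewall side of the trunk: demultiplex by VID onto the matching VLAN interface."""
    return vid_to_ifname.get(parse_frame(frame)[2])


if __name__ == "__main__":
    dst = bytes.fromhex("001122334455")          # constructed MAC addresses
    src = bytes.fromhex("66778899aabb")
    guest = ap_uplink_frame("guest", dst, src, b"hello")
    print("tag bytes:", guest[12:16].hex())      # 81000014 -> TPID 0x8100, VID 20
    print("trunk sees VLAN:", TrunkPort([10, 20]).ingress(guest))
    print("access port drops it:", AccessPort(10).ingress(guest))
    print("firewall interface:", firewall_interface_for(guest, {10: "vlan_int", 20: "vlan_guest"}))
```

The model makes the earlier caveat concrete: a device between two trunk ports only has to carry the four tag bytes unchanged for the design to work, while an access port deliberately throws away tags, which is why a guest frame can never surface on the wired internal port.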
Title: Re: Separate Wifi SSIDs via VLAN & Wifi AP recommendations
Post by: marjohn56 on January 06, 2021, 09:27:26 am
;) You don't have to have a power point by the AP with POE injectors, they just need to be in the line to the AP somewhere.
One other thing that needs to be remembered here: once you have one managed switch, anywhere else on the wired network will also require managed switches, unless you can set the VLAN ID on each endpoint, and not all NICs support that.
Title: Re: Separate Wifi SSIDs via VLAN & Wifi AP recommendations
Post by: Asperamanca on January 06, 2021, 01:41:40 pm
I'm not a fan of buying hardware today that I know I'll throw out in two or three years, even if it's the most economical thing to do. So I'd rather find a Wifi solution that I can live with for the coming 5-10 years.

I currently have one Wifi router, and I get some spotty coverage in some rooms. So I think I can either use two APs or one AP and one repeater. Since Wifi coverage goes down in a pretty linear fashion as I increase distance to the router, I think that 1 AP + 1 repeater should do the trick.

It turned out that APs with Wifi-5 + VLAN + WPA2 capability are almost as expensive as the next level (business APs with 10 year warranty and Wifi-5 + VLAN + WPA3). Since I intend to go for quality, that sounds good to me.

So my plan is the following:

Quote from: marjohn56
;) You don't have to have a power point by the AP with POE injectors, they just need to be in the line to the AP somewhere.

I don't think I fully understand this statement. What do you consider a "power point" in this context?

Quote from: marjohn56
One other thing that needs to be remembered here, once you have one managed switch, anywhere else on the wired network will also require managed switches, unless you can set the vlan ID on each endpoint, not all NICs support that.

Will this spell trouble in the above configuration? If I designate the whole (unmanaged) switch to a certain VLAN, won't the firewall be able to treat any incoming and outgoing traffic on that port accordingly?
Title: Re: Separate Wifi SSIDs via VLAN & Wifi AP recommendations
Post by: marjohn56 on January 06, 2021, 01:58:14 pm
I meant you do not need to have a power 'socket' for the POE injector near the WAP, the POE injector can just be anywhere convenient.

Not too sure about your idea of using a trunk port carrying both VLANs and a single port carrying one of the VLANs. Opnsense is a firewall/router, not a managed switch; I also don't think you'll be able to get Opnsense to work with both VLANs on one port and only one of the VLANs on another. You are better off using a managed switch after Opnsense. Take the trunk carrying both VLANs into the switch; another port on the switch needs to be configured as a trunk and you connect that to the WAP. Then one of the other ports on the switch is defined as your primary VLAN (not guest); use that to connect to all your physical devices. The advantage of that is that you can easily expand your system then. Managed 8 port switches are cheap. A D-Link DGS-1100-08 would suffice, that's what I used when I first started with VLANs.
Title: Re: Separate Wifi SSIDs via VLAN & Wifi AP recommendations
Post by: Asperamanca on January 06, 2021, 02:13:50 pm
Yes, managed switches are not that much more expensive. I guess I just hoped for one less device I had to configure...

However, the idea with the PoE injector falls apart in two places:
1) I can't find a PoE injector where the documentation mentions VLAN tags to be maintained
2) I can't find the required voltage in the documentation of the Wifi AP, so I can't use a passive PoE injector with fixed voltage

It seems that every time I feel I got the configuration right, I learn something new...
Back to the drawing table.
Title: Re: Separate Wifi SSIDs via VLAN & Wifi AP recommendations
Post by: Asperamanca on January 06, 2021, 02:24:24 pm
Ok, more research. Trouble is, 8 ports just isn't enough.

So I can use one managed 4 port PoE switch, and one managed 8 port non-PoE switch. Still more devices to configure, but I hope this combination will do the trick.
Title: Re: Separate Wifi SSIDs via VLAN & Wifi AP recommendations
Post by: marjohn56 on January 06, 2021, 02:38:35 pm
Quote from: Asperamanca
Yes, managed switches are not that much more expensive. I guess I just hoped for one less device I had to configure...

However, the idea with the PoE injector falls apart in two places:
1) I can't find a PoE injector where the documentation mentions VLAN tags to be maintained

POE has nothing to do with VLANs, it's merely a way of passing power over the unused cores in an ethernet cable.

Quote from: Asperamanca
2) I can't find the required voltage in the documentation of the Wifi AP, so I can't use a passive PoE injector with fixed voltage

POE is a standard, if the WAP supports POE any POE injector will work. The only difference is POE+, which is a higher power version, usually used for higher load devices such as loudspeakers.

Look at something like the TP-Link EAP225, it comes with a POE injector too.
Title: Re: Separate Wifi SSIDs via VLAN & Wifi AP recommendations
Post by: Asperamanca on January 06, 2021, 03:11:02 pm
Quote from: marjohn56
POE has nothing to do with VLANs, it's merely a way of passing power over the unused cores in an ethernet cable

How can I know that a PoE injector isn't really an unmanaged PoE switch internally, if the specifications don't tell me?

Quote from: marjohn56
POE is a standard, if the WAP supports POE any POE injector will work. The only difference is POE+ which is a higher power version, usually used for higher load devices such as loudspeakers.

All the cheap PoE injectors I found are "passive". I read elsewhere that those injectors don't really fulfill the standard, but just provide a fixed voltage on a single port, and that's it. So I would have to know the required voltage.
The PoE injectors fulfilling the standard are not much cheaper than small managed PoE switches.

Quote from: marjohn56
Look at something like the TP-Link EAP225, it comes with a POE injector too.

The PoE injector doesn't seem to be part of the package, but at least they specify the voltage. Might be an alternative...
Title: Re: Separate Wifi SSIDs via VLAN & Wifi AP recommendations
Post by: marjohn56 on January 06, 2021, 03:19:36 pm
If you look at the EAP-225 it says, 802.3af POE or 24v Passive; it will accept either 802.3af, which is industry standard 48v+, or 24v Passive POE.

No inline POE injectors are switches, they are all passive. As a sidenote, I have a number of POE injectors, some are 48v, some are 24v.

Passive PoE is 24v and is either on or off, so no autosensing on ports.

802.3af/at is 48v and is autosensing, so it will only turn the power on if it detects a PoE device connecting to it.

If you go to https://www.tp-link.com/uk/business-networking/ceiling-mount-ap/eap225/ there is an image of the EAP 225 with a number of thumbnails underneath; if you select the 6th thumbnail it will show you what's in the box... one of those things is a POE injector.
Title: Re: Separate Wifi SSIDs via VLAN & Wifi AP recommendations
Post by: Mks on January 06, 2021, 04:06:46 pm
Hi,

Quote
So my plan is the following:

    Deciso 3-port Firewall running OPNsense
    Wifi-AP with PoE injector connected directly to firewall ("trunk" port)
    Wifi-Repeater to improve coverage
    Unmanaged switch connected directly to firewall ("internal VLAN" port, so all devices connected to it belong to the internal VLAN)

I've never heard anything positive when it comes to WIFI-Repeater.
I would rather go for 2xAP configured via dedicated controller. So my recommendation for your (home) setup is:

br
Title: Re: Separate Wifi SSIDs via VLAN & Wifi AP recommendations
Post by: marjohn56 on January 06, 2021, 04:08:24 pm
Hi,

Quote
So my plan is the following:

    Deciso 3-port Firewall running OPNsense
    Wifi-AP with PoE injector connected directly to firewall ("trunk" port)
    Wifi-Repeater to improve coverage
    Unmanaged switch connected directly to firewall ("internal VLAN" port, so all devices connected to it belong to the internal VLAN)

I've never heard anything positive when it comes to WIFI-Repeater.
I would rather go for 2xAP configured via dedicated controller. So my recommendation for your (home) setup is:

  • Firewall at least with 3 ports
  • 8 port managed Switch (VLAN capable) with 4 PoE ports
  • WIFI controller software or small appliance with PoE
  • 2xAP connected to the Switch (no configuration needed, this is done with the controller)

br
Title: Re: Separate Wifi SSIDs via VLAN & Wifi AP recommendations
Post by: Asperamanca on January 06, 2021, 05:18:29 pm
Quote from: Mks
I've never heard anything positive when it comes to WIFI-Repeater.
I would rather go for 2xAP configured via dedicated controller.

We're talking about extending the Wifi range by about 6m (maybe less if the new AP is better, and better positioned). If this is not a case for a repeater, I don't know what is.

Trouble is, existing cabling limits my positioning options for the second AP. So what's better: An ideally positioned repeater, or a non-optimally positioned AP?

Is an AP with a "controller" mode the same as having a separate controller and two APs?

I think I'll start with a single AP and see what I can do by positioning, then I'll add stuff when and if needed.
Title: Re: Separate Wifi SSIDs via VLAN & Wifi AP recommendations
Post by: Mks on January 06, 2021, 05:37:25 pm
Quote
We're talking about extending the Wifi range by about 6m (maybe less if the new AP is better, and better positioned). If this is not a case for a repeater, I don't know what is.
Try those Long Range APs, maybe this will fix your issue.
Personal opinion, avoid whenever possible the repeater.

Quote
Trouble is, existing cabling limits my positioning options for the second AP. So what's better: An ideally positioned repeater, or a non-optimally positioned AP?
Only God knows ;)

Quote
Is an AP with a "controller" mode the same as having a separate controller and two APs?
Usually all the APs can also be configured without controller. The controller just reduces the effort when it comes to managing multiple APs. There are some additional feature like captive portal etc ... but this is another story.

br
Title: Re: Separate Wifi SSIDs via VLAN & Wifi AP recommendations
Post by: Asperamanca on January 06, 2021, 10:13:05 pm
Thank you all for your valuable input! I certainly learned a lot in this thread (and doing research because of points you raised).