OPNsense Forum

English Forums => General Discussion => Topic started by: toxic on April 07, 2021, 11:21:00 pm

Title: several interfaces on different vlans but same subnet ?
Post by: toxic on April 07, 2021, 11:21:00 pm
Maybe I just did not understand, but I'm facing an issue where cross-VLAN communication is being difficult simply because my 2 computers are not on the same subnet...

I have VLAN10 using 10.0.10.0/24 and VLAN30 using 10.0.30.0/24

I would like to have each device believe they are part of 10.0.0.0/16 while in fact I can use fw rules to restrict each VLAN to its matching /24.

Right now, I can pass and filter traffic between the 2 VLANs as I want since, except on my OPNsense router, both VLANs are entirely separate.

But OPNsense does not allow me to serve DHCP on a subnet that the interface is not part of (like keep OPNsense on the /24 but tell the DHCP clients they are on /16), and I believe I'll face other issues if I set the 2 VLAN interfaces in OPNsense to be on the same subnet...

The end goal behind that is, for example, that Windows devices on these 2 VLANs believe they are on the same subnet and therefore are visible in the "network neighborhood", all the while enabling me to say "VLAN10 has no access to internet" while VLAN30 has access to internet.

I got this last part working with 1 subnet per VLAN interface, which breaks the Windows network discovery (I've tried WS-Discovery, NetBIOS, WINS, Samba master browser; I'm just not ready to set up a Windows server with AD just for that...)

Is what I'm considering a real option (having 2 interfaces on the same subnet and "routing" between them)?
If yes, some guidance on how to do it would be nice! (static routes for each /24?)

Thanks in advance for any help !
Title: Re: several interfaces on different vlans but same subnet ?
Post by: Patrick M. Hausen on April 08, 2021, 12:44:40 am
This is not how IP works. One broadcast domain (VLAN) - one subnet. All devices in one subnet must share the same prefix and prefix length (subnet mask). Traffic from one subnet to another one must be routed.

If you bridge, it's all one single broadcast domain. One subnet, one address range, one subnet mask.

That's just how it works.
Title: Re: several interfaces on different vlans but same subnet ?
Post by: toxic on April 08, 2021, 01:58:23 pm
Thank you for your kind reply.

From your answer I understand that I need to bridge the VLANs and have only one broadcast domain.

Maybe a last idea I have would be to have one broadcast domain that includes another one, but given your explanation I believe this would also not work. The idea here would be to have all devices on VLAN1 10.0.0.0/16 and some devices on VLAN2 10.0.20.0/24.
But if I understand, it will not make devices on the /16 believe they are on the same broadcast domain as those on the /24.

I'll just have to rethink and simplify even more to reduce the number of VLANs since in the end I don't really need to separate my WiFi devices from my wired devices, especially if it breaks the Windows network discovery...

I'm thinking about merging/removing the VLANs since my understanding is that once they are bridged there is no obvious way to distinguish which VLAN a device comes from, so no assigning a DHCP IP range per VLAN or even fw rules per VLAN...
Title: Re: several interfaces on different vlans but same subnet ?
Post by: Patrick M. Hausen on April 08, 2021, 03:37:20 pm
Exactly. You cannot have overlapping networks, either, like 10.0.20.0/24 and 10.0.0.0/16.
Networks on different interfaces must be disjoint.
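The two rules stated in this thread (one subnet per interface, interface subnets must not overlap, and two hosts only treat each other as on-link when both see the other inside their own prefix) can be checked mechanically before committing an interface layout. The following is an added example, not code from the forum or from OPNsense; it uses Python's standard `ipaddress` module and a constructed VLAN table based on the addresses mentioned above. It also shows why the "/16 on VLAN1, /24 on VLAN2" idea fails: the on-link test is asymmetric, so the /16 host thinks the /24 host is local while the /24 host does not.

```python
import ipaddress
from itertools import combinations

# Constructed interface table (VLAN name -> subnet assigned on the router),
# using the prefixes from the thread.
ORIGINAL_LAYOUT = {"VLAN10": "10.0.10.0/24", "VLAN30": "10.0.30.0/24"}
OVERLAPPING_LAYOUT = {"VLAN1": "10.0.0.0/16", "VLAN2": "10.0.20.0/24"}


def find_overlaps(interfaces):
    """Return every pair of interface names whose subnets overlap.

    A router cannot have overlapping prefixes on different interfaces:
    a destination inside the smaller prefix would match both, and only
    longest-prefix match decides which interface wins.
    """
    nets = {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in interfaces.items()}
    return [
        (a, b)
        for a, b in combinations(sorted(nets), 2)
        if nets[a].overlaps(nets[b])
    ]


def on_link(host_a, host_b):
    """True only if each host considers the other directly reachable.

    Each host decides "local or via gateway" from its own address/prefix,
    so both directions must agree; otherwise replies go through the router
    and neighbour discovery (broadcast-based) cannot work end to end.
    """
    a = ipaddress.ip_interface(host_a)
    b = ipaddress.ip_interface(host_b)
    return b.ip in a.network and a.ip in b.network


def egress_interface(interfaces, destination):
    """Longest-prefix match: which interface the router would send to.

    Shows the ambiguity overlapping layouts introduce: a host in the /24
    is reachable only via the /24 interface, never via the enclosing /16.
    """
    dst = ipaddress.ip_address(destination)
    best = None
    for name, cidr in interfaces.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0] if best else None


def validate_layout(interfaces):
    """Return a list of human-readable problems with an interface layout."""
    problems = []
    for a, b in find_overlaps(interfaces):
        problems.append(f"{a} ({interfaces[a]}) overlaps {b} ({interfaces[b]})")
    return problems


if __name__ == "__main__":
    print("original layout problems:", validate_layout(ORIGINAL_LAYOUT))
    print("overlapping layout problems:", validate_layout(OVERLAPPING_LAYOUT))
    print("10.0.10.5/24 <-> 10.0.30.5/24 on-link:", on_link("10.0.10.5/24", "10.0.30.5/24"))
    print("10.0.10.5/16 <-> 10.0.30.5/24 on-link:", on_link("10.0.10.5/16", "10.0.30.5/24"))
    print("router sends 10.0.20.7 out of:", egress_interface(OVERLAPPING_LAYOUT, "10.0.20.7"))
```

Running it reports no problems for the two disjoint /24s, flags the /16 + /24 layout as overlapping, and shows that a /16 host and a /24 host do not agree on being on-link, which is exactly why the Windows discovery traffic in the thread cannot cross the VLAN boundary without bridging.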