OPNsense Forum

English Forums => General Discussion => Topic started by: BathToast on September 08, 2022, 06:04:28 am

Title: Best Practices with VLANs, which to assign to LAN Interface?
Post by: BathToast on September 08, 2022, 06:04:28 am
Hey all,

So I'm going about and planning on tidying up some networking rules and cutting over to using my VLANs on my network, as currently I'm just using a classic untagged VLAN1 for everything in 192.168.1.x for my network.

However I have a series of VLANs set aside with various IDs (10, 20, 30, 40, 50, etc.) which are all /24 networks using their VLAN ID as the third octet value.

Though generally speaking I have a question about the security of things: Which VLAN should be the "LAN" interface in OPNsense? Currently it's VLAN_1, and the others are optional interfaces being trunked to my Cisco switch which holds my servers and other things.

So the question stands: what should I set as my default LAN, should I set any of them as the LAN interface? Should I just leave it as VLAN1 so that should anything go belly up I can just easily plug into a port and be able to jump into the router?

I know I'm still learning OPNsense and some elements of networking, so bear with me.

Also a bit of a silly question, but I just want to make sure I have this right in my head: if my device on the 192.168.40.x VLAN reaches out to the router on 192.168.40.1, the router/firewall then sends that directly out to the WAN interface, correct? Or does it need to route it to the interface assigned as the LAN interface, which then sends it to WAN? Or do the optional interfaces have the ability to go straight to WAN?

Anything would be helpful. Once I've got this nailed down I think I'll be off to the races.
Title: Re: Best Practices with VLANs, which to assign to LAN Interface?
Post by: bartjsmit on September 08, 2022, 07:58:32 am
I don't tag my LAN traffic. A select few devices (IoT, guest WiFi) get tagged and firewalled (mostly) to WAN. Apply the KISS principle ;)

192.168.40.1 and WAN are firewall interfaces. If the destination for the traffic is outside, OPNsense will route the traffic from VLAN 40 to WAN and the return traffic back to the source.

Bart...
Title: Re: Best Practices with VLANs, which to assign to LAN Interface?
Post by: BathToast on September 08, 2022, 11:42:04 am
Many thanks Bart. Suppose you've got a point there! I'm currently dialing back the network a bit to specific VLANs until I'm more familiar, but I'm getting some issues where I can access things I shouldn't be able to access between VLANs!
Title: Re: Best Practices with VLANs, which to assign to LAN Interface?
Post by: bartjsmit on September 08, 2022, 03:01:34 pm
Make sure you don't have any 'leaks'. I.e. all VLAN tags are managed by your switches and/or your virtual switches in your hypervisors.
Title: Re: Best Practices with VLANs, which to assign to LAN Interface?
Post by: twintailterror on September 15, 2022, 05:58:47 am
Make sure you don't have any 'leaks'. I.e. all VLAN tags are managed by your switches and/or your virtual switches in your hypervisors.

My VLANs are made and managed by OPNsense itself and DHCP'd across the VLAN to the other stuff.
I'm having a heck of an issue with the VLAN rules though; I either get all internet + talk to all VLANs, or nothing at all.
I need to see one set up via a picture. Don't suppose we can share pics here?
Title: Re: Best Practices with VLANs, which to assign to LAN Interface?
Post by: bartjsmit on September 15, 2022, 12:17:05 pm
my vlans are made and managed by opnsense itself  and dhcp'd across the vlan.
All devices along your path; (v)switch, access point, etc. need to use the same VLAN tag to be able to transfer packets between them. You can trunk different tags over the same physical link, but you do need to declare the same VLAN number(s) at both ends.

There are a few image sharing and on-line diagram sites that you can link to.

Bart...
Title: Re: Best Practices with VLANs, which to assign to LAN Interface?
Post by: twintailterror on September 15, 2022, 07:46:47 pm
my vlans are made and managed by opnsense itself  and dhcp'd across the vlan.
All devices along your path; (v)switch, access point, etc. need to use the same VLAN tag to be able to transfer packets between them. You can trunk different tags over the same physical link, but you do need to declare the same VLAN number(s) at both ends.

There are a few image sharing and on-line diagram sites that you can link to.

Bart...

https://ibb.co/PY6pZzQ   assignments
https://ibb.co/kQMMs0J   LAN DHCP setup
https://ibb.co/x2TqJy8   LAN DHCP setup pt2
https://ibb.co/s20kVgh   LAN interface setup p1
https://ibb.co/ZhdwkTQ   mom firewall rule 1
https://ibb.co/R0FB5fs   LAN firewall rule 1

Here is the OG post I made: https://forum.opnsense.org/index.php?topic=30303.0

That shows all my settings.

To be fair it's mostly stock. I'm still having issues with how to do the rules though, blocking order and such. Even if it's a fake VLAN, can you set something up similar so I can see how it should look? (Also my VLANs are correct, no worries; front to back they get DHCP.) My issue is they are "open" and I want to block them off

so they cannot see each other, ping each other or anything else,
minus the server that has 1 IP open
and the cams that have 1 IP open to view cameras. I'd like to use local DNS or some kind of thing for "jellyfin" and "security".

I'm just beyond stuck and nobody I know uses this or VLANs ;/


Title: Re: Best Practices with VLANs, which to assign to LAN Interface?
Post by: dudeman2009 on September 23, 2022, 07:58:47 pm
I'm just going to go start to finish, so bear with me if I am just going on about things you already know or have set up. I see a lot of confusion on various subreddits about VLANs and their setup.

The interface assignments look fine. Rules are applied on the interface they sit on, as traffic enters that interface (inbound). So a device on your LAN will be filtered by rules on the LAN interface. For your VLANs you allow or block traffic from the net into the firewall interface on their respective tabs. To allow the server VLAN access to the internet but not, say, seccam, you would put allow/block rules on the server VLAN only. No need to put rules anywhere else for the server VLAN, the only exception being floating rules, but they aren't needed for a basic setup.

As for the VLANs, I assume you are using a switch, not just a bunch of interfaces on the firewall. You need to set up VLANs on the switch. The attached picture for example is my main switch; I have VLANs set up for those I am actually using currently. I am in the process of reconfiguring my network and in order to add another VLAN on the firewall I must log in to the switch and add it here. Otherwise the switch will not tag anything and you will only see untagged traffic entering the firewall, and it will also allow traffic between untagged ports on the switch, or trunk ports where untagged traffic is allowed. Some switches also have the ability to route VLANs internally; you'll not want to enable this. It should be disabled by default, but it will completely bypass the firewall if enabled.

I think you mentioned this already being set up, which prevents inter-VLAN routing on the switch itself; it must traverse the firewall. It doesn't have to exit and enter the WAN, just enter the VLAN interface and travel to the next. As far as the default VLAN for LAN: I don't use VLAN1 for anything, but I have never seen VLAN hopping happen outside a testing lab.
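To make the two points in this thread concrete (rules belong on the tab of the interface the traffic enters, and first match wins, so an unconditional "allow" placed above a "block private networks" rule silently shadows it and produces the "all or nothing" symptom described earlier), here is an added example, not code from any poster or from OPNsense itself. It is a small first-match evaluator that mimics how OPNsense applies an interface's rule list to inbound traffic. The VLAN names, subnets, hosts (a Jellyfin server on 192.168.20.10, an NVR on 192.168.30.5) and ports are constructed assumptions for illustration only.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not from the thread or OPNsense): a first-match rule evaluator
# that mimics how OPNsense applies the rules on an interface tab to traffic
# ENTERING that interface. Subnets, hosts, ports and VLAN names below are
# constructed assumptions for illustration only.

PRIVATE_NETS = "rfc1918"  # alias name resolved in Rule.matches()
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    dst: Optional[str] = None      # CIDR, the alias "rfc1918", or None for any
    proto: Optional[str] = None    # None for any protocol
    dport: Optional[int] = None    # None for any port
    comment: str = ""

    def matches(self, flow: Flow) -> bool:
        if self.proto is not None and self.proto != flow.proto:
            return False
        if self.dport is not None and self.dport != flow.dport:
            return False
        if self.dst is None:
            return True
        dst_ip = ipaddress.ip_address(flow.dst)
        if self.dst == PRIVATE_NETS:
            return any(dst_ip in net for net in RFC1918)
        return dst_ip in ipaddress.ip_network(self.dst)


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First match wins (OPNsense rules are 'quick' by default); no match means block."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.comment
    return "block", "default deny"


# Rules live on the interface the packet ARRIVES on. Assumed layout:
#   VLAN 10 "LAN"    192.168.10.0/24
#   VLAN 20 "SERVER" 192.168.20.0/24, Jellyfin on .10
#   VLAN 30 "SECCAM" 192.168.30.0/24, NVR on .5
# The firewall is .1 on each VLAN.
RULES = {
    "LAN": [
        Rule("pass", dst="192.168.10.1/32", comment="this firewall (DNS/DHCP/GUI)"),
        Rule("pass", dst="192.168.20.10/32", proto="tcp", dport=8096, comment="Jellyfin only"),
        Rule("pass", dst="192.168.30.5/32", proto="tcp", dport=554, comment="camera streams only"),
        Rule("block", dst=PRIVATE_NETS, comment="no other inter-VLAN traffic"),
        Rule("pass", comment="anything left is the internet"),
    ],
    "SERVER": [
        Rule("pass", dst="192.168.20.1/32", comment="this firewall"),
        Rule("block", dst=PRIVATE_NETS, comment="server may not initiate to other VLANs"),
        Rule("pass", comment="internet"),
    ],
    "SECCAM": [
        Rule("pass", dst="192.168.30.1/32", proto="udp", dport=53, comment="DNS on the firewall"),
        Rule("block", comment="cameras get nothing else, not even internet"),
    ],
}

# The "all or nothing" symptom: an unconditional pass placed first shadows the block below it.
WRONG_ORDER = [
    Rule("pass", comment="meant as 'internet' but matches everything"),
    Rule("block", dst=PRIVATE_NETS, comment="never reached"),
]


def decide(iface: str, flow: Flow) -> str:
    return evaluate(RULES[iface], flow)[0]


if __name__ == "__main__":
    lan_host = "192.168.10.50"
    checks = [
        ("LAN", Flow(lan_host, "8.8.8.8", "tcp", 443)),
        ("LAN", Flow(lan_host, "192.168.20.10", "tcp", 8096)),
        ("LAN", Flow(lan_host, "192.168.20.10", "tcp", 22)),
        ("LAN", Flow(lan_host, "192.168.30.5", "tcp", 554)),
        ("SECCAM", Flow("192.168.30.5", lan_host, "tcp", 445)),
        ("SECCAM", Flow("192.168.30.5", "1.1.1.1", "udp", 53)),
    ]
    for iface, flow in checks:
        action, why = evaluate(RULES[iface], flow)
        print(f"{iface:6} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {action} ({why})")
    print("wrong order, LAN -> SECCAM:", evaluate(WRONG_ORDER, Flow(lan_host, "192.168.30.5", "tcp", 22)))
```

Two practical notes when translating this to the real GUI: OPNsense is stateful, so only the initiating direction needs a pass rule (the camera stream replies come back through the state, which is why the SECCAM tab does not need a rule for LAN clients), and the block-RFC1918 rule must sit below the specific passes and above the catch-all pass, otherwise it either blocks the exceptions or is never reached. A quick way to check what is actually loaded is Firewall > Diagnostics > pfInfo, or the live log with the rule's description filled in.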