OPNsense Forum
English Forums => General Discussion => Topic started by: lmnsour on November 20, 2022, 08:34:09 pm
-
Hi, I have a 6 port firewall PC. How do i configure Opnsense to allow PCs on seperate Lan ports discovery each other in Windows Network?
-
Would I need to bridge all the LAN ports together?
-
Im still new at this and would appreciate any help. Attached is my network map. The issue is my laptop can see all the other devices connected through the wifi access point but I can't see any device connected through a different LAN Port on the Opnsense firewall PC.
I just added the OMV NAS and I'm trying to share the drive across all the ports. Thanks.
-
If you do not want to isolate your PCs from each other but simply have a "flat" network, then yes, a LAN bridge is the way to go. Don't expect too much performance-wise, though. OPNSense is not a switch and you might be better off getting a cheap but reliable gigabit switch and only connect one OPNsense LAN port.
The LAN bridge is documented here:
https://docs.opnsense.org/manual/how-tos/lan_bridge.html
-
If you do not want to isolate your PCs from each other but simply have a "flat" network, then yes, a LAN bridge is the way to go. Don't expect too much performance-wise, though. OPNSense is not a switch and you might be better off getting a cheap but reliable gigabit switch and only connect one OPNsense LAN port.
The LAN bridge is documented here:
https://docs.opnsense.org/manual/how-tos/lan_bridge.html
Ahh, thanks! I'm trying to keep it to the firewall 2.5Gbps ports (both PC and NAS are 2.5).
I'll see if I can snag a cheap 2.5Gbps port this black Friday. If not, I'll give my hand at bridging the ports. It's an i7 1165G7 so it's not a slow PC as far firewall standards go.
-
Here's what I'm looking at for switches:
I'm leaning towards the TP-link
https://www.amazon.com/gp/product/B08ZHGT2ZP/ref=ox_sc_act_title_3?smid=ATVPDKIKX0DER&th=1
The Netgear is another option:
https://www.amazon.com/gp/product/B0BGYS9BKY/ref=ox_sc_act_title_2?smid=ATVPDKIKX0DER&th=1
TRENDnet budget option (as "budget" as I want to go)
https://www.amazon.com/gp/product/B08XWK4HNT/ref=ox_sc_act_title_1?smid=ATVPDKIKX0DER&th=1
-
If you do not want to isolate your PCs from each other but simply have a "flat" network, then yes, a LAN bridge is the way to go. Don't expect too much performance-wise, though. OPNSense is not a switch and you might be better off getting a cheap but reliable gigabit switch and only connect one OPNsense LAN port.
The LAN bridge is documented here:
https://docs.opnsense.org/manual/how-tos/lan_bridge.html
Ahh, thanks! I'm trying to keep it to the firewall 2.5Gbps ports (both PC and NAS are 2.5).
I'll see if I can snag a cheap 2.5Gbps port this black Friday. If not, I'll give my hand at bridging the ports. It's an i7 1165G7 so it's not a slow PC as far firewall standards go.
Will the MDNS plug-in work?
-
mDNS didn't work and UDP Broadcast Relay didn't work (port 445). I'd really like to avoid purchasing a $120 switch.
-
Just create a LAN bridge then following the documentation.
-
Just create a LAN bridge then following the documentation.
I'll look it over tonight. That will be plan B but I'd like to try UDP Broadcase Relay a little more. Plan C would be a switch.
-
Ok, I'm reading through a lot of things and my eyes are crossing. Its hard to read "tutorails" for Opnsense when they assume you have an advanced working knowledge of what you're doing.
Option A (UDP Broadcast)
This looks like the best option (and easiest - I don't want to give up on this yet) as I can keep my traffic shaping / Zen armor policies. Once enabled, are there other policies / firewall rules that I need to set to make it work?
Option B (LAN bridge): I need to create a bridge for LAN port 1, 2, and 3.
Once I setup the bridge, how do I setup QoS / traffic shaping to prioritize LAN port 2 (PC) first, followed by LAN Port 3 (OMV NAS), and lastly LAN Port 1 (Wifi Access point).
I have two separate Zenarmor policies for LAN Port 1 and 2. When I make a bridge, will these policies still be valid or will I have to reconfigure?
Option C (Network Switch): Similar issues: How do I setup QoS and Zenarmor policies?
Is there a Opnsense Discord where I can talk through some of these concerns?
Thanks again for the help!
-
If you setup the LAN bridge the devices will be able to communicate with each other as if they were connected with a switch. The OPNsense does not have any say in that part of the communication.
As soon as any device communicates with something that is on another interface (WAN probably) of the OPNsense you can of course apply QoS, Zenarmor, etc. based on the devices IP address or MAC address. You cannot setup policy per port because you have only one LAN "port" (the bridge).
But that's how it's supposed to work.
-
If you setup the LAN bridge the devices will be able to communicate with each other as if they were connected with a switch. The OPNsense does not have any say in that part of the communication.
As soon as any device communicates with something that is on another interface (WAN probably) of the OPNsense you can of course apply QoS, Zenarmor, etc. based on the devices IP address or MAC address. You cannot setup policy per port because you have only one LAN "port" (the bridge).
But that's how it's supposed to work.
Zenarmor is easy enough to configure based on MAC. Its pretty user friendly. Opnsense is not. Even their tutorial does not show to to configure QoS via MAC / IP. I'll look it over when I get home tonight.
I'm still stumped on the UDP Broadcast Relay and why thats not working. Everywhere I've read says that its just enable and go. I'll post a screen shot of how I have it enabled tonight.
-
Do you have "permit all in" rules on all your LAN ports? If yes, what's the point of not using a LAN bridge? If no, you need to explicitly permit all traffic you want to relay via UDP Broadcast Relay. Simply enabling the function does not change the firewall rules.
-
Do you have "permit all in" rules on all your LAN ports? If yes, what's the point of not using a LAN bridge? If no, you need to explicitly permit all traffic you want to relay via UDP Broadcast Relay. Simply enabling the function does not change the firewall rules.
Yes, I have the Permit all rule for all ports. No other firewall rules for the lan ports.
I'm not against a LAN bridge, I just want to try the UDP Broadcast first.
I don't know how to configure QoS via MAC (yet, I'm looking) and I'd rather not load the CPU unnecessarily. But yes, if I can't get the UDP Broadcast to work, I'll go ahead and bridge the ports.
-
Thinking out loud here...
In bridged mode, I can't assign an IP address to the individual LAN ports, correct? So for flow control, I would have to set policies off the IP address of the client which would require static IP addresses.
-
Correct. You csn use MAC addresses to identify the clients.
-
Correct. You csn use MAC addresses to identify the clients.
Are you just mocking me now?
-
No. If you build a LAN bridge you have only a single LAN interface. You turn all ports that are memberd of the bridge into a switch. Switch is just a fancy word for bridge.
So you can either use static assignments in your DHCP config and the IP addresses to identify clients or the clients' MAC addresses where possible. Firewall rules for example permit this.
-
No. If you build a LAN bridge you have only a single LAN interface. You turn all ports that are memberd of the bridge into a switch. Switch is just a fancy word for bridge.
So you can either use static assignments in your DHCP config and the IP addresses to identify clients or the clients' MAC addresses where possible. Firewall rules for example permit this.
Shaper rules don't have the ability to use MAC as destination or source. I don't see how I can create a policy for just one PC.
-
Can they use IP addresses at least? Then you can set static DHCP leases.
-
I was thinking that. I'll try it tonight, thanks.
-
I was thinking that. I'll try it tonight, thanks.
So I created two pipes, both at full bandwidth (300Mbps) and two queues; one with a weight of 100 and the other with the weight of 50.
For rules, I made a rule for my PC IP address (for the 100 weight queue) and the second rule I used the inverted function "Not the PC IP".
Seems to be working.