OPNsense Forum

English Forums => General Discussion => Topic started by: rama3124 on January 24, 2023, 11:53:25 am

Title: Separate VLAN for IOT network
Post by: rama3124 on January 24, 2023, 11:53:25 am
Hi,
I'm new to OPNsense and have a very simple network with no switches and OPNsense running on a mini PC connected to an Asus 86u as access point (+ an Asus 68u as an added mesh point). I have about 20 IOT clients including smart light bulbs, a Xiaomi gateway with child clients, a ConBee Zigbee gateway with child clients and also a Kodi media server + Home Assistant server. I want these components to be blocked from contacting my phones and laptops, so I wish to set up two VLANs for trusted and non-trusted clients.

I don't really understand how to configure the VLANs as some of my non-trusted clients connect via ethernet to the access point while others connect via Wifi. Do I have to have all the IOT components connected to the same Wifi SSID for this to work? If not, how can I separate the components into the two VLANs? Also, from what I understand the Asus AC86u is a pain to set up VLANs on, so I plan to purchase some Unifi access points. Do I have to do this or can I get away with keeping my current setup?

Thanks in advance
Title: Re: Separate VLAN for IOT network
Post by: Patrick M. Hausen on January 24, 2023, 12:44:54 pm
You need an access point that supports multiple SSIDs and can map these to individual VLANs. Then you can connect this AP to your OPNsense via a so-called "trunk port" that carries all the VLANs and configure the VLAN interfaces and respective policies in OPNsense.
Title: Re: Separate VLAN for IOT network
Post by: Demusman on January 24, 2023, 02:36:19 pm
To add, you'll need a VLAN-capable switch also.
You did say some devices are wired.
Title: Re: Separate VLAN for IOT network
Post by: Patrick M. Hausen on January 24, 2023, 02:42:35 pm
Given enough free ports on the OPNsense device you can build a port-based VLAN with a bridge interface.
Title: Re: Separate VLAN for IOT network
Post by: rama3124 on January 24, 2023, 10:01:45 pm
Given enough free ports on the OPNsense device you can build a port-based VLAN with a bridge interface.

This idea appeals to me since I have a quad NIC and am currently only using two ports (LAN and WAN). Does this mean I need separate access points for the IOT and trusted networks though?

Thanks
Title: Re: Separate VLAN for IOT network
Post by: rama3124 on January 24, 2023, 10:11:40 pm
Also, until I purchase the new access points and switches, is there an option to make a firewall rule blocking all communication from my non-trusted devices to my trusted devices? I only have two laptops and two phones, so couldn't I just make aliases for the trusted IPs and non-trusted IPs and only allow one-way communication from trusted to non-trusted? What are the disadvantages of this versus VLANs? Thanks again for the help
Title: Re: Separate VLAN for IOT network
Post by: meyergru on January 24, 2023, 10:25:29 pm
The communication on the same VLAN is not regulated by the firewall, because they are in the same network and there is no routing, UNLESS the switch or APs provide client isolation. That is a feature you will usually find only when the infrastructure also supports VLANs.

The systematic approach is to categorize devices and put them in separate VLANs and regulate communications between the categories, not between individual clients.
Title: Re: Separate VLAN for IOT network
Post by: Demusman on January 24, 2023, 10:52:00 pm
Given enough free ports on the OPNsense device you can build a port-based VLAN with a bridge interface.

This idea appeals to me since I have a quad NIC and am currently only using two ports (LAN and WAN). Does this mean I need separate access points for the IOT and trusted networks though?

Thanks

Keep in mind, a bridge is not a switch.
What you want is switching, so get a switch.
Title: Re: Separate VLAN for IOT network
Post by: Patrick M. Hausen on January 24, 2023, 11:25:51 pm
A bridge is a switch and a switch is a bridge: a device that makes forwarding decisions based on layer 2 information. A layer 3 switch is a router: a device that makes forwarding decisions based on layer 3 information.

An Odroid with 4 interfaces bridged for LAN and 1 interface for WAN is a four port switch and a router/firewall at the same time.

I refer you to Ms. Radia Perlman if you don't believe me. She invented spanning tree.

https://books.google.de/books/about/Interconnections.html?id=AIRitf5C-QQC&redir_esc=y
Title: Re: Separate VLAN for IOT network
Post by: Demusman on January 24, 2023, 11:41:49 pm
A switch is a bridge, but a bridge is definitely not a switch. Especially in FreeBSD.
Title: Re: Separate VLAN for IOT network
Post by: Patrick M. Hausen on January 25, 2023, 12:03:48 am
He wants a couple of ports in a single broadcast domain without buying another device. Also I definitely fail to see the difference of a FreeBSD system with e.g. 4 bridged gigabit interfaces and an unmanaged 4 port gigabit switch.
Title: Re: Separate VLAN for IOT network
Post by: Demusman on January 25, 2023, 12:42:09 am
A bridge is designed to connect 2 network segments. When a packet arrives at the bridge, if it's destined for that side of the bridge, no problem. If it isn't destined for that side, it sends it on, hoping it gets to the destination.
A switch is designed to connect devices to a network. It knows what device is where, so it knows where to send a packet.
If a bridge was a switch it would be called a switch. There would be no bridges. Got any hubs in your network???
No, I wonder why?

As for FreeBSD, and I should've specified pf, when you have a bridge, every packet through that bridge still gets inspected. So if you have a powerful enough processor, no problem. If not, you're gonna take a huge performance hit.
When you want switching, use a switch. That's why they make them.
Title: Re: Separate VLAN for IOT network
Post by: Patrick M. Hausen on January 25, 2023, 04:26:37 am
A bridge can have more than 2 ports. A multiport bridge is commonly called a switch. Read up on network basics. You can bridge 4 ports, then you have a 4 port unmanaged switch. You can disable filtering on the bridge members - and should.

The FreeBSD bridge has had a more than five-fold increase in performance and is multithreaded now, thanks to the work of Kristof Provost sponsored by the FreeBSD Foundation.
Title: Re: Separate VLAN for IOT network
Post by: lilsense on January 25, 2023, 05:50:54 am
A multiport bridge may be a hub, but not a switch. A switch has a MAC table; a hub does not.
Title: Re: Separate VLAN for IOT network
Post by: Patrick M. Hausen on January 25, 2023, 07:17:21 am
I'm out. I linked to a book that clearly defines those concepts.
Title: Re: Separate VLAN for IOT network
Post by: rama3124 on January 25, 2023, 08:36:10 am
The communication on the same VLAN is not regulated by the firewall, because they are in the same network and there is no routing, UNLESS the switch or APs provide client isolation. That is a feature you will usually find only when the infrastructure also supports VLANs.

The systematic approach is to categorize devices and put them in separate VLANs and regulate communications between the categories, not between individual clients.

This makes perfect sense. If I end up getting some UniFi access points, I assume I need to make a few different SSIDs (for trusted and non-trusted) and assign different VLAN tags to these different SSIDs using the UniFi software and then the same tags on OPNsense. Is this correct?
Title: Re: Separate VLAN for IOT network
Post by: Patrick M. Hausen on January 25, 2023, 08:54:30 am
This makes perfect sense. If I end up getting some UniFi access points, I assume I need to make a few different SSIDs (for trusted and non-trusted) and assign different VLAN tags to these different SSIDs using the UniFi software and then the same tags on OPNsense. Is this correct?
Correct.
Title: Re: Separate VLAN for IOT network
Post by: lilsense on January 25, 2023, 03:11:07 pm
I'm out. I linked to a book that clearly defines those concepts.

Books have mistakes in them too. :D

Using your book, Patrick. Looking at page 10:

"... The broadcast storm with IP can incapacitate a LAN. When two LAN are connected with a bridge, the bridge merges the LANs, and the broadcast storm on either LAN will incapacitate both LAN..."

This statement above is true of a hub. A switch, even the dumbest of all, has MAC/port knowledge, which eliminates storms.

Just to clarify, that's all. :D
Title: Re: Separate VLAN for IOT network
Post by: lilsense on January 25, 2023, 03:42:22 pm
The communication on the same VLAN is not regulated by the firewall, because they are in the same network and there is no routing, UNLESS the switch or APs provide client isolation. That is a feature you will usually find only when the infrastructure also supports VLANs.

This needs to be clarified here. The firewall mentioned above is referred to as a Layer 3 firewall. Layer 2 based firewalls have the ability to set MAC-based ACLs that block a particular MAC from communicating on the ethernet frames. Many smart switches have this ability. You can specify which MAC can connect to which port.
Title: Re: Separate VLAN for IOT network
Post by: Patrick M. Hausen on January 25, 2023, 04:01:39 pm
This statement above is true of a hub. A switch, even the dumbest of all, has MAC/port knowledge, which eliminates storms.
A hub is a simple electrical repeater broadcasting every packet out every port, even the unicast ones, without store and forward, and including collisions, thus preserving the CSMA/CD property of Ethernet.

Both a bridge and a switch are, in contrast, store and forward. (Yes, I have heard of cut-through switching; nonetheless switches in 2023 are all full-duplex and collision free. Bridges too.)

A switch does not in any way prevent broadcast storms. Broadcast packets to the FF:FF:FF:FF:FF:FF MAC address are also forwarded out every port. The same is true for multicast packets unless the switch is capable of IGMP snooping.

The reason why I am insisting on these properties is simple: not to prove my experience in networking but because some of the advice given to the OP was plain wrong. He does not need a switch given his OPNsense device has got enough ports.

If he has got e.g. 6 ports on some Odroid or similar, he can use

1 port for WAN
1 port as a trunk to the single access point with multiple SSIDs and VLANs
4 ports bridged with 1 of the VLANs or with different ones for wired devices

This is known to work. Why should he need to buy a switch just to use VLANs between OPNsense and the AP?
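The forwarding behaviour argued about in the posts above (a multiport bridge that learns MAC addresses versus a hub that repeats everything) in a minimal simulation. This is an added example, not code from any poster nor FreeBSD's if_bridge; the port names igb2..igb5 and the MAC addresses are constructed.

```python
# Constructed simulation of a multiport learning bridge next to a hub.
# Port names (igb2..igb5) and MAC addresses are made up for the illustration.
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Repeater: every frame goes out every port except the one it came in on."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, src, dst):
        return {p for p in self.ports if p != in_port}


class LearningBridge(Hub):
    """Multiport bridge (what vendors sell as an unmanaged switch): learns the
    source MAC of every frame and uses that table for unicast forwarding."""

    def __init__(self, ports):
        super().__init__(ports)
        self.mac_table = {}  # MAC -> port it was last seen on

    def forward(self, in_port, src, dst):
        self.mac_table[src] = in_port  # learn where the sender lives
        if dst == BROADCAST or dst not in self.mac_table:
            # Broadcast and unknown unicast are flooded, exactly like a hub;
            # a bridge gives no protection against a broadcast storm.
            return super().forward(in_port, src, dst)
        out = self.mac_table[dst]
        # Known unicast goes to one port only (and never back where it came from).
        return set() if out == in_port else {out}


def demo(device):
    """Replay the same four frames through a hub or a bridge; return the egress sets."""
    a, b, c = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
    return [
        device.forward("igb2", a, b),          # b unknown yet: flooded
        device.forward("igb3", b, a),          # a was learned on igb2
        device.forward("igb2", a, b),          # b was learned on igb3
        device.forward("igb4", c, BROADCAST),  # broadcast: always flooded
    ]


if __name__ == "__main__":
    ports = ["igb2", "igb3", "igb4", "igb5"]
    print("hub:   ", demo(Hub(ports)))
    print("bridge:", demo(LearningBridge(ports)))
```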
Title: Re: Separate VLAN for IOT network
Post by: Demusman on January 25, 2023, 05:06:22 pm
"Why should he need to buy a switch just to use VLANs between OPNsense and the AP?"

Because he wants switching. Use a switch.
Yes the bridge will work but at a huge performance cost.
Again, do you have any hubs in your network?? No, because switches replaced them.
If a bridge was a switch, switches would have replaced them too.
There's a place for bridges, but it's not switching.
Title: Re: Separate VLAN for IOT network
Post by: meyergru on January 25, 2023, 05:06:57 pm
The communication on the same VLAN is not regulated by the firewall, because they are in the same network and there is no routing, UNLESS the switch or APs provide client isolation. That is a feature you will usually find only when the infrastructure also supports VLANs.

This needs to be clarified here. The firewall mentioned above is referred to as a Layer 3 firewall. Layer 2 based firewalls have the ability to set MAC-based ACLs that block a particular MAC from communicating on the ethernet frames. Many smart switches have this ability. You can specify which MAC can connect to which port.

I think I already made that distinction clear, as "firewall" implicitly meant OPNsense - which is on level 3 - and my comment was directed at this:

Also, until I purchase the new access points and switches, is there an option to make a firewall rule blocking all communication from my non-trusted devices to my trusted devices? I only have two laptops and two phones, so couldn't I just make aliases for the trusted IPs and non-trusted IPs and only allow one-way communication from trusted to non-trusted? What are the disadvantages of this versus VLANs? Thanks again for the help

My point was that "just making client-specific rules on OPNsense" at level 3 would not work without a switch (level 2) prohibiting ARP and direct communication. This, on the other hand, usually can be handled by the same kind of switch that has VLANs anyway, and thus there is a better (i.e. more general) option than the approach @rama3124 presented and asked about.

While smart switches exist that can not only isolate clients on level 2, but also provide some kind of level 3 routing, I would not consider that when I can centrally manage that in OPNsense. I would consider that even less on a client-specific level, because it is way too easy to forget that the whole network configuration is that much decentralised in case something changes. Been there - done that.
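As an added illustration (constructed here, not from any poster and not OPNsense's own code) of the two points made in this thread: alias-based rules on the OPNsense firewall never see traffic between hosts in one broadcast domain, while with separate VLANs a stateful rule set can allow trusted -> IoT and still let the replies back. The addresses, VLAN subnets and alias contents are assumptions.

```python
import ipaddress


class StatefulFirewall:
    """Schematic model of OPNsense/pf behaviour (constructed): trusted -> IoT is
    allowed and creates state; IoT -> trusted passes only as the reply to such a flow."""

    def __init__(self, trusted_alias, iot_alias, connected_nets):
        # Aliases may hold single hosts or whole subnets (a host string becomes a /32).
        self.trusted = [ipaddress.ip_network(x) for x in trusted_alias]
        self.iot = [ipaddress.ip_network(x) for x in iot_alias]
        # Networks the firewall has an interface in: one per VLAN, or one flat LAN.
        self.connected = [ipaddress.ip_network(x) for x in connected_nets]
        self.states = set()  # (src, sport, dst, dport) of flows already permitted

    def decide(self, src, sport, dst, dport):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if any(s in n and d in n for n in self.connected):
            # Same broadcast domain: the hosts ARP for each other and exchange
            # frames directly, so the packet never reaches the router's rules.
            return "bypass"
        if (dst, dport, src, sport) in self.states:
            return "pass-reply"
        if any(s in n for n in self.trusted) and any(d in n for n in self.iot):
            self.states.add((src, sport, dst, dport))
            return "pass-new"
        return "block"


def flat_network():
    """OP's current layout (constructed): laptop and bulb both in 192.168.1.0/24."""
    fw = StatefulFirewall(["192.168.1.10"], ["192.168.1.50"], ["192.168.1.0/24"])
    # The bulb reaches the laptop although the alias rules say it must not.
    return fw.decide("192.168.1.50", 40000, "192.168.1.10", 22)


def vlan_network():
    """Trusted VLAN 192.168.10.0/24 and IoT VLAN 192.168.20.0/24 (constructed)."""
    fw = StatefulFirewall(["192.168.10.0/24"], ["192.168.20.0/24"],
                          ["192.168.10.0/24", "192.168.20.0/24"])
    return [
        fw.decide("192.168.10.10", 50000, "192.168.20.50", 80),   # laptop opens to bulb
        fw.decide("192.168.20.50", 80, "192.168.10.10", 50000),   # bulb's reply to it
        fw.decide("192.168.20.50", 40000, "192.168.10.10", 22),   # bulb initiates: dropped
        fw.decide("192.168.20.50", 8123, "192.168.20.60", 8123),  # IoT to IoT stays in VLAN
    ]


if __name__ == "__main__":
    print("flat:", flat_network())
    print("vlan:", vlan_network())
```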