OPNsense Forum

Archive => 16.1 Legacy Series => Topic started by: Julien on July 08, 2016, 04:40:28 pm

Title: [SOLVED] From Cisco to OPNSENSE
Post by: Julien on July 08, 2016, 04:40:28 pm
Good day guys,
I hope someone can help me.
Right now we have a Cisco firewall with 4 ports: WAN, LAN1, LAN2, LAN3.
We have 2 different switches.

Switch 1 is connected to LAN1 on the Cisco.
Switch 2 is connected to LAN2 on the Cisco.
On the Cisco we have QoS for VoIP telephones.

In the Cisco we have VLANs 1, 2, 3, 4, 5.
When I am connected on switch 2 I can reach VLAN1, VLAN2, VLAN3, and from the switch 1 side as well.
The tagging on the switches' side will remain the same, so I believe OPNsense will share the same VLANs, and the switches will understand the VLANs from OPNsense.

I've been looking to create the same configuration with 5 VLANs, to reach them from two different switches.
I have created the VLANs on OPNsense.
Should I create some firewall rules to allow the connections between the VLANs?
How am I supposed to have 5 VLANs on two different interfaces? Or don't I need to have them on both interfaces and just allow the connections between the VLANs?

Hope someone can put me in the right direction, as I am planning to do the migration next week.
A big thank you guys.
Title: Re: From Cisco to OPNSENSE
Post by: franco on July 08, 2016, 06:10:06 pm
Hi jamerson,

Glad you're making progress. :)

VLANs are always terminated so OPNsense will only ever see the contents of the VLANs and make them routable with all other configured interfaces.

By default all OPTX (V)LAN interfaces do not have an automatic pass rule, so you will have to add that depending on the policies you want to enforce. If these are just different LAN segments, it could typically end up with a "pass all" rule.

I don't understand your last question "5 VLANS in two different interfaces". Each VLAN is a dedicated interface, because all of the VLANs have (hopefully) different subnets. Can you explain this more?


Good luck,
Franco
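Franco's point that VLANs are terminated at OPNsense (and, later in the thread, that several VLANs can sit on one parent interface) is easiest to see at the frame level. The following is an added example written for this page, not code from the thread or from OPNsense: a minimal 802.1Q frame builder and parser plus a model of one parent port demultiplexing tagged frames onto child interfaces. The MAC addresses, VLAN IDs and interface names (em0, vlan10, vlan11) are constructed sample values.

```python
import struct
from typing import Dict, Optional, Tuple

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build an Ethernet II frame; when vid is given, insert a 4-byte 802.1Q tag."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    hdr = dst + src
    if vid is not None:
        if not 0 <= vid <= 4094 or not 0 <= pcp <= 7:
            raise ValueError("VID must be 0..4094, PCP 0..7")
        # TCI = 3-bit PCP (the priority switches use for VoIP QoS) | 1-bit DEI | 12-bit VID
        tci = (pcp << 13) | vid
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> Tuple[Optional[int], int, int, bytes]:
    """Return (vid, pcp, ethertype, payload); vid is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, 0, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, tci >> 13, inner_type, frame[18:]


class VlanParent:
    """One physical port (e.g. em0) with VLAN child interfaces hanging off it.

    The tag is consumed here, so each child interface, and the subnet and firewall
    rules bound to it, only ever sees the untagged contents of its own VLAN.
    """

    def __init__(self, name: str):
        self.name = name
        self.children: Dict[int, str] = {}

    def add_vlan(self, vid: int, ifname: str) -> None:
        if not 1 <= vid <= 4094:
            raise ValueError("usable VIDs are 1..4094")
        self.children[vid] = ifname

    def deliver(self, frame: bytes) -> Optional[Tuple[str, int, int, bytes]]:
        """Return (interface, pcp, ethertype, payload), or None if the frame is dropped."""
        vid, pcp, ethertype, payload = parse_frame(frame)
        if vid is None or vid == 0:
            # Untagged, or VID 0 (priority tag only): belongs to the parent interface itself.
            return self.name, pcp, ethertype, payload
        ifname = self.children.get(vid)
        if ifname is None:
            return None     # tagged for a VLAN not configured on this port: dropped, never routed
        return ifname, pcp, ethertype, payload


if __name__ == "__main__":
    # Constructed sample: em0 is the switch uplink carrying VLAN 10 and VLAN 11.
    em0 = VlanParent("em0")
    em0.add_vlan(10, "vlan10")
    em0.add_vlan(11, "vlan11")
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    voip = build_frame(dst, src, ETHERTYPE_IPV4, b"rtp", vid=11, pcp=5)
    print(em0.deliver(voip))                                                  # ('vlan11', 5, 2048, b'rtp')
    print(em0.deliver(build_frame(dst, src, ETHERTYPE_IPV4, b"x", vid=99)))   # None
```

Two practical consequences follow from the model: a frame tagged for a VLAN that is not configured on the parent is simply dropped, so "I created VLAN 12 on the switch but not on OPNsense" shows up as silence rather than an error, and the PCP bits that carry the switch-side QoS marking survive into the child interface only if the parent driver passes them through; the firewall rules themselves never see the tag.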
Title: Re: From Cisco to OPNSENSE
Post by: Julien on July 08, 2016, 11:14:15 pm
Franco,
Thank you so much for your answer. I mean to trunk both ports on the OPNsense.
The production is the following:
VLANs 10, 11, 12, 13, 14, 15
The tagging on the switches' side is already working with the Cisco.
The switches are 6 stacked switches; each switch is sharing a VLAN:
Switch 1 = VLAN10
Switch 2 = VLAN11
Switch 3 = VLAN12 ....
There is one uplink from the Cisco firewall to the uplink of switch 1.
So if I create those VLANs on the OPNsense and connect the uplink of the switches to the pfSense LAN1, everything should work?
VLAN15 = Switch 15 is a guest VLAN; I want to block it from accessing the rest of the VLANs. Should I create deny rules to the rest of the VLANs?
I have created two groups under Interfaces >> Other Types >> Group:
Productions and Guest.
On Productions I've selected LAN1/LAN2/LAN3/VLAN10/VLAN11/VLAN12/VLAN13/VLAN14.
On Guest I've added the interface VLAN15.
Right now I have two extra interfaces under Firewall >> Rules called Productions and Guest.
I have created a deny rule on the Guest interface: Source Guest, Destination Productions.
Is this the correct way to deny the Guest from accessing the Productions?
What about the routing between the VLANs, is this going to be done automatically by OPNsense? Or do I have to create a rule for it?
Please advise, as I need it tomorrow on production.
Much appreciated,
thank you
Title: Re: From Cisco to OPNSENSE
Post by: franco on July 11, 2016, 11:05:55 am
Hi Julien,

Having multiple VLANs on one parent interface is no problem.

You don't need to set up any routing as long as you assign VLAN routing endpoints (IP addresses) to each VLAN.


Cheers,
Franco
Title: Re: From Cisco to OPNSENSE
Post by: Julien on July 11, 2016, 05:21:08 pm
Thank you Franco.
I am going to start the migration soon.
I'll keep you posted in case I have some difficulties.
Title: Re: From Cisco to OPNSENSE
Post by: Julien on July 11, 2016, 09:26:08 pm
I have installed OPNsense on production.
Hope someone can help me here with which rules need to be created.
On em0 I have VLANs 4, 5, 6 and on em2 I have VLANs 7, 8, 9; on each VLAN interface and on LAN there is an allow-to-any rule.
On em2, VLAN 8 has a WiFi access point providing DHCP from VLAN 5. Somehow the WiFi users are not receiving DHCP from VLAN 5 over em2.
Do I have to create some firewall rules between the LANs or VLANs?

Also VLAN 9 is a guest VLAN and I want it to be restricted from accessing the rest of the network. Which rules am I supposed to create in order to get this fixed?

Thank you guys
Title: Re: From Cisco to OPNSENSE
Post by: Julien on July 11, 2016, 09:28:27 pm
Quote
On em2, VLAN 8 has a WiFi access point providing DHCP from VLAN 5. Somehow the WiFi users are not receiving DHCP from VLAN 5 over em2.

This is an odd configuration. Both networks can't terminate on the same LAN unless you specify a bridge that you put on both VLANs, but it would probably be easier to terminate both as the same VLAN 5 or VLAN 8.

Quote
Do I have to create some firewall rules between the LANs or VLANs?

LAN is a fully trusted zone so it doesn't need extra rules. This doesn't apply to any other OPTX interface, which needs manual pass rules in order for their traffic to reach their destination.

Quote
Also VLAN 9 is a guest VLAN and I want it to be restricted from accessing the rest of the network. Which rules am I supposed to create in order to get this fixed? Should I create on each VLAN a block rule, Source VLAN, Destination VLAN50?

Yes. Exactly the reason why OPTX do not have default allow rules. You add your access rules and/or restriction rules in their respective firewall rule tab to specific other interfaces.


Cheers,
Franco
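Franco's answer (OPTx interfaces start without a pass rule; access and restriction rules go in the respective interface tab) and Julien's earlier question about a group-level deny for the guest VLAN both come down to rule ordering and first-match evaluation. The following is an added example written for this page, not code from the thread or from OPNsense: a small first-match evaluator that assumes OPNsense's processing order of floating rules, then interface-group rules, then the interface's own rules, with default deny on an OPTx interface that has no matching rule. The subnets (192.168.15.0/24 for guests, 192.168.15.1 for the firewall's address on that VLAN), the interface names and the group names are constructed assumptions; the RFC 1918 alias is the usual way to express "nothing internal" without listing every VLAN.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Set, Tuple

Net = ipaddress.IPv4Network
ANY = (Net("0.0.0.0/0"),)
# Alias covering all RFC 1918 space: "anything internal", including VLANs added later.
RFC1918 = (Net("10.0.0.0/8"), Net("172.16.0.0/12"), Net("192.168.0.0/16"))
# Constructed sample addressing: the guest VLAN and OPNsense's own address on it.
GUEST_NET = (Net("192.168.15.0/24"),)
GUEST_GW = (Net("192.168.15.1/32"), Net("255.255.255.255/32"))   # gateway + DHCP broadcast


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet arrives on; rules are applied on ingress
    src: str
    dst: str
    proto: str        # "tcp", "udp", "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    scope: str                    # "floating", an interface-group name, or an interface name
    src: Sequence[Net] = ANY
    dst: Sequence[Net] = ANY
    proto: Optional[str] = None   # None matches any protocol
    dports: Sequence[int] = ()    # empty matches any destination port
    label: str = ""

    def matches(self, pkt: Packet) -> bool:
        s, d = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
        return (any(s in n for n in self.src)
                and any(d in n for n in self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (not self.dports or pkt.dport in self.dports))


class Firewall:
    """First-match evaluator. Assumed order: floating rules, then the rules of every
    interface group the ingress interface belongs to, then that interface's own rules."""

    def __init__(self, groups: Dict[str, Set[str]]):
        self.groups = groups
        self.rules: List[Rule] = []

    def add(self, *rules: Rule) -> "Firewall":
        self.rules.extend(rules)
        return self

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        my_groups = {g for g, members in self.groups.items() if pkt.iface in members}
        ordered = ([r for r in self.rules if r.scope == "floating"]
                   + [r for r in self.rules if r.scope in my_groups]
                   + [r for r in self.rules if r.scope == pkt.iface])
        for rule in ordered:
            if rule.matches(pkt):
                return rule.action, rule.label
        return "block", "default deny"     # an OPTx interface with no matching rule drops


def guest_firewall(block_before_pass: bool) -> Firewall:
    """Guest policy on vlan15. Correct order: let guests reach the firewall for DHCP/DNS,
    block every other internal destination, then pass the rest (internet).
    With block_before_pass=False the 'pass any' comes first and the block never fires."""
    fw = Firewall(groups={"Productions": {"lan", "vlan10", "vlan11"}, "Guest": {"vlan15"}})
    fw.add(Rule("pass", "Productions", label="prod any"))      # trusted segments talk freely
    services = Rule("pass", "vlan15", ANY, GUEST_GW, "udp", (53, 67), "guest dhcp/dns")
    internal = Rule("block", "vlan15", GUEST_NET, RFC1918, label="guest no internal")
    internet = Rule("pass", "vlan15", GUEST_NET, ANY, label="guest any")
    if block_before_pass:
        fw.add(services, internal, internet)
    else:
        fw.add(internet, services, internal)
    return fw


if __name__ == "__main__":
    fw = guest_firewall(block_before_pass=True)
    print(fw.evaluate(Packet("vlan15", "192.168.15.20", "192.168.10.5", "tcp", 445)))
    print(fw.evaluate(Packet("vlan15", "192.168.15.20", "192.168.15.1", "udp", 53)))
    print(guest_firewall(False).evaluate(Packet("vlan15", "192.168.15.20", "192.168.10.5", "tcp", 445)))
```

Two things the model makes visible that the GUI does not: a "pass any" already present on the guest tab (as in the "allow rule to any" on every VLAN mentioned later in the thread) matches before any block placed under it, so the deny must sit above it; and a block on all of RFC 1918 also cuts the guest VLAN off from the firewall's own DHCP and DNS service unless a narrower pass for those ports comes first. pf is stateful, so only the packet that opens a connection is evaluated; replies ride on the state entry.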
Title: Re: From Cisco to OPNSENSE
Post by: Julien on July 12, 2016, 07:24:34 am
Quote
On em2, VLAN 8 has a WiFi access point providing DHCP from VLAN 5. Somehow the WiFi users are not receiving DHCP from VLAN 5 over em2.

This is an odd configuration. Both networks can't terminate on the same LAN unless you specify a bridge that you put on both VLANs, but it would probably be easier to terminate both as the same VLAN 5 or VLAN 8.

How am I supposed to get this working with the bridge? Can you please explain more? This is new for me.
If I configure the WiFi devices to use VLAN40, everything should work?
So no rules are needed; everything should work out of the box?
Title: Re: From Cisco to OPNSENSE
Post by: franco on July 12, 2016, 07:34:15 am
I know Cisco stretches the definition of a VLAN where it can to allow flexible configuration, but generally, the VLAN is an aggregation of a set of traffic belonging together. It doesn't make much sense to fuse different VLANs together. The only thing this will do is separate both traffic streams until you plug them into the termination device. Switches support this fine, routers may not as you assign separate LANs to them.

In your case you'd need to specify two endpoints for the same LAN on both VLANs and bridge them, but if you haven't done the config yet it may be better to look for the alternative...

You could flip VLAN 8 to VLAN 5 on the last switch before OPNsense so it sees all the traffic belonging to the same network, removing the need for VLAN 8 on your box, but keeping it for network segmentation in your switch setup.
Title: Re: From Cisco to OPNSENSE
Post by: Julien on July 12, 2016, 10:54:24 am
I managed to fix it, Franco:
one uplink for all switches,
tagged the VLANs on the uplinks of each switch, et voila, stuff works.
Now OpenVPN is not starting. I have rebooted the firewall twice, but it's not starting at all.
Any suggestions why?


Thank you
Title: Re: [SOLVED] From Cisco to OPNSENSE
Post by: franco on July 12, 2016, 10:31:36 pm
Hi Julien,

Ok, great, let's tackle the OpenVPN issue in the other thread. Check the log file (it's in the menu).


Cheers,
Franco
Title: Re: [SOLVED] From Cisco to OPNSENSE
Post by: Julien on July 13, 2016, 12:23:40 am
We noticed the WiFi users are facing some slowness on the internet side; however the cable users are getting high speed.
As I mentioned earlier, the WiFi users are on the switch managed on VLAN40 and the access points are sharing VLAN20.
Maybe this is why it causes the slowness? Should the access point share VLAN40 over the WiFi to speed up the process?
Thank you
Title: Re: [SOLVED] From Cisco to OPNSENSE
Post by: franco on July 13, 2016, 11:44:58 am
Not sure if it's a setup problem. Impossible to debug from here. You'll need to pinpoint the issue in your network infrastructure.
Title: Re: [SOLVED] From Cisco to OPNSENSE
Post by: Julien on July 13, 2016, 12:53:31 pm
Quote
Not sure if it's a setup problem. Impossible to debug from here. You'll need to pinpoint the issue in your network infrastructure.

This is also fixed by now.
After a reboot of the appliance everything is back to normal.
I can't wait for the release of 16.7 to apply it on the production.