OPNsense Forum

Archive => 23.1 Legacy Series => Topic started by: fat_flying_pigs on May 07, 2023, 11:42:59 am

Title: How to verify vlans working (like packets are actually tagged correctly)
Post by: fat_flying_pigs on May 07, 2023, 11:42:59 am
Hi, new to opnsense. I've gotten it working for the most part; internet access is working. I'm looking to set up an iot wifi network using openwrt multi ssid -> switch -> opnsense. I have single ssid wifi working. My network map: https://imgur.com/zr7icLz

It suddenly occurred to me that I have no idea whether the vlans are actually being used, or if stuff is circumstantially giving me internet access.

Is there a way to audit some of the packets opnsense is receiving in order to verify that the incoming/outgoing data is in fact using vlans?

I guess my first objective is to see the packets with whichever vlan is being used for "My PC" (top right of the image) -> switch -> opnsense. Ultimately opnsense has all my firewall logic, so if I can verify that "My PC" is using vlan2 vs openwrt using vlan5, I'll be confident in my firewall rules.

Thanks for any help in advance! :)
Title: Re: How to verify vlans working (like packets are actually tagged correctly)
Post by: sja1440 on May 08, 2023, 06:31:40 pm
Probably the easiest way is to use the packet capture function (Interfaces->Diagnostics->PacketCapture).

You need to capture the hardware interface which underlies your vlan. For example, I use a vlan with id 400 and here are the two interfaces of interest on my system:
In the example I would select as the capture interface igb3.

Do not select the vlan interface itself (igb3_vlan400 in the example).

When you have finished capturing the traffic, download the captured pcap file and view using Wireshark.

Hope that helps.

Title: Re: How to verify vlans working (like packets are actually tagged correctly)
Post by: FraLem on May 09, 2023, 08:20:18 am
Hi, another option would be to just run tcpdump showing vlan tag on the physical port.

tcpdump -i em2 -e vlan

Hope this helps
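Both replies above come down to the same check: capture on the physical interface, then look for the 802.1Q tag in Wireshark or tcpdump. As an added example (not code from the thread or from OPNsense), here is a stdlib-only Python script that reads such a pcap, pulls the VLAN id out of each frame and compares it with the VLAN each source MAC is supposed to be on; the MAC addresses and the capture itself are constructed sample data.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # TPID that marks an 802.1Q tag right after the two MAC addresses

def parse_vlan(frame):
    """Return (vid, pcp) if the Ethernet frame carries an 802.1Q tag, else None."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return (tci & 0x0FFF, tci >> 13)   # VID = low 12 bits, PCP = high 3 bits

def iter_pcap_frames(data):
    """Yield raw frames from a classic (non-pcapng) pcap file in either byte order."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None or struct.unpack(end + "I", data[20:24])[0] != 1:   # 1 = Ethernet
        raise ValueError("expected a classic pcap with Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def vlan_summary(pcap_bytes):
    """Map each source MAC to the set of VLAN ids seen (None means an untagged frame)."""
    seen = {}
    for frame in iter_pcap_frames(pcap_bytes):
        tag = parse_vlan(frame)
        seen.setdefault(frame[6:12].hex(":"), set()).add(tag[0] if tag else None)
    return seen

def check_expected(summary, expected):
    """expected = {src_mac: vid}; return the hosts whose frames did not all carry that vid."""
    return {mac: summary.get(mac, set()) for mac, vid in expected.items()
            if summary.get(mac) != {vid}}

# --- constructed sample capture, not real traffic from the thread ---
def _frame(src, vid=None):
    tag = b"" if vid is None else struct.pack("!HH", ETHERTYPE_8021Q, vid)  # PCP=0, DEI=0
    return (bytes.fromhex("ffffffffffff" + src.replace(":", "")) + tag
            + struct.pack("!H", 0x0800) + b"\x00" * 46)             # dummy IPv4 payload

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # little-endian header
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

PC, AP, ROGUE = "02:00:00:00:00:02", "02:00:00:00:00:05", "02:00:00:00:00:99"
SAMPLE = build_pcap([_frame(PC, 2), _frame(PC, 2), _frame(AP, 5), _frame(ROGUE)])
EXPECTED = {PC: 2, AP: 5, ROGUE: 5}   # ROGUE should be on VLAN 5 but sends untagged
MISMATCHES = check_expected(vlan_summary(SAMPLE), EXPECTED)   # -> {ROGUE: {None}}
```

Run it against a real download from Interfaces->Diagnostics->PacketCapture by replacing SAMPLE with the file's bytes; a capture taken on the vlan sub-interface will report every host as untagged, which is exactly why the physical interface has to be selected.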
Title: Re: How to verify vlans working (like packets are actually tagged correctly)
Post by: Seimus on May 09, 2023, 10:53:40 am
Hello,

You can either use the inbuilt Packet capture and capture the traffic on the Physical or per Logical interface to confirm the VLAN TAG.

OR

I personally verified it using DHCP. Specific Hosts are in Specific VLANs, I use DHCP or DHCP Relay. When a BUM traffic for DHCP Discovery from a HOST comes to the OPNSense GW VLAN, the pool for the specific VLAN will answer and the correct IP per VLAN will be assigned.

In case of Relay, the OPNsense converts the BUM into Unicast and the Request for the IP is coming out from the specific VLAN IP (giaddr) OPNSense GW. DHCP Server sees who is the "requestor IP (giaddr)" for the offer thus per its specific VLAN IP offers the correct IP from the specific VLAN pool.

This is enough to confirm the Frames are properly tagged, because if not, the Host wouldn't receive a correct IP address, and if you are not using any to any rules, but permitting the specific VLAN subnet per the VLAN INCOMING way, it would be dropped.

P.S. If you have a Switch capable of VLANs, Prune the VLANs per need. Meaning allow only those VLANs you need and set the proper VLANs per access ports and TRUNK Ports. This will basically guarantee that a specific HOST can Use only a specific VLAN and a TRUNK that only Specific VLANs can pass through.


Regards,
S.
Title: Re: How to verify vlans working (like packets are actually tagged correctly)
Post by: fat_flying_pigs on May 17, 2023, 04:29:14 am
In the example I would select as the capture interface igb3.

Do not select the vlan interface itself (igb3_vlan400 in the example).

This was it! Thank you so much - I was selecting the vlans interfaces directly before and wasn't getting the correct info!

(is it possible to close or lock a post on this forum?)