OPNsense Forum

English Forums => General Discussion => Topic started by: z0rk on February 08, 2018, 09:24:48 pm

Title: n00b question; 1st time setup with VLANs and Managed Switch
Post by: z0rk on February 08, 2018, 09:24:48 pm
I am a hobbyist interested in improving the network security of my SOHO network. I am familiar with basic networking terminology / principles and I’ve deployed open source devices like LEDE and Tomato before. Small potatoes.
I have an x86 64-bit desktop with one Ethernet port on the board and a 2-port NIC. The NIC supports link aggregation to provide redundancy. The core of my topology would be like this:

Internet > Managed Switch (VLANS: WAN, Trusted, Untrusted, DMZ) > OPNsense (VLANS: WAN, Trusted, Untrusted, DMZ).

All other Managed Switches, WiFi / Wired Bridges, etc. would be connected to the 1st Managed Switch.

Network access and security for all network nodes would be managed through VLANs. OPNsense would function as a Router / Firewall and provide DHCP, DNS, DDNS services; and possibly IDS, Web Proxy, Content Filter, Virus Scanner and VPN access; but that’s optional.

I believe this can be accomplished with OPNsense, but I would like to get a sense of whether all of this can be set up and managed through the GUI.

I am usually comfortable facing a learning-curve challenge if the GUI is intuitive and logically organized, and I wouldn’t shy away if CLI intervention is required for more complex configurations, but I would prefer not having to deal with it for the initial setup.

Is this a reasonable expectation?  :P

Thanks
Title: Re: n00b question; 1st time setup with VLANs and Managed Switch
Post by: bartjsmit on February 09, 2018, 08:38:58 am
You'll have no problem and you won't have to resort to the command line.

Interfaces, other types, VLAN to define your VLAN. Then go to Interfaces, Assignments, New interface to create a firewall interface to set your rules on.

Bart...
Title: Re: n00b question; 1st time setup with VLANs and Managed Switch
Post by: z0rk on February 09, 2018, 05:38:24 pm
You'll have no problem and you won't have to resort to the command line.


Awesome... I will check it out!
Title: Re: n00b question; 1st time setup with VLANs and Managed Switch
Post by: z0rk on February 22, 2018, 06:47:20 pm
Interfaces, other types, VLAN to define your VLAN. Then go to Interfaces, Assignments, New interface to create a firewall interface to set your rules on.
Bart...

Ok,... silly questions. After I created my VLANs and created a new interface per VLAN, how do I assign DHCP zones to each VLAN, i.e. I want each VLAN to be on a separate subnet of 192.168.1.x/27. I don't see where to turn on the DHCP server and get this all set up. I guess static DHCP addresses are supported as well? Maybe I am just blind.   :-[
Title: Re: n00b question; 1st time setup with VLANs and Managed Switch
Post by: bartjsmit on February 22, 2018, 07:41:26 pm
The IPv4 DHCP services are under Services, DHCPv4. You will find the interfaces with a static IP address listed by name under the service. The static entries are at the bottom of each page.

Bart...
Title: Re: n00b question; 1st time setup with VLANs and Managed Switch
Post by: z0rk on February 25, 2018, 05:32:21 am
WAN interface em0: 172.16.1.10
WAN gateway: 172.16.1.1

Sorry I think I am missing something here. Part of it might be because I've never set up a firewall with a single interface on a managed switch before.
Once I set up my VLAN, assign an interface to the VLAN, enable the interface and save it, I lose access to the GUI. At the OPNsense console I can ping any device on the 172.16.1.x network, including the laptop that I use to access the GUI at 172.16.1.10. But from the laptop I can't ping 172.16.1.10. What am I missing here?
Title: Re: n00b question; 1st time setup with VLANs and Managed Switch
Post by: bartjsmit on February 25, 2018, 09:33:53 am
The default 'allow all' and 'anti-lockout' rules are only on the LAN interface. Any new (VLAN) interface you set up starts off with zero access until you assign rules to it.

This behaviour is by design - the principle of least privilege ;-)

Bart...
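To make the "zero access until you assign rules" point concrete, here is an added illustration (not OPNsense code and not from the thread) of per-interface, first-match, default-deny rule evaluation: the LAN interface carries the anti-lockout and allow-all rules, a freshly created VLAN interface carries none, and a single explicit pass rule is what restores GUI reachability from it. Interface and VLAN names follow the thread; the laptop address, the 192.168.1.0/27 "Trusted" range and the rule contents are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional

# Constructed model of the behaviour Bart describes: each interface has its
# own rule list, the first matching rule wins, and an interface with no
# matching rule blocks the packet. Addresses below are made up for the example.

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: IPv4Network             # source network the rule matches
    dst: IPv4Network             # destination network the rule matches
    dport: Optional[int] = None  # None matches any destination port

ANY = ip_network("0.0.0.0/0")
FW = "172.16.1.10"               # firewall address from the thread (em0)

def evaluate(rules_for_iface: List[Rule], src: str, dst: str, dport: int) -> str:
    """Return "pass" or "block" for a packet arriving on one interface."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules_for_iface:
        if s in r.src and d in r.dst and r.dport in (None, dport):
            return r.action
    return "block"               # default for an interface with no matching rule

# LAN as shipped: anti-lockout (reach the firewall's GUI) plus "allow all".
LAN_RULES = [
    Rule("pass", ip_network("172.16.1.0/24"), ip_network(FW + "/32"), 443),
    Rule("pass", ip_network("172.16.1.0/24"), ANY),
]

# A newly created VLAN interface ("Trusted") starts with no rules at all.
TRUSTED_RULES_EMPTY: List[Rule] = []

def trusted_with_mgmt_rule(trusted_net: str = "192.168.1.0/27") -> List[Rule]:
    """The one explicit rule that lets hosts on the Trusted VLAN reach the GUI."""
    return [Rule("pass", ip_network(trusted_net), ip_network(FW + "/32"), 443)]

def gui_reachable(rules_for_iface: List[Rule], client: str = "172.16.1.50") -> bool:
    """True if a client on that interface can open the GUI on the firewall."""
    return evaluate(rules_for_iface, client, FW, 443) == "pass"

if __name__ == "__main__":
    print("LAN client -> GUI:", gui_reachable(LAN_RULES))
    print("new VLAN, no rules -> GUI:", gui_reachable(TRUSTED_RULES_EMPTY, "192.168.1.5"))
    print("new VLAN, one rule -> GUI:", gui_reachable(trusted_with_mgmt_rule(), "192.168.1.5"))
```

Note that the single management rule passes only traffic to the firewall on port 443; anything else from the Trusted VLAN (for example DNS to an outside resolver) still falls through to the default block until further rules are added.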
Title: Re: n00b question; 1st time setup with VLANs and Managed Switch
Post by: z0rk on February 25, 2018, 07:35:36 pm
Well, that totally makes sense; but then I fail to see how I can configure OPNsense from the GUI? I am at a loss here.

In my test setup I have port 1 connected to my 172.16.1.x network (considered WAN for this test setup). Port 1 is untagged for VLAN 10 (WAN) on the switch. OPNsense is connected to port 2. Port 2 is tagged for VLAN 10 on the switch.

Instead I’ve also tried to keep all ports on the switch untagged for VLAN 1, which is the default / native and management VLAN, and none of the ports tagged. Plain vanilla, just as the switch came out of the box.

At the OPNsense CLI I assign interface em0 (my only Ethernet port) to WAN with DHCP enabled. It grabs an address and I can access the GUI from the 172.16.1.x network. I don’t have LAN configured or any VLANs at this point.

Can you help me with how to logically approach the setup steps from here on, so I can configure and enable my VLAN interfaces, etc. without losing access to the GUI? Is there anything else I need to configure at the CLI?

Or maybe there’s a how-to for this type of setup that you could point me to?

Thanks Bart!