OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: Serius on September 15, 2018, 11:20:52 am

Title: fwd: VLAN for IOT
Post by: Serius on September 15, 2018, 11:20:52 am
Hello, I posted the question below in the general forum, but as I was not getting any reply (as with the previous one) I thought I could be posting in the wrong section. So I repost here in the hope someone can give me a hand.
For the lazy ones, the thing is that I'm trying to segregate the IoT devices in a new VLAN, and allow "some" communication with the LAN so I can manage the IoT server and it can do punctual things like ping a server to monitor its status.

Quote
I'm in the process of replacing the network devices in my home lab. In my setup I have some servers, a big nas and a domotics system. I'm trying to setup a vlan for this system but I can't make it work. Perhaps someone can give me some advice on how to do it on opnsense.
This is my network structure:
Wan
ISP router (bridge) => opnsense box => dgs-1510 switch -> unifi AP / servers / workstations.
The network is 192.168.0.0/16 and I currently have the devices distributed in "sub networks" as 192.168.50.x for all the iot or ...1.x for the workstations.
I first created the vlan in the managed switch with tag 50 and then changed the WiFi ap so all the devices registered in the iot SSID would get tagged.
Then I came to the opnsense GUI and added the 50 vlan and created an interface linked to it derived from lan. I then went to DHCP and implemented another range for the vlan.

The problem I have is that none of the IoT WiFi devices get an IP. Does anyone know if I'm forgetting a step? What can I do to diagnose the problem?
Thanks.

So far I managed to get the VLAN50 working. Previously I couldn't get the devices to reach the DHCP, but it seems it was a mistake in the configuration of the AP and OPS switch ports. Now I have them like this:
Port: eth1/0/11
VLAN Mode: Trunk
Native VLAN: 1 (Untagged)
Trunk Allowed VLAN: 1-4094
Dynamic Tagged VLAN:
Ingress Checking: Enabled
Acceptable Frame Type: Admit-All

I also changed the vlan50 interface net to 192.168.50.0/24, as after solving the above both DHCP servers started to collide.

So the problem I currently have is that I don't know how to make firewall rules that allow communication between interfaces. I have tried everything from general to host rules and also floating rules, with no success. Also, I don't know how it's possible for devices that are in different subnets to talk to each other.

I also think there is another issue with the vlan50 devices, as I'm getting these entries in the firewall log that seem to show the internet is being blocked, even though I cloned the default allow rules of LAN into the VLAN:

Interface   Time   Source   Destination   Proto   Label
IOT   Sep 15 11:19:19   192.168.50.52:44499   172.217.17.10:443   tcp   Default deny rule
Title: Re: fwd: VLAN for IOT
Post by: ab5g on September 17, 2018, 10:45:17 am
So we try it one step at a time
1. Assuming default VLAN is 1 and network is 192.168.1.0/24
2. Assuming IOT VLAN is 21 and network is 192.168.11.0/24

The rules you could create are as attached
1. LAN to any allow
2. IOT to any allow (except to LAN)

My two cents: read up a bit more on how to create firewall rules before you attempt to implement - it will save you a lot of pain :)
Title: Re: fwd: VLAN for IOT
Post by: Serius on September 18, 2018, 03:04:46 pm
@ab5g Thank you very much for your aid. As I wasn't receiving any help in my 3 posts, I was starting to think that I should change projects.
I did read all the documentation but unfortunately it seems more of a services description than a how-to, and doesn't explain so well. Perhaps someone used to FreeBSD and the underlying services doesn't have an issue, but for newcomers, well... I've worked with Fortinet, UniFi products and some Ciscos but I found this firewall interface not so intuitive. (Net addr? Ah ok, it's not an address but the gw)
After reading the forum back to 2015 and trying almost all combinations I think I almost understand how to make rules. I've made some so far and they seem to work.
I still have some issues, like not knowing how IoT devices get internet without any rule, and how sometimes inter-VLAN comms work and sometimes don't.
Title: Re: fwd: VLAN for IOT
Post by: Serius on September 18, 2018, 03:07:14 pm
BTW, do you know how to allow only one host that has a dhcpd address (my station) in the trusted VLAN to manage the devices in the management VLAN (vlan1 or 192.168.0.x)?
Title: Re: fwd: VLAN for IOT
Post by: ab5g on September 21, 2018, 03:22:07 am
You can apply the rules based on the logic that - Rules are always processed from the top of a list down, first match wins. After a match is found no other rules are matched for that packet. There is a default deny at the bottom. Which means that if no rules are matched the packet is dropped by default.

So, if you want to allow an IP from IOT to talk to LAN, but deny the others, then your logic would be
1. Allow <IOT IP> to LAN <IP>
2. Allow <IOT Network> to Anywhere but LAN
3. Default deny (hidden)

Title: Re: fwd: VLAN for IOT
Post by: Serius on September 24, 2018, 05:18:17 pm
Quote
So, if you want to allow an IP from IOT to talk to LAN, but deny the others, then your logic would be
1. Allow <IOT IP> to LAN <IP>
2. Allow <IOT Network> to Anywhere but LAN
3. Default deny (hidden)

Thanks again for your reply. I think it may not be possible to make a rule for a DHCP host based on its UNC name.

My rules on IOT look like this:
Action   Proto   Source   Port   Destination   Port   Gateway   Description
[pass]   IPv4 UDP   HomeHub   *   DeathshadowIPMI   portsIPMI   *   Allow IOT managing server IPMI
[block]   IPv4 *   IOT net   *   LAN net   *   *   Block local networks

If I understand correctly, the meaning of the 2nd rule would be allowing IOT to access everything, including the internet, but not the trusted/private network. My IoT devices currently have access to my trusted network (as it's different from LAN), so I must create as many "nr.2" rules as networks I want to isolate.

PS: Sorry for my delayed response. I'm not receiving the forum notifications.
Title: Re: fwd: VLAN for IOT
Post by: ab5g on September 25, 2018, 03:50:41 am
You cannot make a rule based on a UNC name - although you can create an alias based on a FQDN. Firewall: Aliases: View

Rule number 2 will block IOT LAN from accessing your LAN. It does not give IOT access to the internet.

To do so you can have a rule 3 which says allow access from any to any/inet.
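The rule logic ab5g describes (top-down, first match wins, hidden default deny at the bottom) and the point that a block rule alone gives the IOT VLAN no internet access, as an added worked example that is not part of the thread. It is a small Python model of the OPNsense interface rule evaluation, not OPNsense code; the addressing follows the thread (LAN 192.168.1.0/24, IOT 192.168.50.0/24) and the HomeHub/IPMI host addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing that follows the thread: LAN 192.168.1.0/24 (VLAN 1),
# IOT 192.168.50.0/24 (VLAN 50). The host addresses below are assumptions.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
IOT_NET = ipaddress.ip_network("192.168.50.0/24")
HOMEHUB = ipaddress.ip_network("192.168.50.10/32")    # assumed IoT server ("HomeHub")
IPMI_HOST = ipaddress.ip_network("192.168.1.20/32")   # assumed IPMI address on LAN
IPMI_PORT = 623                                       # IPMI-over-LAN (RMCP) port


@dataclass
class Rule:
    action: str                            # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: Optional[ipaddress.IPv4Network]   # None = any destination
    dport: Optional[int] = None            # None = any destination port
    invert_dst: bool = False               # OPNsense "invert" on destination: anywhere BUT dst
    label: str = ""

    def matches(self, src_ip, dst_ip, dport):
        if src_ip not in self.src:
            return False
        dst_hit = self.dst is None or dst_ip in self.dst
        if self.invert_dst:
            dst_hit = not dst_hit
        return dst_hit and (self.dport is None or self.dport == dport)


def evaluate(rules, src_ip, dst_ip, dport):
    """Top-down, first match wins; an unmatched packet falls to the hidden default deny."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.matches(src_ip, dst_ip, dport):
            return r.action, r.label
    return "block", "Default deny rule"


def iot_rules(with_internet_rule=True):
    """Serius's IOT rule set, plus ab5g's rule 3 (allow any) when requested."""
    rules = [
        Rule("pass", HOMEHUB, IPMI_HOST, IPMI_PORT, label="Allow IOT managing server IPMI"),
        Rule("block", IOT_NET, LAN_NET, label="Block local networks"),
    ]
    if with_internet_rule:
        rules.append(Rule("pass", IOT_NET, None, label="Allow IOT to Internet"))
    return rules


def ab5g_rules():
    """ab5g's variant: allow one host to a LAN host, then IOT to anywhere but LAN."""
    return [
        Rule("pass", HOMEHUB, IPMI_HOST, IPMI_PORT, label="Allow IOT IP to LAN IP"),
        Rule("pass", IOT_NET, LAN_NET, invert_dst=True, label="Allow IOT to anywhere but LAN"),
    ]
```

Without the final allow rule, the HTTPS flow from the firewall log in the first post (192.168.50.52 to 172.217.17.10:443) matches nothing and lands on the default deny, which is exactly the log entry Serius saw.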