General Discussion / Q: Setting up OPNSense on a mini PC and 2 smart switches
« on: October 12, 2020, 03:20:07 pm »
Hi All,
So, I decided to dive into this with the hope of saying goodbye to a flat home network and hello to a more secure network setup, or so I thought.
Hardware:
- Router: el cheapo mini PC with 6 LAN ports (Intel I211-AT), i5-8365U, 8GB RAM and 256GB SSD. Current provider supplied a separate MODEM and a separate router. This mini PC replaces the router supplied by the ISP.
- Switch 1: Netgear Prosafe GS116Ev2 16 port smart switch (no change here)
- Switch 2: Cisco SLM 2008 8 port smart switch (no change here)
- WiFi: Two TL-WA1201v2 Access points (support up to 4 SSIDs with VLAN tags) To replace the WiFi capability of the ISP provided router, and a small extender that was wired to Switch 2.
With the optimistic attitude of a network noob and a tiny bit of reading @ https://homenetworkguy.com/how-to/configure-vlans-opnsense/ and @ https://docs.opnsense.org/manual/how-tos/lan_bridge.html I created a plan of action to establish a network that looks like the attached PDF.
From the default setup, where R1 is assigned to WAN and R2 is assigned, I followed on to create a bridge (BRIDGE0) that now includes R2, R3 and R4. Each port is plugged into a single machine. Connectivity so far appears fine (even created some NAT rules for port forwarding).
Now it is time to implement the rest and I am not sure of the better way that would allow a balance between manageability and flexibility.
Before starting, I thought that it would be as simple as:
- Define another bridge (BRIDGE2) that includes ports R5 and R6
- Define 4 VLANs with BRIDGE2 as the parent interface
- Set up the VLAN and DHCP settings so each VLAN will sit on a separate subnet and with a defined range of IPs available on DHCP.
- Set up the VLAN tagging on the necessary switch ports to mirror the tags defined within OPNsense
- Set up the WiFi SSIDs with the correct tags
- Plug it all together and go have some fun
After a little head scratching, Google searching and documentation reading, I realised that although VLANs are allowed by the interface to have a bridge as a parent interface, in practice that setup is not functional.
So I moved on to set up the VLANs so they have R6 (for argument's sake) as the parent interface. That setup worked fine (with some really relaxed dummy firewall rules).
Now, I could plug Switch 2 to Switch 1 (got enough spare ports there), start messing about with the firewall rules and call it a day. However in my mind, two cables feel better than one, i.e. having each switch on a separate router port (i.e. one on R5 and one on R6) feels as if there will be more bandwidth available when the router filters packets that are exchanged between devices that "sit" on the two switches.
The question(s) are:
1. Is there a way to achieve what I originally thought was possible with VLANs having a bridge as a parent interface (i.e. define each VLAN once, assign it once, have one DHCP setting for each VLAN etc. etc.)?
2. Is what I perceive as a bottleneck (i.e. 1 router port and two switches vs 2 router ports and two switches) really a bottleneck here?
3. If the perceived bottleneck I described in 2 above is real and painful, how can one proceed to make life easier when creating and managing multiple VLAN entries for the same tag IDs? I have 2 switches to set up, but it could easily be 3 or 4 (depending on how gear is retrofitted over time).
Thank you all for spending the time to read this, and even more if you can contribute towards clarifying next steps.
Regards,
Georgios
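One way to keep the "mirror the switch tags in OPNsense" step honest once the same tag IDs live on more than one router port (questions 1 and 3 above) is a small consistency check over the plan. This is an added example, not code from the post or from OPNsense; the NIC names (igb4/igb5 standing in for R5/R6), the subnets and the switch uplink configs are constructed.

```python
"""Consistency check for a router-on-a-stick VLAN plan (constructed example)."""
from collections import defaultdict

# Constructed: OPNsense VLAN interfaces as (tag, parent NIC, subnet).
# Note VLAN 10 appears on two parents: in OPNsense those are two separate
# L3 interfaces, which is exactly the duplication the post asks about.
OPN_VLANS = [
    (10, "igb5", "10.0.10.0/24"),
    (20, "igb5", "10.0.20.0/24"),
    (30, "igb5", "10.0.30.0/24"),
    (10, "igb4", "10.0.11.0/24"),
]

# Constructed: uplink port per switch -> (router NIC it plugs into,
# VLANs tagged on that port, PVID / untagged VLAN on that port).
SWITCH_UPLINKS = {
    "Switch1-port16": ("igb5", {10, 20, 30, 40}, 1),
    "Switch2-port8": ("igb4", {10, 20}, 10),
}


def check_plan(opn_vlans, uplinks):
    """Return a list of findings; an empty list means switches and OPNsense agree."""
    findings = []
    by_parent = defaultdict(set)      # parent NIC -> tags defined on it
    tag_parents = defaultdict(set)    # tag -> parents it is defined on
    for tag, parent, _subnet in opn_vlans:
        by_parent[parent].add(tag)
        tag_parents[tag].add(parent)

    # Same tag on several parents = several VLAN entries, subnets and DHCP scopes.
    for tag in sorted(tag_parents):
        if len(tag_parents[tag]) > 1:
            findings.append(f"VLAN {tag} exists on {sorted(tag_parents[tag])}: "
                            "separate L3 segments, each needs its own subnet/DHCP")

    for port, (parent, tagged, pvid) in uplinks.items():
        defined = by_parent.get(parent, set())
        # Tagged on the switch but unknown to OPNsense: traffic is dropped, not filtered.
        for tag in sorted(tagged - defined):
            findings.append(f"{port}: VLAN {tag} tagged on uplink, no interface on {parent}")
        # Defined on OPNsense but never carried by the switch: dead interface.
        for tag in sorted(defined - tagged):
            findings.append(f"{port}: VLAN {tag} defined on {parent}, not tagged on uplink")
        # Untagged frames on the trunk land in the PVID; keep it off the routed VLANs.
        if pvid in tagged or pvid in defined:
            findings.append(f"{port}: PVID {pvid} is also a routed VLAN on this trunk")
    return findings
```

Running `check_plan(OPN_VLANS, SWITCH_UPLINKS)` on the constructed data reports the duplicated VLAN 10, VLAN 40 and VLAN 20 tagged with no matching OPNsense interface, and Switch 2's PVID colliding with a routed VLAN.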