Messages - BathToast

#1
Many thanks bart. Suppose you got a point there! I'm currently dialing back the network a bit to specific VLANs until I'm more familiar, but I'm getting some issues where I can access things I shouldn't be able to access between VLANs!
#2
General Discussion / Re: Getting set up with VLANs
September 08, 2022, 07:52:13 AM
Scott,

Happy to hear back. I don't mind long posts at all! The more detail the better in my eyes.

Good to know that at the least. Currently I'm experiencing the issue where I'm able to ping things such as interfaces on other VLANs from my current network when I shouldn't be able to, and I have pretty bare-bones rules. I'm still getting used to all these rules and how they flow/operate, so there's that.

I was able to at least remove my regular LAN and now my optional ones are running the network, but I may add it back in as an untagged VLAN for diagnosis like you mentioned, probably limit it to a physical port on the router itself since it's running on a little R210 II.

For the most part it looks like the rest will just be me getting used to how the rules are phrased and getting them set up.

Edit: This is embarrassing, I just necro'd a post because I posted a new one similar to my old one! Whoops!
#3
Hey all,

So I'm going about and planning on tidying up some networking rules and cutting over to using my VLANs on my network, as currently I'm just using a classic untagged VLAN1 for everything in 192.168.1.x for my network.

However, I have a series of VLANs set aside with various IDs (10, 20, 30, 40, 50, etc.), and they are all /24 networks using their VLAN ID as the third octet value.

Though generally speaking I have a question in general for the security of things: Which VLAN should be the "LAN" interface in OPNsense? Currently it's VLAN_1, and the others are optional interfaces being trunked to my Cisco switch which holds my servers and other things.

So the question stands: what should I set as my default LAN? Should I set any of them as the LAN interface? Should I just leave it as VLAN1 so that should anything go belly up I can just easily plug into a port and be able to jump into the router?

I know I'm still learning OPNsense and some elements of networking so bear with me.

Also a bit of a silly question, but I just want to make sure I have this right in my head: If my device on the 192.168.40.x VLAN reaches out to the router on 192.168.40.1, the router/firewall then sends that directly out to the WAN interface, correct? Or does it need to route it to the interface assigned as the LAN interface, which then sends it to WAN? Or do the optional interfaces have the ability to go straight to WAN?

Anything would be helpful. Once I got this nailed down I think I'll be off to the races.
#4
General Discussion / Getting set up with VLANs
June 12, 2022, 04:56:40 AM
Hey all,

So I'm getting things configured with VLANs and I'm still pretty new to networking, my specialty is in Hardware and Specialty Software, and I'm getting my home network all configured.

I've settled on a few VLANs to use for various things. Guest Network, IoT Network, Personal Network, Home Network, etc. Using the VLANs on their own subnets and dividing things up by security.

However, I'm looking at it now that I have all these VLANs set up to go over my LAGG connection and... do I even need my standard LAN connection anymore? I have DHCP configured for everything else, and I plan on testing a device or two here really shortly on the Home VLAN's wifi, but if that works do I actually need to bother with the dedicated "LAN" connection?

Also I know I've pulled the rules for the VLANs over from the original LAN connection, and to my knowledge this allows objects on separate VLANs to ping/talk to each other and I'll need to shut that off, which I will need a bit of direction on how to do.

But since each VLAN is now set up as an interface to the router across the LAGG, and they have rules to allow inbound traffic, I should be able to just kill the original LAN interface and configure my switch accordingly?

TLDR: What I need to know is:

1) Once my VLAN interfaces are set, can I cut off the LAN interface entirely with no issue/consequence?
2) What firewall rules do I need to set to isolate VLANs from each other? (Is there a way I can set specific VLANs to access other ones, such as my personal network to my servers?)

#5
Hey all,

Bit new to things here. For the longest time I've just used whatever Netgear I felt like grabbing off the shelf. However, lately I've run into a bit of an issue. Recently I've set up my home lab to tinker and explore the prospect of expanding my career field into networking and have a way to dink with that stuff at home. I figured a good thing to do would have myself my own router running on its rackmounted hardware. So far it seems like a general recommendation I've gotten is OPNsense.

Well, I'm pretty much pulling my hair out.

So my situation is as follows:

I got it installed on my little Dell 210 II, clean and simple, and I'm pretty much able to access it fine. However, it spat back an IP from my modem of 0.0.0.0/8 on the WAN connection.

I've tried configuring just about whatever I can think of between these two. The modem is in bridge mode, so it should be handing things over to the OPNsense box just fine, but if I let it try and autoconfigure itself with a factory reset it pulls an IP of 192.168.1.103/24.

This doesn't even make much sense to me, because if it was the OPNsense box doing this, I have it set to hand out addresses from .50 to .200, and if it was the modem giving it this then it would be starting from .2.

There were a few times, back when the modem was running as a router, I could ping the outside world, and the only reason I can post on the forum is because I'm hooked directly to the modem itself, and it has an internet connection just fine, and my Nighthawk router works just fine if I plug it in. But for whatever reason, either I'm crazy/stupid/etc but this stupid thing will not link up to the internet no matter how hard I force it.

I'm at my wits' end and have tried everything I can think of. I'm working with the device through direct connection to the hardware (good ol' keyboard and mouse with black and white text) rather than the Web GUI. Is there anything I should check, do, start over, etc. to try and get this thing on track? Or am I crazy and using the wrong OS entirely and should be on OpenWRT or something?

It's worth noting I do not need wireless from the router itself. I have a Cisco switch I will be using to connect everything up with, and for wireless I plan on getting a Ubiquiti arrangement up and running. However, I can't even get my laptop to get internet from this so far.

Anything will help.


Scratch that, it's up and running.

So turns out the case was, after getting so irritated at the issue I had to get up and walk away from it, that it seems my ISP has an indeterminate amount of time (presumably about 30 minutes) where, when new hardware changes occur, you need to let it sit and get comfy before it will latch onto anything. Discovered this after doing a bit of digging and coming back from having something to drink and cool my nerves. If you run into this issue like I did:

1) Ideally start from factory-reset equipment.

2) Connect the OPNsense box to the modem, run the setup. It should have an IP assigned to it on the same subnet as the modem.

3) Switch to bridge mode on the modem and let it do its thing.

4) Go make yourself some tea/hot chocolate/screwdriver/etc., whichever you prefer, and wait a hot minute.

5) Come back and reboot your OPNsense box and you should be all set and have your public IP now.

6) Don't constantly get irritated at the hardware and reset and try again, because doing this prevents it from snatching the IP from the DHCP.

For anyone additionally curious about the details:

I'm using WOW Cable, 200mbps service, through an Arris TG2472G modem, running into a Dell R210 II with OPNsense 22.1.2_2-amd64 baking on it.

For the time being I have it spitting out the LAN signal into my old Nighthawk router in AP mode until I can get our Ubiquiti WAPs set up. It's 6am, I'm tired.

Cheers lads.