Messages - tchubaba

#1
General Discussion / Re: Dark Mode
September 27, 2023, 10:01:56 PM
Although this forum appears to support themes under Profile > Modify Profile > Look and Layout > Current Theme, none of the themes seem to be what we would call a "Dark Mode", with dark background and white fonts.

There are some browser extensions though that will allow you to make any website have a "Dark Mode". Dark Reader is such an extension. It's available for Chrome, Firefox, Safari and Edge.
#2

I am trying to segregate devices in my home network with 2 different VLANs: HOME and IOT. I have the following network devices:

    1 cable modem
    1 OPNsense router with WAN, LAN and OPT1 ports
    1 Netgear MS108EUP managed switch with 8 ports
    1 Netgear WAX630E VLAN capable access point

This is how the connections are laid out:

    Port WAN of OPNsense is connected to the cable modem.
    Port 1 of the switch is connected to the Netgear AP.
    Port 2 of the switch is connected to OPNsense OPT1 port.
    Port 3 of the switch is connected to OPNsense LAN port.
    Port 4 of the switch is connected to a Windows PC.
    Port 5 of the switch is connected to a wired IP camera.

(I created JPG with a diagram to help visualize the network layout. It's attached to this post)

In OPNsense, I have created the following VLANs:

    vlan02[HOME], tag 2, assigned to OPT1 port.
    vlan03[IOT], tag 3, assigned to OPT1 port.

DHCP is enabled in the LAN and both VLANs, as follows:

LAN:

    Subnet: 192.168.1.0
    Gateway: 192.168.1.1
    Range: 192.168.1.100 - 192.168.1.254

HOME:

    Subnet: 192.168.2.0
    Gateway: 192.168.2.1
    Range: 192.168.2.100 - 192.168.2.254

IOT:

    Subnet: 192.168.3.0
    Gateway: 192.168.3.1
    Range: 192.168.3.100 - 192.168.3.254

In OPNsense, I have created firewall rules to allow:

    LAN: Access to the internet and all VLANs.
    HOME: Access to the internet and IOT VLAN.
    IOT: Access to the internet only.

In the switch, I have configured VLANs and ports as follows using Advanced 802.1Q VLAN:

    VLAN ID 1 (Default): Ports 2 and 5 are excluded, all other ports are untagged.
    VLAN ID 2 (HOME): Ports 1 and 2 are tagged. All others are excluded.
    VLAN ID 3 (IOT): Ports 1 and 2 are tagged. Port 5 untagged. All others are excluded.

In the PVID table of the switch, all ports have ID 1, except for port 5, which has ID 3.

In the Access Point, I have created 3 SSIDs:

SSID1:

    Name: admin
    VLAN ID: 1

SSID2:

    Name: home
    VLAN ID: 2

SSID3:

    Name: iot
    VLAN ID: 3

To SSID2, I have a Windows laptop connected. To SSID3, I have a Wi-Fi IP camera connected.

All of this seems to work fine for the most part. All devices get assigned to their respective VLAN, with correct DHCP assignments, and they can all access the internet. Also, any inter-VLAN communication between wired and Wi-Fi devices (where firewall rules allow) works correctly. For example, I am able to connect to the IOT wired IP camera from the HOME Wi-Fi laptop, and likewise I am able to connect to the IOT Wi-Fi camera from the LAN wired PC desktop. Inter-VLAN wired-to-wired communication also works fine (again, where firewall rules allow).

The issue only arises when I attempt a connection between Wi-Fi devices in different VLANs. If I try to access the Wi-Fi IOT camera from the Wi-Fi HOME laptop, the connection cannot be established.

In an attempt to troubleshoot the issue, I connected a Linux laptop running an Nginx webserver to the Wi-Fi SSID3 (IOT VLAN). On this laptop, I ran tcpstat to show me incoming and outgoing connections. When I try to access the home page hosted on the Linux laptop from the SSID2 (HOME VLAN) Windows laptop, the page never loads. tcpstat shows the incoming connection from the Windows laptop; however, it stays stuck in SYN_RECV and never reaches ESTABLISHED. Accessing the page from the wired Windows PC works just fine.

At this point I am at a loss as to why there is this seeming inter-VLAN routing issue when both devices are Wi-Fi, while they work correctly when at least one device is wired. Any tips or insights here are highly appreciated.

PS: both AP and the switch are running the latest firmware versions from Netgear.
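An added example, not part of the post above: a small Python model of the switch's 802.1Q table (the port memberships and PVIDs listed in the post) that reports which ports a frame can reach and whether it leaves tagged. It models only basic ingress and egress membership rules on the switch, not the access point or the firewall.

```python
# Added example (not from the original post): a tiny 802.1Q forwarding
# simulator loaded with the switch table described in the post. Port numbers,
# VLAN IDs and PVIDs are the ones in the post; only ingress/egress membership
# is modelled, not MAC learning, the AP or OPNsense.
from dataclasses import dataclass

# Membership per VLAN: port -> "T" (tagged) or "U" (untagged); absent = excluded.
VLAN_MEMBERS = {
    1: {1: "U", 3: "U", 4: "U", 6: "U", 7: "U", 8: "U"},  # ports 2 and 5 excluded
    2: {1: "T", 2: "T"},                                    # HOME
    3: {1: "T", 2: "T", 5: "U"},                            # IOT
}
# PVID table from the post: every port 1, except port 5 which is 3.
PVID = {p: (3 if p == 5 else 1) for p in range(1, 9)}

@dataclass(frozen=True)
class Egress:
    port: int
    tagged: bool

def classify_ingress(in_port, tag):
    """Return the VLAN an incoming frame is placed in, or None if it is dropped.
    Untagged frames take the port's PVID; a tagged frame is accepted only on a
    port that is a tagged member of that VLAN (ingress filtering)."""
    if tag is None:
        return PVID[in_port]
    if VLAN_MEMBERS.get(tag, {}).get(in_port) == "T":
        return tag
    return None

def forward(in_port, tag=None):
    """Ports (and tag state) a frame entering in_port may be flooded to."""
    vlan = classify_ingress(in_port, tag)
    if vlan is None:
        return []
    return [Egress(p, mode == "T")
            for p, mode in sorted(VLAN_MEMBERS[vlan].items()) if p != in_port]

if __name__ == "__main__":
    # Wired camera on port 5 (untagged, PVID 3): reaches AP and OPT1, tagged 3
    print(forward(5))
    # HOME client behind the AP arrives tagged 2 on port 1: only OPT1 (port 2)
    print(forward(1, tag=2))
    # A frame tagged 3 on port 4 (PC, not a VLAN 3 member) is dropped
    print(forward(4, tag=3))
```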
#3
General Discussion / Re: Source NAT between VLANs?
September 26, 2023, 06:44:50 AM
It is indeed set to hybrid and I did enable static port. Unfortunately, that didn't help either.

It seems I have other underlying issues preventing access across VLANs. I decided to run a few tests to see if Source NAT was working at all, so I connected a laptop to the IOT VLAN, running an nginx webserver (which I am able to access locally). I then ran tcpstat to check on incoming connections to this laptop. From a PC in the MAIN VLAN, I tried to connect to the nginx server on the laptop.

tcpstat did show the incoming connection, but its IP was from the MAIN VLAN, and not the IOT gateway. Furthermore, the connection never established. It got stuck on SYN_RECV. I then disabled the Outbound NAT rule to see if the connection would establish, but even then, it never did.

It seems I have some routing problems in my network, which I'm trying to troubleshoot. At this time, I have no clue what it could be.
#4
General Discussion / Re: Source NAT between VLANs?
September 25, 2023, 11:39:35 PM
Thanks for the reply, Monviech. Unfortunately that rule did not work either. I tried with both the "Destination address" set to "any" and "192.168.2.0/24". I also tried changing the interface back to MAIN in your rule, but again, no dice. Unable to connect in any of these scenarios.
#5
General Discussion / Source NAT between VLANs?
September 25, 2023, 10:17:06 PM
Hi all. I'm in the process of segregating my home network to separate IOT devices from my main network. I have created two VLANs, one is MAIN (192.168.1.1/24) and the other one is the IOT (192.168.2.1/24) one. To the IOT subnet, I'm connecting 3 Reolink cameras I have. I have created a firewall rule to allow access from the MAIN subnet to the IOT subnet, like this:

Rule:
Action: Pass
TCP/IP Version: IPv4
Protocol: any
Source: MAIN net
Dest/Invert: unchecked
Destination: reolink_cams
Dest Port: any
Description: Allow access to Reolink cams

Alias:
Name: reolink_cams
Type: Host(s)
Content: (the cameras IP addresses, which are static)
Description: Reolink IP cams

From a Windows PC in the MAIN subnet, I am able to ping all three cameras with this setup, indicating the firewall rule works. However, I am unable to connect to them using the Reolink client via IP address on port 9000. I have created a post in the Reolink forums, and the moderator there said that, by design, Reolink cameras will only accept connections from devices in the same subnet, which is why I can't connect. He suggested that I "Source NAT" my traffic so that traffic from MAIN appears to be originating from the same subnet as devices on IOT.

From my research to this point, it appears that I should be able to accomplish this by creating a rule under "Firewall > NAT > Outbound". In there, I select Hybrid and then I create a rule. This is the rule I have created:

Rule:
Interface: MAIN
TCP/IP Version: IPv4
Protocol: any
Source address: MAIN net
Source port: any
Destination invert: unchecked
Destination address: IOT net
Destination port: any
Translation / target: Interface address

However, this does not appear to work, as I still cannot get the client app to connect to the cameras. I have tried variations of this rule where in "Destination address:" I use the "reolink_cams" alias or "IOT address", to no avail.

So I ask if this is the correct approach I should take to accomplish my goal of "Source NATing" traffic from the MAIN subnet to the IOT subnet. If yes, what am I doing wrong? If not, what should I do instead?

I appreciate any insight!
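An added example, not part of the post above or of OPNsense itself: a simplified Python model of outbound NAT matching, loaded with the post's MAIN and IOT networks and the post's rule, to show what source address the camera side would see. It assumes the pf behaviour that an outbound NAT rule applies on the interface the packet leaves through, and that "Interface address" means that egress interface's own IPv4 address; the interface names are the post's labels, not real OPNsense device names.

```python
# Added example (not from the original post): a simplified model of how a
# pf/OPNsense outbound NAT rule is matched. Addresses come from the post; the
# rule fields mirror the post's "Firewall > NAT > Outbound" entry.
# Assumption: outbound NAT is evaluated on the interface the packet *leaves*
# through, and "Interface address" is that egress interface's own address.
import ipaddress
from dataclasses import dataclass

# interface label -> (its own address, its directly attached network)
IFACES = {
    "MAIN": ("192.168.1.1", ipaddress.ip_network("192.168.1.0/24")),
    "IOT":  ("192.168.2.1", ipaddress.ip_network("192.168.2.0/24")),
}

@dataclass
class OutboundNat:
    interface: str      # interface on which the translation occurs (egress)
    source: str         # source network, e.g. "192.168.1.0/24"
    destination: str    # destination network or "any"
    translation: str    # only "Interface address" is modelled here

def egress_interface(dst):
    """Interface whose attached network contains dst (None = no route)."""
    for name, (_, net) in IFACES.items():
        if ipaddress.ip_address(dst) in net:
            return name
    return None

def apply_outbound_nat(rules, src, dst):
    """Return the source address the destination host will see."""
    egress = egress_interface(dst)
    for r in rules:
        if r.interface != egress:
            continue  # rule is bound to a different interface: no match
        if ipaddress.ip_address(src) not in ipaddress.ip_network(r.source):
            continue
        if r.destination != "any" and \
                ipaddress.ip_address(dst) not in ipaddress.ip_network(r.destination):
            continue
        if r.translation == "Interface address":
            return IFACES[egress][0]
    return src  # no rule matched: packet leaves with its original source

# The post's rule, bound to MAIN, and the same rule bound to the IOT side.
RULE_ON_MAIN = OutboundNat("MAIN", "192.168.1.0/24", "192.168.2.0/24", "Interface address")
RULE_ON_IOT = OutboundNat("IOT", "192.168.1.0/24", "192.168.2.0/24", "Interface address")

if __name__ == "__main__":
    print(apply_outbound_nat([RULE_ON_MAIN], "192.168.1.50", "192.168.2.10"))  # 192.168.1.50
    print(apply_outbound_nat([RULE_ON_IOT], "192.168.1.50", "192.168.2.10"))   # 192.168.2.1
```

With the rule bound to MAIN the camera still sees a 192.168.1.x source, which matches the tcpstat observation in the follow-up post; bound to IOT, the translated source is the IOT interface address.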