Messages - Fkhan6601

#1
Quote from: OPNenthu on February 25, 2025, 07:06:30 PM
I don't know if it's any different with recent Asus routers, but at least on my old RT-N66U I required 3rd party firmware in order to do this WLAN & VLAN ID association. Asus did not provide VLAN configuration options in the stock AsusWRT firmware for that generation of routers. If they do now then that is a positive development, but in case not then you'll have to investigate which (if any) 3rd party firmware options you have for the AXE-16000.

Note that Asus have taken active measures in recent years to prevent users from being able to modify their device firmware.  Also, flashing carries a risk of bricking the device.

The basic steps I followed:

1. Set a static DHCP reservation by MAC address for the Asus in OPNsense (either Kea or ISC, doesn't matter).  This is so that you can access the Asus on an IP address of your choosing after you flash it, otherwise it will try to take 192.168.1.1 and may cause conflicts.

2. Flash FreshTomato (not available for AXE-16000).  You will need to connect a PC/laptop directly to the Asus via one of its LAN ports to do this or you will be disconnected mid-process.  Do not go over your network/switch when flashing.

3. Set up a trunk port on the switch for the new access point.  It at least needs the default/native VLAN (usually VID 1) to be untagged.  You can add additional VLANs (tagged) up to however many bridges your Asus has internally.  This is usually tied to the number of LAN ports.  4 ports == 4 VLANs, including the native untagged one.

4. Connect the Asus to the trunk port and boot it.  Bring up the management UI on whatever address you configured e.g. http://192.168.1.2

5. Go through your firmware's settings.  You'll want to:

- Enable Access Point mode, which will disable routing, NAT, etc.  This may also disable the WAN port on some models.  You won't be using it anymore.
- Disable the built-in DHCP server on the Asus, in case the AP mode setting didn't do that.  OPNsense will handle this.
- Disable any IGMP proxy, STP, etc.  Your switch will handle these.
- Set the Gateway, NTP, and DNS IPs to the OPNsense IP.  These are not given out to clients, they are for your AP itself.
- Configure bridge interface br0 with VLAN ID 1, or whatever your untagged VLAN ID is.  Mark this as 'default'.  Assign this bridge an IP address on the VLAN.
- Configure bridge interface br1 with another VLAN ID if you need it.  Mark this one as 'tagged'.  Repeat for however many VLANs/bridges you want to set up.
- Configure a wireless SSID for each of the bridges/VLANs you added.

In the end it looks something like this:

[Two screenshots were attached to the original post; they are not viewable here.]

You don't need to assign any SSID to the Management VLAN if you don't want to (just leave it off) and you can optionally break out some of your SSIDs into separate 2.4 and 5 GHz bands as I've done for my IoT network.  I have some legacy devices which only support 2.4 GHz.

Hope this is helpful as a rough guide, though there may be errors in my setup.  I won't be offended if the networking gurus here point out any flaws.

Based on the options I have on Merlin firmware, I don't think VLAN tagging is possible for AP mode and it is only offered in router mode. There is a way to use scripts to do exactly what you are saying, but I'd rather avoid scripts because that could introduce more security issues. I'm not sure which open source firmware supports my routers, but I really like the range and speed they offer. I can get 500 Mbps everywhere in the house with 6E for better reliability in my congested area. Thanks for your detailed response. I'll see if the 3 major 3rd party firmwares support my router. They were pretty expensive, so I don't want to retire them.
#2
Quote from: Patrick M. Hausen on February 25, 2025, 08:56:16 AM
Quote from: Fkhan6601 on February 25, 2025, 08:30:29 AM
it would isolate them at the AP and then send them to the LAN port where OPNsense can tag them.

The AP needs to tag them. VLANs need to cover all your layer 2 infrastructure. Think of them as separate interfaces on the OPNsense side and separate switches/APs in the rest of the network. They are virtual LANs.

You cannot tag frames based on IP address. Two different layers.

HTH,
Patrick

Thanks for the explanation. I'm going to see if this is possible with the current Merlin 3rd party firmware I use. I know it's possible with scripts run on the router, but it would be nice to not use them as I disable those scripts for security purposes.
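The point made in the two posts above (OPNenthu's trunk-port step, where the native VLAN rides untagged and every other bridge is a tagged VLAN, and Patrick's reminder that tagging is a layer-2 job the AP itself has to do) can be made concrete in a few lines. The following is an added example, not code from either poster or from any router firmware: it builds an Ethernet frame, tags it the way a VLAN-aware AP does on its uplink based on the SSID the client joined, and shows how the switch port at the other end classifies it. The SSID names, VLAN IDs, MAC addresses and the IPv4 header are constructed for the demo.

```python
"""802.1Q tagging as a VLAN-aware access point and a trunk port do it.

An SSID-to-VLAN mapping is applied at layer 2: the AP inserts a 4-byte
802.1Q tag (TPID 0x8100 followed by PCP/DEI/VID) right after the source
MAC of each frame it forwards onto its Ethernet uplink.  Frames for the
native VLAN stay untagged.  The IP header is opaque payload here: nothing
in the tag is derived from, or depends on, the client's IP address.
"""
import struct
from typing import Dict, Optional, Tuple

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac(text: str) -> bytes:
    """'aa:bb:cc:dd:ee:01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame (FCS omitted)."""
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag between the address fields and the EtherType."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)   # DEI bit left clear
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame: bytes) -> Tuple[Optional[int], int, bytes]:
    """Return (vid or None if untagged, inner EtherType, payload)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        inner_type = struct.unpack("!H", frame[16:18])[0]
        return tci & 0x0FFF, inner_type, frame[18:]
    return None, ethertype, frame[14:]


def ap_uplink_egress(ssid: str, frame: bytes,
                     ssid_to_vid: Dict[str, int], native_vid: int) -> bytes:
    """What the AP does on its trunk uplink: tag by SSID, native VLAN untagged."""
    vid = ssid_to_vid[ssid]
    return frame if vid == native_vid else tag_frame(frame, vid)


def trunk_ingress_vlan(frame: bytes, native_vid: int) -> int:
    """How the switch port at the far end classifies an arriving frame."""
    vid, _, _ = parse_frame(frame)
    return native_vid if vid is None else vid


# --- constructed sample data (assumptions for the demo, not from the thread) ---
SSID_TO_VID = {"Home": 1, "IoT-2.4GHz": 20, "Guest": 30}
NATIVE_VID = 1
# Minimal IPv4/UDP header, 192.168.1.50 -> 192.168.1.10; checksum left at
# zero because nothing here validates it.
SAMPLE_IP = struct.pack("!BBHHHBBH4s4s",
                        0x45, 0, 28, 1, 0, 64, 17, 0,
                        bytes([192, 168, 1, 50]), bytes([192, 168, 1, 10])) + b"\x00" * 8


def demo() -> Dict[str, Tuple[int, int]]:
    """For each SSID: (VLAN the switch assigns, bytes the AP added to the frame)."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "aa:bb:cc:dd:ee:01", ETHERTYPE_IPV4, SAMPLE_IP)
    result = {}
    for ssid in SSID_TO_VID:
        on_wire = ap_uplink_egress(ssid, frame, SSID_TO_VID, NATIVE_VID)
        result[ssid] = (trunk_ingress_vlan(on_wire, NATIVE_VID), len(on_wire) - len(frame))
    return result


if __name__ == "__main__":
    for ssid, (vid, added) in demo().items():
        print(f"{ssid:12} -> VLAN {vid:<4} ({added} tag bytes added)")
```

The IPv4 header comes back byte-for-byte unchanged from parse_frame(): the VLAN ID lives in the four bytes between the source MAC and the EtherType, which is why a device's IP address or a DHCP reservation in OPNsense can never place it in a VLAN. An untagged frame arriving on a trunk is assigned the port's native VLAN, so if the AP is not tagging, every SSID lands in VLAN 1 no matter which subnet the client ends up in.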
#3
Quote from: EricPerl on February 24, 2025, 08:48:39 PM
So OPN - Asus-RT-16000 - devices?

If the Asus is in router mode, all OPN is going to see is NATted traffic originating from the Asus. No individual device, no VLAN.
Nothing comes up directly from this model number. I'm not spending time guessing.

The router also supports 6 guest Wi-Fi networks that can be isolated. If I set them up and have devices defined as static routes in each VLAN subnet, like I do now, it would isolate them at the AP and then send them to the LAN port where OPNsense can tag them. Since I know OPNsense can assign the VLAN tag and set the IP based on MAC filtering, that should work, correct?
#4
Quote from: EricPerl on February 24, 2025, 08:48:39 PM
So OPN - Asus-RT-16000 - devices?

If the Asus is in router mode, all OPN is going to see is NATted traffic originating from the Asus. No individual device, no VLAN.
Nothing comes up directly from this model number. I'm not spending time guessing.
https://rog.asus.com/networking/rog-rapture-gt-axe16000-model/

I was naming it off the top of my head since most Asus routers are called RT-*. The ROG routers are called GT-*.

I looked this up on the Asus router dedicated forums and it does support VLANs, VLAN trunking, etc. The caveat is that Asus routers in AP mode turn off all NAT, firewall, etc., and rely on the WAN connection. I am pretty sure it passes the VLAN tag, but it does not add the VLAN tag. I have computers on a VLAN currently and they have the correct IP, so it seems to work. It is also possible to use Linux network tools, like ip, in a script since it is basically running Linux. Technically, the support can be created with persistent scripts that are supported (different router model, but same open source firmware base called Merlin):
https://www.snbforums.com/threads/rt-ac68u-guest-wifi-via-vlan-in-ap-mode.72244/

The above is not used by me, but if that is needed, I can script it. To me, it seemed to be working without it, but I guess it is not isolated at the AP.
#5
Quote from: EricPerl on February 23, 2025, 08:33:19 PM
It's not clear that you have appropriate HW to make this work.
Is your AP VLAN aware? This typically manifests itself by exposing one SSID per VLAN (the tagging happens in the AP on the basis of the SSID used, all traffic on the Ethernet port of the AP is tagged accordingly).


https://rog.asus.com/networking/rog-rapture-gt-axe16000-model/

It is VLAN aware, but only in router mode. In AP mode, Asus routers turn off NAT, firewall, DHCP, etc.

I am currently using a VLAN for my work laptops with the same setup and it does appear in the correct VLAN with the correct IP for the device. It does not create a new VLAN-based SSID, though. It uses the same SSID, but traffic is routed to the VLAN and is in the same subnet as my work VLAN. The rules for Zenarmor also don't apply since that VLAN is excluded.
#6
I also wanted to add information. I have my work laptops on a VLAN and they are assigned the correct IP in OPNsense. I have most devices running on LAN, but my work Mac and Windows laptops both use the VLAN instead.
#7
I wanted to add that I have 2 managed switches that I use for VLAN trunking to support two networks going through existing Cat5e run through the house, and a second Asus RT-11000 that I use as an extender/mesh.

I don't think my routers support open source router firmware due to incompatible chips. I do like and need the Wi-Fi 6E.
#8
I have an Asus RT-16000 that supports VLANs and trunking, but I think it is only in router mode and not AP mode. I think I know the answer, but is it somehow possible to use it in router mode and still have devices appear in OPNsense? I'm pretty sure in router mode it will not work that way, but I'm willing to try RADIUS, though I have IoT devices that might be an issue. I'm not sure if OPNsense supports MAC-based bypass for RADIUS or some other way to support IoT devices that might not have RADIUS support.

On the OPNsense hardware, I have plenty of headroom with 27 GB of RAM, 7 cores/14 hyperthreads and a 500 GB drive.
#9
General Discussion / Re: OPNsense on Proxmox
February 23, 2025, 09:29:48 AM
I have a similar setup. Here is what I would suggest:

Use two physical LAN interfaces for OPNsense and another for Proxmox. Using the same interface, without firewall rules on Proxmox, will allow users on LAN to access your VM admin page.

If you don't have physical Ethernet ports, you can use 2 dongles. Connect the first dongle and install Proxmox. Set the first dongle as the Proxmox interface with a unique address on a CIDR you don't plan on using (like 192.168.200.200 on 192.168.200.1/24). Once you go through the setup for Proxmox, power off the computer, connect the second dongle and power back on. Now set up OPNsense as a VM and assign only the second dongle to OPNsense. Use Proxmox to connect to the VM and go through the OPNsense setup for the second dongle. If you can't see the new interface in OPNsense, you have a compatibility issue and will need to change the interface type in Proxmox. The third dongle/interface will connect to WAN. Once you configure OPNsense, you can connect a laptop to the second adapter and navigate to the UI by using the IP address you set in OPNsense (Windows requires you to set the Ethernet subnet). You should be good to go.

I don't know how many physical interfaces you have, so I am assuming you only have 1 Ethernet interface.

You can use a single dongle, but that would require firewall setup on Proxmox. Good luck.
#10
Hi, all.

I am switching over to Kea DHCP from ISC DHCPv4. I have a router set up as an access point connected to the LAN interface. I have all devices connected to the AP.

Currently, I am using just the LAN interface with static addresses for all devices defined in the LAN section of ISC DHCPv4. I am looking to segregate the network to have fine control over devices, e.g. local devices do not connect to the WAN, or only certain ports are accessible on my server from specific VLANs, but I seem to have an issue.

I set my access point in a VLAN, but I think this may have been the issue since the AP is currently in LAN and everything works with ISC. When I switch to Kea, the AP, through DHCP on OPNsense, is not able to provide an IP to Wi-Fi devices. I had placed the APs and the switches in a VLAN that has a rule to allow out to any. This did not seem to work.

Since OPNsense is deployed as a Proxmox VM, if I mess it up to the point where I can't reach the UI or SSH port, I have to connect via a separate LAN to access Proxmox and go through the console, with SSH turned on, or restore from a VM backup. Both are tedious.

Can someone please advise on how they would set up the following:
OPNsense Kea DHCP
AP on LAN
All devices connect to LAN
All devices connected to the AP have a static address in a VLAN via the specified subnet/static IP in Kea DHCP

I don't need firewall rules for the specific devices, just for the DHCP request to make it from device to AP to OPNsense. I have the rest covered.

Note: not interested in not using the AP. I just want to connect to the AP and use VLANs for all devices. I can't do a bunch of trial and error since it takes a long time.

Thanks in advance.
#11
There is no entry in Interfaces: Diagnostics: ARP Table for the IP address.

I just removed every trace of it, reset the camera, and gave it the same static IP. Issue resolved.

Thanks for looking.
#12
Hi all,

I have a device that has been connected for over a year and it recently started doing this a couple of days ago.

I have a camera that is connected to OPNsense. OPNsense is the DHCP server, DNS server, and firewall, but I have two routers connected as APs for a strong Wi-Fi signal. I also have all my devices on static addresses (for over a year or two) on ISC IPv4 with a limited pool of IPs for adding new devices. The app firewall also denies new devices until trusted.

When I add a new device, I uncheck deny unknown hosts and start setup. Then I trust the device and add it to the static config. Recently, I did that and my camera on Wi-Fi went onto a DHCP pool address for some reason. I have tried to restart OPNsense, select ignore client UIDs, restarted the camera several times, changed the DHCP pool and updated the max lease time to 2 hours.

It won't go back to the static address it was using. The hostname has not changed either. I have tried to save the device on the DHCP address as the same static address in the lease section, but that also changed nothing.

If I turn on deny unknown clients again, the camera will go offline. If I turn it off, it connects with a DHCP pool address even if I change the CIDR. What is going on here? Should I be reinstalling OPNsense? I don't see anything unusual related to this in any logs.

Anyone have any clues?
#13
Hi, all.

I am trying to block a set of devices from reaching any address except a particular lan address and port. Here is my setup:

I have OPNsense connected to my ONT. On the LAN port, I have a wireless router and other wireless mesh devices. I am using the router as a wireless AP and using the OPNsense DHCPv4 server.

On my firewall, I have aliased devices I want to prevent from reaching the Internet with a rule in floating rules:

Rule 1
Dir: out
Interface: lan
Source: myAlias
Dest: my specific LAN address and port on LAN, CIDR /32
Allow

Rule 2
Dir: out
Interface: lan
Source: myAlias
Dest: any
Block

Apply all rules

I would think this should be enough, but those devices can both ping, traceroute via OPNsense, and browse the internet. I have tried to restart pf and restart the firewall service. The traffic seems to go through an auto-generated rule for "let out anything from firewall host itself". I can use DNS to block address translation, but that defeats the purpose of a firewall.

I have looked at firewall sessions to find the rule that is allowing traffic out. I can't disable this rule with the UI, and it seems if this is really a default rule, it is a bad rule or something is not right with my setup. I have a bunch of IoT devices and many other Android devices from China that I don't want to reach the internet at all. They are only allowed to connect to an internal server UI or specific port, like RTSP, and I want to block all outgoing and incoming traffic. All the devices have static IPv4 addresses and are included in the alias. This was a similar setup to pfSense, where rules worked, but it seems OPNsense is just not blocking anything at all via the firewall.

I'll be happy to provide more info without external IPs or other info that would compromise security.

I am a technical user in a related field with experience in BSD, Linux, and lots of related stuff. I know it is possible to remove the auto rules, but this whole thing seems wrong, so I'm questioning my own setup. I'm coming from pfSense and wanted to use OPNsense for Sensei, Suricata, etc. What is wrong here?
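What this oldest post describes is pf's direction semantics rather than a broken default rule. Direction in OPNsense is relative to the firewall: a packet from a LAN client to the Internet is "in" on LAN and "out" on WAN, so a floating rule with direction out on the LAN interface only matches traffic leaving the firewall towards LAN hosts and never sees Internet-bound traffic. The outbound hop on WAN is then matched by the built-in "let out anything from firewall host itself" rule, which is exactly what showed up in the session table. The following is an added example, not code from the poster or from OPNsense: a toy first-match filter that evaluates the rules as posted, and the same rules with direction in, against a constructed LAN. The alias members, the RTSP server address 192.168.1.10, port 554 and the 192.168.1.0/24 LAN are assumptions.

```python
"""Toy first-match packet filter mirroring how pf (the OPNsense firewall)
applies 'direction' to a forwarded packet.

pf sees a forwarded packet twice: 'in' on the interface it arrives on and
'out' on the interface it leaves through.  In each phase the first matching
rule wins (OPNsense 'quick' semantics); if no rule matches, the built-in
default deny applies.  Only the traffic that actually crosses the firewall
is modelled: flows between two hosts on the same segment never reach it.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple, Union

Match = Union[str, FrozenSet[str]]   # "any", a CIDR, or a set of hosts (an alias)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "pass" or "block"
    direction: str                # "in" or "out", relative to the firewall
    iface: str                    # "lan", "wan" or "any"
    src: Match
    dst: Match
    dport: Optional[int] = None   # None matches every destination port


@dataclass(frozen=True)
class Packet:
    iface_in: str
    iface_out: str
    src: str
    dst: str
    dport: int


def _addr_match(spec: Match, addr: str) -> bool:
    if isinstance(spec, frozenset):
        return addr in spec
    return spec == "any" or ip_address(addr) in ip_network(spec)


def _matches(r: Rule, p: Packet, direction: str, iface: str) -> bool:
    return (r.direction == direction
            and r.iface in ("any", iface)
            and _addr_match(r.src, p.src)
            and _addr_match(r.dst, p.dst)
            and (r.dport is None or r.dport == p.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (verdict, name of the rule that decided it)."""
    decided_by = "default deny"
    for direction, iface in (("in", pkt.iface_in), ("out", pkt.iface_out)):
        hit = next((r for r in rules if _matches(r, pkt, direction, iface)), None)
        if hit is None:
            return "block", "default deny"
        if hit.action == "block":
            return "block", hit.name
        decided_by = hit.name          # passed this phase; the other phase must agree too
    return "pass", decided_by


# --- constructed sample topology (assumptions, not from the thread) ---------
LAN_NET = "192.168.1.0/24"
IOT_ALIAS = frozenset({"192.168.1.50", "192.168.1.51"})   # the poster's "myAlias"
NVR = "192.168.1.10/32"                                    # internal RTSP server
RTSP = 554

# Rules OPNsense supplies itself: the default LAN allow rule and the
# 'let out anything from firewall host itself' rule seen in the session
# table.  User floating rules are consulted before them.
BUILTIN = [
    Rule("Default allow LAN to any", "pass", "in", "lan", LAN_NET, "any"),
    Rule("let out anything from firewall host itself", "pass", "out", "any", "any", "any"),
]

# The rules as posted: direction 'out' on the LAN interface.
AS_POSTED = [
    Rule("Rule 1", "pass", "out", "lan", IOT_ALIAS, NVR, RTSP),
    Rule("Rule 2", "block", "out", "lan", IOT_ALIAS, "any"),
] + BUILTIN

# The same intent, expressed in the direction the traffic actually has on LAN.
CORRECTED = [
    Rule("Rule 1", "pass", "in", "lan", IOT_ALIAS, NVR, RTSP),
    Rule("Rule 2", "block", "in", "lan", IOT_ALIAS, "any"),
] + BUILTIN

INTERNET = Packet("lan", "wan", "192.168.1.50", "8.8.8.8", 443)   # IoT camera -> Internet
TO_NVR = Packet("lan", "lan", "192.168.1.50", "192.168.1.10", RTSP)  # camera -> RTSP server

if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        for pkt in (INTERNET, TO_NVR):
            verdict, rule = evaluate(rules, pkt)
            print(f"{label:10} {pkt.src} -> {pkt.dst}:{pkt.dport}: {verdict} ({rule})")
```

One caveat the model makes visible: a LAN-to-LAN flow such as camera to server on the same subnet is forwarded by the switch and never reaches OPNsense at all, so no firewall rule, correctly directed or not, can restrict it. Enforcing that boundary is what the VLAN discussion in the later posts is about.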