Messages - markusmnm

#1
I fixed the ES2065 naming that I C&P-ed all over the place and added toasters and fixed some sentences in my post.

I previously had something like a vlan241 and vlan111 set up on the router and that worked, too. Then I trialed many different setups and was unsure about the "why".
Scaling is a good consideration to add.

I think I need to reread tagging and about mixing tagged and untagged traffic and I'll look for the post where Patrick nudged.

This gives me a few things to follow up, which was what I was hoping for. Thank you, for your response!




#2
Hi!

Like many first time posters here, I decided to set up a segregated network for all my robot vacuums and such.
This is as much a project to learn as it is scratching that paranoia itch.
I usually try to make things more difficult for myself by not following guides and trying to do things differently. This creates an elevated opportunity to learn why others do it the normal way.
I learned quite a bit. After failed attempts, the set-up is mostly complete and seems to be working fine.

This forum helped me resolve all of my setup problems without me having to ask a single question, yet.
I learned a lot from posts of people like Patrick.
Thank you!

The setup is possibly stupid, but this forum is not to blame.
After using this experience to learn about VLANs, I failed to understand why I should set them up at the opnsense/fw/router level.
I found strongly voiced opinions for either option.

I am not sure if the below description is good or bad, but always assume that I don't understand anything.
For context, I went the Linux route 25 years ago and have rarely interacted with BSD flavors. I have basic networking knowledge.
I have problems keeping posts short.

I bought a Deciso dec677 and a TP-Link ES205G (managed switch) and later found that my old Netgear GS105Ev2 switch is semi-managed and 802.1Q compatible.
I also have an 8 yr old Netgear Orbi RBR50 which was handling pppoe before the dec677 and it is now running in AP mode.
It is not 802.1Q/VLAN capable.



The dec677 WAN (pppoe, on igc0) interface is connected to a modem/FTTP NTDd/connection box.
There seems to be some pppoe single threading issue that I don't care about for today.
Additionally I set up LAN (igc3) and amber241 (igc2).
No VLANs setup on the dec677.

I typically call LAN (10.0.1.0/24) "green": it is the network of my NAS and desktop.
And amber241 (10.0.241.0/24) just "amber": this is where all the potentially dodgy devices go.

ES205G
port 1 <=> GS105E port 1 (trunk)
port 3 <=> dec677 amber241 interface
port 4 <=> Orbi (doesn't seem to matter which port, it is on the Orbi wan port)
port 5 <=> dec677 LAN interface
  VLAN1: port 1 (U), 5 (U)
VLAN241: port 1 (T), 2 (U), 3 (U), 4 (U)
(T) tagged, (U) untagged

Anything connected to Orbi RBR50, wired and wireless, is amber and all the vacuums and toasters are connected to it.

Netgear GS105E
port 1 <=> ES205G port 1 (trunk)
port 2,3,4 <=> amber: speaker, Chromecast, work laptop
port 5 <=> green: SX105
  VLAN1: port 1 (U), 5 (U)
VLAN241: port 1 (T), 2 (U), 3 (U), 4 (U)


DEC, modem, Orbi, ES205G are downstairs
GS105E is upstairs, with wired Chromecast and speaker (amber) and
an unmanaged switch (TP-Link TL-SX105) for speed for NAS and desktop (green)

dec677 FW rules are simple:
No initiating connections from amber to green, apart from a rarely running scanner/printer to upload to the NAS.
Anything on green can start connections to green and amber network devices.

All amber devices can connect to any other amber device. Currently my toaster is still able to hack my vacuum robots.

More might happen in the future, i.e. a "red" network for toasters.

So far all my tests like connecting to different points and checking tcp access as well as dhcp work fine.
I haven't yet started listening to traffic from different spots to see what passes by.

Are there gaps in how I describe the network?
(This will be relevant when I start whinging about FW state in a future post.)

Is this particular setup a bad idea? Apart from the firewall rules, that will not see most traffic, can I only use the two switches to segregate green/amber traffic?


Thank you,
Markus
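As an added example (not part of the post or the poster's own setup), the two switch VLAN tables above fed into a small 802.1Q forwarding model, so the green/amber separation the switches are meant to provide can be checked rather than assumed. It assumes each port's PVID is the VLAN it is an untagged member of (the usual default) and that ports not listed carry nothing.

```python
from collections import deque

# Port tables transcribed from the post: {switch: {vid: {port: "T" or "U"}}}
SWITCHES = {
    "ES205G": {1: {1: "U", 5: "U"}, 241: {1: "T", 2: "U", 3: "U", 4: "U"}},
    "GS105E": {1: {1: "U", 5: "U"}, 241: {1: "T", 2: "U", 3: "U", 4: "U"}},
}
# The trunk cable between the two switches (port 1 <=> port 1)
LINKS = {("ES205G", 1): ("GS105E", 1), ("GS105E", 1): ("ES205G", 1)}

def pvid(switch, port):
    """Assumed PVID: the VLAN in which the port is an untagged member."""
    return next((v for v, m in SWITCHES[switch].items() if m.get(port) == "U"), None)

def ingress_vid(switch, port, tag):
    """VLAN a frame is classified into on ingress; None means dropped."""
    if tag is None:
        return pvid(switch, port)              # untagged frame: PVID applies
    return tag if SWITCHES[switch].get(tag, {}).get(port) == "T" else None

def reachable(switch, port):
    """Edge ports an untagged frame entering (switch, port) is flooded to."""
    seen, out, queue = set(), set(), deque([(switch, port, None)])
    while queue:
        sw, p, tag = queue.popleft()
        vid = ingress_vid(sw, p, tag)
        if vid is None or (sw, p, vid) in seen:
            continue
        seen.add((sw, p, vid))
        for ep, mode in SWITCHES[sw][vid].items():
            if ep == p:
                continue                       # never back out the ingress port
            if (sw, ep) in LINKS:              # crosses the trunk, tagged or not
                queue.append(LINKS[(sw, ep)] + (vid if mode == "T" else None,))
            else:
                out.add((sw, ep))
    return out - {(switch, port)}

def leaks():
    """Edge-port pairs in different VLANs that can still exchange frames."""
    edges = [(sw, p, v) for sw, t in SWITCHES.items() for v, m in t.items()
             for p, mode in m.items() if mode == "U" and (sw, p) not in LINKS]
    return {((sw, p), r) for sw, p, v in edges
            for r in reachable(sw, p) if pvid(*r) != v}
```

With these tables `leaks()` comes back empty and the dec677 LAN port (ES205G port 5) reaches only the SX105 uplink (GS105E port 5), while VLAN1 crosses the trunk untagged as the native VLAN, which is worth keeping in mind when tagged and untagged traffic are mixed on that link.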