Hey there,
As my name suggests, I'm a newbie in networking.
I have a specific problem on my network, which led me to VLANs:
I have two TP-Link M4R access points in my LAN, and they have served my home well for about 2 years now.
Recently, I've set up OPNsense and have come to the conclusion that both of my TP-Link access points are responsible for more than 10% of my entire internet traffic:
As you can tell from the uploaded image, this orange line is all the telemetry those access points share with Google, live.com, Reddit, Amazon, LinkedIn, etc.
I want to put an end to this.
I've thought about some possible solutions and came to the conclusion that I can create multiple VLANs and then restrict those specific VLANs however I like.
Here is how I imagine the interfaces in OPNsense should look in the end:
LAN (10.0.0.0) - unrestricted access only for me, the admin
VPN (10.0.1.0) - access to selfhosted service + internet (homeserver as Exit Node) through TailScale plugin, also only for me
FAMILY (10.0.2.0) - access to devices on interface IOT + internet
UNTRUSTED (10.0.3.0) - access to internet
IOT (10.0.4.0) - no access to internet, neither to any other devices on home network
As far as I understand it, because OPNsense is by default a stateful firewall, any requests from "higher" VLANs such as FAMILY to IoT devices won't be blocked by the firewall unless IoT devices "request first". So I should be able to safely put my printer, the access points, etc. in there without losing functionality, because devices in FAMILY can get replies back from my IoT devices.
Please let me know if my assumption is correct.
I'm looking forward to assigning the interfaces FAMILY, UNTRUSTED and IOT each a different wireless SSID.
So to differentiate devices connected through WLAN by their corresponding VLANs, I'd need VLAN tagging, which needs to be supported by my switch as well as my access points, am I right?
THE ISSUE - This is the point where I'm having trouble understanding how to set up my network in the way I have described and envisioned:
My family runs most of their devices through WLAN provided by the TP-Link access points.
Then there are also the devices which I'd rather have under the UNTRUSTED VLAN: two LAN-connected devices at home, and the rest will be guest devices, also connected through WLAN.
Assuming the access point delivers to the switch connections with 3 separate VLAN tags, inherited from their corresponding WLAN network (SSID), I'd still have to figure out a way to assign my access points themselves to the IOT VLAN. Is there such a possibility (maybe in their software settings)? They run through ethernet cables, so I won't be able to distinguish them by SSID like I'd do for the devices on WLAN. The two devices that are also connected through ethernet, which I want to have on UNTRUSTED, present me with a similar problem. One of them runs through its own NIC, so AFAIK it should be possible to tag a specific NIC on my switch to UNTRUSTED and that should do it (correct me if I'm wrong, please). The other device - let's call it Benny from now on for the sake of ease - is connected by ethernet through the same NIC as one of the access points (there is no way for me to put it on a different NIC).
So there you have the problem in conclusion:
There is an access point connected to the only NIC in the room. That access point has to be in IOT. Then there is Benny (the other device), which needs to run through the same NIC as that access point does, but Benny has to go to UNTRUSTED. How am I supposed to differentiate that in software? The only solution I currently see is to distinguish by Benny's MAC address - since it's unusual for ethernet-connected devices to spoof their MAC address, this should work - but it seems a bit unreliable to me. Isn't there something I'm missing?
What do you suggest?
Am I misunderstanding anything, or would you do something different from what I've imagined?
Do you have recommendations for products (access points + switch) / brand that could help me best with my needs? I really don't want to break my bank, just something reliable that does the job.
Sorry for the long text, I just thought it's important to tell the whole story so that I don't appear confusing.
Thanks in advance!
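The stateful-firewall question in the post (will FAMILY be able to reach the printer in IOT and get replies back, while IOT itself cannot open anything?) comes down to one ordering rule in pf-based firewalls such as OPNsense: a packet that matches an existing state entry passes before any interface rules are consulted, and only packets that start a new connection are checked against the rules on their ingress interface. The simulator below is an added example, not the poster's configuration and not OPNsense code; the five /24 prefixes follow the plan in the post, while the rule table, the host addresses and the traffic scenarios are constructed for illustration. It models a minimal connection-tracking table plus a default-deny rule list, then runs the exact flows the post cares about through it.

```python
import ipaddress
from dataclasses import dataclass, field

# Zone plan taken from the post. Prefix lengths (/24) are an assumption.
ZONES = {
    "LAN": ipaddress.ip_network("10.0.0.0/24"),
    "VPN": ipaddress.ip_network("10.0.1.0/24"),
    "FAMILY": ipaddress.ip_network("10.0.2.0/24"),
    "UNTRUSTED": ipaddress.ip_network("10.0.3.0/24"),
    "IOT": ipaddress.ip_network("10.0.4.0/24"),
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the home prefixes is INTERNET."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"


# Hypothetical pass rules for NEW connections, keyed by ingress zone, first match wins,
# default deny. IOT deliberately has no pass rule at all: IOT hosts may only answer
# flows that someone else opened, which is exactly the post's "unless IoT requests first".
NEW_CONNECTION_RULES = [
    ("LAN", "ANY", "allow"),
    ("VPN", "ANY", "allow"),
    ("FAMILY", "IOT", "allow"),
    ("FAMILY", "INTERNET", "allow"),
    ("UNTRUSTED", "INTERNET", "allow"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass
class StatefulFirewall:
    # Established flows stored as 5-tuples (src, dst, proto, sport, dport).
    table: set = field(default_factory=set)

    def decide(self, p: Packet) -> str:
        key = (p.src, p.dst, p.proto, p.sport, p.dport)
        reverse = (p.dst, p.src, p.proto, p.dport, p.sport)
        # Step 1: state lookup. A packet in either direction of a known flow passes
        # without consulting rules. This is why the printer's reply gets back to FAMILY
        # even though the IOT interface has no pass rule.
        if key in self.table or reverse in self.table:
            return "allow"
        # Step 2: no state, so this packet starts a new connection; apply the rules of
        # the zone it arrived from. Only an allowed new connection creates state.
        src_zone, dst_zone = zone_of(p.src), zone_of(p.dst)
        for rule_src, rule_dst, action in NEW_CONNECTION_RULES:
            if rule_src == src_zone and rule_dst in (dst_zone, "ANY"):
                if action == "allow":
                    self.table.add(key)
                return action
        return "deny"


def demo() -> dict:
    """Run the post's scenarios through the model; all hosts and ports are constructed."""
    fw = StatefulFirewall()
    laptop, printer, ap, guest, admin_pc = "10.0.2.20", "10.0.4.10", "10.0.4.2", "10.0.3.5", "10.0.0.10"
    return {
        # FAMILY opens a print job to the IOT printer: new connection, FAMILY->IOT rule.
        "family_to_printer": fw.decide(Packet(laptop, printer, "tcp", 51000, 9100)),
        # The printer answers: no IOT rule needed, the state entry carries the reply.
        "printer_reply": fw.decide(Packet(printer, laptop, "tcp", 9100, 51000)),
        # The printer tries to open its own connection into FAMILY: new, no rule, denied.
        "printer_unsolicited": fw.decide(Packet(printer, "10.0.2.21", "tcp", 40000, 445)),
        # An access point in IOT phones home: new connection to INTERNET, denied.
        "ap_telemetry": fw.decide(Packet(ap, "203.0.113.7", "tcp", 50000, 443)),
        # Guest browsing works, guest reaching the admin LAN does not.
        "guest_to_internet": fw.decide(Packet(guest, "203.0.113.9", "udp", 5353, 53)),
        "guest_to_lan": fw.decide(Packet(guest, admin_pc, "tcp", 1234, 22)),
        # Admin LAN reaches everything, including IOT management pages.
        "admin_to_ap": fw.decide(Packet(admin_pc, ap, "tcp", 4000, 443)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

Two caveats the model makes visible. First, the AP telemetry is only stopped because IOT has no pass rule to INTERNET at all; a broad "allow IOT to any" rule placed for convenience would reopen it, so the order and scope of the rules matter more than the "stateful" label. Second, the printer works from FAMILY only for connections FAMILY initiates, so discovery that relies on the device announcing itself across the subnet boundary (multicast such as mDNS) is not carried by state and needs a separate reflector or repeater if it is wanted.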