Topic: 2 Subnets on One Interface? (Read 8201 times)
spetrillo
Hero Member
Posts: 721
Karma: 8
2 Subnets on One Interface?
« on: November 29, 2019, 09:16:10 pm »
I have a dedicated interface that connects my wireless APs together and provides wireless only. I would like to subnet this /24 into two /25s. The reason is to set up two wireless subnets, one for home WiFi access and one for guest WiFi access. If I can do this I can then shape the traffic on the guest wireless subnet, so it's only there for email and web browsing.
Sirius1
Newbie
Posts: 20
Karma: 1
Re: 2 Subnets on One Interface?
« Reply #1 on: November 29, 2019, 10:21:17 pm »
So 'dedicated interface' sounds like a single physical ethernet port on your OPNSense that you use for wireless. Then is that 2 separate access points: 1 for home and 1 for guest? Or does your access point support multiple SSIDs at the same time?
And 'traffic shaping' would really be firewall rules to restrict the traffic on Guest to only allow what you want, and restrict other internal access.
Either way, multiple subnets on the same interface sounds like separate VLANs over a trunk to me. So then that means that you need VLANs on the OPNSense firewall, separate Firewall rules for each segment, and a switch that supports VLANs.
Option with single interface sounds like this:
Firewall >>> 2 subnets/VLANs (trunk) >>> smartswitch >> Home AP VLAN/SSID
                                                     >> Guest AP VLAN/SSID
You could do without the VLANs if you have another physical ethernet interface from your firewall (OP is not specific) and can get a 'home run' from those interfaces to the APs. Each 'network' would be a physical interface rather than a VLAN. Still need separate Firewall rules for each.
Direct connect from Firewall to Access Points:
Firewall port 1 >>> Home WiFi >>> Home AP
Firewall port 2 >>> Guest WiFi >>> Guest AP
If you have 2 Firewall interfaces available, but need a switch between that and the APs, then also need a 'smartswitch' with VLANs on the switch, or 2 separate 'dumb' switches.
Firewall port 1 >>> Home WiFi >>> Switch 1 (or VLAN1 on smartswitch) >>> Home AP
Firewall port 2 >>> Guest WiFi >>> Switch 2 (or VLAN2 on smartswitch) >>> Guest AP
Finally, if the Access Points support multiple SSIDs, then could do any of these options, but then also need to trunk the multiple VLANs (SSIDs) from a 'smartswitch' over the single link to the access points.
You need to think about physical connections first to define what you need to plan and configure for.
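The two-segment layout discussed above, as an added example that is not part of any post in this thread: it splits 192.168.1.0/24 into two /25s and evaluates a guest rule set in first-match order. Which half is home or guest, the firewall sitting on the first guest address and answering DNS there, and the web/email port list are all assumptions made for illustration.

```python
import ipaddress

# 192.168.1.0/24 is the network named in the thread; which /25 is "home"
# and which is "guest" is an assumption made for this example.
PARENT = ipaddress.ip_network("192.168.1.0/24")
HOME_NET, GUEST_NET = PARENT.subnets(new_prefix=25)

# Assumption: the firewall holds the first address of the guest /25 and
# answers DNS there. The port list is an illustrative "web and email" set.
GUEST_GW = GUEST_NET.network_address + 1
WEB_MAIL_TCP = {80, 443, 465, 587, 993, 995}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def segment_of(addr):
    """Return which of the two /25 segments an address falls in."""
    ip = ipaddress.ip_address(addr)
    if ip in HOME_NET:
        return "home"
    if ip in GUEST_NET:
        return "guest"
    return "other"


def guest_allows(src, dst, proto, port):
    """First-match evaluation of the guest rules; unmatched traffic is blocked."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in GUEST_NET:
        raise ValueError(f"{src} is not a guest address")
    # Rule 1: DNS to the firewall's guest address only.
    if d == GUEST_GW and proto in ("tcp", "udp") and port == 53:
        return "pass"
    # Rule 2: no access to any internal network (home /25, firewall GUI, ...).
    if any(d in net for net in RFC1918):
        return "block"
    # Rule 3: web and email to the Internet.
    if proto == "tcp" and port in WEB_MAIL_TCP:
        return "pass"
    return "block"  # default deny


if __name__ == "__main__":
    print("home:", HOME_NET, "guest:", GUEST_NET, "guest gw:", GUEST_GW)
    # Constructed flows; 203.0.113.10 is a documentation address.
    for flow in [("192.168.1.130", "203.0.113.10", "tcp", 443),
                 ("192.168.1.130", "192.168.1.10", "tcp", 443),
                 ("192.168.1.130", "192.168.1.129", "udp", 53),
                 ("192.168.1.130", "203.0.113.10", "tcp", 22)]:
        print(flow, "->", guest_allows(*flow))
```

The order matters: the DNS pass has to precede the internal block, because the firewall's guest address is itself inside 192.168.0.0/16.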
spetrillo
Hero Member
Posts: 721
Karma: 8
Re: 2 Subnets on One Interface?
« Reply #2 on: November 29, 2019, 10:50:56 pm »
So I have the Netgear Orbi as my WiFi APs. They are a mesh WiFi and support multiple SSIDs, in my case Home and Home-Guest. The APs are tied together via a switch, which then uplinks to one port on my OPNsense firewall. Separate VLANs sound like the route.
So VLANs would be your choice?
spetrillo
Hero Member
Posts: 721
Karma: 8
Re: 2 Subnets on One Interface?
« Reply #3 on: November 30, 2019, 12:02:35 am »
OK I think I made good progress and got my VLANs set and subnets assigned to VLANs. One last question...could I change the static IPv4 setting to DHCP, and then just set my subnets appropriately? In my mind this would allow me to continue to use 192.168.1.0 rather than setting up a whole new subnet this. Am I on the right track?
Sirius1
Newbie
Posts: 20
Karma: 1
Re: 2 Subnets on One Interface?
« Reply #4 on: November 30, 2019, 12:37:51 am »
Mesh is a different animal I was not considering. Sorry. Again the details fill out the picture.
More than likely your Orbi is going to control (or rather restrict) what you can do then. I am not familiar at all, so anyone who has mesh WiFi, or more specifically Orbi experience, would be better at answering.
Generally, mesh is implemented for end-user ease of use. Meaning that you can't really control what it does, or how it does it. My guess is that the 'guest' is controlled one of two ways: 1) you see the IP addresses assigned to your 'guest' vs. 'home' devices are different networks, and the device controls either routing or firewalling or 2) the devices are in the same 'network' IP space, but somehow firewalled/restricted from each other within the mesh AP (e.g. Orbi) itself. Either way, you will likely have little, if any, way of trying to influence or control how it is handling those.
This would pretty much make any firewall controls very difficult, if not impossible IMO.... unless the Orbi does actually allow you to VLAN or tag traffic and create a trunk connection over the single ethernet link. There may be some subnetting tricks that might give you a degree of traffic shaping control, but I think it will really take trial-and-error, or some response from someone who has experience or has done this. Otherwise you are going to be limited with the controls Orbi provides.
spetrillo
Hero Member
Posts: 721
Karma: 8
Re: 2 Subnets on One Interface?
« Reply #5 on: May 03, 2020, 06:17:42 pm »
Agreed...the mesh network prevents me from doing what I want to do. I am considering a business capable AP solution, that gives me the freedom to craft multiple SSIDs and set VLANs based on SSID.