Guest Network on VLAN or OPT1?

[jeremiah]

Hello,

I want to set up a guest AP using a separate piece of hardware than my LAN AP. My switch and AP are VLAN capable but I want to use one of the two open ports on my NIC since I figure I use them instead of leaving them to gather dust.

Is it possible to set up a new interface on OPT1, one where the traffic is sequestered to that network with zero interaction with the LAN? I want to block access to the webGUI, and to the other functions available on my LAN. With that set up, would I still be able to use unbound to resolve DNS queries on that network?

I did try to find what I was looking for in the documentation but wasn't able to find anything, and I saw these two threads: https://forum.opnsense.org/index.php?topic=1769.msg6736#msg6736, https://forum.opnsense.org/index.php?topic=450.msg1587#msg1587. They are both very old so I figured I'd ask on here to see if there have been any changes to the way that OPNsense functions now vs. back then.

Thanks!!

[gpb]

Generally speaking, VLAN is the better choice for a small network.  What's the advantage to building a second physical network when you have equivalent isolation on a VLAN?  Remember, each VLAN gets its own DHCP server, etc.  Firewall rules can allow interaction...as needed.  Use both APs for both VLANs and achieve better utilization...assuming the APs support VLAN.  Unless you have some peculiar special requirements...assuming this is a home network.

[Maurice]

From a layer 3+ perspective, it doesn't matter whether you use two physical ports or one with VLANs. If you have spare ports and the OPNsense box is close to your switch, using two cables isn't a bad idea. Higher throughput, no VLAN configuration in OPNsense required. If you have limited experience with VLANs this would also make testing and troubleshooting easier.

Whether you use separate APs or not isn't relevant for the OPNsense configuration. And no matter what, you will always have to configure VLANs on the switch.

Cheers

Maurice