How to isolate IoT devices by AP?

Started by fakebizprez, May 09, 2025, 02:58:51 AM

May 09, 2025, 02:58:51 AM Last Edit: May 09, 2025, 11:12:15 AM by fakebizprez
I'm planning to set up an IoT VLAN using OPNsense. I have two access points:

A UniFi WiFi 6 AP (for trusted devices)
A TP-Link Omada AP (which I want to dedicate to IoT devices)
Both APs are connected to a Cisco Catalyst 3850 switch, which is then connected to my OPNsense box.

What are the steps involved in OPNsense to create a VLAN such that only devices connecting to the TP-Link Omada AP are on this VLAN? I understand I'll also need to configure the Catalyst Switch and the Omada AP to handle VLAN tagging correctly.

Looking for advice on the OPNsense part (VLAN creation, interface assignment, DHCP, firewall rules) and any tips for the switch/AP configuration to make this work seamlessly.

Thank you in advance for any help given.
Founder & President of linehaul.ai - a logistics and technology services provider.

At least the Omada AP should be VLAN aware (essentially one SSID per VLAN) so you don't have to dedicate them.
In a VLAN aware configuration, you connect the AP to the switch over a trunk port accepting all VLAN IDs and associate VLAN IDs to SSIDs.
If you dedicate them, you could just use the APs as dumb APs and connect them to an access port of the switch (untagging VLAN_IOT, PVID = VLAN_IOT).

In either case, the switch needs an upstream trunk port to OPN (all tagged VLANs accepted).

In OPN, the recommendation is to parent the vlan devices to a physical device (NIC) that's not assigned.
Then you assign interfaces to the vlan devices (like they were physical), configure DHCP per interface's subnet.
Then at least a FW rule (either pass all like LAN got originally) or something like this (which gives internet access, as in any but private):
[attachment: screenshot of the example firewall rule; not available in this copy]
RFC1918_networks is an alias containing the private network ranges per that RFC. You need to include at least the ones you use.

A quick search on 'opnsense vlan' shows the opnsense doc and some guides...

If you go with the VLAN aware configuration, you might need to assign an interface to the physical device.
That's because the APs still need to be configured and by default they will use an untagged interface.
But you should be able to change that at some point. It's called management VLAN in Omada.
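The "any but private" rule from the reply above, modelled as an added example that is not from the thread or from OPNsense itself: the IoT subnet, the LAN subnet and the alias contents are assumed values. It evaluates the rule the way OPNsense does on the IoT interface (first match wins, implicit default deny) and shows what happens when the alias is missing a private range you actually use.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example values (not from the thread): the IoT VLAN subnet
# and the trusted LAN subnet behind OPNsense.
IOT_NET = ipaddress.ip_network("192.168.20.0/24")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")

# The RFC1918_networks alias from the reply, filled with all three ranges.
RFC1918_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: ipaddress.IPv4Network   # source network (the IoT VLAN)
    dst: list                    # destination alias (list of networks)
    dst_invert: bool = False     # OPNsense "Destination / Invert" checkbox

def matches(rule, src_ip, dst_ip):
    if src_ip not in rule.src:
        return False
    in_dst = any(dst_ip in net for net in rule.dst)
    return in_dst != rule.dst_invert   # invert flips the destination match

def decide(rules, src, dst):
    """First-match evaluation of the IoT interface ruleset; no match = block."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if matches(rule, src_ip, dst_ip):
            return rule.action
    return "block"

# The reply's suggestion: pass from the IoT net to anything that is NOT private.
IOT_INTERNET_ONLY = [Rule("pass", IOT_NET, RFC1918_NETWORKS, dst_invert=True)]

# The caveat in the reply: an alias missing a range you use leaves it reachable.
INCOMPLETE_ALIAS = [ipaddress.ip_network("192.168.0.0/16")]
IOT_INCOMPLETE = [Rule("pass", IOT_NET, INCOMPLETE_ALIAS, dst_invert=True)]

def iot_decisions(rules=IOT_INTERNET_ONLY):
    """Decisions for a few constructed flows entering the IoT interface."""
    return {
        "iot_to_internet": decide(rules, "192.168.20.10", "1.1.1.1"),
        "iot_to_lan": decide(rules, "192.168.20.10", "192.168.1.5"),
        "iot_to_10net": decide(rules, "192.168.20.10", "10.0.0.5"),
    }
```

Note that with only this rule, IoT clients also cannot reach the firewall's own private interface address, so anything they need from OPNsense itself (for example DNS) requires its own pass rule placed above it.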