Mac based VLAN with OPNsense on a multi-NIC system (e.g. Protectli Vault)

Started by massaquah, December 13, 2022, 01:19:59 PM

Hi everybody,

Right now I am running a "firewall on a stick" setup with a cable modem connected to the WAN port of my OPNsense machine (Intel NUC) and a managed 8-port switch connected to the LAN port (Netgear GS308T).

I have a VLAN for my general wifi devices (VLAN20) that are all connected to a wifi AP (which is connected to a certain port on the switch).

Additionally, I have a separate VLAN for IoT devices (VLAN30). Since many of them are also wifi devices, I am using the "MAC based VLAN" feature of the Netgear switch to assign the VLAN30 tag to devices that would otherwise get the VLAN20 tag from the corresponding switch port.

The idea that I am currently developing is to replace the NUC and the switch with a 2-in-1 device like this Protectli Vault with 6 NICs.
https://eu.protectli.com/product/vp4630/

How would I implement the "MAC based VLAN" feature in that case? Since I wouldn't have a dedicated switch anymore, I would assume that I can control this via OPNsense, but I don't find the corresponding options in the OPNsense GUI.

It should be possible to use 802.1X features in conjunction with FreeRADIUS, but in that case all of the client devices would have to support 802.1X, which is not the same thing as the simple MAC based VLAN from my current Netgear switch (this comes without any need for RADIUS authentication).

Any insights on that challenge?

EDIT:
I found a similar post here:
https://forum.opnsense.org/index.php?topic=13931.0

But my goal is to reduce the number of network devices to a minimum.
So bottom line, I want to separate wifi devices into two VLANs by only using a "dumb" access point (Netgear Orbi) attached to the mentioned Protectli Vault.

BSD doesn't firewall on MAC addresses. What about a slightly smarter AP that understands VLAN tags and does multi-SSID?

I was thinking in the same direction.
I would have to replace my Netgear Orbi with the Orbi Pro, which is capable of creating up to 4 different SSIDs and VLAN tagging.

Assuming I have a VLAN-capable wifi AP (e.g. Netgear Orbi Pro) and I plug this device into one of the Ethernet ports of my future OPNsense box, how would I configure OPNsense VLAN-wise?

With a managed switch I could configure each port to process packets from more than one VLAN with tags.

In the OPNsense configuration I do not see any equivalent for that. I can only assign ONE tag to ONE interface.

How can OPNsense distinguish between VLAN20 and VLAN30 both coming into OPNsense on the same port?

EDIT:
Seems to be a similar problem to this one:
https://forum.opnsense.org/index.php?topic=7359.0

But instead of spanning the same VLAN across multiple NICs, I want to have multiple VLANs on the same NIC...

As far as I know, on OPNsense VLAN requires 802.1Q (IEEE 802.1Q, also called VLAN tags), which all modern managed switches and most firewalls support.

You don't need an AP with VLAN support as long as your switch and firewall support VLANs. The whole idea of VLAN tagging is to be able to just connect your computer and other devices to the right port on the switch and be connected to the desired VLAN automatically, without them having VLAN support.

VLAN stuff is mostly for servers (a NAS, for example) and network devices (except APs and cheap routers; mostly the manufacturers just don't add it to their own firmware, although the hardware of those things most likely does support it).

Quote from: massaquah on December 14, 2022, 09:46:18 AM
In the OPNsense configuration I do not see any equivalent for that. I can only assign ONE tag to ONE interface.
Wrong.

Quote from: massaquah on December 14, 2022, 09:46:18 AM
How can OPNsense distinguish between VLAN20 and VLAN30 both coming into OPNsense on the same port?
You create an interface of type VLAN with tag e.g. 20 and another one with tag e.g. 50 and assign both the same physical parent interface. As many VLANs as you like.

Perfectly possible and documented since VLANs were introduced to FreeBSD. For OPNsense refer to:
https://docs.opnsense.org/manual/other-interfaces.html#vlan

You cannot have a port-based VLAN in OPNsense, i.e. a VLAN spanning multiple untagged ports, because OPNsense is not a switch but a router. So you get a dedicated (sub-)interface for each tagged VLAN on some port, just like in e.g. traditional Cisco IOS routers.

If you really need port-based VLANs instead of using an external switch, it can be "faked" by using a bridge interface.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
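As an added illustration of the two points in the reply above (several tagged VLAN sub-interfaces on one physical parent, and a bridge standing in for a port-based VLAN), here is a small POSIX shell helper. It is example code written for this thread, not OPNsense's own code or anything from the poster; it only prints the FreeBSD ifconfig(8) commands that correspond to what the OPNsense GUI creates under Interfaces > Other Types > VLAN, so it can be reviewed before anything is applied. The parent interface name igb1, the interface names vlan20/vlan30/bridge0 and the tags are constructed sample values; OPNsense picks its own interface names.

```shell
#!/bin/sh
# Added example (not from the thread or from OPNsense): validate a VLAN plan
# and print the FreeBSD ifconfig(8) commands for it. Nothing is executed here,
# so it is safe to run anywhere; on a FreeBSD box the output could be piped
# to sh as root, but on OPNsense you would use the GUI instead.

# Return 0 if T is a valid IEEE 802.1Q VLAN ID (1..4094), 1 otherwise.
# 0 and 4095 are reserved by the standard and are rejected on purpose.
vlan_tag_ok() {
    t=$1
    case $t in
        ''|*[!0-9]*) return 1 ;;   # empty or not a plain number
    esac
    [ "$t" -ge 1 ] && [ "$t" -le 4094 ]
}

# Print the commands for PARENT with one sub-interface per TAG.
# Invalid or duplicate tags on the same parent abort with status 1: a frame
# carries exactly one tag, so two interfaces for one tag would never both work.
vlan_cmds() {
    parent=$1; shift
    seen=" "
    for tag in "$@"; do
        if ! vlan_tag_ok "$tag"; then
            echo "invalid VLAN id: $tag" >&2
            return 1
        fi
        case $seen in
            *" $tag "*) echo "duplicate VLAN id on $parent: $tag" >&2; return 1 ;;
        esac
        seen="$seen$tag "
        # FreeBSD vlan(4): clone an interface, bind it to the parent, set the tag.
        # Every VLAN on the same parent gets its own interface and, in OPNsense,
        # its own firewall rule set; the constructed name "vlan$tag" is just
        # for readability.
        echo "ifconfig vlan$tag create vlandev $parent vlan $tag"
        echo "ifconfig vlan$tag up"
    done
}

# "Faked" port-based VLAN: an if_bridge(4) with untagged members on several
# physical NICs puts those ports into one broadcast domain. The bridge then
# behaves like one more interface you assign and firewall in OPNsense.
bridge_cmds() {
    bridge=$1; shift
    echo "ifconfig $bridge create"
    for member in "$@"; do
        echo "ifconfig $bridge addm $member"
    done
    echo "ifconfig $bridge up"
}

# Sample run with the constructed values: the AP port carries VLAN 20 and 30,
# and two spare ports are bridged into one untagged segment.
vlan_cmds igb1 20 30
bridge_cmds bridge0 igb2 igb3
```

Running it prints two create/up pairs for VLAN 20 and 30 on igb1 followed by the bridge commands; feeding it a tag of 0, 4095 or a tag listed twice on the same parent exits with status 1 and a message on stderr instead of printing a broken plan.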