Topic: New LAN Interface with Port Security? (Read 1247 times)
voyto (Newbie, Posts: 5, Karma: 0)
New LAN Interface with Port Security? (on: February 22, 2023, 02:43:54 pm)
Hi All,
I manage a LAN run from a 4-port OPNsense router and a few switches.
Port 0 = WAN (Openreach Modem)
Port 1 = LAN (Layer 2 Switch)
Port 2/3 = Unused
I have a situation where we're going to install an external EV charging point for a couple of the company vehicles. This device requires a network connection.
I'm reluctant to run a cable outside and have it plugged into the layer 2 switch because of the obvious security risks.
My question is - can I use one of the spare ports on the router and include some port-security to shut the interface down if the link is broken, for example? If so, would someone mind pointing me in the right direction on how to implement that?
meyergru (Hero Member, Posts: 1684, Karma: 165, IT Aficionado)
Re: New LAN Interface with Port Security? (Reply #1 on: February 22, 2023, 02:57:00 pm)
If you wanted to have traditional 802.1x port security, you would need more than a layer 2 switch, however then what you usually have is a separate IoT network on a VLAN.
Thus, you might as well define an IoT network on one of your previously unused OpnSense ports and separate that from your LAN via specific rules just like you would do on a VLAN. In your case, only one client would be connected to that network. You can then define rules that allow access from your LAN to your IoT network but not the other way around.
However, bear in mind that only with 802.1x could you keep strange clients completely off your network. Without it, you can only limit other clients to the same extent as your EV charging point. For example, if that needs internet access, then any other device plugged into that port could do the same.
You might define rules based on MACs, but if that is being spoofed, you are out of luck.
Last Edit: February 22, 2023, 02:59:43 pm by meyergru
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005, 1100 down / 440 up, Bufferbloat A+
voyto (Newbie, Posts: 5, Karma: 0)
Re: New LAN Interface with Port Security? (Reply #2 on: February 24, 2023, 12:22:45 pm)
Having a separate IoT network sounds perfect! Is there an idiot's guide on how to create this?
meyergru (Hero Member, Posts: 1684, Karma: 165, IT Aficionado)
Re: New LAN Interface with Port Security? (Reply #3 on: February 24, 2023, 12:52:07 pm)
There are plenty of guides, most are quite specific for the type of devices that you use, e.g. here is one for OpnSense with Unifi switches:
https://www.youtube.com/watch?v=dv13d6rfQPI
That guide uses 3 different subnets for normal users (=staff), guests and IoT devices.
The actual VLAN configuration is different with other switch brands, but as I said, you might get away without a VLAN-capable switch if you connect your only IoT device directly to a port of the OpnSense. In that case, you do not even need a real VLAN, just a separate IoT network on that port.
VLANs only come into play when you want to have multiple devices that you distribute over different ports of the same switch, effectively partitioning the physical switch into multiple logical switches.
Last Edit: February 24, 2023, 12:57:20 pm by meyergru
TheAutomationGuy (Newbie, Posts: 23, Karma: 0)
Re: New LAN Interface with Port Security? (Reply #4 on: February 24, 2023, 04:34:11 pm)
Adding an IoT VLAN using one of the unused network ports is a great solution. Just be sure to "lock down" the IoT VLAN when you are writing the firewall rules. You'll need to grant access to some firewall services (like DNS), but you will want to block as many as possible. For example, you certainly don't want someone being able to access the SSH or web GUI of the firewall while using that network connection.
Just a hobbyist trying to figure all this out.
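An added illustration, not OPNsense code and not something posted in the thread: a small first-match model of the IoT interface rule set the replies above describe (LAN may initiate to IoT but not the reverse, and the IoT port gets DNS from the firewall but nothing else on it). The subnets, the firewall's addresses and the interface names are assumed; what it shows is that rule order matters, because a "pass to any" rule placed above the block rules would let anything on the charger's port reach the LAN and the firewall's SSH and web GUI.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed addressing (not from the thread): LAN 192.168.1.0/24 on port 1,
# new IoT network 192.168.50.0/24 on spare port 2. Adjust to your own subnets.
FW_ADDRS = {ipaddress.ip_address(a) for a in ("192.168.1.1", "192.168.50.1")}  # "This Firewall"
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    iface: str                   # interface the packet enters on: "iot" or "lan"
    dst: str                     # "fw" (This Firewall), "private" (RFC1918 alias) or "any"
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None = any destination port

def rule_matches(rule, iface, dst_ip, proto, dport):
    if rule.iface != iface or rule.proto not in ("any", proto):
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    if rule.dst == "fw":
        return dst_ip in FW_ADDRS
    if rule.dst == "private":
        return any(dst_ip in net for net in PRIVATE)
    return True  # "any"

# IoT interface rules in GUI order: the first match decides, and anything that
# matches nothing falls through to OPNsense's implicit default block.
IOT_RULES = [
    Rule("pass",  "iot", "fw", "udp", 53),  # DNS resolved by the firewall itself
    Rule("block", "iot", "fw"),             # no SSH (22), web GUI (443) or other firewall services
    Rule("block", "iot", "private"),        # no reaching the LAN or any other local network
    Rule("pass",  "iot", "any"),            # only internet destinations are left by now
]
LAN_RULES = [Rule("pass", "lan", "any")]    # LAN may initiate to IoT; replies pass via state

def decide(iface, dst, proto="tcp", dport=None):
    """Verdict for a NEW connection entering `iface`; pf tracks replies statefully."""
    dst_ip = ipaddress.ip_address(dst)
    for rule in IOT_RULES + LAN_RULES:
        if rule_matches(rule, iface, dst_ip, proto, dport):
            return rule.action
    return "block"

if __name__ == "__main__":
    for probe in [("iot", "192.168.50.1", "udp", 53), ("iot", "192.168.50.1", "tcp", 22),
                  ("iot", "192.168.1.10", "tcp", 445), ("iot", "203.0.113.5", "tcp", 443),
                  ("lan", "192.168.50.20", "tcp", 80)]:
        print(probe, "->", decide(*probe))
```

Swapping the last two IoT rules around reproduces the mistake the replies warn about: the charger's port would then reach the LAN.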