Create completely isolated networks

[AG_2023]

Hello,

First time posting here.

I have recently started using OPNSense. Installed it on a small box with 4 NICs. I am trying to create two completely isolated networks, one is my main LAN and the second one is IOT for IoT devices like Google/Alexa etc.

I have followed the directions here: https://docs.opnsense.org/manual/how-tos/guestnet.html

There are no VLANs, just a very basic setup to get started. LAN 192.168.250.0/24, IOT 192.168.1.0/24.

I did not create the Captive Portal as it is not needed. After setting things up, everything seems to be working fine except when I look in the DHCP lease table, I see that devices from LAN network acquiring DHCP address from IOT network and vice-versa. Since DHCP access is controlled by built-in firewall rules, how do I stop devices going from one network to other for DHCP?

I am not a networking expert but have basic knowledge. Used to run a different firewall but OPNSense is lot different so I am feeling bit lost. Any help will be appreciated.

Thanks

[Demusman]

You'll have to show your setup.
Assuming you have 2 physical interfaces for the LAN side, one for LAN the other IoT?
What firewall rules do you have on each? Show pics.

DHCP wouldn't traverse networks so are you sure you have them isolated at layer 2?
Are they both connected to a switch or separate switches?

[TheAutomationGuy]

Without using VLANs, you are going to need to create two physically isolated networks.  This means you'll need two sets of equipment (switches, APs, etc).  Both switches will be plugged into unique ports on the OPNsense box.  Assign the port to the appropriate interface (one of the LAN and one for IOT).  If you are using a single switch without using VLANs, then the traffic is not going to be isolated.

(I'm also a hobbyist and not a network professional so this may be an oversimplification of the situation, but using creating the two physically separate networks will work just fine).

[AG_2023]

Thanks you so much for answering so quickly. Here is the setup and picture (as attachment, I cannot figure out how to paste image in this box) :

First port is the WAN interface in firewall. It is connected to internet cable from Verizon box.

Second port is LAN interface in firewall. It is physically connected to a Dlink 28 port switch. All the wired devices are connected to the switch. The Netgear Orbi 960 mesh is also connected to switch. The Orbi 960 is configured as AP. This is 192.168.250.0/24 subnet.

Third port is IOT interface in firewall. It is physically connected to another Netgear WiFi router R8500. This router is also operating in AP mode. All the IoT devices connect to this router via WiFi. There are couple of wired devices connected to the R8500 ethernet port. This is 192.168.1.0/24 subnet.

[Demusman]

So then there's no way devices on one switch are getting IP's from the other interface.
Are you sure you're not just seeing "old" IP's they might've had before you separated them?

[AG_2023]

Thanks for confirming that FW rules and configuration is not causing it. I am pretty sure that DHCP assigned IP addresses are crossing over from LAN to IOT and vice-versa. However, let me monitor for one more day, in case these are some old leases. If I still continue to see them, then I will update this thread with more screen captures of what I am seeing in the WiFi routers attached devices section and leases in OPNSense.

Thank you so much for looking at my setup and replying back so quickly.

[AG_2023]

Hi,
I can definitely say that the IP addresses are getting assigned from the wrong DHCP server. The IOT devices are getting IP addresses from LAN and vice-versa. Not sure how to fix this. Any ideas?

Thanks...!!

[Demusman]

Are they all wireless devices?
How are the AP's configured?
Maybe they're connecting to the wrong AP.

[AG_2023]

They are connecting to the right AP, but the more I think about it, the more I am inclined to say that it might be how the DHCP protocol works.

The DHCPDISCOVER from client is sent to all DHCP servers. Whoever responds first with DHCPOFFER, wins.

Now, it can be argued that LAN interface and IOT interface will never see each other's traffic, which  is true for wired networks, but not true if both interfaces have a dedicated WiFi access point. The client sends DHCPDISCOVER over WiFi and both access points respond with DHCPOFFER and the first one wins. Wired devices will never have this problem.

One way would be to create static DHCP mappings for IOT and LAN devices in their respective DHCP servers and then check the Deny Unknown Clients box. But this makes adding new devices a painful process. I will have to do more Google searches to see if there is a better/easier way.

Please let me know your thoughts or if there is any error in my access point logic.

Thanks...!!

[AG_2023]

Embarrassed beyond limit. As I decided to tidy up the network cables, I noticed a cable connected wrongly from LAN switch to IOT access point. This was from before I started using the dedicated box for OPNsense. I thought I had removed it, but I did not. Once that cable was removed, all the IoT devices jumped back to IOT network and no more cross bleed of IP addresses. One cable caused so much headache...

So sorry to have wasted everyone's time. I need to pay more attention to setup.

[Patrick M. Hausen]

"It's a cabling issue."

"No way it's a cabling issue!"

It was a cabling issue.