New uncertain OPNsense user - insanity check

Started by markusmnm, December 22, 2024, 02:27:43 AM

December 22, 2024, 02:27:43 AM Last Edit: December 24, 2024, 05:29:28 AM by markusmnm
Hi!

Like many first time posters here, I decided to set up segregated networks for all my robot vacuums and such.
This is as much a project to learn as it is scratching that paranoia itch.
I usually try to make things more difficult for myself by not following guides and trying to do things differently. This creates an elevated opportunity to learn why others do it the normal way.
I learned quite a bit. After failed attempts, the set-up is mostly complete and seems to be working fine.

This forum helped me resolve all of my setup problems without me having to ask a single question, yet.
I learned a lot from posts of people like Patrick.
Thank you!

The setup is possibly stupid, but this forum is not to blame.
After using this experience to learn about VLANs, I failed to understand why I should set them up at the opnsense/fw/router level.
I found strongly voiced opinions for either option.

I am not sure if the below description is good or bad, but always assume that I don't understand anything.
For context, I went the Linux route 25 years ago and have rarely interacted with BSD flavors. I have basic networking knowledge.
I have problems keeping posts short.

I bought a Deciso dec677 and a TP-Link ES205G (managed switch) and later found that my old Netgear GS105Ev2 switch is semi-managed and 802.1Q compatible.
I also have an 8 yr old Netgear Orbi RBR50 which was handling pppoe before the dec677 and it is now running in AP mode.
It is not 802.1Q/VLAN capable.
The dec677 WAN (pppoe, on igc0) interface is connected to a modem/FTTP NTDd/connection box.
There seems to be some pppoe single threading issue that I don't care about for today.
Additionally I set up LAN (igc3) and amber241 (igc2).
No VLANs setup on the dec677.

I typically call LAN (10.0.1.0/24) "green": it is the network of my NAS and desktop.
And amber241 (10.0.241.0/24) just "amber": this is where all the potentially dodgy devices go.

ES205G
port 1 <=> GS105E port 1 (trunk)
port 3 <=> dec677 amber241 interface
port 4 <=> Orbi (doesn't seem to matter which port, it is on the Orbi wan port)
port 5 <=> dec677 LAN interface
  VLAN1: port  1(U)                    , 5 (U)
VLAN241: port  1(T), 2 (U), 3 (U), 4 (U)
(T) tagged,  (U) untagged

Anything connected to the Orbi RBR50, wired and wireless, is amber, and all the vacuums and toasters are connected to it.

Netgear GS105E
port 1 <=> ES205G port 1 (trunk)
ports 2,3,4 <=> amber: speaker, Chromecast, work laptop
port 5 <=> green: SX105
  VLAN1: port 1(U)                    , 5 (U)
VLAN241: port 1(T), 2 (U), 3 (U), 4 (U)


DEC, modem, Orbi, ES205G are downstairs
GS105E is upstairs, with wired Chromecast and speaker (amber) and
an unmanaged switch (TP-Link TL-SX105) for speed, for the NAS and desktop (green)

dec677 FW rules are simple:
No amber-initiated connections from amber to green, apart from a rarely running scanner/printer uploading to the NAS.
Anything on green can start connections to green and amber network devices.

All amber devices can connect to any other amber device. Currently my toaster is still able to hack my vacuum robots.

More might happen in the future, i.e. a "red" network for toasters.

So far all my tests like connecting to different points and checking tcp access as well as dhcp work fine.
I haven't yet started listening to traffic from different spots to see what passes by.

Are there gaps in how I describe the network?
(This will be relevant when I start whinging about FW state in a future post.)

Is this particular setup a bad idea? Apart from the firewall rules, which will not see most traffic, can I use only the two switches to segregate green/amber traffic?


Thank you,
Markus

FWIW, you probably have an ES205G switch (05 indicates the number of ports). There is no 6-port version of the switch.

Anyway, that looks like a network with VLAN 1 native untagged and 1 extra VLAN (241).
That's essentially how I ran mine until Patrick nudged me to not mix tagged and untagged traffic...

IMO, what's unconventional is the way the router and main switch are connected.
I'm not going to make a good/bad judgement, but it won't scale. You can't even add one more VLAN...
You'd make better use of your hardware by making the link from OPN port 4 to ES205G port 5 a trunk port as well.

IOW:
* Create a VLAN 241 on OPN, parent it to the physical interface on port 4.
* Assign the interface for that 241 network to the vlan0.241 device (instead of the physical device).
* Change the config of port 5 of the switch to be 1 native untagged and allow 241 tagged.
* Remove the now useless cable from OPN port 3 to switch port 3.

You can add 2 more segregated networks on the main switch.

It's not clear where the toaster and vacuums belong...

I fixed the ES2065 naming that I C&P-ed all over the place and added toasters and fixed some sentences in my post.

I previously had something like a vlan241 and vlan111 set up on the router and that worked, too. Then I trialed many different setups and was unsure about the "why".
Scaling is a good consideration to add.

I think I need to reread tagging and about mixing tagged and untagged traffic and I'll look for the post where Patrick nudged.

This gives me a few things to follow up, which was what I was hoping for. Thank you for your response!
With more hardware, you could run a physical network per purpose.
One of the benefits of VLANs is getting the same network isolation logically so you get more cost-efficient use of your hardware.

Moving your LAN interface to a vlanX.V device should be pretty trivial, but the benefits would be pretty small.
It would make all traffic tagged between the router and first switch, and also between the VLAN aware switches.
BUT I'm not entirely sure it's possible with your hardware.
Both of your VLAN aware switches have their own IP that you use when you manage them. Unless they support the concept of a "management VLAN", they will communicate using untagged traffic... If either doesn't support such a feature, you might as well not bother with not mixing tagged & untagged...

In case you move forward, Patrick's reco is to declare a tag for the default/native network (e.g. 999) but not use it.
FWIW, I used 1 as VLAN ID for my "infrastructure" and 2 as management VLAN for my switches, completely isolated. Somehow, my TP-Link Omada switches were still randomly getting an IP in the infrastructure VLAN... VLAN ID 1 is getting special treatment. Switching to 7 addressed this issue.

I see the toaster and vacuums now. Given they are wireless, you need to have them join separate SSIDs... either physical or logical (see the trend?).
A VLAN aware AP allows you to expose multiple SSIDs and associate each to a VLAN (i.e. tagging traffic on the uplink).
The other way is to use an AP per VLAN...
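The following is an added example and not code from the thread or from OPNsense: a small 802.1Q forwarding model built from the two switch tables in the first post. It floods a broadcast from a chosen port and reports which attached device receives it, and with what tag on the wire, so the layer-2 segregation the switches provide can be checked against the written config before a packet capture is taken. It also models the two changes discussed in the replies: making the OPN-to-ES205G link a trunk (VLAN 1 untagged plus 241 tagged on ES205G port 5, port 3 unplugged) and giving the inter-switch trunk an unused native VLAN tag (999) so that VLAN 1 crosses it tagged. Assumptions (not stated on the page): an untagged member port's PVID is that VLAN, tagged frames are accepted only on ports that are tagged members of that VLAN (ingress filtering), and the device-to-port assignment follows the post; the real ES205G and GS105E behaviour was not verified here.

```python
"""Toy 802.1Q forwarding model of the two-switch layout (added example, not from the thread)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Frame:
    vid: Optional[int]  # None = untagged; int = VLAN ID carried in the 802.1Q tag


class Switch:
    """Port-based VLAN switch: each port has a PVID plus tagged/untagged VLAN memberships."""

    def __init__(self, pvid, tagged, untagged):
        self.pvid, self.tagged, self.untagged = pvid, tagged, untagged

    def classify(self, port, frame):
        """Ingress: untagged frames take the port PVID; tagged frames are accepted only
        if the port is a tagged member of that VLAN (ingress filtering, assumed)."""
        if frame.vid is None:
            return self.pvid[port]
        return frame.vid if frame.vid in self.tagged.get(port, ()) else None

    def flood(self, vid, in_port):
        """Egress: a broadcast leaves every other member port, tag kept or stripped."""
        out = {}
        for port in self.pvid:
            if port != in_port and vid in self.tagged.get(port, ()):
                out[port] = Frame(vid)
            elif port != in_port and vid in self.untagged.get(port, ()):
                out[port] = Frame(None)
        return out


# One trunk cable between the switches; every other used port has an end device (from the post).
LINKS = {("ES205G", 1): ("GS105E", 1), ("GS105E", 1): ("ES205G", 1)}
DEVICES = {("ES205G", 3): "dec677 igc2 amber241", ("ES205G", 4): "Orbi AP",
           ("ES205G", 5): "dec677 igc3 LAN", ("GS105E", 2): "speaker",
           ("GS105E", 3): "Chromecast", ("GS105E", 4): "work laptop",
           ("GS105E", 5): "SX105 (NAS/desktop)"}


def build(router_trunk=False, native=1):
    """Tables as posted. router_trunk: ES205G port 5 carries 1 untagged + 241 tagged and
    port 3 is unplugged. native != 1: trunk ports get PVID `native`, VLAN 1 rides tagged."""
    def table():
        untag = {1: {1}, 2: {241}, 3: {241}, 4: {241}, 5: {1}}
        tag = {1: {241}}
        pvid = {1: 1, 2: 241, 3: 241, 4: 241, 5: 1}   # PVID = the port's untagged VLAN (assumed)
        if native != 1:
            untag[1], tag[1], pvid[1] = set(), {1, 241}, native
        return pvid, tag, untag
    es_pvid, es_tag, es_untag = table()
    if router_trunk:
        es_tag[5] = {241}
        for d in (es_pvid, es_untag):
            del d[3]
    return {"ES205G": Switch(es_pvid, es_tag, es_untag), "GS105E": Switch(*table())}


def reach(switches, src, frame, seen=None):
    """Set of (device, vid_on_wire) that a broadcast injected at src=(switch, port) arrives at."""
    seen = set() if seen is None else seen
    name, port = src
    vid = switches[name].classify(port, frame)
    if vid is None or (name, vid) in seen:      # dropped at ingress, or already flooded here
        return set()
    seen.add((name, vid))
    hit = set()
    for out_port, out_frame in switches[name].flood(vid, port).items():
        if (name, out_port) in LINKS:
            hit |= reach(switches, LINKS[(name, out_port)], out_frame, seen)
        elif (name, out_port) in DEVICES:
            hit.add((DEVICES[(name, out_port)], out_frame.vid))
    return hit


def as_built():
    sw = build()
    green = reach(sw, ("ES205G", 5), Frame(None))   # broadcast from the dec677 LAN port
    amber = reach(sw, ("ES205G", 4), Frame(None))   # broadcast from a device behind the Orbi
    stray = reach(sw, ("GS105E", 2), Frame(1))      # VLAN-1-tagged frame from an amber access port
    return green, amber, stray


def router_trunk():
    return reach(build(router_trunk=True), ("GS105E", 3), Frame(None))  # from the Chromecast


def unused_native():
    sw = build(native=999)
    leak = reach(sw, ("GS105E", 1), Frame(None))    # untagged frame appearing on the trunk itself
    green = reach(sw, ("ES205G", 5), Frame(None))   # green still crosses the trunk, now tagged
    return leak, green


if __name__ == "__main__":
    g, a, _ = as_built()
    for label, result in (("green", g), ("amber", a), ("router trunk", router_trunk()),
                          ("native 999", unused_native()[0])):
        print(f"{label:13}: {sorted(result, key=str)}")
```

With the tables as posted, a green broadcast only reaches the SX105 side and an amber broadcast reaches the Orbi, the amber router port and the three upstairs devices, so the two switches alone do keep the segments apart at layer 2; the model also shows the trunk change delivering amber to the router's single cable as a 241-tagged frame, and the unused native VLAN turning any untagged frame on the trunk into a dead end.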