Network/VLAN/Firewall Questions and Setup

Started by panseit, March 01, 2024, 12:28:44 AM

March 01, 2024, 12:28:44 AM Last Edit: March 01, 2024, 12:49:06 AM by panseit
Greetings everyone,

I want to apologize for the lengthy (first) post, but I have been trying for two weeks now to configure this network with no success. I am new to homelab and networking (I only know the basics of how networks work). I have read many guides and watched many videos, but still nothing :/

The topology I want to implement is this:
https://i.ibb.co/Jt1Hqh0/Topology.png
Hardware
1. Protectli VP2420 as my router
2. Grandstream HT801 as my ATA device (VoIP)
3. Omada SG2008 (main switch - PoE)
4. TL-SGP05PE (dedicated PoE switch for my SOONTM Hyper-Converged Ceph Proxmox Cluster)
5. Ubiquiti U6-Pro Access Point
6. Omada OC200 Controller (I will replace my U6-Pro for a WiFi 7 TP-link one down the line)

My ISP provides data and VoIP through VLAN 835 and doesn't provide me with the prefix delegation size for IPv6 (I spoke to 4 people and none of them knew the answer).

I have these WAN settings:
https://i.ibb.co/ygMkXJ3/WAN.png

Issues
Tbh nothing works. My desktop doesn't have access to the Internet, I cannot access the other VLAN devices through their static IPs, and many more :(

Guides tried:
* https://homenetworkguy.com/how-to/set-up-a-fully-functioning-home-network-using-opnsense
* https://forum.opnsense.org/index.php?topic=21207
* https://homenetworkguy.com/how-to/firewall-rules-cheat-sheet/

Questions

  • I followed this guide https://forum.opnsense.org/index.php?topic=21207 and I don't understand why the WAN interface gets disabled and why the interface assignments are the way they are. Can someone elaborate? Should I follow it? Currently my assignments are:
    https://i.ibb.co/fHF7cVY/Assignments.png

  • I saw in some guides that I should make rules to allow the port 53 for all the VLANs from VLAN's net to VLAN address. I added values to the Unbound DNS over TLS settings. Should I open the port 853 too?

  • Should I put any firewall rules to the WAN interface?

  • I tried to set up Aliases in order to make my life easier with the firewall rules for my desktop. I know it's not ideal, but I want the desktop to be on the user VLAN and only that device, with that specific IP, to be able to access all the other VLANs. Is that possible?

  • Should my Proxmox Cluster have the traffic routed through a VLAN and should every node have a dedicated port on the switch? Is the wire setup correct?

  • I find it really confusing to setup my switch.
    For example, if I want to accept only traffic for VLAN 30 (VOIP) on port 3, are the settings below correct? I find it hard, tbh, with tagged and untagged traffic between LAGG, LAN and the system VLAN.

    System VLAN
    https://i.ibb.co/4VyqMsN/SV-1.png
    https://i.ibb.co/mNKTzqn/SV-2.png

    VOIP VLAN
    https://i.ibb.co/WP3nTn7/SV-3.png
    https://i.ibb.co/kQMNpSG/V30-1.png
    https://i.ibb.co/q7WnNFk/V30-2.png

  • In the switch settings I saw these options:
    https://i.ibb.co/TwjSNk2/VOICE-1.png
    https://i.ibb.co/dcbWTMj/VOICE-2.png
    Should I enable them? Should LAGG be enabled for that too?

I really cannot thank you enough even for reading this far. Tbh the most important part to sort out, I think, is the firewall rules. Apart from my knowledge of networks :D

I'm not familiar with pppoe so I can't speak to that part, but what I always recommend to people starting out is to keep it simple.  Just get default OPNsense working with WAN and LAN only.  Don't worry about all of the extra functionality or network options.

Once you have a basic setup working to replace your consumer router, then you can slowly expand and experiment with things one piece at a time.  If something breaks, you can easily restore the old config, even if you need to completely reinstall.

March 01, 2024, 12:46:30 AM #2 Last Edit: March 01, 2024, 12:50:36 AM by panseit
Quote from: CJ on March 01, 2024, 12:33:34 AM
I'm not familiar with pppoe so I can't speak to that part, but what I always recommend to people starting out is to keep it simple.  Just get default OPNsense working with WAN and LAN only.  Don't worry about all of the extra functionality or network options.

Once you have a basic setup working to replace your consumer router, then you can slowly expand and experiment with things one piece at a time.  If something breaks, you can easily restore the old config, even if you need to completely reinstall.

I tried and got it working (only LAN and WAN) when I was tagging the router ports and not using a switch. Also my firewall rules were allow all :P When I tried to bring the switch into the game and incorporate some VLANs, hell broke loose.

Quote from: panseit on March 01, 2024, 12:46:30 AM
I tried and got it working (only LAN and WAN) when I was tagging the router ports and not using a switch. Also my firewall rules were allow all :P When I tried to bring the switch into the game and incorporate some VLANs, hell broke loose.

If your firewall rules are allow all, I would say you didn't have it working.  It sounds like you're still trying to do too much at once.

Also, you should be able to use the switch without VLANs to start and then add them slowly as you verify things are working.

Quote from: CJ on March 01, 2024, 12:43:32 PM
Quote from: panseit on March 01, 2024, 12:46:30 AM
I tried and got it working (only LAN and WAN) when I was tagging the router ports and not using a switch. Also my firewall rules were allow all :P When I tried to bring the switch into the game and incorporate some VLANs, hell broke loose.

If your firewall rules are allow all, I would say you didn't have it working.  It sounds like you're still trying to do too much at once.

Also, you should be able to use the switch without VLANs to start and then add them slowly as you verify things are working.

Yeah that's my approach atm. Do you know regarding my DNS question?


Quote from: cookiemonster on March 01, 2024, 03:15:44 PM
what's your DNS question?

2. I saw in some guides that I should make rules to allow the port 53 for all the VLANs from VLAN's net to VLAN address. I added values to the Unbound DNS over TLS settings. Should I open the port 853 too?

Answer is: it depends.
Like CJ wrote, your initial post is super convoluted. It's now unclear to me what is being set up and therefore what rules might be needed. I thought you were going to be without VLANs to begin with.
If going with VLANs, then the default allow rule will allow the queries from clients to get to Unbound listening on all interfaces. Have you tested it? You don't need to add firewall rules if you enable DoT on Unbound.

I like HNG, but I feel like his guide to setting up OPNsense causes people more problems than it solves.  I suspect he realized this as well since he created a simpler one.  https://homenetworkguy.com/how-to/beginners-guide-to-set-up-home-network-using-opnsense/

This is why I recommend that people do things in stages, via small discrete steps.  This allows them to get familiar with things before moving on to the next piece to learn.

Quote from: CJ on March 01, 2024, 05:06:49 PM
I like HNG, but I feel like his guide to setting up OPNsense causes people more problems than it solves.  I suspect he realized this as well since he created a simpler one.  https://homenetworkguy.com/how-to/beginners-guide-to-set-up-home-network-using-opnsense/

This is why I recommend that people do things in stages, via small discrete steps.  This allows them to get familiar with things before moving on to the next piece to learn.

Now that I read my post again, it's super confusing. I spray unrelated questions left and right. I should have posted only my topology image and not gone into other not-so-related things. Tbh the whole post could be boiled down to two questions:
1. Seeing this guide (https://forum.opnsense.org/index.php?topic=21207) I see that he has assigned WAN completely different than mine (assigned it to physical and vlan). Is my assignment correct or wrong?
2. Firewall rule to allow one PC that belongs to VLAN 20 and has static IP (192.168.20.20) to be able to manage LAN devices (switches, router) and the Grandstream that belongs to VLAN 30.

Thank you, and sorry to anyone who attempted to read my spaghetti.

Quote from: cookiemonster on March 01, 2024, 04:53:48 PM
Answer is: it depends.
Like CJ wrote, your initial post is super convoluted. It's now unclear to me what is being set up and therefore what rules might be needed. I thought you were going to be without VLANs to begin with.
If going with VLANs, then the default allow rule will allow the queries from clients to get to Unbound listening on all interfaces. Have you tested it? You don't need to add firewall rules if you enable DoT on Unbound.

I wanted to quote you but I quoted "cookiemonster"

Quote from: panseit on March 01, 2024, 07:22:48 PM
1. Seeing this guide (https://forum.opnsense.org/index.php?topic=21207) I see that he has assigned WAN completely different than mine (assigned it to physical and vlan). Is my assignment correct or wrong?
2. Firewall rule to allow one PC that belongs to VLAN 20 and has static IP (192.168.20.20) to be able to manage LAN devices (switches, router) and the Grandstream that belongs to VLAN 30.
1. That link is for an ISP that provides different services on different VLAN tags. If yours requires only one tag for all, you're good if you get services the way you have set it up.
2. You need a firewall rule on interface VLAN20, direction IN, destination Any.
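To make the rule logic above concrete (the "interface VLAN20, direction IN" rule for the single management PC, plus the port 53 question from the first post), here is an added example that is not code from this thread or from OPNsense: a small first-match model of how rules are evaluated on the interface where traffic enters the firewall. The interface names, the 192.168.1.0/24 management LAN and the .1 gateway addresses are assumptions for illustration.

```python
# Added example (not from the forum thread): a tiny first-match model of how
# OPNsense evaluates rules on the interface where traffic ENTERS the firewall.
# Interface names, subnets and ports below are assumptions for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Rule:
    iface: str          # interface the packet arrives on (direction "in")
    action: str         # "pass" or "block"
    src: str            # a CIDR, a single host, or "any"
    dst: str            # a CIDR, a single host, "any" or "!rfc1918" (= Internet only)
    dports: tuple = ()  # empty tuple = any destination port

def _match_net(spec, addr):
    if spec == "any":
        return True
    if spec == "!rfc1918":
        return not any(addr in n for n in RFC1918)
    return addr in ip_network(spec, strict=False)

def evaluate(rules, iface, src, dst, dport):
    """Return the action of the first rule on `iface` that matches; implicit block otherwise."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if r.iface != iface:
            continue
        if _match_net(r.src, s) and _match_net(r.dst, d) and (not r.dports or dport in r.dports):
            return r.action
    return "block"  # OPNsense default deny when nothing matches

# Constructed ruleset modelled on the thread: VLAN20 = users, VLAN30 = VoIP,
# 192.168.1.0/24 = management LAN (assumed). Rule order matters: first match wins.
RULES = [
    # The one management PC (static 192.168.20.20) may reach everything (the rule suggested above).
    Rule("vlan20", "pass", "192.168.20.20/32", "any"),
    # Everyone on VLAN20 may use the firewall's own resolver on the VLAN address (port 53).
    Rule("vlan20", "pass", "192.168.20.0/24", "192.168.20.1/32", (53,)),
    # Everyone on VLAN20 may reach the Internet but no other private network.
    Rule("vlan20", "pass", "192.168.20.0/24", "!rfc1918"),
    # VoIP VLAN: resolver + Internet only; it cannot initiate connections into VLAN20.
    Rule("vlan30", "pass", "192.168.30.0/24", "192.168.30.1/32", (53,)),
    Rule("vlan30", "pass", "192.168.30.0/24", "!rfc1918"),
]

if __name__ == "__main__":
    print(evaluate(RULES, "vlan20", "192.168.20.20", "192.168.30.10", 80))  # pass
    print(evaluate(RULES, "vlan20", "192.168.20.50", "192.168.30.10", 80))  # block
```

Note that the allow rule for the management PC lives on the VLAN20 interface only, so replies from VLAN 30 come back through the state table, but a VoIP-VLAN host gets no rule of its own to start a connection into VLAN 20.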

Quote from: cookiemonster on March 01, 2024, 11:51:42 PM
Quote from: panseit on March 01, 2024, 07:22:48 PM
1. Seeing this guide (https://forum.opnsense.org/index.php?topic=21207) I see that he has assigned WAN completely different than mine (assigned it to physical and vlan). Is my assignment correct or wrong?
2. Firewall rule to allow one PC that belongs to VLAN 20 and has static IP (192.168.20.20) to be able to manage LAN devices (switches, router) and the Grandstream that belongs to VLAN 30.
1. That link is for an ISP that provides different services on different VLAN tags. If yours requires only one tag for all, you're good if you get services the way you have set it up.
2. You need a firewall rule on interface VLAN20, direction IN, destination Any.

Will try that rule, thank you! I will reset OPNsense and start over bit by bit, because right now I still cannot access the Internet, even after following the guide you posted and removing any VLANs etc. I'm just connected to a port on the switch.