How do we use a second interface for a second network?

[shaam]

Hi Community,
This is my first post, and OPNsense is new to me. I installed the OPNsense firewall on a Dell mini desktop computer. I added a dual port ethernet card. The WAN cable is connected to a built-in (re0) port, and the LAN (ig0 ) is connected to a TPC-Link managed switch where I have to connect all the devices, including the WIFI access point. Everything is working fine. Now, I am trying to create a separate network for the WIFI access point and connect it to a third available port. I went to the assignment tab, added the available interface, and named it LAN2. Then I went to the LAN2 setting, enabled it, and chose static IPv4 from the configuration type and IP address field. I added IP 10.18.0.1 (though LAN1 IP is 192.168.1.1, I am not sure that makes any difference) and saved it. Then, I enabled DHCP and set range. I also added a firewall rule to allow all traffic. Then, I connected the access point cable to the second port and restarted the access point. All devices connected to the access point won't have an internet connection. Wi-Fi is connected, and DHCP is assigned an IP, but there is no internet. I don't know what else needs to be done to make it work. Attaching screenshots. Can someone help me with this? I appreciate your help.

[Saarbremer]

Hi,

from your report it sounds ok. The IP addresses are not an issue as long as they don't overlap. However, for easier maintenance it is a good choice to stick with one IP range to work with.

As DHCP seems to work, your LAN2 is working fine itself. After enabling IPv4 traffic you should be able to access internet. You could also check to ping a LAN host from LAN2 and check if it works. That'd confirm that your setup itself is fine.

However, you may want to check the IPv4 upstream gateway setting on the interface tab for LAN2. Set it to automatic. If already set, check that Outbound NAT in firewall lists LAN2 net as one of the matching source ip ranges to be NAT'ed. Last but not least, reset the states of the firewall after making these changes.

[meyergru]

The first thing you have to decide is if you really want the second port to be on a separate network. That is not clear by itself just because you want to attach your WiFi access point to it.

That is a question of network design. Know your options:

1. Go on like you started and have two separate networks for your LAN and your WiFi. In this case, both networks can have WAN access but are otherwise completely separated (e.g. your WiFi clients cannot access machines on LAN) until you create rules to allow for certain services.

2. Use the second ethernet port as a bridge (like a lite-weight switch) to just connect your WiFi AP to your LAN. In that case, you have to create a LAN bridge and set some tuneables (consult the docucomentation on how to do this).

3. Do the perfect job and create multiple VLANs to be able to create respective WiFi SSIDs for different classes of WiFi clients (i.e. some IoT clients could be in a separated network whilst your smartphones are in/on another network/SSID bridged to the LAN). This will only be possible if your WiFi APs can handle that, like e.g. Unifi equipment does.

[shaam]

It turned out to be a DNS issue. I added DNS to LAN2, and it worked. I didn't manually add a DNS to the LAN1, so I followed the initial wizard. I compared its setting with LAN1. I was under the impression it would automatically use 10.18.0.1 as DNS since the LAN1 did. However, after adding DNS to the  DHCP4 LAN2, it started working. Thanks

The first thing you have to decide is if you really want the second port to be on a separate network. That is not clear by itself just because you want to attach your WiFi access point to it.

That is a question of network design. Know your options:

1. Go on like you started and have two separate networks for your LAN and your WiFi. In this case, both networks can have WAN access but are otherwise completely separated (e.g. your WiFi clients cannot access machines on LAN) until you create rules to allow for certain services.

2. Use the second ethernet port as a bridge (like a lite-weight switch) to just connect your WiFi AP to your LAN. In that case, you have to create a LAN bridge and set some tuneables (consult the docucomentation on how to do this).

3. Do the perfect job and create multiple VLANs to be able to create respective WiFi SSIDs for different classes of WiFi clients (i.e. some IoT clients could be in a separated network whilst your smartphones are in/on another network/SSID bridged to the LAN). This will only be possible if your WiFi APs can handle that, like e.g. Unifi equipment does.

[shaam]

Firewalls and Networking are new to me; I am still learning. Bridge and VLAN are the next level. I am starting with a simple method by separating both networks from two of the ports that the PC has. Once I am more familiar with it, then I can start working on bridge and VLAN stuff. Thank you for your suggestion.

The first thing you have to decide is if you really want the second port to be on a separate network. That is not clear by itself just because you want to attach your WiFi access point to it.

That is a question of network design. Know your options:

1. Go on like you started and have two separate networks for your LAN and your WiFi. In this case, both networks can have WAN access but are otherwise completely separated (e.g. your WiFi clients cannot access machines on LAN) until you create rules to allow for certain services.

2. Use the second ethernet port as a bridge (like a lite-weight switch) to just connect your WiFi AP to your LAN. In that case, you have to create a LAN bridge and set some tuneables (consult the docucomentation on how to do this).

3. Do the perfect job and create multiple VLANs to be able to create respective WiFi SSIDs for different classes of WiFi clients (i.e. some IoT clients could be in a separated network whilst your smartphones are in/on another network/SSID bridged to the LAN). This will only be possible if your WiFi APs can handle that, like e.g. Unifi equipment does.

[Saarbremer]

. I added DNS to LAN2, and it worked. I didn't manually add a DNS to the LAN

I will never ever help someone with "Internet doesn't work" while a proper error message would have solved that mystery in seconds. Sorry shaam for receiving all my anger regarding these questions not precicesly stating what's going on - seen too much of them here lately.