OPNsense Forum » English Forums » 24.7 Production Series
Topic: [Resolved] Wifi VLAN 30 can't access the internet (Read 178 times)
mwolfe60 (Newbie, Posts: 3, Karma: 0)
[Resolved] Wifi VLAN 30 can't access the internet
Posted on: November 21, 2024, 11:23:20 pm
I'm attempting to segregate my network into VLANs for LAN WiFi, IoT, wired LAN, and phones. My setup is a mix of hardware.
AP is a TP-Link Omada EAP670.
Switch is a Cisco 2960S 48-port.
OPNsense firewall on a four-port network appliance.
Firewall LAN - LAGG01, ports 2 and 3, connected to a port channel made up of ports 47-48, trunked with native VLAN 10 on the switch and a subnet of 10.100.10.0/23.
The switch is configured for routing. I know the 2960S is not a full layer-3 switch, but it can do inter-VLAN routing.
It has the following VLANs configured:
LAN - VLAN 10 - 10.100.10.0/23
Wireless LAN SSID 1 - VLAN 20 - 10.100.20.0/23
IoT SSID 2 - VLAN 30 - 10.100.30.0/24
Servers - VLAN 50 - 10.100.6.0/25
Network - VLAN 60 - 10.100.6.128/25
The AP has two SSIDs configured:
1 - no VLAN; can access the internet (10.100.10.0/23 subnet)
2 - VLAN 30; can't access the internet (10.100.30.0/24 subnet)
I want the SSIDs to have VLANs 20 and 30 to limit the broadcast domains and to block IoT traffic from the LAN.
I have attached the switch's show run if that helps.
I'm missing something, but I need some help fixing it.
Last Edit: Today at 04:26:52 am by mwolfe60
bartjsmit (Hero Member, Posts: 2017, Karma: 194)
Re: Wifi VLAN 30 can't access the internet
Reply #1 on: November 22, 2024, 08:18:50 am
How do your two routers (Cisco and OPNsense) exchange routing tables?
dseven (Sr. Member, Posts: 306, Karma: 33)
Re: Wifi VLAN 30 can't access the internet
Reply #2 on: November 22, 2024, 09:41:40 am
If you do inter-VLAN routing on the Cisco switch, OPNsense will not be in the path, and so will not be able to filter that traffic. Is that what you want?
If you're OK with that, OPNsense will need to know how to reach those other subnets, so you'll need static routes (or some routing protocol, but that's probably overkill for this situation). You might be able to get away with a static route for 10.100.0.0/16 pointing to 10.100.10.1.
You'll also need firewall rules to allow internet access for the other subnets, as the "Default allow LAN to any rule" applies only to "LAN net" (10.100.10.0/23).
Last Edit: November 22, 2024, 10:49:59 am by dseven
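dseven's reply lists what OPNsense needs once the Cisco does the inter-VLAN routing: a route back to the remote subnets and firewall rules beyond the stock "LAN net" rule. The script below is an added example (not from the thread, OPNsense or Cisco) that checks both points against the addressing plan from the first post; the VLAN subnets, the single OPNsense-connected network and the suggested 10.100.0.0/16 route via 10.100.10.1 come from the thread, while the overlap and next-hop checks are assumptions about what a sane plan must satisfy.

```python
from ipaddress import ip_network, ip_address

# Addressing plan constructed from the first post (the attached show run is not on the page).
VLAN_SUBNETS = {
    10: "10.100.10.0/23",   # LAN, the only subnet OPNsense has an interface in (LAGG)
    20: "10.100.20.0/23",   # wireless LAN, SSID 1
    30: "10.100.30.0/24",   # IoT, SSID 2
    50: "10.100.6.0/25",    # servers
    60: "10.100.6.128/25",  # network gear
}
OPNSENSE_CONNECTED = ["10.100.10.0/23"]   # what OPNsense calls "LAN net"


def overlapping_pairs(subnets):
    """VLAN pairs whose prefixes overlap; overlapping prefixes make routing ambiguous."""
    nets = {vid: ip_network(cidr) for vid, cidr in subnets.items()}
    ids = sorted(nets)
    return [(a, b) for i, a in enumerate(ids) for b in ids[i + 1:] if nets[a].overlaps(nets[b])]


def vlans_outside_lan_net(subnets, connected):
    """VLANs whose subnet lies outside every OPNsense-connected network.
    The stock 'Default allow LAN to any' rule matches 'LAN net' only, so hosts in
    these VLANs get neither a pass rule nor a return route until both are added."""
    conn = [ip_network(c) for c in connected]
    return sorted(vid for vid, cidr in subnets.items()
                  if not any(ip_network(cidr).subnet_of(n) for n in conn))


def check_static_route(subnets, connected, summary, next_hop):
    """Check a candidate static route on OPNsense: every remote VLAN subnet must
    fall inside the summary prefix, and the next hop must sit in a directly
    connected network or the route is unusable. Returns (uncovered_vlans, next_hop_ok)."""
    summ, nh = ip_network(summary), ip_address(next_hop)
    remote = vlans_outside_lan_net(subnets, connected)
    uncovered = [vid for vid in remote if not ip_network(subnets[vid]).subnet_of(summ)]
    next_hop_ok = any(nh in ip_network(c) for c in connected)
    return uncovered, next_hop_ok


if __name__ == "__main__":
    print("overlapping prefixes:", overlapping_pairs(VLAN_SUBNETS))
    print("VLANs not covered by the LAN rule:", vlans_outside_lan_net(VLAN_SUBNETS, OPNSENSE_CONNECTED))
    # dseven's suggestion: one summary route for 10.100.0.0/16 via the switch's VLAN 10 address
    print("10.100.0.0/16 via 10.100.10.1:",
          check_static_route(VLAN_SUBNETS, OPNSENSE_CONNECTED, "10.100.0.0/16", "10.100.10.1"))
```

Every VLAN the second function returns still needs its own pass rule on OPNsense even after the route is in place, which is the point dseven makes about the default LAN rule.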
mwolfe60 (Newbie, Posts: 3, Karma: 0)
Re: Wifi VLAN 30 can't access the internet
Reply #3 on: November 22, 2024, 10:37:28 pm
So the Cisco switch only does static routes, so no routing protocol there. It may be better to move the routing to the OPNsense rather than doing static routes and firewall rules.
Would this be a better solution for this based on my hardware?
I'm very, very rusty on networking. I took some network classes in college about 20 years ago.
mwolfe60 (Newbie, Posts: 3, Karma: 0)
Re: Wifi VLAN 30 can't access the internet
Reply #4 on: Today at 04:26:16 am
I decided to remove the switch from the routing and use my OPNsense firewall to handle it all. I've got it working now.
Thanks for helping me out.
bartjsmit (Hero Member, Posts: 2017, Karma: 194)
Re: [Resolved] Wifi VLAN 30 can't access the internet
Reply #5 on: Today at 09:43:05 am
Good outcome from a security perspective as well. As dseven mentioned, having your policy enforced on only one device makes for easier management.
Hang around on this forum if you want to hone your networking skills.