Topic: OPNSense with APs, Wireless Bridge, VLANs (Read 166 times)
bpence
Newbie
Posts: 6
Karma: 0
OPNSense with APs, Wireless Bridge, VLANs
on: November 30, 2024, 11:10:03 pm
Hello,
I am having a heck of a time understanding how to (and how not to) configure my OPNSense router the way I need to.
I have a 6-port OPNSense router (currently 0-4 bridged to LAN, 5 is WAN). I had a Google Nest mesh setup that I just removed and installed 2 Zyxel NWA-130BE Wifi7 access points so that I can use multi-SSID/VLAN tagging to isolate my Chinese devices, main computers, TVs, printers, cameras, etc... from my server LAN and basically lock down my network how I want it.
It's my understanding that I can't use a bridge interface on the router if I want VLAN tagging. I have attached a diagram of what I'm trying to get to, but I can't for the life of me figure out how to get there in OPNSense.
I guess my question (may be more, but I'm not sure what else to ask) is:
How do I configure my LAN interface(s) to be able to have the router do DHCP (static and/or dynamic) for all the VLANs (1.0/24, 2.0/24, etc..) while allowing me to use firewall rules on the router to control what traffic can pass between VLANs?
I need to be able to run Home Assistant from my Proxmox server, but all my IoT devices (light bulbs, switches, etc...) are going to be on the wireless APs on VLAN 2.
Any help is greatly appreciated. I have a good and stable setup right now, but it's not how I need it to be.
Thanks, in advance!
Brian
Patrick M. Hausen
Hero Member
Posts: 6901
Karma: 579
Re: OPNSense with APs, Wireless Bridge, VLANs
Reply #1 on: November 30, 2024, 11:17:22 pm
Let's start with this:
If you have more than one VLAN aware access point mapping SSIDs to VLANs and you want all the VLANs to be each a single interface from OPNsense's point of view, what you need to do is this:
- create the VLANs on the physical interfaces for each access point - they need different names but of course identical VLAN tags
- create for each VLAN a bridge interface that contains all the VLAN interfaces of all the physical ports with a particular VLAN ID - one bridge per VLAN
- assign the logical interfaces of OPNsense (Interfaces > Assignments), e.g. LAN, IoT, Guest, ... to these bridge interfaces
Then you can use DHCP, firewall rules, whatever ... per VLAN.
Make sure, if you decide to use bridges, to set the two mandatory tunables according to the OPNsense documentation.
Alternatively on OPNsense create a single or LACP trunk port to a managed switch, use the switch to connect all the access points.
Hope that gives you the general picture, the details will require more work.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
bpence
Newbie
Posts: 6
Karma: 0
Re: OPNSense with APs, Wireless Bridge, VLANs
Reply #2 on: November 30, 2024, 11:37:21 pm
Patrick,
Thanks for the quick reply.
I'm testing this out to begin with the IoT VLAN. I created 3 VLANs, one each with opt2, opt3, and opt5 (respectively) as the parents, with the same VLAN tag of 2. Is that correct (see attachment)?
I assume I need to remove all physical devices from the current bridge, which is assigned to LAN? All 5 non-WAN interfaces are currently members of bridge0, which is the LAN bridge.
If that is correct, then I would create a bridge interface that includes those 3 physical interfaces?
I am still confused a bit on the after-config, but one step at a time here.
Thanks for the help!
Patrick M. Hausen
Hero Member
Posts: 6901
Karma: 579
Re: OPNSense with APs, Wireless Bridge, VLANs
Reply #3 on: November 30, 2024, 11:44:12 pm
If you create a bridge with a physical interface as member, that physical interface cannot carry VLANs anymore. You need one bridge per VLAN.
E.g.
vlan0001 - tag 1, parent ix0
vlan0101 - tag 1, parent ix1
vlan0201 - tag 1, parent ix2
...
vlan0002 - tag 2, parent ix0
vlan0102 - tag 2, parent ix1
vlan0202 - tag 2, parent ix2
...
bridge1 - members vlan0001, vlan0101, vlan0201
bridge2 - members vlan0002, vlan0102, vlan0202
One bridge per VLAN. Emulating a real switch with PVST - per VLAN spanning tree.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
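The layout Patrick describes in replies #1 and #3, written out as a small planner so the constraints are explicit. This is an added illustration, not code from the thread or from OPNsense: the port names ix0..ix3 and the choice of ix3 as the spare management port are assumptions, the tags 1 and 2 reuse the thread's example, and the tunable names and values are the ones the OPNsense bridge documentation lists for System > Settings > Tunables. The ifconfig lines are the FreeBSD equivalents of what the GUI creates under Interfaces > Other Types > VLAN / Bridge; they are emitted for reference only and are not persistent, so on a real box the GUI (which writes config.xml) is still the place to do it. The checker flags the layout from reply #2 (physical ports left in the old LAN bridge while also carrying VLANs), a bridge that mixes tags, a tag bridged twice, and any use of the management port that reply #5 says to keep separate.

```python
"""
Plan a "one bridge per VLAN" layout for OPNsense (FreeBSD) and check it for
the mistakes discussed in this thread.  Nothing here touches a live system;
it only builds and validates a plan and prints the equivalent ifconfig lines.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Values from the OPNsense bridge documentation (System > Settings > Tunables);
# the thread refers to them as "the two mandatory tunables".
BRIDGE_TUNABLES = {
    "net.link.bridge.pfil_member": 0,  # do not filter on the member interfaces
    "net.link.bridge.pfil_bridge": 1,  # filter on the bridge interface instead
}


@dataclass
class Plan:
    ports: list[str]                     # physical ports carrying tagged trunks (one per AP)
    vlans: dict[int, str]                # tag -> logical interface name (LAN, IoT, ...)
    mgmt_port: str | None = None         # dedicated untagged port for the GUI (reply #5)
    vlan_ifs: dict[str, tuple[int, str]] = field(default_factory=dict)  # name -> (tag, parent)
    bridges: dict[str, list[str]] = field(default_factory=dict)         # bridge -> members


def vlan_ifname(port_index: int, tag: int) -> str:
    """Naming scheme from reply #3: vlan<port><tag>, e.g. vlan0102 = tag 2 on port 1."""
    return f"vlan{port_index:02d}{tag:02d}"


def build_plan(ports, vlans, mgmt_port=None) -> Plan:
    """One VLAN interface per (port, tag), and one bridge per tag holding all of them."""
    plan = Plan(list(ports), dict(vlans), mgmt_port)
    for tag in plan.vlans:
        members = []
        for i, port in enumerate(plan.ports):
            name = vlan_ifname(i, tag)
            plan.vlan_ifs[name] = (tag, port)
            members.append(name)
        plan.bridges[f"bridge{tag}"] = members
    return plan


def check_plan(plan: Plan) -> list[str]:
    """Return a list of problems; an empty list means the layout is sound."""
    problems = []
    parents = {parent for _, parent in plan.vlan_ifs.values()}
    seen_in: dict[str, str] = {}    # interface -> bridge it already belongs to
    tag_bridge: dict[int, str] = {}  # tag -> bridge that carries it

    for br, members in plan.bridges.items():
        tags = set()
        for m in members:
            if m in seen_in:  # if_bridge allows an interface in only one bridge
                problems.append(f"{m} is a member of both {seen_in[m]} and {br}")
            seen_in[m] = br
            if m in plan.vlan_ifs:
                tags.add(plan.vlan_ifs[m][0])
            elif m in parents:  # the reply #2 situation
                problems.append(f"{br} contains physical port {m}, which is also a VLAN parent; "
                                "per reply #3 a port carries either the untagged bridge or VLANs")
            elif m == plan.mgmt_port:
                problems.append(f"management port {m} must stay out of every bridge")
        if len(tags) > 1:
            problems.append(f"{br} mixes tags {sorted(tags)}; use one bridge per VLAN")
        for t in tags:
            if t in tag_bridge:
                problems.append(f"tag {t} is bridged in both {tag_bridge[t]} and {br}")
            tag_bridge[t] = br

    if plan.mgmt_port is not None and plan.mgmt_port in parents:
        problems.append(f"management port {plan.mgmt_port} should not be a VLAN parent")
    return problems


def ifconfig_commands(plan: Plan) -> list[str]:
    """FreeBSD equivalents of what the GUI creates (for reference; not persistent on OPNsense)."""
    cmds = [f"sysctl {k}={v}" for k, v in BRIDGE_TUNABLES.items()]
    for name, (tag, parent) in plan.vlan_ifs.items():
        cmds.append(f"ifconfig {name} create vlan {tag} vlandev {parent}")
    for br, members in plan.bridges.items():
        cmds.append(f"ifconfig {br} create " + " ".join(f"addm {m}" for m in members) + " up")
    return cmds


if __name__ == "__main__":
    # Constructed example: three AP-facing ports, LAN on tag 1, IoT on tag 2, ix3 kept for management.
    good = build_plan(["ix0", "ix1", "ix2"], {1: "LAN", 2: "IoT"}, mgmt_port="ix3")
    print("\n".join(ifconfig_commands(good)))
    print("problems:", check_plan(good))

    # Reply #2's layout: the physical ports still in the old LAN bridge while also carrying VLANs.
    bad = build_plan(["ix0", "ix1", "ix2"], {2: "IoT"})
    bad.bridges["bridge0"] = ["ix0", "ix1", "ix2"]
    for p in check_plan(bad):
        print("problem:", p)
```

Run it once before touching the GUI: if check_plan reports anything, fix the plan first, then create the VLANs, then the bridges, then do the Interfaces > Assignments step, working from the dedicated management port so a mistake on the bridged side does not lock you out.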
bpence
Newbie
Posts: 6
Karma: 0
Re: OPNSense with APs, Wireless Bridge, VLANs
Reply #4 on: November 30, 2024, 11:49:02 pm
Patrick,
Ok thanks!
My first hiccup is that when I go to create the VLAN bridge interface, it only shows the LAN and WAN interfaces, not the VLANs I created. Is that because I still have the physical interfaces bridged?
I'm a bit worried about losing access to the GUI when I un-bridge those interfaces. Is there a "proper" way to un-bridge them without having to go put a monitor and keyboard on the router?
- Brian
Patrick M. Hausen
Hero Member
Posts: 6901
Karma: 579
Re: OPNSense with APs, Wireless Bridge, VLANs
Reply #5 on: November 30, 2024, 11:52:00 pm
I'd use a single dedicated physical interface for management while messing with "everything VLANs" etc., if your device has got a port to spare.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
bpence
Newbie
Posts: 6
Karma: 0
Re: OPNSense with APs, Wireless Bridge, VLANs
Reply #6 on: Today at 01:17:25 am
I broke everything hard when I undid the interface bridge. I was setting it up from the command line and got back into the web interface. I created the VLAN bridges and interfaces and assigned them IP addresses. I created a pass rule in the firewall for just any-any. Still can't get into the web interface. Do I need to remove LAN and only have the 3 VLANs and the WAN? Or do I make every VLAN a member of LAN?
EricPerl
Full Member
Posts: 104
Karma: 3
Re: OPNSense with APs, Wireless Bridge, VLANs
Reply #7 on: Today at 02:53:14 am
Patrick's recommendation was to dedicate one physical port for management.
You could assign the existing LAN interface to it (or create a new one; you'll need at least one FW rule to open up HTTPS).
If you've created all the bridges already, assigned interfaces that are properly configured with DHCP and would rather not undo some of that, you now have to access the GUI via a VLAN interface, coming into OPN via tagged traffic.
You could get one of your APs to do that. Plug a machine into its Ethernet port with a compatible IP (given how the AP is configured).
Create an SSID for a VLAN of your choice, connect the AP back to OPN. A machine connected to that SSID should get IP from OPN (within the subnet of the VLAN) and be able to access the GUI at the IP address of the gateway of the VLAN (the static IP specified for the VLAN interface).
This said, I'm not sure how you are going to manage your APs afterwards if they don't allow you to specify a management VLAN...
bpence
Newbie
Posts: 6
Karma: 0
Re: OPNSense with APs, Wireless Bridge, VLANs
Reply #8 on: Today at 02:55:59 am
Patrick,
I cannot get this to work. Sorry for being short as I'm doing this on my phone now. I attached what the console says for assignments. I want to keep my LAN addresses as 192.168.1.0/24, otherwise I'll have to reconfigure everything. The router cannot ping anything and nothing can get to the web interface unless it's on a physical interface, not a VLAN bridge. Any help would be appreciated as my entire network is currently down.
Thanks,
Brian
bpence
Newbie
Posts: 6
Karma: 0
Re: OPNSense with APs, Wireless Bridge, VLANs
Reply #9 on: Today at 03:05:24 am
EricPerl,
I guess my last reply would be for you too. Right now I have the box plugged directly into my Arista switch so I can use the monitor and keyboard. Nothing I seem to do except setting the LAN to igc0 (physical interface) seems to work.