VLAN configuration question

Started by Benderisgreat, March 08, 2025, 05:45:18 PM

March 08, 2025, 05:45:18 PM Last Edit: March 08, 2025, 05:48:02 PM by Benderisgreat
Hey, new setup of OPNsense and I want to segregate my web-facing servers from my internal ones.

I want to put all of the internet-facing servers in a VLAN using OPNsense, allowing segregation from my internal servers.

I have Proxmox on HP proliant server configuration as below:

Internet -- Eth 0 (OPNsense WAN)
Eth 1 -- Managed switch (OPNsense LAN)
Eth 2 -- Managed switch (segregated servers)
Eth 3 -- Managed switch (internal servers)

My question is: do I add Eth 2 as an interface and then create a VLAN and use Eth 2 as the parent?

Or do I add a new VLAN and use Eth 1 as the parent?

Will this then segregate Eth 3 and Eth 2 traffic or do I need to add rules ?

Also, can I have Eth 2 on a different subnet vs Eth 3, e.g. 10.0.10.x and 192.168.1.x? This just helps me remember where I am when I am logged in to each server.

Side note - I have managed to use rules to block traffic from Eth 2 to Eth 3, but this doesn't seem efficient or safe / right to do.

Thanks for the help
BiG

Assuming Eth_X are physical NICs, you have physical isolation and don't really need VLANs.
VLANs are used to get logical isolation over a physical network.

Yeah, they are physical NICs in the server.
Does a VLAN offer anything over a NIC??

And also I suppose I just create rules in opnsense to isolate the interfaces??

Quote from: Benderisgreat on March 08, 2025, 11:09:42 PM
Does a VLAN offer anything over a NIC??

As long as you have enough NICs - no. But you can run 20 VLANs over a single NIC. Or a redundant pair of NICs. That is kind of the point.

Interfaces on routers and firewalls are few and expensive. Interfaces on switches are plenty and cheap. So you connect your firewall with 2x 10G to your switch, define 20 VLANs, and now have 20 switch ports each of which is its own "firewall interface". Or five ports in VLAN 1, two ports in VLAN 2, whatever ...

Quote from: Benderisgreat on March 08, 2025, 11:09:42 PM
And also I suppose I just create rules in opnsense to isolate the interfaces??

Yes. VLANs or not - this is always the same.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
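The "rules to isolate the interfaces" part, worked through as an added example (not code from the thread or from OPNsense): a small first-match model of per-interface inbound rules, checking that the segregated side (Eth 2, assumed 10.0.10.0/24) and the internal side (Eth 3, assumed 192.168.1.0/24) cannot open connections to each other while both keep Internet access. The interface names, subnets and rule sets are assumptions chosen to match the question.

```python
import ipaddress

# RFC 1918 ranges; "private" in a rule below matches any of them.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Rules sit on the interface where a new connection ENTERS the firewall, as in
# OPNsense, and the first matching rule wins (the default "quick" behaviour).
# Replies are covered by state, so only the initiating direction needs a rule.
# Interface names and subnets are assumptions matching the question above.
POLICY = {
    "eth2": [  # web-facing servers, assumed 10.0.10.0/24
        ("block", "10.0.10.0/24", "private"),  # nothing from the DMZ into any internal range
        ("pass",  "10.0.10.0/24", "any"),      # everything else, i.e. the Internet
    ],
    "eth3": [  # internal servers, assumed 192.168.1.0/24
        ("block", "192.168.1.0/24", "10.0.10.0/24"),  # internal hosts stay out of the DMZ
        ("pass",  "192.168.1.0/24", "any"),
    ],
}

def _matches(spec, ip):
    if spec == "any":
        return True
    if spec == "private":
        return any(ip in net for net in PRIVATE)
    return ip in ipaddress.ip_network(spec)

def decide(iface, src, dst, policy=POLICY):
    """Verdict for a new connection entering on `iface`; pf's implicit default is block."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d in policy.get(iface, []):
        if _matches(s, src) and _matches(d, dst):
            return action
    return "block"

def check_isolation(policy=POLICY):
    """Constructed sample flows for the two-segment layout from the question."""
    return {
        "dmz->internal": decide("eth2", "10.0.10.5", "192.168.1.10", policy),
        "internal->dmz": decide("eth3", "192.168.1.10", "10.0.10.5", policy),
        "dmz->internet": decide("eth2", "10.0.10.5", "203.0.113.7", policy),
        "internal->internet": decide("eth3", "192.168.1.10", "203.0.113.7", policy),
    }

if __name__ == "__main__":
    for flow, verdict in check_isolation().items():
        print(f"{flow:20s} {verdict}")
```

Putting the block rule before the pass rule on each interface is what makes the ordering matter; a single "block Eth 2 to Eth 3" rule alone only covers connections that start on the Eth 2 side.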

Great thank you. Currently only need the four interfaces on the server, so it's all cool. For now :-)