Help with networking basics : Subnets and gateways

Started by toxic, March 01, 2021, 05:51:45 PM

I'm trying to understand the consequences of getting rid of my current VLANs on my home network.
I'm not really in need of real network isolation like the VLAN offers and it's too maintenance heavy for me to manage VLAN IDs port by port, and device by device for those who support it, so I'm trying to simplify and see what I'll lose.

Let's say I put this in place:

  • OpnSense router with LAN NIC set to 10.0.0.1/16
  • Router is only connected to a L2 switch, all other devices are connected to the switch
  • Server has static IP 10.0.1.2/24
  • Client has static IP 10.0.2.3/24

My current understanding is that when the client contacts the server, 10.0.1.1 being outside its subnet, it will route the packet to its gateway; the OPNsense router will receive the packets, apply all FW rules, and if it's allowed will send the traffic along to the server.
I think that the switch will not be able to forward to the server directly without the router having seen the traffic since the client itself will have attached the MAC address of its gateway to the packet... Am I correct here?

I'm also still looking into a way to actually put my clients into a smaller subnet by DHCP as most of my clients use DHCP, even some servers do, but I could switch them to static IP. I'm still unclear how to, on the same NIC on the router, have several subnets coexisting even if only one of them has DHCP enabled. Best of the best would be to be able to specify the subnet of each device in the static DHCP entry...

Any advice on how to deal with several subnets on a single NIC is welcome ;)

Thank you in advance.

March 01, 2021, 08:02:10 PM #1 Last Edit: March 01, 2021, 08:03:49 PM by lfirewall1243
Use VLANs. What you are trying to do is more pain than VLANs.

- you'll have problems with some network protocols
- it's not secure / you could put all devices in the same network
- And I don't think the traffic will go over the OPNsense. A switch is working MAC based, not IP based, so it will look in its ARP table and will send the traffic directly to the next device (which is not your OPNsense)
(Unofficial Community) OPNsense Telegram Group: https://t.me/joinchat/0o9JuLUXRFpiNmJk

PM for paid support

Thanks for your reply, I was indeed not sure but I get that VLAN is the proper way to do this.

Nevertheless, in fact it really is not a big problem that the switch is handling it without the router seeing my internal traffic.
I'm mostly interested in doing policy routing so my servers use a VPN when using internet while clients use another one...

So I'm still quite interested in finding out how to have several subnets on the same OpnSense NIC without doing VLAN...

Thanks in advance for any help you can provide, and sorry to disappoint, I'm knowingly going back from segregated networks to home grade networking with little security, a tradeoff I need to make for simpler administration ;)

Quote from: lfirewall1243 on March 01, 2021, 08:02:10 PM
- And I don't think the traffic will go over the OPNsense. A switch is working MAC based, not IP based, so it will look in its ARP table and will send the traffic directly to the next device (which is not your OPNsense)
This is not quite correct. With two separate layer 3 networks the client will never send a packet with a destination address of the server in the layer 2 header, because it will not perform ARP, because the network is not directly attached. Instead it will do an ARP lookup of the router and send all packets there.

Now the router could send an ICMP redirect, but those are again layer 3, not layer 2, and the networks are separate, so in the end it doesn't.

But why would you even want to run two layer 3 networks on the same broadcast domain (layer 2 network aka switch)? If there is a reason for this addressing scheme, VLANs are indeed the answer, provided your switch supports them.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
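The exchange above turns on one rule: a host only ARPs for destinations inside its own prefix; anything else is sent to the gateway's MAC, and a plain switch just follows that MAC. The following script is an added example, not part of the forum thread, that models the OP's constructed topology (router 10.0.0.1/16, server 10.0.1.2/24, client 10.0.2.3/24, one flat switch) and traces which device each frame lands on. It also shows the contrast case where the client is given the wider /16 mask, so the same two hosts talk directly and the firewall never sees the flow. The topology, device names and helper functions (`next_hop`, `trace`) are assumptions made for this illustration.

```python
import ipaddress

# Constructed topology from the thread: everything on one L2 switch, no VLANs.
# device name -> (interface address in CIDR form, default gateway or None)
HOSTS = {
    "router": ("10.0.0.1/16", None),
    "server": ("10.0.1.2/24", "10.0.0.1"),
    "client": ("10.0.2.3/24", "10.0.0.1"),
}


def next_hop(src_cidr, gateway, dst_ip):
    """Return the IP address the sender resolves with ARP for dst_ip.

    If the destination lies inside the sender's own prefix it is on-link and
    the sender ARPs for it directly. Otherwise the frame is addressed to the
    gateway's MAC, which is why an off-link neighbour on the same switch still
    has to pass through the router.
    """
    iface = ipaddress.ip_interface(src_cidr)
    dst = ipaddress.ip_address(dst_ip)
    if dst in iface.network:
        return str(dst)
    if gateway is None:
        raise ValueError(f"{src_cidr}: {dst} is off-link and no gateway is set")
    return gateway


def trace(hosts, src, dst, max_hops=8):
    """Follow a packet hop by hop across the shared broadcast domain.

    The switch only looks at destination MACs, so each hop is simply the
    device that owns the IP the current sender ARPed for. Returns the ordered
    list of device names the packet visits, starting with src.
    """
    ip_to_name = {ipaddress.ip_interface(c).ip: n for n, (c, _) in hosts.items()}
    dst_ip = ipaddress.ip_address(dst)
    path = [src]
    current = src
    for _ in range(max_hops):
        cidr, gw = hosts[current]
        hop_ip = ipaddress.ip_address(next_hop(cidr, gw, str(dst_ip)))
        nxt = ip_to_name.get(hop_ip)
        if nxt is None:
            raise ValueError(f"{current}: nobody on this segment answers ARP for {hop_ip}")
        path.append(nxt)
        current = nxt
        if hop_ip == dst_ip:
            return path
    raise RuntimeError(f"no path from {src} to {dst} within {max_hops} hops")


if __name__ == "__main__":
    # /24 masks on the hosts: client -> router -> server, firewall rules apply.
    print("client/24 to server:", " -> ".join(trace(HOSTS, "client", "10.0.1.2")))
    # Same wire, but the client believes it is in 10.0.0.0/16: direct delivery,
    # the router (and its firewall) never sees the packet.
    flat = dict(HOSTS, client=("10.0.2.3/16", "10.0.0.1"))
    print("client/16 to server:", " -> ".join(trace(flat, "client", "10.0.1.2")))
```

The second trace is the practical caveat for anyone relying on this layout for filtering: the enforcement depends entirely on the mask each host is configured with, not on anything the switch does, so a single mis-set or deliberately widened mask on a host bypasses the router. That is the reason the replies point at VLANs, where the separation is enforced by the infrastructure rather than by each endpoint's own routing table.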

Quote from: toxic on March 02, 2021, 08:56:03 AM
I'm mostly interested in doing policy routing so my servers use a VPN when using internet while clients use another one...

No need for separate subnets. You can create policy based routing rules for specific source addresses / address ranges within the same subnet.

If you really want multiple subnets on one interface, just add virtual IPs.
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Thanks for your answers !
I'm kinda out of my depth with the Virtual IP thing as I don't get why there's a password in there for example... I guess I just have to try it out and see how it looks in the GUI once I've added a virtual IP.

But as it seems you can't easily understand what I'm trying to do I realize that maybe I myself am not clear what I want and I'm trying to use features for things they are not designed for...

I'll have to take a step back and think again.

Seems VLAN is the way to go but with most devices not supporting it natively I need to have the switch do these things, plus separate wireless SSIDs, and very fast the number of networks grows and the maintenance work grows with it...

In short, it all centers on applying different FW policies by "class" of devices; for me they are my networking stuff, servers, PCs, media/gaming, smart home devices and finally CCTV. That's already 6 VLANs and at least 3 of them have devices both wired and wireless, so 3 SSIDs... That's getting quite complex for me, especially since I don't mind them contacting each other most of the time...

That's why I was thinking of only one network, all configuration being common, and only a few rules that would apply to a big address range for which my DHCP would assign devices a static lease in the proper range based on their MAC. So wide open network, but devices get an IP in a specific range/subnet by their class...

But maybe that's not the solution... And maybe I need to use VLAN and floating rules for the rules in common; NAT rules can, I think, also apply to several interfaces... Will still have to find a way in OpenWrt to assign a VLAN number for each SSID...

That still looks like a lot of work and something when I feel lazy I tend to want to revert to everything directly off of my ISP router and throw my FW away... After all it's just home networking. And the next day when I'm less lazy I think about keeping these unsafe smart home things protected... I think you've given me what I need to know, now I need to find what I want to do and am willing to maintain over time ;)

Quote from: toxic on March 02, 2021, 11:06:29 PM
Seems VLAN is the way to go but with most devices not supporting it natively I need to have the switch do these things, plus separate wireless SSIDs, and very fast the number of networks grows and the maintenance work grows with it...
VLANs and separate wireless SSIDs on access points that support VLANs are the way to create multiple separate networks at the infrastructure level to separate untrusted devices that do not support VLANs, of course.
With two VLANs you create two "virtual switches" on your single real switch. Then assign ports to the different VLANs (untagged) to separate e.g. your IoT devices from your computers.

Quote from: toxic on March 02, 2021, 11:06:29 PM
In short, it all centers on applying different FW policies by "class" of devices; for me they are my networking stuff, servers, PCs, media/gaming, smart home devices and finally CCTV. That's already 6 VLANs and at least 3 of them have devices both wired and wireless, so 3 SSIDs... That's getting quite complex for me, especially since I don't mind them contacting each other most of the time...
Don't think in terms of function but in terms of trust. Put all devices you trust equally well (or not ;)) into the same VLAN. Essentially only your infrastructure needs to support VLANs: the switch, the access points, and OPNsense. These are connected by ports that carry tagged frames, so-called "trunk" ports.
All other devices are connected to an access port that carries only one VLAN untagged, or to a particular SSID that is mapped to a particular VLAN.

Think of VLANs as separate switches, separate access points, separate networks. You could build the same with 6 times the number of APs, 6 switches, and 6 ports on your OPNsense, right? VLANs are just a way to save ports and switches.

HTH,
Patrick