Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
Home network setup help needed
« previous
next »
Print
Pages: [
1
]
Author
Topic: Home network setup help needed (Read 1661 times)
itsme4you
Newbie
Posts: 1
Karma: 0
Home network setup help needed
«
on:
July 30, 2021, 05:43:25 pm »
Hello,
I recently bought NAS and want to add to the exsting network , currently my home newtowk is setup as follow
modem-->opnsense--> vlan10(for laptop mobile etc) , vlan20 ( IoT application like TV , google home ,firetv etc) , vlan30 (Guest )
i am using pcengine as opnsesne hardware , it has additional unused interface , i added NAS to this interface ( NAS_Interface) , and i setup firewall rules so vlan10 and vlan20 can access NAS_interface.
I am not sure if this is the correct setup.
As i am not able to access plex and other applications from vlan10.
Also the speed for transfer files is very low.
Can you suggest correct way of setup.
Regards
Logged
Vilhonator
Full Member
Posts: 245
Karma: 13
Re: Home network setup help needed
«
Reply #1 on:
August 10, 2021, 06:38:42 pm »
From what I understand, all your devices are connected to your OpnSense box.
First you need to check your Opnsenses network interface models and check if they support IEE 802.1q or VLAN tagging. Also it is best to install same models if you aren't using 1 nic with multiple ports.
Secondly, you need a managed switch (for example Cisco Catalyst or SG300 series) with serious switching transfer speeds (and it is best NOT to skimp on this, switching speed needs to be about 50% higher than total speed all your devices can have in total due to headroom required for internet connection).
For network of 10 devices with 1Gb/s connection, Ideal switch with 20 Gbps switching transfer speed, 40 if your internet speed is 1Gb/s could be ideal, pretty much any switch with more than 24 ports might be fast enough, you are going to need a switch which has few more ports than are required to connect everything.
Also your switch must be able to handle moderately larger transfer speeds than you network is capable off, or it's going to be loud / hot and you might get some throttleing.
Thirdly need to explain VLANs.
VLANs use TAGs to sign networks within networks, with 1 port you can assign up to 4098 VLANs, but the transfer speed depends on the network card speed, cable which is connected to the port and switching transfer speed of the switch or router.
Now to VLAN setup:
Configure VLANs you want to use on opnsense, each port needs to be assigned for all VLANs or you can buy 100Gb/s NIC and use just one. For extra security (mainly to make sure that VLAN clients won't gain access to your firewall) you can add extra NIC or exclude port for LAN from VLANs and use it ONLY TO ACCESS THE FIREWALL WEB GUI AND SSH.
Next go to Firewall ---> groups and create new group. Add all interfaces except WAN and loopback (and LAN if you choose to restrict VLAN from gaining access to your firewall web gui and ssh) and save them.
After that, go to Firewall ---> Rules and select the group you created.
Add new rule and select as follows:
Action = Pass
Interface = the group you created earlier
Direction = In
TCP/IP Version = IvP4
Protocol = Any
Source = Any
Destination = Any
And lastly if you want, enable logs and give it a description.
After that, click save and choose apply changes
Now if you chose to Restrict VLANs gaining firewall access, also create rule:
Action = Block
Interface = Group which you created earlier
Direction = In
TCP/IP Version = IvP4
Protocol = TCP
Source = Any
Destination = This firewall
Destination port range = HTTP
Enable logs if you want and give it a description.
Click save and this time, tick the block rule and click arrow next to Allow rule (block rule should be ABOVE your allow rules to take effect), next click "clone" option and change destination port to HTTPS and description (if you have logs enabled), save and clone last one again and switch destination port to SSH and description, save and select apply changes.
After that, your VLANs need IPs and dhcp
After that, go to interface ---> and each Setup Static IP on each VLAN. setup ip of 192.168.10.1/24 for vlan 10, 192.168.20.1/24 for VLAN 20 and 192.168.30.1/24 for VLAN 30 and 192.168.1.1/24 for LAN.
And now the tricky part
After that is done, go to system ---> Gateways ---> Single and add new gateway. Set LAN as your getway with IP 192.168.1.1/24, make sure it isn't set down and Far Gateway option is unticked, then save.
Next go to system ---> routes add new route. Destination is 192.168.0.0/16 and gateway is LAN 192.168.1.1
After that it is time to setup VLANs on your Switch:
Go to switch and select VLANs, give VLANs tags 10, 20 and 30 and assign as many ports as there are on your opnsense (except LAN if you separated your management interface from VLANs) and set them to accept ONLY TAGGED or as TRUNK ports and select which ports have access to which VLAN (for example ports 1-3 are trunk tagged ports on each vlan, port 3-5 are access UNTAGGED ports to VLAN 10, 6-8 access UNTAGGED to VLAN 20 and 9-11 access UNTAGGED to VLAN 30.
On that scenario, if 1 of the trunk ports get disconnected for some reason, you won't loose internet connection for longer than few seconds, and you can also tweak STP to minimize the connection loss period before switch reconnects to opnsense. <---- this is how you minimize point of single failures.
after all that it is time to test your network.
Connect 1 device to each untagged VLAN port on the switch (1 PC to vlan 10, 1 to VLAN 20 and 1 to vlan 30), check if they get correct IPs and open terminal / command prompt.
Type Ping 192.168.10.1 on each PC and see if it goes thru, if it does work, that means routing is correct and you can try pinging google.com or computers /devices on different VLANs.
Logged
Vilhonator
Full Member
Posts: 245
Karma: 13
Re: Home network setup help needed
«
Reply #2 on:
August 10, 2021, 06:48:39 pm »
For transfer speed side of things, you need to use QoS of the switch and Traffic shaper with ques on opnsense.
Also if Ethernet seems too sluggish, then you could see, if 1Gb SFP or 10Gb SFP+ would improve anything (there are sfp to ethernet and sfp+ to ethernet modules as well, so it doesn't matter if your switch has no 1Gb sfp or 10Gb sfp+)
Another and MUCH easier solution is to get 1 BEEFY switch, ditch VLANs and just connect them all to same network.
Overall, your issue might be that because you have everything connected on OpnSense and opnsense is doing all the routing, switching and filtering etc., your network speed gets slowed down due to firewall filtering stuff and trying to transfer more data thru the cables than they can handle in and out different VLANs
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
Home network setup help needed