I would like to define at least two subnets on my OPNsense LAN interface.

Started by le_top, February 07, 2022, 04:43:21 PM

I would like to define at least two subnets on my OPNsense LAN interface.

This is not for security reasons, but because some devices need to be on a predefined subnet.
I want to communicate from one subnet to the other.

I thought that I could configure the firewall to listen on multiple IPs, set it up as the gateway on all IPs and a DHCP server for each one of them.
The DHCP server is not really a requirement.  One would be configured to accept only certain MAC Addresses, and the other one may be set up to deny them.

I can define a Virtual IP on the firewall and ping it.

My switch is not VLAN capable.

Is it possible to add some kind of virtual interface operating on the physical LAN interface?



I've already looked around on the forum:

Closest topic - but I do not have another Laptop to configure to ensure the forwarding:
https://forum.opnsense.org/index.php?topic=18381.0
Suggests the Virtual IP, but that's not the complete solution, and no solution was provided in the end:
https://forum.opnsense.org/index.php?topic=17655.0
Other topic, but more about VMs, and no OPNSense solution:
https://forum.opnsense.org/index.php?topic=5429.0
Regarding access points:
https://forum.opnsense.org/index.php?topic=15168.0
Pretty close: two neighbours that want a subnet:
https://forum.opnsense.org/index.php?topic=14224.0



Without vlans you can define two subnets using a virtual IP for the second subnet, but you cannot run two DHCP servers.
Your client devices will broadcast/DHCPDISCOVER across the single vlan and receive replies from both DHCP servers (quickest to reply wins). I see your idea of specifically setting up some reservations on one DHCP, and denying them on the other, but I don't think Opnsense DHCP would be able to deny or place two DHCP on the same interface. You may need to use separate non-Opnsense DHCP servers for that functionality.

If some devices need to be on the predefined subnet, is there a reason that the other devices cannot also use the same predefined subnet?




I must be missing something.

I've tried several approaches without success.

I defined a bridge, and I can ping the bridge using the IP I want to use as the gateway IP on the other subnet.
I've added a firewall rule on the bridge to let everything pass.

I'd be surprised this can't be done in OPNSENSE.

Hi, what part is not working?

If you want two subnets on your single LAN interface using the same vlan (no vlans), then you need a virtual IP to act as the second gateway. Set it as an IP address within a network, i.e. with a subnet mask other than /32. e.g. 192.168.5.1/24 would mean the VIP was the gateway 192.168.5.1 on network 192.168.5.0/24.
Drop the idea of two DHCP on the same vlan.
You will still need firewall rules to pass/route traffic via the VIP, i.e. your second subnet.
Something like
Interface:LAN, Source PrivateNetworks, Destination PrivateNetworks, port any, PASS
That should allow traffic in both directions between your two subnets.
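An added sanity check for the plan described in this answer (example code written for this page, not an OPNsense tool or anything posted in the thread). It assumes IPv4 addressing and that the PrivateNetworks alias covers the RFC 1918 ranges; it flags the /32 mistake, an overlap with the existing LAN network, and a subnet the PrivateNetworks-to-PrivateNetworks rule would not cover:

```python
# Added example: check a "second subnet via Virtual IP on one LAN segment" plan.
# Assumptions (not from the thread): IPv4 only, and PrivateNetworks == RFC 1918.
import ipaddress
from typing import List

# Constructed to mirror the RFC 1918 ranges; adjust if your alias differs.
PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def check_second_subnet(lan_cidr: str, vip_cidr: str) -> List[str]:
    """Return the problems found with the plan; an empty list means it looks sound.

    lan_cidr: the LAN interface address with its prefix, e.g. "192.168.1.1/24".
    vip_cidr: the proposed Virtual IP with its prefix, e.g. "192.168.5.1/24".
    """
    problems: List[str] = []
    lan = ipaddress.ip_interface(lan_cidr)
    vip = ipaddress.ip_interface(vip_cidr)

    # A /32 VIP is a lone host address; it defines no network to be a gateway for.
    if vip.network.prefixlen == 32:
        problems.append(
            "VIP is a /32 host address; it cannot act as a gateway for a second subnet"
        )

    # Two networks on one segment must not overlap, or routing becomes ambiguous.
    if vip.network.overlaps(lan.network):
        problems.append(f"VIP network {vip.network} overlaps LAN network {lan.network}")

    # For ordinary prefixes the gateway must be a host address, not the
    # network or broadcast address of its subnet.
    if vip.network.prefixlen <= 30 and vip.ip in (
        vip.network.network_address,
        vip.network.broadcast_address,
    ):
        problems.append("VIP is the network or broadcast address, not a usable gateway")

    # The suggested rule passes PrivateNetworks -> PrivateNetworks, so both
    # subnets must fall inside what that alias covers.
    for name, iface in (("LAN", lan), ("VIP", vip)):
        if not any(iface.network.subnet_of(p) for p in PRIVATE_NETS):
            problems.append(
                f"{name} network {iface.network} is not RFC 1918, so a "
                "PrivateNetworks-to-PrivateNetworks pass rule would not cover it"
            )
    return problems
```

Running `check_second_subnet("192.168.1.1/24", "192.168.5.1/24")` on the example from the answer returns no problems.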