How to restrict device to connect only to a specific vlan

Started by cookie_lu, August 30, 2024, 01:50:42 AM

What is the best way to only allow a specific device to connect to a certain VLAN? Assume the people using the devices know all the VLANs' passwords.

I have, say, 5 VLANs: A, B, C, D and E. Each has its own configuration/purpose. Using OPNsense 24.7.

Bear in mind that on the same device, Wifi2 and Wifi5 may have separate MAC addresses. Now with Wifi6, the same device may have 3 separate MACs.

How do I make sure device 1 can only connect to VLAN A, device 2 can only connect to VLANs B and C, and device 3 can connect to C, D and E only?

Do I restrict by MAC using firewall rules and aliases? In that case there will be a lot of rules and aliases to create, possibly affecting performance?



Quote from: cookie_lu on August 30, 2024, 01:50:42 AM
people using the devices knew all the Vlans passwords.

Whoa! I think you're mixing things up here. A VLAN is a layer 2 construct while a password usually sits in layer 7 - above layer 4 for sure.

WiFi authentication may involve static secrets (i.e. passwords) but that has nothing to do with any VLAN associated with the relevant SSID.

Change passwords that you think are compromised. Use something like RADIUS if you want more robust authentication for wireless clients. https://wi-fiplanet.com/how-to-use-freeradius-for-wi-fi-authentication-part-1/

If you don't want to go that far, then adapt your overall security policy. You could use 2FA on the services delivered over WiFi, for instance.

OPNsense doesn't do policy based on MAC addresses (which are fairly easy to spoof).

Bart...

Correct. VLANs are used on wired networks, such that you can restrict your devices by assigning their port to a VLAN. If that is not feasible (e.g. because the ports are freely accessible), you have to use something like 802.1X and RADIUS.

That is only really secure with certificates, because MACs can be spoofed.

With WLANs, you basically regulate VLAN access via passwords, which is easier than 802.1X. If anyone knows any password, then this mechanism does not work and you do not need different WLANs / VLANs in the first place. Putting another layer like a MAC-based ACL on top of it will not really help, because the MACs can be spoofed as well.

So: change the passwords and keep them safe.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

My apologies, I got the VLAN and WLAN (SSID) mixed up above.

Each SSID is associated with a certain VLAN, and each VLAN in turn is configured differently, e.g. how it routes, DNS, etc.

Assuming I can't change the WiFi passwords (for now), is there a way I can easily restrict each device to a particular VLAN regardless of which WLAN it connects to?

Do I have to create an alias for each device, register all the MACs (Wifi2, Wifi5, Wifi6) associated with the device and use the firewall to prevent it from entering certain VLANs? I don't think the ARP table will help in this case.

Quote from: cookie_lu on August 30, 2024, 11:14:36 AM
Assuming I can't change the WiFi passwords (for now), is there a way I can easily restrict each device to a particular VLAN regardless of which WLAN it connects to?

Usually, no, since the AP maps each WLAN to a VLAN. So by choosing the WLAN, a client indirectly decides which VLAN it will be associated with. That is, unless you have a means to map WLAN clients to VLANs by AP-specific means (probably via RADIUS). In that case, you would have a setup that has no static mapping of WLANs to VLANs, but a dynamic mapping for each client, and all could use the same WLAN (or several, but logically they do not differ).
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
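The dynamic per-client VLAN mapping described in the reply above, as an added example that is not from the thread or from any of its posters. It shows FreeRADIUS 3.x `mods-config/files/authorize` (the "users" file) entries that return the RFC 3580 tunnel attributes an AP uses for dynamic VLAN assignment. The device identities (`device1-laptop`, `device2-phone`, `device3-tablet`), the VLAN IDs (A=10, B=20, C=30) and the assumption that the APs support RADIUS-assigned VLANs and that clients authenticate with EAP-TLS client certificates are all hypothetical; adjust them to your own setup.

```text
# FreeRADIUS 3.x  mods-config/files/authorize   (added example, not from the thread)
#
# Assumptions (hypothetical):
#   - The SSID does WPA2/WPA3-Enterprise (802.1X) against this server.
#   - Clients authenticate with EAP-TLS client certificates, and
#     mods-available/eap has   check_cert_cn = %{User-Name}   in its tls-config,
#     so an entry below only matches when the presented identity equals the
#     CN of the certificate the client actually proved possession of.
#     Without that binding, User-Name is just a string the client chooses.
#   - VLAN IDs: A = 10, B = 20, C = 30.
#
# Each entry has no check items (the cert is the credential); the indented
# lines are reply items. Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-Id
# are the RFC 3580 attributes that tell the AP which VLAN to put the client in.

device1-laptop
        Tunnel-Type := VLAN,
        Tunnel-Medium-Type := IEEE-802,
        Tunnel-Private-Group-Id := "10"

device2-phone
        Tunnel-Type := VLAN,
        Tunnel-Medium-Type := IEEE-802,
        Tunnel-Private-Group-Id := "20"

device3-tablet
        Tunnel-Type := VLAN,
        Tunnel-Medium-Type := IEEE-802,
        Tunnel-Private-Group-Id := "30"

# Anything that is not an enrolled identity is rejected outright, so an
# unknown device cannot fall through to the SSID's static VLAN.
DEFAULT Auth-Type := Reject
        Reply-Message = "Unknown device"
```

Two practical notes. First, dynamic assignment places a client in exactly one VLAN per association, so "device 2 may use B and C" is expressed by putting it in one of them and allowing routed access to the other with a firewall rule on OPNsense, not by a second tunnel attribute. Second, this only works because the identity is tied to a certificate the client cannot forge; keying the same entries on a MAC (MAC authentication bypass) reintroduces exactly the spoofing problem the earlier replies warn about.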