Dynamic VLANs without Radius possible?

Started by saveNAT, January 12, 2023, 03:57:31 PM

I do not recommend that as a "solution" to you, as I said I am still not grasping what you want to accomplish.

If it is indeed full security, Radius with certificates is what is being used as the most secure standard in the industry.

However, ask yourself these questions:

1. Can you limit physical access to ports that have to be trunked?
2. Are all of your devices capable of employing certificates?
3. Is that too much hassle for a home installation (think of the CA you must create and the deployment process)?
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A

Quote from: meyergru on January 14, 2023, 04:30:14 PM
However, ask yourself these questions:

1. Can you limit physical access to ports that have to be trunked?
2. Are all of your devices capable of employing certificates?
3. Is that too much hassle for a home installation (think of the CA you must create and the deployment process)?

1. No, I can't prevent access to the trunk ports, because the access points are connected to the network sockets. But this case doesn't worry me in the home network either and even my children won't unplug the AP.
2. Yes, cameras, PCs, etc. would be capable of employing certificates. Only IoT or something like that might have to use Radius with MAC.
3. So I think authentication by certificate would only be necessary for the cameras on the outside. The rest could be authenticated with Radius per MAC. Is creating such a certificate very complicated?

And how do you do that in your home networks?
Do you also have several VLANs and are they dynamic or static and do you have something for guests?

January 14, 2023, 06:05:29 PM #17 Last Edit: January 14, 2023, 06:09:12 PM by meyergru
I have VLANs for LAN, Management, IoT, Guests and DMZ. I use Radius only MAC-based because my answers are:

1. No.
2. No.
3. Yes.

As for certificate-based Radius: I think it is less complicated to create a CA than to assign each device a certificate and provision them.

My goal was not to reach 100% security, rather to make VLAN assignments more centrally manageable, so that I can use any LAN terminal for any device. That being said, if I had externally accessible ports for IP cams, I would rather assign those static VLANs than to try to provision them with certificates.


Quote from: meyergru on January 14, 2023, 06:05:29 PM
My goal was not to reach 100% security, rather to make VLAN assignments more centrally manageable, so that I can use any LAN terminal for any device. That being said, if I had externally accessible ports for IP cams, I would rather assign those static VLANs than to try to provision them with certificates.
I really like your solution. I could well imagine that.
Except for the external connections, here a static VLAN only for the cameras including firewall rule and if necessary radius per certificate would be the best solution.

Quote from: meyergru on January 14, 2023, 06:05:29 PM
I have VLANs for LAN, Management, IoT, Guests and DMZ.
Do you then have a trunk port from the OPNsense to the switch or is each VLAN a physical port on the OPNsense that goes to the switch?
Unknown MACs then automatically go into the guest VLAN in your home network?
And how did you solve it with the WLAN? Only one SSID and also by radius or one SSID for each VLAN?

Yes, it is one trunk port for OpnSense, but that is via an SFP+ via DAC because traffic may pass it twice when traversing VLANs. You also need trunk ports for switches, VM hosts and APs. The latter distribute a subset of the VLANs as separate SSIDs (obviously not Management and DMZ).

The guest VLAN is the default fallback VLAN for unknown clients.
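The setup described in this thread (MAC-based RADIUS returning a per-device VLAN, with unknown clients dropping into a guest VLAN) can be sketched in a small script. The following is an added example and not code from anyone in the thread or from OPNsense; it assumes the FreeRADIUS `users` file syntax and the common MAC-bypass convention where the switch sends the client MAC as both User-Name and User-Password, and the MAC table and VLAN numbers are constructed sample data. It also models the guest fallback as a switch-side decision, since a RADIUS reject carries no VLAN; the rejected or unknown client is placed by the switch's own guest/auth-fail policy. Keep in mind, as the thread itself notes, that a MAC is trivially copied, so this buys manageability rather than strong authentication.

```python
"""Added example: render MAC-bypass RADIUS entries that return a VLAN, and
emulate the switch's fallback to a guest VLAN for unknown clients.

Assumptions (not from the thread): FreeRADIUS 'users' file syntax, MAC used
as both user name and password, guest fallback enforced on the switch.
"""
import re
from typing import Dict, List

# Constructed sample data: device MAC -> VLAN id (VLAN numbering is assumed)
DEVICE_VLANS: Dict[str, int] = {
    "AA:BB:CC:00:00:01": 10,   # LAN workstation
    "aa-bb-cc-00-00-02": 30,   # IoT device
    "aabb.cc00.0003": 40,      # IP camera, DMZ
}
GUEST_VLAN = 50  # fallback for unknown clients, switch-side policy


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:.., aa-bb-.., aabb.cc.. forms, return lower-case colon form.

    Switches differ in how they spell the MAC in User-Name, so normalise once
    to make sure the RADIUS entry and the switch agree.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def vlan_reply_attributes(vlan_id: int) -> List[str]:
    """RFC 3580 tunnel attributes an 802.1X/MAB-capable switch expects."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN id out of range: {vlan_id}")
    return [
        "Tunnel-Type = VLAN",
        "Tunnel-Medium-Type = IEEE-802",
        f'Tunnel-Private-Group-Id = "{vlan_id}"',
    ]


def users_entry(mac: str, vlan_id: int) -> str:
    """One FreeRADIUS 'users' stanza: MAC as user and password, VLAN in reply."""
    m = normalize_mac(mac)
    body = ",\n".join("\t" + a for a in vlan_reply_attributes(vlan_id))
    return f'{m}\tCleartext-Password := "{m}"\n{body}\n'


def render_users_file(table: Dict[str, int]) -> str:
    """Render every known device; an unknown MAC has no entry and is rejected."""
    return "\n".join(users_entry(mac, vlan) for mac, vlan in table.items())


def assign_vlan(mac: str, table: Dict[str, int], guest_vlan: int) -> int:
    """Emulate the switch: RADIUS-assigned VLAN if known, else the guest VLAN.

    A malformed MAC cannot match any entry, so it also lands in the guest VLAN.
    """
    try:
        wanted = normalize_mac(mac)
    except ValueError:
        return guest_vlan
    normalized = {normalize_mac(k): v for k, v in table.items()}
    return normalized.get(wanted, guest_vlan)


if __name__ == "__main__":
    print(render_users_file(DEVICE_VLANS))
    for probe in ("AA:BB:CC:00:00:01", "aabbcc000003", "11:22:33:44:55:66"):
        print(probe, "->", assign_vlan(probe, DEVICE_VLANS, GUEST_VLAN))
```

Run it as a script to see the rendered stanzas and three lookups: two known devices get their configured VLAN and the unknown MAC gets the guest VLAN. The accept/reject decision lives entirely in the generated file, while the guest placement is left to the switch, which mirrors the split described in the thread.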