Single Network Interface Card (NIC) Correct VLAN Setup

Started by bangersandmash, February 12, 2024, 09:18:28 AM

February 12, 2024, 09:18:28 AM Last Edit: February 12, 2024, 09:22:42 AM by bangersandmash
Hi, I'm new to OPNsense and, after a lot of reading, I have a single NIC setup that allows a PC to connect to the net. However, I am not confident that I have done this correctly/securely, and I'd love to confirm my understanding with those more knowledgeable than me.

I have attached an SVG to illustrate the setup I have. 

I've created a new VLAN (VLAN 100) in my switch. The only members of VLAN 100 are the untagged WAN port (port 5) and the tagged OPNsense firewall port (port 4). In this way I believe LAN devices connected through ports 1-3 can only talk to the WAN through the firewall, because it's on the only port which is a member of both VLAN 100 and the default VLAN 1.

I'm fuzzy on why the firewall port within VLAN 100 is tagged, but I believe it means it can distribute traffic on both VLANs?

I have assigned PVID=100 to port 5 and PVID=1 to ports 1-4. I believe this stipulates which VLAN should be used for packets received on a given port.

  • Have I understood correctly?
  • Are there any pitfalls in the way I have done this?
  • With a default firewall config, will devices on the LAN ports 1-3 be 'protected' by the firewall?

I'm new to this and keen to learn so any feedback is welcome. Thank you.
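A quick way to sanity-check the membership/PVID table described above is to model the switch and ask which ports a frame can reach. The script below is an added example, not from this thread or from OPNsense; it assumes the switch behaves as a standard 802.1Q bridge and lets you toggle ingress filtering, because a switch that accepts tagged frames for VLANs the ingress port is not a member of would undo the LAN/WAN isolation.

```python
# Added example: model of the switch VLAN table from the post.
# Port 4 = OPNsense (single NIC, trunk), port 5 = WAN/modem, ports 1-3 = LAN.
# Membership per port: {vid: "tagged" | "untagged"}
MEMBERSHIP = {
    1: {1: "untagged"},
    2: {1: "untagged"},
    3: {1: "untagged"},
    4: {1: "untagged", 100: "tagged"},
    5: {100: "untagged"},
}
# PVID: VLAN assigned to untagged frames received on each port.
PVID = {1: 1, 2: 1, 3: 1, 4: 1, 5: 100}


def classify(port, tag=None, ingress_filtering=True):
    """VLAN a received frame is assigned to, or None if the switch drops it."""
    if tag is None:
        return PVID[port]
    # Ingress filtering (assumed switch behaviour): a tagged frame is only
    # accepted if the receiving port is a member of that VLAN.
    if ingress_filtering and tag not in MEMBERSHIP[port]:
        return None
    return tag


def forward(port, tag=None, ingress_filtering=True):
    """Egress ports (other than the ingress port) and how each one sends it."""
    vid = classify(port, tag, ingress_filtering)
    if vid is None:
        return {}
    return {p: m[vid] for p, m in MEMBERSHIP.items() if p != port and vid in m}


def lan_isolated_from_wan(ingress_filtering=True):
    """True if no LAN port can get any frame to port 5 without passing port 4."""
    return not any(5 in forward(p, tag, ingress_filtering)
                   for p in (1, 2, 3) for tag in (None, 1, 100))


if __name__ == "__main__":
    print("LAN frame from port 1 reaches:", forward(1))
    print("WAN frame from port 5 reaches:", forward(5))
    print("OPNsense tagged VID 100 reaches:", forward(4, 100))
    print("isolated (filtering on): ", lan_isolated_from_wan())
    print("isolated (filtering off):", lan_isolated_from_wan(False))
```

The check to run against a real switch is the last line: if it accepts VID 100 frames on ports 1-3, confirm ingress filtering is enabled on them.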

February 12, 2024, 09:41:11 AM #1 Last Edit: February 13, 2024, 07:57:28 PM by johnmcallister
Nice first post & welcome to the forum.

Not an expert here, but your setup looks correct to me & should achieve complete isolation between the WAN/modem side, and your local LAN network.

I believe the devices on ports 1 to 3 will be protected by the firewall, as there will be no way for traffic to be relayed between them & the WAN (modem) device, except through the Opnsense firewall.

Is there a reason that you're doing a router on a stick?  While it can be made to work, I prefer to avoid the complexity and like to know for sure that my WAN is physically separated from everything else.

Quote from: CJ on February 13, 2024, 06:03:26 PM
Is there a reason that you're doing a router on a stick?  While it can be made to work, I prefer to avoid the complexity and like to know for sure that my WAN is physically separated from everything else.

I am repurposing a mini PC for the task which has just one NIC. I did purchase a USB 3.0 NIC (UGREEN model FBA_20256), but it was totally unreliable and caused everything to hang.

This single NIC solution is working with test speeds comparable with what I had with my ISP's router, so it seems viable provided it is secure. Do you feel that my setup is not secure?


Quote from: bangersandmash on February 14, 2024, 02:15:22 AM
I am repurposing a mini PC for the task which has just one NIC. I did purchase a USB 3.0 NIC (UGREEN model FBA_20256), but it was totally unreliable and caused everything to hang.

This single NIC solution is working with test speeds comparable with what I had with my ISP's router, so it seems viable provided it is secure. Do you feel that my setup is not secure?

NICs are cheap enough that I just prefer the reduced complexity of not having to worry if I have the VLANs configured correctly, etc. One less thing to think about.