Migrating to vlan

Started by 9axqe, May 21, 2024, 08:10:23 AM

Hello everyone,

I am planning on introducing a guest wifi and I'd like it to be separated on its own VLAN.

Currently my network is flat, everything in 192.168.1.0/24 (except remote WireGuard users, which are in 192.168.3.0/24).

As a first step, I'd like to move everything to a single VLAN, before introducing the guest wifi.

I have an opnsense router, a switch and some access points. The switch is running openwrt and can deal with vlans – in theory at least.

Now my question: what is the least risky way of introducing a VLAN? (one that avoids me having to run around with a laptop and a LAN cable to connect to every device manually to restore connectivity...)

I have configured a LAN bridge on opnsense: I know it's not ideal from a CPU point of view, but I have tested with iPerf that I can get 1Gbps through this bridge (iPerf server running on a device connected to LAN2, iPerf client running on a device connected to LAN1), hence I decided I don't need yet another device in my setup.

LAN2 is only my NAS, LAN1 is everything else (switch, access points).

If I configure VLAN 1 (for example) with parent interface LAN1, I will basically kill my connection to opnsense, I assume, as it will expect tagged traffic and receive untagged traffic from the switch. If I configure the VLAN on the switch first, it's the same: I will kill my connection as well, as it will send tagged traffic to opnsense, which is still expecting untagged.

Is there a way to do this without cabling work, or do I have to configure a separate untagged port on every device first, so I can connect to it with a laptop and configure the VLAN after the connection drops?

Do you have a managed switch and an AP capable of multiple SSIDs?

There is no need to change the devices on your LAN, or any physical cabling.

Bart...

Yes, I have APs capable of multiple SSIDs. The switch is managed (openwrt).

>no need to change the devices on your LAN

How do you send tagged as well as untagged traffic to the same LAN interface on opnsense? I thought that was not possible.

No need to change devices on your LAN, and you are correct, you want to send only tagged traffic to OPN.
The way normally is to use port-based tagging. Your devices plug into a managed switch that takes the untagged traffic in from the clients, and sends it out to OPN over a port that carries all traffic tagged.

Yes I understand that.

But if I configure opnsense to expect tagged traffic, I lose my connection to it (I'm plugged into the switch) and the whole local network goes down.
If I configure the managed switch first, it will send tagged traffic to opnsense, which will not be expecting it, and I will lose connectivity to opnsense as well; the network goes down again.

Is there a right order to do things to minimise disruption and effort?

Indeed, it is a timing exercise.
There are different ways depending on what you have, and the order will also be dependent on that.
For instance, if you could have one port in OPN that can be left as a management port, that is one way.
If that is not available: I first did my port plan on the switch (I drew it for myself). Once ready, I did OPN.
First time I locked myself out and had to reset the switch to defaults.
I'll see if I can dig out my post about it. I went from mixed traffic to the "correct way". Maybe you could approach it that way.

https://forum.opnsense.org/index.php?topic=36530.msg178402#msg178402
That was my query and got me to understand how it should be.
From that I recall now that I did OPN first then the switch and I was connected via the switch.
And yes, I lost connectivity temporarily to OPN until I did switch. Browser, two tabs, switch between them quickly. Disconnection was a few seconds.

Thanks!

OK, so currently I have LAN1/2/3 bridged together on opnsense but nothing physically connected to LAN3; I can remove it from the bridge and make it untagged. Step 1.

Step 2, I open the openwrt switch interface (while still physically plugged into LAN3 of opnsense) and configure the opnsense-facing interface to tag everything.
Step 3, I lose connection to the switch.
Step 4, I configure vlan tagging on opnsense.
Step 5, I hopefully regain connectivity to the managed switch.

Does that make sense?

A couple of questions about this:

  • I guess I need a new subnet for LAN3 on opnsense, right?
  • If I have a bridge with LAN1 and LAN2 on opnsense, which of the two should be the parent interface for VLAN10 (it does not seem to let me select a bridge intf)?

Step 1 sounds better, as it will be like an administrative port. Yes, it needs setting up, but make sure System | Settings | Administration has the listen interfaces set to all (recommended).
If you can, something I meant to add was to set a port in the switch that allows you to still reach it, i.e. manage it, once you have the access ports tagged. I use MikroTik, so this page is the reference for me: https://help.mikrotik.com/docs/pages/viewpage.action?pageId=76415036#CRS3xxandCSS32624G2S+seriesManual-Managementaccess
Regarding question 2, I don't actually know, as I don't have bridges in OPN. I would have thought you create the VLANs on top of the bridge, and once created it should appear as a device. Maybe show your assignments.

May 22, 2024, 01:11:06 AM #9 Last Edit: May 22, 2024, 01:15:13 AM by netnut
Quote from: 9axqe on May 21, 2024, 06:13:29 PM
> If I have a bridge with LAN1 and LAN2 on opnsense, which of the two should be the parent interface for VLAN10 (it does not seem to let me select a bridge intf)?

It's a bit unclear what your final topology would look like, but you have two options:

The ideal:

Move your NAS (LAN2) to your switch (which is a bridge by nature) and use both LAN1 & LAN2 as a LACP Trunk (LAGG) uplink to your switch. If your switch doesn't speak LACP your second best option would be "Failover". You now have a redundant connection to OPNsense for _all_ devices.

Other Option:

Use only one uplink (LAN1) to your switch and keep LAN2 (NAS) directly connected to your physical OPNsense box. Configure LAN1 (as main VLAN parent) with all the VLANs you have on your switch and configure these new VLAN interfaces like "normal" OPNsense interfaces, except for VLAN10. Create a bridge and add only VLAN10 (with LAN1 as parent) and LAN2 as members for this bridge. Read the official OPNsense Bridge docs and set the required bridge tunables (important!).

Keep in mind this new Bridge interface (with VLAN10 and LAN2) will be the VLAN10 OPNsense gateway now, with the corresponding IP configuration; leave both VLAN10 and LAN2 unnumbered (these are Bridge members now).

Many thanks, this is helpful.

Physically, opnsense and NAS are in the same rack in a basement, whereas the switch and the entire rest of my home network are behind a 20m cable. Pulling a second 20m cable would be extremely difficult and I am not considering it.

Hence the NAS is on LAN2 and the rest of the network on LAN1; that's the constraint here.

The options I have are hence:
1. Move NAS to different subnet (and optionally have it tag its traffic, but since it's the only device on LAN2, there's no point in my view)
2. Keep NAS current IP, take LAN1 out of the current bridge, create VLAN10 interface with LAN1 as parent, add VLAN10 intf to the bridge.
3. Buy a new managed switch and plug NAS and the LAN1 cable into it, then connect switch to LAN1 of opnsense.

Seeing I don't have any performance issue with the opnsense bridge at the moment (iPerf can send 960Mbps through), I don't see the necessity for 3/.

Because I'm a lazy admin, I prefer 2/ =)

Steps:

1. Take LAN3 out of the opnsense bridge and make it an admin port with its own subnet.
2. Make the switch LAN3 port also an admin port (maybe I'll even turn on the DHCP server on this port; it makes life easier).
3. Plug the laptop into opnsense LAN3.
4. Navigate to the openwrt switch admin GUI, enable VLAN10 tagging on LAN1 (port facing opnsense).
5. I lose connection to the switch.
6. Take opnsense LAN1 out of the bridge.
7. Create VLAN10, parent intf LAN1.
8. Add the VLAN10 intf to the bridge.
9. Hopefully the switch is reachable again; otherwise, backup plan: plug the laptop into LAN3 on the switch and troubleshoot.

Sorry if I'm repeating myself – anything missing in your view? (I'll enable the guest VLAN later on; I want to get it to work with one VLAN as a start.)

I'll pick a day where the family is not home I think =)
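The switch side of the plan above, written out as an OpenWrt `/etc/config/network` fragment; this is an added example, not configuration posted by anyone in the thread. It assumes a DSA-based OpenWrt (21.02 or later) with ports named lan1 to lan5, lan1 as the uplink to OPNsense LAN1, lan5 as the admin port, VLAN 10 for the existing 192.168.1.0/24 LAN with OPNsense at 192.168.1.1, and a constructed 192.168.99.0/24 admin subnet on VLAN 99.

```uci
# Assumed OpenWrt DSA switch (21.02 or later), ports lan1..lan5 (assumption):
#   lan1      uplink to OPNsense LAN1, carries VLAN 10 tagged only
#   lan2-lan4 access ports (APs, clients), VLAN 10 untagged
#   lan5      admin port, VLAN 99 untagged, never on the uplink
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

# VLAN 10 is the existing 192.168.1.0/24 LAN; ':t' = tagged, ':u*' = untagged + PVID
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:t'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

# VLAN 99 is the admin VLAN: only the admin port, so it survives a broken uplink
config bridge-vlan
	option device 'br-lan'
	option vlan '99'
	list ports 'lan5:u*'

# Switch management address on the LAN (OPNsense at 192.168.1.1 is an assumption)
config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'

# Second management address on the admin VLAN (192.168.99.0/24 is constructed)
config interface 'admin'
	option device 'br-lan.99'
	option proto 'static'
	option ipaddr '192.168.99.1'
	option netmask '255.255.255.0'

# The later guest VLAN is just another bridge-vlan stanza with 'lan1:t' and the
# AP ports tagged ('lanN:t'), plus a VLAN interface with its own subnet on OPNsense.
```

Applying this through LuCI's Save & Apply keeps its rollback timer, so if the switch becomes unreachable on the new addressing the previous configuration is restored automatically; `uci commit network` followed by a network restart from a shell has no such safety net. The OPNsense side only needs a VLAN interface with tag 10 on LAN1 for step 7 above.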