OPNSense with Trunk as the main router

Started by ferreira94, January 13, 2025, 06:07:25 PM

Good morning everyone, I would like to thank the community because it was with the content posted on the forum that I was able to advance in my firewall studies and start developing something more meaningful and efficient for my business and work. However, I still have questions that I have not been able to answer and I am asking for help from the community once again.

In this topic, I present my configuration and initial learning scenario (with the intention of replacing it in the future with something more robust and not necessarily professional).
*I'm using Google Translate*

---//---//---//---

I - Scenario:
---->a) I live in a loft house integrated with my offices (private lessons) and my wife's (lawyer);
---->b) the environment is not physically large, but there are many walls and so I plan to use at least three routers (without DHCP).

II - My limitations:
---->a) I am a beginner and therefore I cannot make OPNSense my only/main router (but I will still do so);
---->b) the providers of large internet companies in Brazil do not provide a good service in my region (constant instability), so we signed up for an internet plan from local third parties who provide better quality, however, they do not allow access to the configurations of these devices (not even in the pitiful "business plans" offered, forcing you to call/charge for any changes that may be made), therefore, I cannot configure a specific IP for OPNSense and try to do all the work through a second network of my own router (my own).

III - My settings (Hardware):
---->a) a Gigabyte miniPC with GA-H110MSTX-HD3 motherboard (rev. 1.0)
---->b) G4560 processor, 8GB RAM (2x4GB)
---->c) 256GB M.2 SATA SSD + 2TB (2x1TB) HDD
---->d) NIC on the motherboard + 2.5G NIC on the M.2 Wifi slot (model rtl8125bg - OPNSense LAN) + NIC on USB 3.0 (model RTL8153 - Home Assistant LAN)
---->e) 2 TP-Link routers (one Archer C20 and WR840N), Cat6 cables and an Ethernet Switch (Tenda-SG105M).

IV - Observations:
---->a) so far there have been no hardware recognition problems;
---->b) everything runs in virtualization on Proxmox, I do not want there to be a virtual connection between the OPNSense virtual machines and Ubuntu Server (with Home Assistant) and I do it only physically by connecting the USB NIC to the Switch (I find it more convenient to have fewer interfaces to manage by focusing only on the physical interfaces),
---->c) for now (given my lack of knowledge) all routers (including the one on the internet plan) have their Wi-Fi turned on to avoid problems until I can get a definitive configuration.

V - Physical configuration plan/topology (See image):

R1: this is my personal router (to manage everything)
R2: this is my router for cameras and other smart devices (without internet access)
R3: this is the router I want to dedicate to office clients (to only access the internet, it will be isolated from other networks).

VI - OPNSense configuration (with VLANs)
----> LAN IP (default)-> 10.0.1.1:10443 (access to the OPNSense GUI)
----> My intention is to create 2 VLANs so that Home Assistant and Router R1 connect to the default LAN and can see everything that is connected to router R2;
----> I want to prevent router R2 from accessing the internet, only.
----> I want to allow Router R3 to access the internet but not see anything related to other devices (isolate it from the VLANs and the default LAN) so that I can still see it accessing the LAN through R1.

VII - What I've done
----> I managed to configure everything until R1 connected to the internet and kept all routers as "Dumb-AC"
----> I created 2 VLANs with IP ranges completely different from the default (vlan0.20: 192.168.20.1 for R2 and vlan0.30: 192.168.30.1 for R3), with IP suffixes ranging from 100 to 199 and linked to the same NIC of the default LAN, because that's what I understood to be the Trunk method.

VIII - My difficulties/problems and doubts
----> I can't connect any of the routers to the VLAN networks;
----> at some point, by insistence, I managed to test the R1 router in vlan0.30-192.168.30.1, but I was not successful in accessing the internet;
----> I have doubts as to whether these problems are limitations of the routers and/or switches, or whether it is due to the fact that I did not apply the settings correctly in OPNsense.

Your Tenda switch is not sufficient. If you want to use VLANs, you need a VLAN capable switch.

> NIC on the motherboard + 2.5G NIC on the M.2 Wifi slot (model rtl8125bg - OPNSense LAN) + NIC on USB 3.0 (model RTL8153 - Home Assistant LAN)
Not good choices at all for FreeBSD-based networking. Realtek support on FreeBSD is very poor. With USB as well, you can forget about stability and reliability.

Different geographies, different hardware availability, I get that. Just keep that in mind.
And yes, VLANs require a managed switch where they can be set. Unmanaged switches put all ports in the same "network", i.e. each port can talk to each other. That's the point of them.

Thanks for the tips and explanations.
---> About the RTL boards, I just got the cheapest (used) ones advertised here in my city. Overall, I got a total of items that, added together, cost me R$500.00 (~US$82.00), because the plan was to learn more before investing in hardware with better CPUs and PCIe i226 NICs. Yes, RTL is really scary; I had no problems using it for internet browsing, however, when using it for large transfers on the internal network, it was unsuccessful with files/folders larger than 4GB.
---> About the switch, I found it for a good price on Aliexpress, but I assumed that the VLAN network isolation would occur exclusively in the OPNSense settings so that there would be a way for the networks to communicate through the switch after isolation through the software. So, I'm wrong about VLAN isolation, right?

> ---> About the switch, I found it for a good price on Aliexpress, but I assumed that the VLAN network isolation would occur exclusively in the OPNSense settings so that there would be a way for the networks to communicate through the switch after isolation through the software. So, I'm wrong about VLAN isolation, right?
Unfortunately that is the case, you can NOT use VLANs with router software only.
What you could perhaps do is see if you can install DD-WRT or OpenWRT on one of your other routers (that were designated to be used as APs) and then they _could_ then be your managed switch albeit with much much fewer ports.

TP-link easy smart switches are relatively cheap and they support VLANs.
Device association to a VLAN is done at the switch port level for wired devices, or by SSID for wireless devices (requires an AP supporting multi-SSID and VLAN).
If you don't have such APs (seems to be the case), you use a switch to associate the AP to a VLAN (by the port it is connected to). Then all devices connected to the AP are part of the VLAN.
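To make the two points above concrete (an unmanaged switch puts every port in one broadcast domain, while a managed switch assigns wired devices to a VLAN per port via the PVID), here is an added illustration, written for this thread and not code from any poster, OPNsense or a switch vendor. It builds constructed Ethernet frames with and without an 802.1Q tag and forwards them through two toy switch models. The port numbering (port 1 = OPNsense trunk carrying LAN 1 plus VLANs 20 and 30, port 2 = R1, port 3 = R2 on VLAN 20, port 4 = R3 on VLAN 30) is an assumption mirroring the topology in the first post; egress tag stripping and spanning tree are deliberately left out.

```python
"""Constructed example: why an unmanaged switch cannot keep 802.1Q VLANs apart.

Added illustration for the thread, not code from the original page. Frames,
MAC addresses and port assignments below are all made up for the demo.
"""
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q TPID
ETHERTYPE_IPV4 = 0x0800
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac(s):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst, src, vlan=None, payload=b"\x45" + b"\x00" * 19):
    """Build an Ethernet II frame; with vlan set, insert a 4-byte 802.1Q tag."""
    hdr = mac(dst) + mac(src)
    if vlan is not None:
        tci = (0 << 13) | (0 << 12) | (vlan & 0x0FFF)  # PCP=0, DEI=0, VID
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, tci)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame):
    """Return (dst, src, vid, ethertype); vid is None for an untagged frame."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_VLAN:
        return dst, src, None, ethertype
    tci, inner = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, inner


class UnmanagedSwitch:
    """Learns source MACs per port and floods unknown/broadcast destinations to
    every other port. The 802.1Q tag is opaque payload to it: the VID is never
    consulted, so tagged and untagged traffic share one broadcast domain."""

    def __init__(self, ports):
        self.ports = ports
        self.table = {}  # mac -> port

    def forward(self, in_port, frame):
        dst, src, _vid, _ = parse_frame(frame)
        self.table[src] = in_port
        known = self.table.get(dst)
        if known is not None and known != in_port:
            return [known]
        return [p for p in self.ports if p != in_port]


class ManagedSwitch:
    """Port-based VLANs: each port has a PVID (VLAN assigned to untagged ingress)
    and a set of allowed VIDs; a trunk port lists several. A frame only leaves
    through ports that are members of its VLAN, and MAC learning is per VLAN."""

    def __init__(self, pvid, members):
        self.pvid = pvid        # port -> PVID
        self.members = members  # port -> set of allowed VIDs
        self.table = {}         # (vid, mac) -> port

    def forward(self, in_port, frame):
        dst, src, vid, _ = parse_frame(frame)
        if vid is None:
            vid = self.pvid[in_port]          # untagged: classify by PVID
        if vid not in self.members[in_port]:
            return []                         # ingress filtering: VID not allowed here
        self.table[(vid, src)] = in_port
        known = self.table.get((vid, dst))
        if known is not None and known != in_port:
            return [known]
        return [p for p in self.members if p != in_port and vid in self.members[p]]


# Assumed port map: 1 = OPNsense trunk, 2 = R1 (LAN 1), 3 = R2 (VLAN 20), 4 = R3 (VLAN 30)
PVID = {1: 1, 2: 1, 3: 20, 4: 30}
MEMBERS = {1: {1, 20, 30}, 2: {1}, 3: {20}, 4: {30}}


def demo():
    """An untagged broadcast from R3's port: the unmanaged switch floods it to R1 and R2,
    the managed switch confines it to VLAN 30 and only hands it to the OPNsense trunk."""
    bcast_from_r3 = build_frame(BROADCAST, "02:00:00:00:00:30")
    unmanaged = UnmanagedSwitch([1, 2, 3, 4])
    managed = ManagedSwitch(PVID, MEMBERS)
    return {
        "unmanaged": sorted(unmanaged.forward(4, bcast_from_r3)),  # [1, 2, 3]
        "managed": sorted(managed.forward(4, bcast_from_r3)),      # [1]
    }


if __name__ == "__main__":
    print(demo())
```

The `ManagedSwitch` model is also why the first post's "trunk" only works end to end: OPNsense tags VLAN 20 and 30 frames on its LAN NIC, and something on the other end of that cable has to read the tag and map it to a port. The Tenda switch in the parts list simply forwards the tagged frame like any other, so R2 and R3 end up in the same broadcast domain as R1 regardless of what is configured in OPNsense.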

I believe you can achieve similar results with a L3 switch but that might be more expensive anyway...