LAN segmentation

Started by ks, July 27, 2025, 01:30:36 PM

July 27, 2025, 01:30:36 PM Last Edit: July 27, 2025, 01:33:33 PM by ks
Hello guys,

I have a LAN like the one in the attachment, a 10.0.0.0/24 network with all devices connected to the same subnet.
Currently all the traffic is routed through a VPN, including the non-necessary traffic, and I'd like to segment it a bit to increase LAN security, e.g.:

the 2 NAS, printer and workstations on the same network;
the IP cameras on their own network, but able to write only to the NAS;
the PS5 and TVs on their own (play network);
the IoT network (doorbell, thermostat, etc.);

routing the non-necessary traffic (games and TV) outside the VPN.

What would be the best approach to do this?
Can I do it with VLANs?
Is it better instead to create separate LAN subnets?

Thank you!


You will have to use VLANs to physically separate the subnets if you want security. That being said, physical security is key to have this - imagine someone plugging a device into a "privileged" port. If you cannot assure that, you will need 802.1X.

It will be easier to read if you give every VLAN a separate number in your scheme, like: 10.0.X.0/24. That way, you can visually discriminate which subnet/VLAN a device is on. Also, I usually use a 1:1 relation between VLAN number and "X", such that VLAN 7 has CIDR 10.0.7.0/24.

Also, I would not use 10.0.0.0/24 anyway, because that is often used for special purposes, like ONT or other devices' management IPs.

As a reminder: OpnSense/FreeBSD is known to cause trouble mixing tagged and untagged traffic on the same interface.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
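As an added example (not code from this thread or from OPNsense), the plan described above modelled in Python: VLAN N maps 1:1 to 10.0.N.0/24, cameras may only write to the NAS, the play VLAN leaves via the plain WAN instead of the VPN. VLAN numbers, NAS addresses and the SMB port are constructed assumptions.

```python
import ipaddress

# VLAN plan following the 1:1 rule from the reply above: VLAN N <-> 10.0.N.0/24.
# VLAN numbers, names and the NAS addresses below are constructed for this example.
VLANS = {
    10: "office",    # NAS, printer, workstations
    20: "cameras",   # IP cameras
    30: "play",      # PS5 and TVs, routed outside the VPN
    40: "iot",       # doorbell, thermostat
}
NAS_HOSTS = {ipaddress.ip_address("10.0.10.5"), ipaddress.ip_address("10.0.10.6")}
NAS_WRITE_PORTS = {445}          # assumption: cameras record to the NAS over SMB
VPN_BYPASS = {30}                # VLANs whose internet traffic skips the VPN

def subnet_for(vlan_id):
    return ipaddress.ip_network(f"10.0.{vlan_id}.0/24")

def vlan_of(ip):
    """Map an address back to its VLAN using the 1:1 scheme; None if outside the plan."""
    addr = ipaddress.ip_address(ip)
    for vid in VLANS:
        if addr in subnet_for(vid):
            return vid
    return None

def decide(src_ip, dst_ip, dst_port):
    """Return 'allow' or 'deny' for a new flow crossing the firewall."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src is None:
        return "deny"                     # unknown source, not part of the plan
    if src == dst:
        return "allow"                    # same VLAN: the firewall never sees it
    if VLANS[src] == "cameras":
        # cameras may only write to the NAS, nothing else (no internet either)
        to_nas = ipaddress.ip_address(dst_ip) in NAS_HOSTS and dst_port in NAS_WRITE_PORTS
        return "allow" if to_nas else "deny"
    if VLANS[src] in ("play", "iot"):
        return "allow" if dst is None else "deny"   # internet only, no other VLAN
    return "allow"                        # office may reach every other segment

def egress_gateway(src_ip):
    """Which gateway a VLAN's internet traffic should be policy-routed to."""
    return "wan" if vlan_of(src_ip) in VPN_BYPASS else "vpn"
```

The same table can be checked against a list of expected flows before you type the rules into the firewall, so a mistake in the scheme shows up as a failing case rather than an exposed camera.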

I see.

So the best is the approach using VLANs separation.

Such as VLAN10 192.168.10.x/16 for e.g. the office, VLAN20 192.168.20.x/16 for e.g. IP cameras, and so on.

Is there any other suggestion you'd like to give me? It will be appreciated.

Quote from: meyergru on July 27, 2025, 01:57:15 PM
As a reminder: OpnSense/FreeBSD is known to cause trouble mixing tagged and untagged traffic on the same interface.

Thanks, I'll keep that in mind.
For now I'm focusing on the correct network topology.

If you plan to use 192.168.x.0/24, read this: https://forum.opnsense.org/index.php?topic=47099.0