noob of noobs need help in configuring and placing

Started by wbravin, June 21, 2020, 03:40:33 PM

Hello all; I am a noob of noobs. I have been watching various videos on YouTube relating to choosing, installing and configuring OPNsense.

I live in a very old house in Italy. The house is built of stone and concrete and it has 3 floors. Although I remodelled some of the house infrastructure, I have no way of running cables.

At the moment I have 2 servers running FreeNAS, and one of the servers is based on a consumer PC architecture. Currently the whole house is connected via gigabit powerline; the adaptors are connected to simple switches and it all works well. Currently I have an Asus RT-AC87U as a router that is sitting in the living room. It currently provides me with my WiFi needs.

So, because I have too much time on my hands, I decided to have a more robust and flexible router. (I have IoT, remote users such as my daughter who lives in the UK and friends in Canada, and home automation.)

So I bought a Dell R710 because it has 4 LAN ports. Yes, it is overkill, but I will replace it next spring with an R610. I receive my internet service from EOLO (which transmits via radio waves; I receive the signal via a dish, which in turn connects to an EOLO box, a small brick that has the satellite feed in, and the out goes to the WAN port of my current router in the living room).

My next step is to install all IT equipment in a rack and move it to the loft.
I will move the internet feed from the living room to the loft.

So now OPNsense will be in the loft, where it will be connected to a managed switch which will have a direct connection to the server environment. Then I plan to go from the switch to a powerline connection, which will connect all the PCs in my house fine.

Finally, my question:
I want to use my current router as an AP (I read that this is possible).

Can I leave the current router in the living room, have it fed by a powerline, and still have it act as an AP?

I fear that if I move the Asus to the loft I will not have sufficient band strength to feed my guests and me when we are on the ground floor or outside in the yard.

Thank you for taking the time to read this and respond.

Quote from: wbravin on June 21, 2020, 03:40:33 PM

So, do you mean:

OPNsense -- Switch -- PLC -- AP (AC87U)

Is that so? Yes, that's totally fine. However, there are different topologies you could configure.

If not, it would be easier to understand if you explained your final L3 topology.

Thank you very much for your prompt reply.

Yes. Just to clarify:

OPNsense server > managed switch > powerline adaptor (you called it PLC) > AC87U.

What other topologies can I configure?

So far I have designed the 4 ports on the R710 as follows: 1 for WAN, 1 for LAN, 1 for WiFi, and the last one for IoT. I still need to install OPNsense.

This is a vast learning curve for me.

Once again, thank you.

Quote from: wbravin on June 21, 2020, 06:32:47 PM
Ok, so basically there are 2 paths:

Routed:

OPNsense connected to the WAN of the AC87U (same network) and then the WiFi (LAN) in a different one.

Switched:

OPNsense connected to one of the LAN ports of the AC87U, so it's in the same network as the LAN of the AC87U. WiFi devices should be configured to use the OPNsense IP in that LAN as gateway, and that's it.


The second option is probably the best unless you need/prefer to route it for some reason.

Thank you.

For my understanding:

Option 1

Connect the EOLO box to the WAN of OPNsense, then the connection from the powerline to the WAN of the router.

Option 2: connect the EOLO box to the WAN of the AC87U, then connect the AC87U LAN to a powerline, then the powerline to OPNsense. In this case, will the AC87U control the DNS and DHCP?

I would suggest you use managed switches and VLANs.


Do it like this:


Loft EOLO box -> OPNsense -> Managed Switch -> Powerline


Then wherever you have a powerline adaptor you can go into another managed switch and have separate LANs, WAPs etc etc; it becomes very simple.


Yes, you can still use your AC87U, just disable its own DHCP and only connect the LANs; it will work fine. As you move forward you can also use WAPs such as the TP-Link EAP235 that support VLANs and have multiple SSIDs, thus allowing guest networks and totally isolating them from the rest of your network.



OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

Great, thank you, this is what I needed to know.
The Asus AC87U does support 2 SSIDs, one for private and one for guests, so I can leave the WiFi function to the Asus. I will connect the switch to the powerline, which in turn will be connected to a LAN port on the Asus.

However, you just made me realise that I need to understand the routing of all this.

As I mentioned, I will have 1 managed switch. One port of this switch will be connected to the powerline (in the server room), which through the electrical wiring of the house will be connected to a local powerline. The servers and other components in the loft will be connected directly to the switch. This powerline will be connected to a local simple switch, then I will connect the AC87U to a port of that switch.
If this works then I have the WiFi I need.
I would be able to connect my HTPC and my TV (which I will set to the IoT LAN) in that room to the other ports on the switch.
If this works, great. I will replicate it in my home theatre room with its own powerline unit and simple switch.

The rest of the laptops will work off their dedicated powerline, which in turn (again through the house electrical wires) connects to the main powerline in the server room.

I am spending this morning learning about switches, and from the sound of it, I do not need a managed switch in the rack. I should live with a simple switch.

This would mean (in my feeble mind) that I should have only 1 LAN cable from the R710 connected to my switch in the rack.

This would mean that I have one port on the Dell R710 connected to the WAN (the EOLO box)
1 port connected to the switch; this would represent my LAN network (192.168.1.1).

Then have a VLAN for the IoT (192.168.2.1) and a VLAN 175.168.1.1 for WiFi.

Is this reasoning correct, or am I just barking up walls and mirrors, or am I biting off more than I should chew?

Thanks for your patience in reading this and for answering and clarifying these issues I have.

Why are you connecting the R710 to the WAN?


I assume that the WAN you are referring to is in fact the LAN output of the ISP's router?
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

Hello, thanks for your reply.

Yes, my ISP router (the EOLO box) is the receiver for the feed from the provider's dish. Then from that box I would connect it to one of the Dell R710's NICs, which in my opinion will act as the WAN connection.

However, after spending all day yesterday learning about managed switches, VLANs, firewall rules and connectivity issues, I have come to the decision that I am biting off more than I can chew, and if I do manage to chew it I will definitely get indigestion.

Therefore I will install OPNsense as a plain vanilla solution with 1 LAN (192.168.1.1), which I will connect to a 24 port managed switch (that I still need to buy).

To the switch I will connect my 4 servers directly and the home automation server, and connect one port to the powerline in the loft. All these components I will set with a static IP address.

Then the powerline in the loft will connect to the powerline in each room, which in turn will connect either to a computer directly or to a simple switch.

In the case of the living room, I will connect the Asus as an AP, my HTPC and my TV in the living room to a small switch. If it would help, I can connect the Asus AP to its own powerline. Would this be better? Then on the Asus I will segregate the home WiFi and the guest WiFi.

In the case of the home theatre room, I will connect the projector and the HTPC to a simple switch that will be connected to the powerline in that room.

Once this is all done and working I will start to develop the firewall rules to further secure my environment, and then learn how to design, develop and implement VLANs to segregate the IoT from the rest of my environment.

Once again, thank you for your contribution, and I apologise for being so long winded.

That will work; the only thing you will not be doing in that scenario is creating totally isolated LAN segments, so although your WAP has a guest access SSID it will be on the same LAN as the rest of your equipment.


The other warning is double NAT. Does your ISP box expose a global address or a private address? Double NAT is really only an issue if you are trying to access your own servers from the Internet, when it can be a bit tricky to set up; if you are not going to do that you should be OK.
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

Thank you for replying so quickly.

I will not be accessing my servers remotely.

The Asus will take care of the guests with a separate SSID. Yes, it will be on the same LAN; however, will I not be able to create a rule to prevent this?

I would guess that if the AP is on a static IP, and with that information I would be able to identify the user SSID name, I should be able to prevent them from accessing the rest of the LAN.

Would you consider this too complex for me to develop?
Once again, thank you.

That might not work; it really depends on the WAP access point and how it manages the guest SSID. If the WAP gives the guest user an address on the same LAN network as your servers etc., then the guest would be able to connect to them. Traffic on the LAN between devices goes point to point, not via OPNsense. You will need to test that to see if the WAP itself prevents access to other devices on the same LAN.
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member
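The point made in the reply above (same-LAN traffic never reaches the firewall, so no OPNsense rule can block it) is easy to get wrong when planning. The following is an added illustration, not code from this thread or from OPNsense: it models the addressing the poster has been discussing (assumed subnets 192.168.1.0/24 for LAN, 192.168.53.0/24 for IoT and 192.168.20.0/24 for WiFi, plus a constructed "block wifi -> lan" policy) and shows which host pairs a firewall rule can ever apply to.

```python
import ipaddress

# Constructed segments, modelled on the plan in this thread (assumptions, not
# anyone's real OPNsense configuration).
NETWORKS = {
    "lan":  ipaddress.ip_network("192.168.1.0/24"),
    "iot":  ipaddress.ip_network("192.168.53.0/24"),
    "wifi": ipaddress.ip_network("192.168.20.0/24"),
}

# Constructed first-match policy as it would be written on OPNsense's
# inter-VLAN interfaces: block wifi -> lan, pass everything else.
RULES = [
    {"action": "block", "src": "wifi", "dst": "lan"},
    {"action": "pass",  "src": "any",  "dst": "any"},
]


def segment_of(host: str):
    """Name of the segment whose subnet contains host, or None."""
    addr = ipaddress.ip_address(host)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return None


def traffic_path(src: str, dst: str) -> str:
    """'switched' when both hosts share a subnet: frames go host-to-host across
    the switch/powerline and the firewall never sees them.  'routed' when the
    subnets differ: packets must pass the OPNsense gateway, where rules apply."""
    s, d = segment_of(src), segment_of(dst)
    if s is None or d is None:
        raise ValueError("address outside the defined networks")
    return "switched" if s == d else "routed"


def firewall_verdict(src: str, dst: str) -> str:
    """First-match evaluation of RULES, but only for traffic the firewall sees."""
    if traffic_path(src, dst) == "switched":
        return "not seen by firewall"
    s, d = segment_of(src), segment_of(dst)
    for rule in RULES:
        if rule["src"] in ("any", s) and rule["dst"] in ("any", d):
            return rule["action"]
    return "block"  # implicit default deny, as on OPNsense


if __name__ == "__main__":
    # Guest SSID handing out addresses on the server LAN (the plain-vanilla plan).
    print(firewall_verdict("192.168.1.200", "192.168.1.10"))   # not seen by firewall
    # Guest SSID on its own WiFi VLAN: now the gateway sees the traffic.
    print(firewall_verdict("192.168.20.50", "192.168.1.10"))   # block
    print(firewall_verdict("192.168.20.50", "192.168.53.7"))   # pass
```

The takeaway is that isolation comes from putting the guests in a different subnet (a separate VLAN or a WAP that does its own client isolation), not from a rule on a gateway the traffic never crosses.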

Hi

Many thanks for your patience, dedication and availability, and not least for responding.

I am currently on the TP-Link forum to clarify what is transmitted over the powerline and how I could use that information.

One of the main questions is how the powerline reads and uses the information it carries, and how it would identify a PC connected to the powerline as belonging to a VLAN. I may be fishing here; we will see.

As I said, this for me is a massive learning curve, which I am happy to see to fruition. I will now use baby steps and implement further development once I feel comfortable that all that is done so far works.

Again, thank you; it is greatly appreciated.

Powerline devices usually carry VLAN tags, at least mine do. Two thirds of my house network is over Devolo devices and my VLANs work perfectly.
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member
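The question in the post above (how a powerline adaptor would "know" which VLAN a PC belongs to) and the reply that powerline devices usually carry VLAN tags both come down to where the VLAN ID actually lives: in the 802.1Q tag the managed switch inserts into the Ethernet frame, which a transparent bridge such as a powerline link just forwards unchanged. The following is an added example written for this thread, not code from the posters or from OPNsense; the port-to-VLAN and VLAN-to-interface mappings are assumptions chosen to match the addressing plan discussed here.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # TPID that marks a tagged frame
ETHERTYPE_IPV4 = 0x0800

# Constructed managed-switch config: untagged access ports and the VLAN they
# belong to (assumption for illustration).
ACCESS_PORTS = {"port5": 53, "port6": 20}

# Constructed OPNsense side: VLAN ID -> parent-interface VLAN name (assumption).
VLAN_INTERFACES = {53: "iot", 20: "wifi"}


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_untagged(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Plain Ethernet II frame: dst MAC, src MAC, EtherType, payload."""
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """What an access port does on ingress: insert TPID + TCI after the MACs."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | vlan_id           # priority (3 bits), DEI (1), VID (12)
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, tci) + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Decode the header; vlan is None for an untagged frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan_id, offset = None, 14
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    return {
        "dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
        "vlan": vlan_id, "ethertype": ethertype, "payload": frame[offset:],
    }


def untag_frame(frame: bytes) -> bytes:
    """What an access port does on egress: strip the 4-byte tag if present."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        return frame
    return frame[:12] + frame[16:]


def powerline_forward(frame: bytes) -> bytes:
    """A transparent bridge forwards the frame byte-for-byte, tag included."""
    return bytes(frame)


def classify_at_gateway(frame: bytes):
    """Which OPNsense VLAN interface receives this frame (None if untagged/unknown)."""
    return VLAN_INTERFACES.get(parse_frame(frame)["vlan"])


def pc_to_gateway(port: str, frame: bytes):
    """End-to-end: PC -> access port (tags) -> powerline (forwards) -> OPNsense."""
    tagged = tag_frame(frame, ACCESS_PORTS[port])
    return classify_at_gateway(powerline_forward(tagged))


if __name__ == "__main__":
    # Constructed sample frame with locally administered MACs.
    pc_frame = build_untagged("02:00:00:00:00:01", "02:00:00:00:00:02",
                              ETHERTYPE_IPV4, b"constructed payload")
    print(parse_frame(pc_frame)["vlan"])          # None: the PC sends untagged
    print(pc_to_gateway("port5", pc_frame))       # iot
    print(pc_to_gateway("port6", pc_frame))       # wifi
```

The PC itself never sees or sets the VLAN; the switch port it is plugged into decides, and OPNsense reads the tag off its trunk-side interface. A powerline adaptor that dropped or mangled the 4-byte tag would break this, which is why the earlier reply's note that the adaptors carry tags matters.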

Hi

Thank you for this information.

Does this mean I can connect a NIC port from my Dell R710 to the managed switch, and then from a dedicated port on the managed switch, I could develop VLANs in OPNsense and then build the same VLANs on the managed switch?

Where I am stuck in my train of thought is this:

If my Dell R710 has 4 NIC ports, I understand that one port connects to my EOLO box for the WAN.

Assuming that my main LAN IP address is 192.168.1.1,

then I connect a second port to the managed switch. So far so good. I understand that I can connect my 4 servers to any of the switch ports; these servers will be on the 192.168.1.1 LAN with static IPs.

I understand that I should connect a different port on the switch and dedicate it to the powerline adaptor.

So far so good (I still need to learn how to do this in the managed switch). This is where I lose the plot.

I need the traffic from all my PCs connected to the powerline to be on LAN 192.168.1.1. Fine so far. Now I develop a VLAN called IOT for the IoT in OPNsense and on the managed switch. This VLAN address would look like 192.168.53.1.

Then I develop a VLAN called wifi for the AP; I would give it an IP address like 192.168.20.10.

So I should have the following interfaces once I have added them all on the interface network:

WAN XXX.XXX.XXX.x
lan 192.168.1.1
iot 192.168.53.1
wifi 192.168.20.10

Great, now I have configured my network environment. Now I connect the LAN port to the managed switch. Fine.
Now I would have to dedicate a port on the switch. Fine.

I connect this port to the powerline. Fine. Now I'm lost.

Do you mean that in your case the powerline will provide the necessary information that would enable OPNsense to identify the VLAN and the LAN IP coming from the powerline, which would allow me to build rules in OPNsense to allow, block or restrict access?

If so, wow, this would make my day and entice me to move forward.

Many thanks for your message.