OPNsense Forum » English Forums » General Discussion » VLANs and separate interfaces for segregating traffic
Topic: VLANs and separate interfaces for segregating traffic (Read 2754 times)
dwasifar
Jr. Member
Posts: 72
Karma: 3
VLANs and separate interfaces for segregating traffic
« on: January 03, 2021, 07:23:25 am »
Currently everything on my network is on the same 192.168.1.x subnet. I want to segregate traffic from IoT devices to their own subnet. All the IoT devices are wi-fi, so here is what I'm hoping to do:
1) Set up another physical interface on my OPNsense box as OPT1 with a different subnet, maybe 176.16.0.x, and physically connect it to the wi-fi access point (a UniFi AP).
2) Set up VLAN on OPT1 with another subnet, say 10.0.0.x.
3) Set up DHCP for both.
4) Configure the UniFi controller with two new wi-fi networks: one regular network pointing to 176.16 subnet (let's call it SSID1), and one network tagged as a VLAN, with its VLAN ID matching what was set up in step 2 (let's call it SSID2).
5) Set up an alias containing those three subnets.
6) Set up default pass-all firewall rules for OPT1.
7) Set up default pass-all firewall rules for VLAN with an inverse match on the alias set up in step 5.
If I have thought this out right, this should allow the 192.168 and 176.16 subnets to see the internet and the other subnets, but the 10.0 subnet to only see the internet, so wi-fi clients connected to SSID2 are prevented from contacting the rest of the network.
Did I miss anything?
Logged
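The seven-step plan above, modelled as an added example (not OPNsense code and not the poster's configuration): a small first-match rule evaluator with OPNsense's implicit default deny, using the post's three subnets and the inverse-match alias from step 7. The pass-all LAN rule and the 203.0.113.10 "internet" host are assumptions made for the model.

```python
"""Model of the thread's rule set: first-match (quick) evaluation per ingress
interface with default deny, as OPNsense applies it. Added example only."""
from ipaddress import ip_address, ip_network

# Subnets from the post; the step-5 alias contains all three of them.
LAN_NET = ip_network("192.168.1.0/24")
OPT1_NET = ip_network("176.16.0.0/24")   # as written in the post
VLAN_NET = ip_network("10.0.0.0/24")
INTERNAL_ALIAS = [LAN_NET, OPT1_NET, VLAN_NET]

# (interface, source net, destination nets, invert destination, action)
# Step 6: pass-all on OPT1. Step 7: pass on VLAN with "!alias" as destination.
# The LAN rule is an assumption (the stock "LAN to any" rule).
RULES = [
    ("LAN",  LAN_NET,  None,           False, "pass"),
    ("OPT1", OPT1_NET, None,           False, "pass"),
    ("VLAN", VLAN_NET, INTERNAL_ALIAS, True,  "pass"),
]

def _dst_matches(dst, nets, invert):
    """None means 'any'; invert implements the inverse (NOT alias) match."""
    if nets is None:
        return True
    hit = any(dst in n for n in nets)
    return not hit if invert else hit

def evaluate(iface, src, dst):
    """First matching rule on the ingress interface wins; otherwise block."""
    src, dst = ip_address(src), ip_address(dst)
    for r_iface, r_src, r_dst, invert, action in RULES:
        if r_iface == iface and src in r_src and _dst_matches(dst, r_dst, invert):
            return action
    return "block"   # OPNsense's implicit default deny

def check_segmentation():
    """Constructed test flows; 203.0.113.10 stands in for an internet host."""
    return {
        "vlan_to_internet": evaluate("VLAN", "10.0.0.50", "203.0.113.10"),
        "vlan_to_lan":      evaluate("VLAN", "10.0.0.50", "192.168.1.20"),
        "vlan_to_opt1":     evaluate("VLAN", "10.0.0.50", "176.16.0.20"),
        # The firewall's own VLAN address sits inside the alias, so DNS or NTP
        # served by the firewall itself is blocked unless a rule allows it.
        "vlan_to_firewall": evaluate("VLAN", "10.0.0.50", "10.0.0.1"),
        "opt1_to_lan":      evaluate("OPT1", "176.16.0.20", "192.168.1.20"),
        "lan_to_vlan":      evaluate("LAN", "192.168.1.20", "10.0.0.50"),
    }

if __name__ == "__main__":
    for flow, verdict in check_segmentation().items():
        print(f"{flow:18s} {verdict}")
```

Running it shows the one flow the plan does not address: the VLAN gateway address falls inside the alias, so any DNS or NTP the firewall serves to IoT clients needs its own pass rule placed before the inverse-match rule.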
bartjsmit
Hero Member
Posts: 2014
Karma: 194
Re: VLANs and separate interfaces for segregating traffic
« Reply #1 on: January 03, 2021, 09:46:32 am »
You may want to point your IoT devices to an internal DNS server, or even a (transparent) web proxy, so that you can monitor or even restrict their outbound data transfers.
A Pi-hole would be a first step to block access to the worst telemetry and other privacy eroding sites.
Bart...
Logged