1 line into house, separate handling for owner and tenant

[caramba]

Hi

I want to set up OPNSense as first line of defense for our house. As of now the setup is as follows:

fibre in --> media converter --> ZyXEL 2012 router/wifi ap provided by ISP

I am going to replace the ZyXEL with a custom built(teklager.se) unit running OPNSense. To this I will connect a WRT1900ACS, possible running dd-wrt, but not sure if I really need that when I have OPNSense.

My goal:
Separate subnet for me and my family that is not accessibly for anyone else(MAC address filtering perhaps?)
Guest network and/or another separate subnet for tenant living on the first floor.

I know I can setup guest wifi in WRT1900ACS, but it seems better to let OPNSense handle this. I may be wrong.
I see OPNSense have captive portal, that seems really nice:) Never used OPNSense before, but played quite a bit with IPFire and dd-wrt/tomato.

In OPNSense, is it possible to handle traffic from one subnet/range of ip's/other criteria different? Ie if traffic is from tenant, pass it through, otherwise do all the cool shit:)

He will probably appreciate it(less ads, security..), but I feel reverse proxying someones traffic without them agreeing is not ok, so I have to plan for him disagreeing.

Tips welcome!

PS: reading docs, this software seems great, looking forward to play with it.

EDIT: WRT1900ACS does not support VLAN as far as I can tell

[Greelan]

Short answer: yes, create a VLAN with separate subnet for your tenant and that will be separate from your LAN and you can regulate them independently

[caramba]

Thank you. Does this mean I can make VLANs ni OPNSense and wifi ap can use them even though the wifi router itself doesn't support VLAN natively? It seems even DD-WRT wont help because of the chipset:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=319629&sid=46482defb628484c11fcb9eff36062c6

[fgsfdgfds]

Sounds simple enough.
It could be done many ways.
But for this size of setup and for simplicity.

I'd have ISP WAN coming into OPNsense.  1 ethernet port used, wan subnet
Then LAN1 to you (another ethernet port used) subnet 1
LAN2 to the tenant (another port used) subnet 2

so in this you'd need 3 ports and 2 bog standard unmanaged switches. (1 for you and 1 for tenant)
That will mean no messing with VLANs.
But if you don't have enough ports, than a VLAN capable switch will be required

[thowe]

I would also set up two separate network segments for this task, each with its own IP range. Then they are cleanly separated and you can set up separate firewall rules or control QoS per network.

Basically, each segment needs its own interface on the OPNsense. This can be an own physical interface (tenant port) or a VLAN interface on the normal LAN port.

If the tenant only gets cable internet, it is probably easier to provide a physical interface for him and to pull the cable to him. He can then connect a switch or his own access point. However, if he is to be supplied via the same WiFi access point as the main network but with his own SSID, then I would (if necessary additionally) connect his network with a VLAN ID to the main WiFi access point as well. Many professional or semi-professional access points (e.g. Unifi, etc.) then allow a VLAN to be assigned its own SSID.

[caramba]

Thank you for helping out!

I agree on your solution, an own physical subnet would have been ideal. For various reasons I do not want to have a physical unit on the first floor, but I think a wifi router that can handle VLAN will be the solution. I plan to aquire a used RT-N66U and to this basically:
https://netosec.com/setup-wi-fi-vlans-with-tomato-on-rt-n66u/