Topic: Dynamic VLAN Setup on OPNsense 21.1.9-1-amd64 (Read 2527 times)
hjint
Newbie
Posts: 33
Karma: 3
Dynamic VLAN Setup on OPNsense 21.1.9-1-amd64
« on: August 18, 2021, 11:19:07 pm »
I'm trying to set up a dynamic VLAN on OPNsense.
Network layout:
=> 2x Routers with Failover (1x Fibre as primary, 1x LTE as Failover) wired to OPNsense
=> OPNsense wired to an unmanaged (dumb) switch (say Switch 1)
=> Switch 1 forks to 3 unmanaged switches (say Switches 2, 3 & 4)
=> Switches 2, 3 & 4 each have a WiFi Access Point connected and some IoT devices, some wired and some WiFi
My target is to isolate the IoT devices from the rest of my network.
I have added a VLAN interface linked to the LAN interface called VLAN20.
NAT Outbound rules created on each WAN interface for VLAN20.
NAT Port Forward rule created on the VLAN interface to redirect to proxy (port 3128).
Firewall rules created on the VLAN interface:
1. Pass All TCP/UDP to destination VLAN20 Address port 53
2. Block TCP/UDP on VLAN20 net to All Destination port 53
3. Pass TCP traffic on VLAN20 net to 127.0.0.1 port 3128
(I will later add more rules to isolate the VLAN, etc.)
Services | DHCPv4 | VLAN20 | DHCP Enabled
LAN IP 192.168.10.0/24, VLAN20 IP 192.168.20.0/24
Questions and Issues:
1. To test, I have added two static IP addresses to VLAN20 and connected 2 devices. Both are set up to obtain an IP address, but do not get their IP address from VLAN20, and after a while both revert to the alternate private IP address. Am I missing a setting or a rule?
2. Will OPNsense Dynamic VLAN work on a network with unmanaged switches?
I don't want to go the hardwired VLAN route; the IoT devices that I want to isolate from the rest of the network are scattered throughout my property, which means more cabling, switches and APs.
bartjsmit
Hero Member
Posts: 2018
Karma: 194
Re: Dynamic VLAN Setup on OPNsense 21.1.9-1-amd64
« Reply #1 on: August 19, 2021, 11:03:09 am »
Quote from: hjint on August 18, 2021, 11:19:07 pm
2. Will OPNsense Dynamic VLAN work on a network with unmanaged switches?
No, VLANs outside OPNsense require VLAN-capable (i.e. managed) switches. The VLAN tags in the packets are ignored by dumb switches.
What is your definition of a 'dynamic' VLAN?
Bart...
hjint
Newbie
Posts: 33
Karma: 3
Re: Dynamic VLAN Setup on OPNsense 21.1.9-1-amd64
« Reply #2 on: August 19, 2021, 11:17:09 am »
Thanks Bart.
By 'dynamic' I'm referring to MAC-based VLAN, but also software VLAN configuration, and not static port VLAN configuration.
« Last Edit: August 19, 2021, 11:26:06 am by hjint »
hjint
Newbie
Posts: 33
Karma: 3
Re: Dynamic VLAN Setup on OPNsense 21.1.9-1-amd64
« Reply #3 on: August 19, 2021, 11:35:07 am »
Bart, will the Netgear GS308T smart switch with MAC VLAN work with OPNsense? See https://www.netgear.com/business/wired/switches/smart/gs308t/ for the specs of the switch.
bartjsmit
Hero Member
Posts: 2018
Karma: 194
Re: Dynamic VLAN Setup on OPNsense 21.1.9-1-amd64
« Reply #4 on: August 19, 2021, 05:39:30 pm »
There is an issue with MAC-based VLANs in that they rely on cooperation from the networked devices. If a device changes its MAC, it can join another VLAN. 802.1Q-based VLANs ensure that the switch is in control of the network segmentation.
That Netgear will let you use VLANs, but keep in mind that TP-Link tends to be a bit cheaper, while Unifi devices are easier to configure, especially if you also use their access points. These support multiple SSIDs tied to VLANs. (Other network makes are available.)
Given the right kit, you need less instead of extra physical infrastructure (switches, cables, APs). You just segment at a logical level.
The way I would set this up is a core switch with enough ports for your wired devices, between one and three APs depending on the layout of your house*, roaming for your WiFi clients and SSIDs for Full, Guest and IoT access. I would only use access switches if there was a room with multiple wired clients, e.g. TV and media players, smart speakers, etc.
More and more devices are going wireless, so a solid WiFi layout is a good base to build on. Check out PoE for reduced cabling.
Bart...
*If you want to plan based on your room sizes and wall thickness, check out https://design.ui.com/
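As an added illustration (not code from either poster) of the two points Bart makes above: an unmanaged switch forwards 802.1Q-tagged frames on destination MAC alone, so a client's untagged traffic arrives on OPNsense's parent LAN interface rather than VLAN20 (which is also why the VLAN20 DHCP server in the first post never answers), and a MAC-based assignment keys on a value the attached device presents, while a port-based one is decided by the switch. All MAC addresses, port numbers and the DHCP payload below are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100
# Constructed sample addresses and payload (not from the thread)
FW_MAC = bytes.fromhex("020000000001")      # OPNsense parent NIC
IOT_MAC = bytes.fromhex("020000000020")     # an IoT client
BROADCAST = b"\xff" * 6
DHCP_DISCOVER = b"\x45\x00" + b"\x00" * 26 + b"dhcp-discover"  # stand-in IPv4 payload
VLAN_CHILDREN = {20: "VLAN20"}   # VLAN interfaces OPNsense has on the parent NIC
PORT_MAP = {1: 20}               # managed switch, port-based: port 1 -> VLAN 20
MAC_MAP = {IOT_MAC: 20}          # managed switch, MAC-based: this MAC -> VLAN 20

def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Ethernet II frame; an 802.1Q tag is inserted after the MACs when vid is set."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (dst, src, vid or None, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, ethertype, frame[14:]

def opnsense_ingress(frame, parent="LAN"):
    """Interface a frame arriving on the parent NIC is delivered to: untagged
    frames land on the parent, tagged ones only on a matching child interface."""
    vid = parse_frame(frame)[2]
    return parent if vid is None else VLAN_CHILDREN.get(vid)

def unmanaged_switch(frame):
    """A dumb switch forwards on destination MAC only; the tag is neither
    stripped nor used for segmentation, so no isolation takes place."""
    vid = parse_frame(frame)[2]
    return {"forwarded": True, "tag_kept": vid is not None, "isolated": False}

def managed_switch_vlan(port, src, policy):
    """VLAN a managed switch assigns on ingress. 'port': decided by the switch
    configuration. 'mac': decided by the source MAC the device presents."""
    return PORT_MAP.get(port) if policy == "port" else MAC_MAP.get(src)

if __name__ == "__main__":
    # IoT device behind a dumb switch sends an untagged DHCP broadcast.
    f = build_frame(BROADCAST, IOT_MAC, 0x0800, DHCP_DISCOVER)
    print(opnsense_ingress(f))          # LAN: the VLAN20 DHCP server never sees it
    tagged = build_frame(BROADCAST, FW_MAC, 0x0800, b"offer", vid=20)
    print(unmanaged_switch(tagged))     # forwarded with tag intact, no isolation
```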
hjint
Newbie
Posts: 33
Karma: 3
Re: Dynamic VLAN Setup on OPNsense 21.1.9-1-amd64
« Reply #5 on: August 19, 2021, 07:42:43 pm »
Thanks Bart.
My house is built in a square, total 400m² floor space with 320m² under roof, with an open courtyard in the middle of the house. The switches are positioned near each of the 4 corners of the house with an AP attached to each. I've used a WiFi mapper to position the APs to get maximum coverage and signal strength.
I installed the APs and switches at the beginning of last year and don't plan to replace all of the switches and APs now with Unifi. I did the costing then and the cost of going the Unifi route was too high.
I've had too many hassles with TP-Link devices, after-sales service and support in the past and prefer D-Link & Netgear devices over TP-Link. It is a personal preference based on bad experiences in the past, both on personal and on corporate levels.
With reference to MAC-based VLAN issues, I'm using MAC filtering on OPNsense to allow devices onto my network and decline unknown MAC addresses. (I'm working from home since the beginning of last year and store sensitive client information on my server.) My office is running (wired only) via one of the switches, which I'm planning to isolate with a port VLAN. However, an AP is also connected to this switch, hence my thought of using MAC VLAN, but I'll test and play around with the various VLAN type options to get the best setup for my network and security requirements.