Archive > 21.7 Legacy Series

VLAN/Multiple OPNsense LAN Ports Question


nVIceman:
I wanted some clarity on this as research hasn't made it 100% clear based on what I am looking to do. I've done VLANs before, but my situation and usage is a bit different.

My firewall has 4 LAN ports. 1 is the WAN, 1 is the LAN, 2 extras unused. 1 Managed Switch. I wanted to implement a VLAN or 2, just wanted to see if it was worth using either of the 2 extra firewall LAN ports to allow better performance or security. It's not a huge deal, but would prefer going the best route from the get go.

I know I can just use the 1 LAN port and have inter VLAN traffic be hairpinned through the firewall as needed. Really, not much inter VLAN traffic, especially not anything taking advantage of high transfer speeds, but would prefer the clarity for future use cases.

Whether the LAN ports are bridged, or simply assigned them for VLAN usage, is there any reason or benefit to use the extra LAN ports when I have just 1 switch, whether it's security or performance?

Greelan:
As a result of this comment, I now have my VLANs on a separate NIC to the NIC that LAN is on

guest30640:
Welcome\Hi,

WOW...just read those comments!

I've just recently gone to opnsense from an Edgerouter (both router on a stick configs for home use) but must say documentation is not up to speed in some specific areas and if the above is gospel then that should have been documented about VLANs not being configured on the same NIC as the LAN (native vlan1?)

In my setup I have

igb0 - WAN PPPOE
igb1 - LAN ip:192.168.*.*
igb2 - ip: 10.*.*.* subnets with multiple VLANs (PVID=1, VLANs = T)
igb3 - not used (did try LAGG to switch but threw a wobbly with sensei\laggs\vlans together - which aint good)

So based upon the declaration above about the LAN, do I need to do anything on that igb1 NIC to block anything, currently it has the default FW rule? Since it is not part of the internal VLAN network but I 'assume' that since no VLAN1 has been created (on any interface) that it is still using VLAN1 as the native? Hence why I didn't explicitly setup a VLAN1. EDIT: Just realised I have probably just moved the problem onto igb2 since I use VLAN1 on that interface

nVIceman:

--- Quote from: Greelan on October 13, 2021, 04:31:34 am ---As a result of this comment, I now have my VLANs on a separate NIC to the NIC that LAN is on

--- End quote ---
Thanks, but I don't quite understand what that is saying. Don't use VLAN's on main LAN port?

Superduke:
+1 to this....I was wondering the same.....I have a number of VLANs tagged to my LAN interface and it's been working fine....with firewall rules restricting cross-talk between them and LAN itself....or so I thought....

Is what is being said that general rules allow full access between VLANs on the LAN interface?

And if so, do you need to physically connect an alternate NIC port to create VLANs on them?  I have two spares just sitting dormant but never thought I needed them.....I use Ubiquiti switches and APs.....
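The question in the last two posts (does a VLAN tagged on the LAN NIC get "full access" through the default rules, and does a spare physical port change that?) comes down to how the firewall matches rules: per logical interface, first match wins, implicit deny when nothing matches. The following is an added example written for this thread, not code from OPNsense or from any poster, that models that rule walk. Interface names (`lan`, `vlan10`), subnets, host addresses and the `RFC1918` alias are constructed; the only OPNsense fact it relies on is that LAN ships with a "Default allow LAN to any" rule while a newly created VLAN interface has no rules.

```python
"""First-match rule walk for a LAN interface and a VLAN interface that share
one physical NIC, in the style of OPNsense/pf per-interface rules.

Added example for this thread; not OPNsense code. Interface names, subnets,
hosts and alias contents below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# Constructed addressing: LAN untagged on the NIC, VLAN 10 tagged on the same NIC.
SUBNETS = {
    "lan": "192.168.1.0/24",
    "vlan10": "10.10.0.0/24",
}
# Aliases as a rule would reference them; "RFC1918" stands in for a private-nets alias.
ALIASES = {
    "any": ["0.0.0.0/0"],
    "RFC1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "lan_net": [SUBNETS["lan"]],
    "vlan10_net": [SUBNETS["vlan10"]],
    "lan_address": ["192.168.1.1/32"],    # the firewall's own LAN IP (constructed)
    "vlan10_address": ["10.10.0.1/32"],   # the firewall's own VLAN 10 IP (constructed)
}


@dataclass
class Rule:
    interface: str     # logical interface the packet arrives on
    action: str        # "pass" or "block"
    source: str        # alias name
    destination: str   # alias name
    description: str = ""


def _in_alias(addr: str, alias: str) -> bool:
    ip = ip_address(addr)
    return any(ip in ip_network(net) for net in ALIASES[alias])


def ingress_interface(src: str) -> str:
    """The VLAN tag, not the physical port, decides which logical interface a
    packet enters on, so LAN and VLAN 10 are distinct even on one NIC."""
    ip = ip_address(src)
    for name, net in SUBNETS.items():
        if ip in ip_network(net):
            return name
    raise ValueError(f"{src} is not in a known subnet")


def evaluate(rules: List[Rule], iface: str, src: str, dst: str) -> str:
    """Walk the rules of the ingress interface; first match wins; no match = block."""
    for r in rules:
        if r.interface != iface:
            continue
        if _in_alias(src, r.source) and _in_alias(dst, r.destination):
            return r.action
    return "block"   # implicit deny: an interface with no rules passes nothing


def check(rules: List[Rule], src: str, dst: str) -> str:
    return evaluate(rules, ingress_interface(src), src, dst)


# Out-of-the-box state: LAN has "Default allow LAN to any"; the new VLAN has no rules.
DEFAULT_RULES = [
    Rule("lan", "pass", "any", "any", "Default allow LAN to any rule"),
]

# Hardened state: each segment may reach the firewall itself (DNS, gateway), is then
# blocked from every private destination (the other segments), then gets Internet.
HARDENED_RULES = [
    Rule("lan", "pass", "lan_net", "lan_address", "LAN to firewall"),
    Rule("lan", "block", "lan_net", "RFC1918", "Block LAN to other internal nets"),
    Rule("lan", "pass", "lan_net", "any", "LAN to Internet"),
    Rule("vlan10", "pass", "vlan10_net", "vlan10_address", "VLAN10 to firewall"),
    Rule("vlan10", "block", "vlan10_net", "RFC1918", "Block VLAN10 to other internal nets"),
    Rule("vlan10", "pass", "vlan10_net", "any", "VLAN10 to Internet"),
]

if __name__ == "__main__":
    for label, rules in (("default", DEFAULT_RULES), ("hardened", HARDENED_RULES)):
        print(label, "LAN -> VLAN10 host:", check(rules, "192.168.1.50", "10.10.0.20"))
        print(label, "VLAN10 -> LAN host:", check(rules, "10.10.0.20", "192.168.1.50"))
        print(label, "LAN -> Internet:   ", check(rules, "192.168.1.50", "203.0.113.9"))
```

The walk shows the two halves of the situation the posters describe: with only the default LAN rule, LAN hosts can reach the VLAN subnet (the "any" destination includes it), while the VLAN with no rules cannot initiate anything, so a VLAN is not "open" merely because it is tagged on the LAN NIC. Moving the VLANs to a spare port changes nothing in this model, because matching is done on the logical interface either way; what actually closes LAN-to-VLAN access is the ordered block rule on LAN, placed after the rule that still lets LAN reach the firewall itself.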
