Question about the statement "don't use Native LAN (VLAN1)"
Topic: Question about the statement "don't use Native LAN (VLAN1)" (Read 2225 times)
warheat1990
Newbie
Posts: 14
Karma: 0
Question about the statement "don't use Native LAN (VLAN1)"
« on: December 31, 2021, 05:14:02 pm »
Hello, I'm not an expert.
But I kept hearing about the statement Native LAN (VLAN1) should not be used.
But I'm confused about the implementation. Assuming I have 2 ports in my firewall.
eth0: WAN
eth1: LAN - 192.168.1.x
Then I created 3 VLANs
vlan10: Management (eth1) - 192.168.10.x
vlan20: Home (eth1) - 192.168.20.x
vlan30: IoT (eth1) - 192.168.30.x
And I configure the firewall rules so that
1. vlan10 can access vlan20 and vlan30 but not the other way around.
2. vlan20 can access vlan30 but not the other way around.
3. vlan30 can't access other networks.
And let's say I have a 6-port switch.
sw0: uplink (connected to eth1)
sw1: vlan10
sw2: vlan20
sw3: vlan30
sw4: vlan10 for native, vlan20 and vlan30 tagged (connected to AP so it can broadcast SSIDs for vlan20 and vlan30)
sw5: untagged (this is where I configure everything)
Now that everything is done, what are we going to do with the sw5 or should I say the 192.168.1.x? By "don't use it", does that mean just leave it and make sure nothing is plugged/accessible by end user or do I have to disable it? Because if I disable it, I'm going to lose access to 192.168.1.x.
Can someone explain this concept to me?
Also, how do I get the switch to get 192.168.10.x IP address instead of 192.168.1.x without another port on the firewall? Or is it impossible?
Patrick M. Hausen
Hero Member
Posts: 6799
Karma: 571
Re: Question about the statement "don't use Native LAN (VLAN1)"
« Reply #1 on: December 31, 2021, 07:21:52 pm »
The recommendation is not "don't use VLAN 1". The recommendation is "don't run any VLAN untagged on a trunk port".
Access ports are access ports and trunk ports are trunk ports. The former are assigned to a single fixed VLAN and carry untagged frames. OPNsense does not do that - your switch does. To connect OPNsense or other BSD and Linux based hosts (or ESXi) to your switches and routers you use trunk ports. These should carry only tagged traffic.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
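To make the reply's rule concrete, here is an added example (not code from the thread or from OPNsense) that audits the switch port plan from the question against "a trunk port should carry tagged traffic only". The port names and VLAN numbers come from the post; treating sw0 as carrying VLAN 1 untagged, and the access/trunk classification itself, are assumptions of this example.

```python
# Added example: audit a planned switch port layout for untagged VLANs on
# trunk ports. Port names and VLAN ids mirror the forum post; the rule
# "trunk = any tagged VLAN present" is an assumption of this example.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Port:
    name: str
    native_vlan: Optional[int] = None        # VLAN carried untagged, if any
    tagged_vlans: Set[int] = field(default_factory=set)

    def kind(self) -> str:
        """Access port: one untagged VLAN and no tags. Trunk: anything tagged."""
        return "trunk" if self.tagged_vlans else "access"


def audit(ports: List[Port]) -> Dict[str, str]:
    """Return {port name: finding} for every port that breaks the rule."""
    findings: Dict[str, str] = {}
    for p in ports:
        if p.kind() == "trunk" and p.native_vlan is not None:
            findings[p.name] = (f"trunk carries VLAN {p.native_vlan} untagged; "
                                f"only tagged frames should cross a trunk")
        elif p.kind() == "access" and p.native_vlan is None:
            findings[p.name] = "access port with no VLAN assigned"
    return findings


def retag(port: Port) -> Port:
    """Corrected trunk: the formerly untagged VLAN is carried tagged instead."""
    if port.kind() == "trunk" and port.native_vlan is not None:
        return Port(port.name, None, port.tagged_vlans | {port.native_vlan})
    return port


# Constructed plan from the question: sw0 is the uplink to OPNsense eth1,
# sw4 feeds the access point. VLAN 1 untagged on sw0 is an assumption.
PLAN = [
    Port("sw0", native_vlan=1, tagged_vlans={10, 20, 30}),
    Port("sw1", native_vlan=10),
    Port("sw2", native_vlan=20),
    Port("sw3", native_vlan=30),
    Port("sw4", native_vlan=10, tagged_vlans={20, 30}),
    Port("sw5", native_vlan=1),                 # untagged admin port
]

if __name__ == "__main__":
    for name, finding in audit(PLAN).items():
        print(f"{name}: {finding}")
    print("after retag:", audit([retag(p) for p in PLAN]))
```

Only the two trunk ports (sw0 to the firewall and sw4 to the AP) are flagged; the untagged access ports, sw5 included, are fine as access ports, which matches the reply's point that the issue is untagged traffic on trunks rather than VLAN 1 itself.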