OPNsense Forum » English Forums » Tutorials and FAQs
Topic: Newbie: Multiple LANs on multiport NIC (or multiple NICs) (Read 3405 times)
klaberte (Newbie, Posts: 3, Karma: 0)
Newbie: Multiple LANs on multiport NIC (or multiple NICs)
« on: October 20, 2022, 06:44:17 pm »
[My goal here is to explain my thinking, welcoming critique and commentary. I have not made these configurations yet.]
I have a NIC with four Ethernet ports (based on i340), but I think this discussion is equally valid if you have your (more than 2) ports spread across multiple NICs.
I have assigned one of those four ports as LAN, a second as WAN, and everything is working properly. However, what to do about those other free ports?
Let's start with utilizing one additional port, which I will call OPT2.
Choice 1: SAME or SEPARATE subnets?
For most newbies setting up a home or SOHO, the choice here will likely be SAME, meaning we want everything on the LAN side of the firewall to be able to talk with each other. (And each can reach the Internet via a common NAT/firewall.) The easiest way to do this is to have a single subnet, e.g. 192.168.34.X. The standard way to do this is to have a single switch, or a combination of connected switches, which makes a single Ethernet connection to the LAN port of our opnsense router. But if you really want to use that OPT2 port, and have just one SAME subnet, you can create a LAN bridge, following this guide:
https://docs.opnsense.org/manual/how-tos/lan_bridge.html
The other option is SEPARATE. You choose this if you can, or should, segregate your LAN devices into different subnets. While it is possible to allow devices from one subnet to talk to devices of the other subnet, for the newbie, it is easier to simply place devices that need to interact (e.g. a computer and printer, or a computer and large display screen) on the same subnet. Devices on the second, separate subnet can talk to others on that subnet. Alternatively, a second subnet can serve devices that each need access to the Internet, but not each other. For example, a VOIP device simply needing a connection to a VOIP service provider, or guest computers, or wireless APs for guests.
If this is the situation, you can configure OPT2 to be a gateway for the second subnet. It can be configured with an IP address in a distinct subnet, e.g. 192.168.50.1, and provides IPs to its distinct subnet, e.g. 192.168.50.X. If you have only one device on the second subnet, you can directly connect it to OPT2. If you have multiple devices, you can connect a switch between each of these devices and OPT2. If you want to strictly prevent devices on the second subnet from interacting, this requires additional configuration. [Any suggested documentation for this to add here?]
Also, make sure to enable rules in the firewall for this new interface and subnet.
Choice 2: EQUAL or NONEQUAL treatment of the subnets
Assuming you have chosen SEPARATE subnets, the next question is whether traffic from the separate subnets is treated equally or nonequally. A case for NONEQUAL treatment might be a VOIP device on the second subnet, if you wish the VOIP traffic to be given higher priority than any traffic going to/from the first subnet. If instead you want both subnets to get EQUAL treatment, then you need to make no additional configurations. In this EQUAL case, traffic from e.g. device 192.168.34.119 and device 192.168.50.88 is treated equally by the NAT/firewall.
In such a case, traffic from 192.168.34.119 gets roughly the same treatment if the competition is with device 192.168.50.88 or with a device on its own subnet, e.g. 192.168.34.67. (However, 192.168.34.119 can communicate with 192.168.34.67, but not with 192.168.50.88, unless specifically set up, see above.)
If instead, you want NONEQUAL treatment of the subnets, you now need to configure those priorities. The documentation on "Traffic Shaping" is a good place to start:
https://docs.opnsense.org/manual/shaping.html
Now, having configured OPT2, perhaps you still have another NIC interface open, e.g. OPT3. Choices for OPT3 are the same as they were for OPT2. You can either bridge OPT3 with one or more other interfaces, or use it to create a third distinct subnet. Other interfaces, e.g. OPT4, OPT5, etc., are treated in a similar way.
« Last Edit: October 21, 2022, 06:44:28 pm by klaberte »
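As an added illustration that is not part of the post above, here is a small first-match model of the OPT2 rule set the post says you must add, using the post's own addresses; the rule contents and the "isolated" policy are my assumptions, not an OPNsense export.

```python
from ipaddress import ip_address, ip_network

# Constructed rule set for the OPT2 interface (192.168.50.0/24 in the post).
# OPNsense walks an interface's rules top-down, first match wins, and a packet
# that matches nothing is dropped: a freshly created OPT interface has no rules,
# so until you add some, nothing from that subnet gets anywhere.
LAN_NET = ip_network("192.168.34.0/24")     # existing LAN from the post
OPT2_NET = ip_network("192.168.50.0/24")    # new subnet behind OPT2
OPT2_GW = ip_network("192.168.50.1/32")     # OPT2 address (DHCP/DNS for the subnet)
ANY = ip_network("0.0.0.0/0")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Each rule: (action, source networks, destination networks, description)
# Assumed policy for the "Internet only, not each other" case in the post.
OPT2_ISOLATED = [
    ("pass", [OPT2_NET], [OPT2_GW], "let OPT2 clients reach the firewall itself (DHCP, DNS)"),
    ("block", [OPT2_NET], RFC1918, "keep OPT2 away from LAN and any other private subnet"),
    ("pass", [OPT2_NET], [ANY], "everything else, i.e. the Internet, leaves via NAT"),
]

# The case where the subnets may talk to each other: a single pass-any rule.
OPT2_OPEN = [("pass", [OPT2_NET], [ANY], "OPT2 may reach anything, LAN included")]


def evaluate(rules, src, dst):
    """Return (action, reason) for a packet entering on OPT2 from src to dst."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for action, sources, dests, why in rules:
        if any(src_ip in n for n in sources) and any(dst_ip in n for n in dests):
            return action, why
    return "block", "no rule matched: implicit default deny"


if __name__ == "__main__":
    for dst in ("8.8.8.8", "192.168.34.119", "192.168.50.1"):
        print(f"192.168.50.88 -> {dst}: {evaluate(OPT2_ISOLATED, '192.168.50.88', dst)}")
```

The firewall only sees traffic that crosses it: two OPT2 hosts on the same switch talk to each other directly, so the "strictly prevent devices on the second subnet from interacting" part of the post needs port isolation on that switch, not a firewall rule.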
klaberte (Newbie, Posts: 3, Karma: 0)
Re: Newbie: Multiple LANs on multiport NIC (or multiple NICs)
« Reply #1 on: October 31, 2022, 06:36:15 pm »
Anyone willing to critique?
yourfriendarmando (Full Member, Posts: 103, Karma: 8)
Re: Newbie: Multiple LANs on multiport NIC (or multiple NICs)
« Reply #2 on: November 06, 2022, 09:26:25 am »
I have lived a better life avoiding port bonding (ag) along with vlans. Priorities can be assigned in firewall and shaper rules.
In the case of a 4 port: one wan, one lan, one management port, and one guest port. The guest port can also subsequently have more vlans attached to it, so your lan port is free of use.