Separate VLAN for IOT network

Started by rama3124, January 24, 2023, 11:53:25 AM

Hi,
I'm new to opnsense and have a very simple network with no switches and opnsense running on a mini PC connected to Asus 86u as access point (+asus 68u as added mesh point). I have about 20 IOT clients including smart light bulbs, xiaomi gateway with child clients, conbee zigbee gateway with child clients and also a Kodi media server + home assistant server. I want these components to be blocked from contacting my phones and laptops so wish to setup two VLANs for trusted and non trusted clients.

I don't really understand how to configure the VLANs as some of my non-trusted clients connect via ethernet to the access point while others connect via Wifi. Do I have to have all the IOT components connected to the same Wifi SSID for this to work? If not, how can I separate the components into the two VLANs? Also, from what I understand the Asus AC86u is a pain to set up VLANs on, so I plan to purchase some Unifi access points. Do I have to do this or can I get away with keeping my current setup?

Thanks in advance

You need an access point that supports multiple SSIDs and can map these to individual VLANs. Then you can connect this AP to your OPNsense via a so-called "trunk port" that carries all the VLANs and configure the VLAN interfaces and respective policies in OPNsense.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

To add, you'll need a VLAN-capable switch also.
You did say some devices are wired.

Given enough free ports on the OPNsense device you can build a port based VLAN with a bridge interface.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: pmhausen on January 24, 2023, 02:42:35 PM
Given enough free ports on the OPNsense device you can build a port based VLAN with a bridge interface.

This idea appeals to me since I have a quad NIC and am currently only using two ports (lan and wan). Does this mean I need separate access points for the IOT and trusted networks though?

Thanks

Also until I purchase the new access points and switches, is there an option to make a firewall rule blocking all communication from my non trusted devices to my trusted devices? I only have two laptops and two phones so couldn't I just make aliases for the trusted IPs and non trusted IPs and only allow one way communication from trusted to non trusted? What are the disadvantages of this versus VLANs? Thanks again for the help

The communication on the same VLAN is not regulated by the firewall, because they are in the same network and there is no routing, UNLESS the switch or APs provide client isolation. That is a feature you will usually find only when the infrastructure also supports VLANs.

The systematic approach is to categorize devices and put them in separate VLANs and regulate communications between the categories, not between individual clients.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
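The point made above (host-based aliases cannot block IoT-to-laptop traffic while both sit in one broadcast domain, because the packet is switched and never reaches the firewall, whereas the same rules work once the categories are in separate VLANs) can be shown with a small model. This is an added illustration, not code from any participant and not OPNsense's rule engine; the addresses, interface names, aliases and rules are constructed for the example, and the evaluation is simplified to first-match with a default block and no connection state.

```python
"""Why alias-based rules on a flat LAN do not separate IoT from trusted hosts,
and why the same rules do work once the devices are in separate VLANs.

Constructed example: topology, addresses, aliases and rules are invented
for illustration and are not OPNsense configuration."""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class Interface:
    """One firewall interface, i.e. one broadcast domain / routed subnet."""
    name: str
    network: ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    """Simplified firewall rule: action applies when src and dst match the aliases."""
    action: str      # "pass" or "block"
    src_alias: str
    dst_alias: str


def in_alias(ip, alias):
    """An alias is a list of networks (single hosts are /32 networks)."""
    return any(ip in net for net in alias)


def segment_of(ip, interfaces):
    """Return the interface whose subnet contains ip; None if unknown."""
    for iface in interfaces:
        if ip in iface.network:
            return iface
    return None


def evaluate(src, dst, interfaces, aliases, rules, default="block"):
    """Decide how a flow from src to dst is handled.

    Returns (path, verdict). path is "switched" when both hosts share a
    broadcast domain: the frame is forwarded at layer 2 and the firewall
    never sees it, so the verdict is "pass" whatever the rules say.
    path is "routed" when the packet must cross the firewall; then the
    first matching rule decides, or the default when nothing matches."""
    src, dst = IPv4(src), IPv4(dst)
    src_seg, dst_seg = segment_of(src, interfaces), segment_of(dst, interfaces)
    if src_seg is None or dst_seg is None:
        raise ValueError("address outside every configured subnet")
    if src_seg is dst_seg:
        return "switched", "pass"
    for rule in rules:
        if in_alias(src, aliases[rule.src_alias]) and in_alias(dst, aliases[rule.dst_alias]):
            return "routed", rule.action
    return "routed", default


# Topology 1 (constructed): the thread's current state, one flat LAN.
FLAT = [Interface("LAN", ipaddress.ip_network("192.168.1.0/24"))]
FLAT_ALIASES = {
    "TRUSTED": [ipaddress.ip_network("192.168.1.10"), ipaddress.ip_network("192.168.1.11")],
    "IOT": [ipaddress.ip_network("192.168.1.50"), ipaddress.ip_network("192.168.1.51")],
}

# Topology 2 (constructed): trusted and IoT devices in separate VLANs, and
# the IoT alias is the whole category (its subnet), not individual clients.
SEGMENTED = [Interface("LAN", ipaddress.ip_network("192.168.1.0/24")),
             Interface("IOT", ipaddress.ip_network("192.168.20.0/24"))]
SEG_ALIASES = {
    "TRUSTED": [ipaddress.ip_network("192.168.1.0/24")],
    "IOT": [ipaddress.ip_network("192.168.20.0/24")],
}

# Same rules in both cases: trusted may initiate to IoT, IoT may not reach trusted.
RULES = [Rule("pass", "TRUSTED", "IOT"), Rule("block", "IOT", "TRUSTED")]


def flat_bulb_to_laptop():
    return evaluate("192.168.1.50", "192.168.1.10", FLAT, FLAT_ALIASES, RULES)


def segmented_bulb_to_laptop():
    return evaluate("192.168.20.50", "192.168.1.10", SEGMENTED, SEG_ALIASES, RULES)


def segmented_laptop_to_bulb():
    return evaluate("192.168.1.10", "192.168.20.50", SEGMENTED, SEG_ALIASES, RULES)


if __name__ == "__main__":
    for label, fn in [("flat: bulb -> laptop", flat_bulb_to_laptop),
                      ("vlans: bulb -> laptop", segmented_bulb_to_laptop),
                      ("vlans: laptop -> bulb", segmented_laptop_to_bulb)]:
        print(f"{label:24s} {fn()}")
```

On the flat LAN the bulb-to-laptop flow comes back as switched/pass even though a block rule exists, which is exactly the limitation of the alias idea; with the VLAN layout the same rule set yields routed/block for IoT-to-trusted and routed/pass for trusted-to-IoT. A real OPNsense deployment additionally tracks state, so the reply traffic of a trusted-initiated connection is allowed without a separate rule.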

Quote from: rama3124 on January 24, 2023, 10:01:45 PM
Quote from: pmhausen on January 24, 2023, 02:42:35 PM
Given enough free ports on the OPNsense device you can build a port based VLAN with a bridge interface.

This idea appeals to me since I have a quad NIC and am currently only using two ports (lan and wan). Does this mean I need separate access points for the IOT and trusted networks though?

Thanks

Keep in mind, a bridge is not a switch.
What you want is switching, so get a switch.

A bridge is a switch and a switch is a bridge. A device that makes forwarding decisions based on layer 2 information. A layer 3 switch is a router. A device that makes forwarding decisions based on layer 3 information.

An Odroid with 4 interfaces bridged for LAN and 1 interface for WAN is a four port switch and a router/firewall at the same time.

I refer you to Ms. Radia Perlman if you don't believe me. She invented spanning tree.

https://books.google.de/books/about/Interconnections.html?id=AIRitf5C-QQC&redir_esc=y
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

A switch is a bridge, but a bridge is definitely not a switch. Especially in FreeBSD.

He wants a couple of ports in a single broadcast domain without buying another device. Also I definitely fail to see the difference of a FreeBSD system with e.g. 4 bridged gigabit interfaces and an unmanaged 4 port gigabit switch.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

A bridge is designed to connect 2 network segments. When a packet arrives at the bridge, if it's destined for that side of the bridge, no problem. If it isn't destined for that side it sends it on hoping it gets to the destination.
A switch is designed to connect devices to a network. It knows what device is where so it knows where to send a packet.
If a bridge were a switch it would be called a switch. There would be no bridges. Got any hubs in your network???
No, I wonder why?

As for FreeBSD, and I should've specified pf, when you have a bridge every packet through that bridge still gets inspected. So if you have a powerful enough processor, no problem. If not, you're gonna take a huge performance hit.
When you want switching, use a switch. That's why they make them.

A bridge can have more than 2 ports. A multiport bridge is commonly called a switch. Read up on network basics. You can bridge 4 ports, then you have a 4 port unmanaged switch. You can disable filtering on the bridge members - and should.

The FreeBSD bridge has had a more than five-fold increase in performance and is multi-threaded now, thanks to the work of Kristof Provost, sponsored by the FreeBSD Foundation.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

A multiport bridge may be a hub, but not a switch. A switch has a MAC table; a hub does not.

I'm out. I linked to a book that clearly defines those concepts.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)