Seperate VLAN for IOT network

[rama3124]

The communication on the same VLAN is not regulated by the firewall, because they are in the same network, there is no routing, UNLESS the switch or APs provide client isolation, That is a feature you will usually find only when the insfrastructure also supports VLANs.

The systematic approach is to categorize devices and put them in separate VLANs and regulate communications between the categories, not between individual clients.

This makes perfect sense. If I end up getting some unifi access points, I assume I need to make a few different SSIDs (for trusted and non trusted) and assign different vlan tags go these different SSIDs using the unifi software and then the same tags on opnsense. Is this correct?

[Patrick M. Hausen]

This makes perfect sense. If I end up getting some unifi access points, I assume I need to make a few different SSIDs (for trusted and non trusted) and assign different vlan tags go these different SSIDs using the unifi software and then the same tags on opnsense. Is this correct?

Correct.

[lilsense]

I'm out. I linked to a book that clearly defines those concepts.

Books have mistakes in them too.

Using your book, Patrick. Looking at page 10:

"... The broadcast storm with IP can incapacitate a LAN. When two LAN are connected with a bridge, the bridge merges the LANs, and the broadcast storm on either LAN will incapacitate both LAN..."

This statement above is true of a Hub. A switch, even the dumbest of all knows MAC/port knowledge which eliminates storms.

just to clarify, that's all.

[lilsense]

The communication on the same VLAN is not regulated by the firewall, because they are in the same network, there is no routing, UNLESS the switch or APs provide client isolation, That is a feature you will usually find only when the insfrastructure also supports VLANs.

This needs to be clarified here. Firewall mentioned above is referred to as Layer 3 firewall. Layer 2 based Firewalls have ability to set MAC based ACL's that block particular MAC from communicating on the ethernet frames. Many smart switches have this ability to do so. You can specify which MAC can connect to which port.

[Patrick M. Hausen]

This statement above is true of a Hub. A switch, even the dumbest of all knows MAC/port knowledge which eliminates storms.

A hub is a simple electrical repeater broadcasting every packet out every port, even the unicast ones and without store and forward including collisions. Thus preserving the CSMA/CD property of Ethernet.

Both a bridge and a switch are in contrast store and forward. (Yes I have heard of cut-through switching - nonetheless switches in 2023 are all full-duplex and collision free. Bridges too.)

A switch does not in any way prevent broadcast storms. Broadcast packets to the FF:FF:FF:FF:FF:FF MAC address are also forwarded out every port. The same is true for multicast packets unless the switch is capable of IGMP snooping.


The reason why I am insisting on these properties is simple - not to prove my experience in networking but because some of the advice given to the IP was plain wrong. He does not need a switch given his OPNsense device has got enough ports.

If he has got e.g. 6 ports on some Odroid or similar, he can use

1 port for WAN
1 port as a trunk to the single access point with multiple SSIDs and VLANs
4 ports bridged with 1 of the VLANs or with different ones for wired devices

This is known to work. Why should he need to buy a switch just to use VLANs between OPNsense and the AP?

[Demusman]

"Why should he need to buy a switch just to use VLANs between OPNsense and the AP?"

Because he want switching. Use a switch.
Yes the bridge will work but at a huge performance cost.
Again, do you have any hubs in your network?? No, because switches replaced them.
If a bridge was a switch, switches would have replaced them too.
There's a place for bridges, but it's not switching.

[meyergru]

The communication on the same VLAN is not regulated by the firewall, because they are in the same network, there is no routing, UNLESS the switch or APs provide client isolation, That is a feature you will usually find only when the insfrastructure also supports VLANs.

This needs to be clarified here. Firewall mentioned above is referred to as Layer 3 firewall. Layer 2 based Firewalls have ability to set MAC based ACL's that block particular MAC from communicating on the ethernet frames. Many smart switches have this ability to do so. You can specify which MAC can connect to which port.

I think I already made that distinction clear, as "firewall" implicitely meant OpnSense - which is on level 3 - and my comment was directed at this:

Also until I purchase the new access points and switches, is there an option to make a firewall rule blocking all communication from my non trusted devices to my trusted devices? I only have two laptops and two phones so couldn't I just make aliases for the trusted IPs and non trusted IPs and only allow one way communication from trusted to non trusted? What are the disadvantages of this versus VLANs? Thanks again for the help

My point was that "just making client-specific rules on OpnSense" at level 3 would not work without a switch (level 2) prohibiting ARP and direct communication. This on the other hand usually can be handled by the same kind of switch that has VLANs anyway and thus there is a better (i.e. more general) option to the approach @rama3124 presented and asked about.

While smart switches exist that can not only isolate clients on level 2, but also provide some kind of level 3 routing, I would not consider that when I can centrally manage that in OpnSense. I would consider that even less on a client-specific level, because it is way too easy to forget that the whole network configuration is that much decentralised in case something changes. Been there - done that.