New LAN Interface with Port Security?

Started by voyto, February 22, 2023, 02:43:54 PM

Hi All,

I manage a LAN run from a 4-port OPNsense router and a few switches.

Port 0 = WAN (Openreach Modem)
Port 1 = LAN (Layer 2 Switch)
Port 2/3 = Unused

I have a situation where we're going to install an external EV charging point for a couple of the company vehicles. This device requires a network connection.

I'm reluctant to run a cable outside and have it plugged into the layer 2 switch because of the obvious security risks.

My question is - can I use one of the spare ports on the router and include some port-security to shut the interface down if the link is broken, for example? If so, would someone mind pointing me in the right direction on how to implement that?

February 22, 2023, 02:57:00 PM #1 Last Edit: February 22, 2023, 02:59:43 PM by meyergru
If you wanted to have traditional 802.1x port security, you would need more than a layer 2 switch; however, what you usually have then is a separate IoT network on a VLAN.

Thus, you might as well define an IoT network on one of your previously unused OpnSense ports and separate that from your LAN via specific rules just like you would do on a VLAN. In your case, only one client would be connected to that network. You can then define rules that allow access from your LAN to your IoT network but not the other way around.

However, bear in mind that only with 802.1x, you could keep strange clients completely from your network. Without it, you can only limit other clients to the same extent as your EV charging point. For example, if that needs internet access, then any other device plugged in to that port could do the same.

You might define rules based on MACs, but if that is being spoofed, you are out of luck.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A

Having a separate IoT network sounds perfect! Is there an idiot's guide on how to create this? :)

February 24, 2023, 12:52:07 PM #3 Last Edit: February 24, 2023, 12:57:20 PM by meyergru
There are plenty of guides, most are quite specific for the type of devices that you use, e.g. here is one for OpnSense with Unifi switches:

https://www.youtube.com/watch?v=dv13d6rfQPI

That guide uses 3 different subnets for normal users (=staff), guests and IoT devices.

The actual VLAN configuration is different with other switch brands, but as I said, you might get away without a VLAN-capable switch if you connect your only IoT device directly to a port of the OpnSense. In that case, you do not even need a real VLAN, just a separate IoT network on that port.

VLANs only come into play when you want to have multiple devices that you distribute over different ports of the same switch, effectively partitioning the physical switch into multiple logical switches.

Adding an IoT VLAN using one of the unused network ports is a great solution. Just be sure to "lock" down the IoT VLAN when you are writing the firewall rules. You'll need to grant access to some firewall services (like DNS), but you will want to block as many as possible. For example, you certainly don't want someone being able to access the SSH or web GUI of the firewall while using that network connection.
Just a hobbyist trying to figure all this out.
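The rule set described in replies #1 and #4 (LAN may reach the IoT port, the IoT port may only reach DNS and DHCP on the firewall and, if needed, the internet, and never the LAN or the firewall's SSH/web GUI), written out in pf syntax as an added example. This is not from the thread and not the ruleset OPNsense generates from its GUI; the interface names `igc1`/`igc2` and the subnets are assumptions.

```pf
# Added example, not from the thread. Assumed names: igc1 = LAN port,
# igc2 = the spare OPNsense port used for the EV charger (IoT network).
# Constructed subnets for illustration only.
lan_if  = "igc1"
iot_if  = "igc2"
lan_net = "192.168.1.0/24"
iot_net = "192.168.20.0/24"

# All rules use "quick": the first match wins, so order is top to bottom.

# IoT -> firewall: only the services the charger needs from the firewall.
# DNS to the IoT-side address of the firewall itself
pass in quick on $iot_if inet proto udp from $iot_net to ($iot_if) port 53 keep state
pass in quick on $iot_if inet proto tcp from $iot_net to ($iot_if) port 53 keep state
# DHCP (client broadcasts from 0.0.0.0, so "from any")
pass in quick on $iot_if inet proto udp from any port 68 to any port 67 keep state

# IoT -> any other firewall address or service (SSH 22, web GUI 80/443):
# blocked. "self" covers every address the firewall holds, including the
# LAN and WAN sides, so the outdoor port cannot reach management at all.
block in quick on $iot_if from $iot_net to self

# IoT -> LAN: blocked, so a device plugged in outside cannot reach staff hosts.
block in quick on $iot_if from $iot_net to $lan_net

# IoT -> everything else (the internet): allowed only because the charger
# needs it. As noted in reply #1, any device on that port gets the same.
pass in quick on $iot_if inet from $iot_net to any keep state

# LAN -> IoT: allowed, so staff can reach the charger; "keep state" lets
# the replies back in without a matching rule on the IoT side.
pass in quick on $lan_if inet from $lan_net to $iot_net keep state
```

In OPNsense these are entered per interface under Firewall: Rules (IoT and LAN tabs) in the same top-to-bottom order; the block-to-self rule must sit above the final pass-to-any rule or it never matches.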