Author Topic: DHCP for several interfaces (Read 1335 times)

roar · « **on:** October 20, 2023, 06:40:39 pm »

I have two interfaces each with its own subnet and own purpose:

IF A: 10.10.10.0/24 - trusted clients
IF B: 10.10.20.0/24 - untrusted clients

My idea was to activate DHCPv4 on interface B so that new clients automatically belong to the subnet for untrusted clients.
If now I trust one client, that only can be configured by DHCP it will always be untrusted.
I tried to add static ARP entries for those trusted clients in DHCP settings of interface A but the trusted client always gets an ip address in the DHCP range of interface B.

Is it possible to have the idea of an untrusted client pool via DHCP on one interface and cherry pick the trusted DHCP clients to sort them in another subnet?

Maurice · « **Reply #1 on:** October 20, 2023, 07:36:11 pm »

Different interfaces means different layer 2 networks. How is OPNsense supposed to move hosts from one interface to another? Or are these both connected to the same (unmanaged) switch?

roar · « **Reply #2 on:** October 20, 2023, 07:44:05 pm »

Yes all devices are connected to the same (managed) switch. Perhaps I need some kind of VLAN setup to achieve this?

Patrick M. Hausen · « **Reply #3 on:** October 20, 2023, 07:56:10 pm »

roar · « **Reply #4 on:** October 20, 2023, 07:59:24 pm »

No other possibilities to achieve this because I also wanted to use this for my wifi devices but my AP doesn't support VLANs... :-(

abulafia · « **Reply #5 on:** October 20, 2023, 08:25:53 pm »

Wouldn't this be a classic case for (free)RADIUS?

- unknown / unauthenticated clients are assigned to the untrusted VLAN
- authenticated clients are assigned to the trusted VLAN

(note: I've always wanted to set this up on my home network to cleanly separate work and private devices, but have never gotten round to it)

Maurice · « **Reply #6 on:** October 20, 2023, 09:07:36 pm »

Yes, you'll need separate VLANs for trusted and untrusted devices. These can be assigned to the VLANs by connecting them to different access ports or dynamically based on the MAC address, SSID or 802.1x authentication.

VLANs should be supported by pretty much any AP other than basic consumer stuff. And even these can often be made VLAN capable by installing OpenWrt.

Cheers
Maurice

roar · « **Reply #7 on:** October 21, 2023, 07:49:05 am »

Thank you for the answers!

I always asked what RADIUS is for - now i might have a use case (and yes my motivation is also better setting up my home network in times of IoT devices regarding security).

For now I'll give VLANs a try - seems to be a big task to separate an existing network

Patrick M. Hausen · « **Reply #8 on:** October 21, 2023, 08:53:57 am »

The switch and the AP must support RADIUS and either VMPS or 802.1x. Segregating clients into different networks is a layer 2 topology task, nothing OPNsense can do for you.

Author Topic: DHCP for several interfaces (Read 1335 times)

roar

DHCP for several interfaces

Maurice

Re: DHCP for several interfaces

roar

Re: DHCP for several interfaces

Patrick M. Hausen

Re: DHCP for several interfaces

roar

Re: DHCP for several interfaces

abulafia

Re: DHCP for several interfaces

Maurice

Re: DHCP for several interfaces

roar

Re: DHCP for several interfaces

Patrick M. Hausen

Re: DHCP for several interfaces