DHCP for several interfaces

Started by roar, October 20, 2023, 06:40:39 PM

I have two interfaces each with its own subnet and own purpose:

IF A: 10.10.10.0/24 - trusted clients
IF B: 10.10.20.0/24 - untrusted clients

My idea was to activate DHCPv4 on interface B so that new clients automatically belong to the subnet for untrusted clients.
If I now trust one client that can only be configured by DHCP, it will always be untrusted.
I tried to add static ARP entries for those trusted clients in the DHCP settings of interface A, but the trusted client always gets an IP address in the DHCP range of interface B.

Is it possible to have an untrusted client pool via DHCP on one interface and cherry-pick the trusted DHCP clients to sort them into another subnet?

Different interfaces means different layer 2 networks. How is OPNsense supposed to move hosts from one interface to another? Or are these both connected to the same (unmanaged) switch?
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Yes all devices are connected to the same (managed) switch. Perhaps I need some kind of VLAN setup to achieve this?

Yes.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

No other possibilities to achieve this? I also wanted to use this for my Wi-Fi devices, but my AP doesn't support VLANs... :-(

Wouldn't this be a classic case for (free)RADIUS?

- unknown / unauthenticated clients are assigned to the untrusted VLAN
- authenticated clients are assigned to the trusted VLAN

(note: I've always wanted to set this up on my home network to cleanly separate work and private devices, but have never gotten round to it)

Yes, you'll need separate VLANs for trusted and untrusted devices. These can be assigned to the VLANs by connecting them to different access ports, or dynamically based on the MAC address, SSID or 802.1X authentication.

VLANs should be supported by pretty much any AP other than basic consumer stuff. And even these can often be made VLAN capable by installing OpenWrt.

Cheers
Maurice
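As an added illustration of the RADIUS-based dynamic VLAN assignment suggested in the two replies above (not configuration posted by anyone in this thread), here is a FreeRADIUS fragment that places known MAC addresses into a trusted VLAN and everything else into an untrusted VLAN. It assumes VLAN 10 carries 10.10.10.0/24 and VLAN 20 carries 10.10.20.0/24; the MAC addresses, switch IP and shared secret are constructed placeholders.

```text
# --- /etc/raddb/clients.conf: register the managed switch (or AP) as a NAS ---
# Constructed values; use your switch's address and a long random secret.
client managed-switch {
	ipaddr = 10.10.10.2
	secret = REPLACE_WITH_LONG_RANDOM_SECRET
}

# --- /etc/raddb/users (rlm_files): MAC-based VLAN placement ---
# With MAC authentication on the switch, the client MAC arrives as User-Name.
# The reply carries the RFC 3580 tunnel attributes that tell the switch which
# VLAN to put the client in. Entries are matched top to bottom; the first
# match wins, so the DEFAULT entry must stay last.
# The MAC format (separator, upper/lower case) must match what the switch
# sends; adjust the constructed entries below accordingly.

# Known trusted client -> VLAN 10 (10.10.10.0/24, assumed trusted VLAN)
00-11-22-33-44-55	Auth-Type := Accept
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = "10"

# Another trusted client (one entry per trusted MAC)
00-11-22-33-44-66	Auth-Type := Accept
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = "20"

# Everything else: still admitted, but only into VLAN 20 (10.10.20.0/24,
# assumed untrusted VLAN), which mirrors the "untrusted by default" idea.
DEFAULT	Auth-Type := Accept
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = "20"

# Caveat: a MAC address is an identifier, not a credential, so MAC-based
# placement only separates well-behaved devices. Clients that support 802.1X
# should authenticate with EAP instead; the same three reply attributes can
# then be returned from the EAP user entry to land them in the trusted VLAN.
```

The second trusted-client entry above is deliberately shown with VLAN 20 to highlight that each entry's Tunnel-Private-Group-Id is independent; set it to "10" for a client you actually want in the trusted subnet.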

Thank you for the answers!

I always asked what RADIUS is for - now I might have a use case (and yes, my motivation is also to better set up my home network in times of IoT devices, regarding security).

For now I'll give VLANs a try - it seems to be a big task to separate an existing network ;)

The switch and the AP must support RADIUS and either VMPS or 802.1X. Segregating clients into different networks is a layer 2 topology task, nothing OPNsense can do for you.