Preventing VLAN parent usage

[CJ]

Is there a best practice for preventing VLAN parents from being used?  Currently I have it assigned to an interface but left the interface disabled, but I can still add it to groups, etc.

I'm looking to prevent someone from accidentally using the parent directly instead of just the VLANs.  Right now there doesn't seem to be a clear way to indicate such a state.

[Monviech]

I always leave the parent interface unassigned and all vlans work just fine.

[Patrick M. Hausen]

Assigning the VLAN parent interface has not been necessary since 22.7.4.

[CJ]

I know the parent doesn't need to be assigned, but then it's just sitting there in the little drop down where it could be assigned by accident.  That's why I assigned it a disabled interface.

[Patrick M. Hausen]

I really really like setups that abstract away as much as possible - like "router on a stick".

So I use two physical ports to build a lagg to my switch. Then I put all VLANs on top of that.

@work in the data centre I have a single lagg to two different switches which can do multichassis LCAP. Two different firewalls in a HA configuration and CARP for every VLAN.

Since the physical infrastructure will never change there will be no temptation to ever do anything to a physical port. Only VLANs coming and going ...

[johnmcallister]

I know the parent doesn't need to be assigned, but then it's just sitting there in the little drop down where it could be assigned by accident.  That's why I assigned it a disabled interface.

I noticed this. When set up my VLANs I assigned a primary interface for each because I thought it was required.


Now I see there's no way to unassign them through the GUI. Is this an oversight in GUI design that could/should be fixed?

[lilsense]

Then how's this set up? I thought that VLAN's need to be assigned in order to be used.

[CJ]

I really really like setups that abstract away as much as possible - like "router on a stick".

So I use two physical ports to build a lagg to my switch. Then I put all VLANs on top of that.

@work in the data centre I have a single lagg to two different switches which can do multichassis LCAP. Two different firewalls in a HA configuration and CARP for every VLAN.

Since the physical infrastructure will never change there will be no temptation to ever do anything to a physical port. Only VLANs coming and going ...

But you still have to assign interfaces to the VLANs, no?  Which uses the same dropdown.

[CJ]

I know the parent doesn't need to be assigned, but then it's just sitting there in the little drop down where it could be assigned by accident.  That's why I assigned it a disabled interface.

I noticed this. When set up my VLANs I assigned a primary interface for each because I thought it was required.


Now I see there's no way to unassign them through the GUI. Is this an oversight in GUI design that could/should be fixed?

What I meant was that the parent doesn't need to be assigned to an interface.  You still have to select a parent for a VLAN.  We're referring to two different stages of the process.  I'm talking about the Interface Assignment screen, not the VLAN creation screen.

[CJ]

Then how's this set up? I thought that VLAN's need to be assigned in order to be used.

I'm not sure who you're asking, but yes, you need to assign VLANs in order to use them.  However, you do not need to assign the parent of the VLAN.  But if you don't, it continues to show up as an option in the assignment dialog on the page.

[Patrick M. Hausen]

But you still have to assign interfaces to the VLANs, no?  Which uses the same dropdown.

Sure. All the VLANs are assigned to these "logical" interfaces of OPNsense that we all have come to love or hate. Sidewinder named them "burbs" (from suburbs) and later when someone in management considered that objectionable "zones".

See screen shot for my current setup at home.

So we have two wireguard instances, WAN which is PPPoE and a single interface assigned to "DSL" which gives me a management connection to my DSL modem (which I could not have over WAN, because PPPoE).

The rest is all VLANs.

So what is your "attack scenario"? Someone lacking the knowledge messing around in the assignments screen? Don't give that person admin access 

Some fellow admin who is not quite as much current on how everything works but is generally knowledgable and fills in for you during your vacation?

I for one documented that the layer 2 topology is simply not to be touched, new VLANs can be created on top of lagg0 and subsequently assigned and that is that.

I am really puzzled how you worry about some other person messing up while at the same time giving that person the power to mess up.

Kind regards,
Patrick

[CJ]

So what is your "attack scenario"? Someone lacking the knowledge messing around in the assignments screen? Don't give that person admin access 

Some fellow admin who is not quite as much current on how everything works but is generally knowledgable and fills in for you during your vacation?

I for one documented that the layer 2 topology is simply not to be touched, new VLANs can be created on top of lagg0 and subsequently assigned and that is that.

I am really puzzled how you worry about some other person messing up while at the same time giving that person the power to mess up.

My attack scenario is me not paying enough attention and attempting to do something with the parent interface and thereby allowing an insecure VLAN setup.  It's unlikely but everyone makes mistakes occasionally.