OPNsense Forum
»
English Forums
»
General Discussion
»
Advice accepted for new configuration
Topic: Advice accepted for new configuration (Read 630 times)
cantguardtom
Newbie
Posts: 1
Karma: 0
“If you quit once, it becomes a habit. Never quit”
Advice accepted for new configuration
« on: April 04, 2024, 03:03:57 pm »
Hey everybody, I'm Tom - hope everything is going well for you.
Almost three months ago I finally went from an FWA connection to FTTH, and it's great.
After this change I felt the time was right to start monitoring and securing my home network properly.
Here’s the setup:
ISP modem/router (i.e. ZTE H388XF) in bridge mode
Mini-PC (Intel® N100, 8 GB RAM, 4 × Intel® I226-V 2.5 Gbps RJ45) with OPNsense 24.1.4 installed
The mini-PC interfaces are structured as follows:
igc0 – WAN (configured via PPPoE to ISP modem/router)
igc1 – OPT1 (this interface terminates directly into a network wall port, ideally this would be a DMZ port for mixed use)
igc2 – OPT2 (this interface also terminates directly into a network wall port, where the primary entertainment/gaming PC is connected)
igc3 – LAN (this cable is connected to an 8-port gigabit switch in the living room, a NETGEAR GS308E)
The NETGEAR switch presents this configuration:
Port 1 – attached to the firewall
Port 2 – smart TV
Port 3 – promiscuous
Port 4 – free, but this would be the port dedicated to the wireless AP
Port 5 – gaming console
Port 6 – free
Port 7 – IoT bridge for smart lights
Port 8 – secondary entertainment/gaming PC
The idea would be to properly segregate the network so that the wired devices do not have access to the local network, except for communication with a small printer connected via wireless, and to also separate the wireless devices connected to the access point, because they will only need to browse externally and will not need access to the local network.
How do you recommend that I proceed?
Should I aggregate the three LAN interfaces into one or is it better to keep them separate?
Does it make sense to create VLANs or is it enough for me to work well with firewall rules?
I hope I have given you all the information you need, and thank you very much in advance for all the help you can give me.
netnut
Sr. Member
Posts: 272
Karma: 33
Re: Advice accepted for new configuration
« Reply #1 on: April 04, 2024, 03:16:31 pm »
Looks clean and simple, exactly what you want.
I would reshuffle your interfaces a bit:
- LAN directly connected to your primary PC (ssh, webgui), so you can troubleshoot OPNsense without any dependencies (VLAN, etc)
- OPT1 a VLAN trunk to your switch so you can segment your switch ports (don't use VLAN1, see this forum for further explanation)
- OPT2 DMZ
If your switch supports LACP, you could make a redundant VLAN trunk over LACP for extra redundancy (Home Networking is mission critical) and terminate your DMZ as a VLAN on your switch. You lose an extra port, so this might be less preferred because you don't have that many ports free...
« Last Edit: April 04, 2024, 03:20:56 pm by netnut »
Seimus
Hero Member
Posts: 608
Karma: 59
Re: Advice accepted for new configuration
« Reply #2 on: April 04, 2024, 03:33:39 pm »
Overall, what you described is okay, and I also agree with what netnut advised.
However, I would use 2 (or even all 3; you can do a DMZ VLAN as well) of those ports from OPN as a LAGG with LACP towards the switch. You will gain redundancy and, in a certain way, more bandwidth.
On top of the LAGG, VLANs, and do the micro-segregation based on VLANs.
Additionally, create a management VLAN as well, on which your network devices will remain, and set restricted access to it from certain devices according to your needs.
This is how I do it. I also have FW groups created, where all the VLANs (except management) are bound and share a common pool of rules such as DNS, HTTPS, etc. The MGMT VLAN has its own independent set of rules.
I also have another FW group called MGMT_Access, which binds only specific VLANs and has in it an alias for the specific hosts allowed to access the management network.
P.S. Personally, I think sooner or later you will hit the need for VLANs (or will say to yourself, damn, now I would need to do VLAN-based rules). So, as you are in the process of designing, why not do it right away?
Regards,
S.
« Last Edit: April 04, 2024, 03:37:24 pm by Seimus »
Networking is love. You may hate it, but in the end, you always come back to it.
OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA (SOON)
N100 - i226-V | Crucial 16G 4800 DDR5 | S 980 500G - PROD
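The design sketched in the two replies above (one shared rule group for every segment except management, an independent rule set for the MGMT VLAN, an alias-restricted MGMT_Access rule, wired segments allowed to reach only the wireless printer) can be sanity-checked before it is typed into the GUI. What follows is an added example, not OPNsense code and not anything posted by netnut or Seimus: a small Python model of how OPNsense evaluates rules (on the interface a packet enters, group rules before interface rules, first match wins, default deny for anything unmatched) applied to a constructed policy for Tom's segments. The subnets, VLAN names, aliases such as PRINTER, ADMIN_HOSTS and FW_SELF, the host addresses and the ports are all assumptions chosen for illustration.

```python
"""Added example (not OPNsense code): a model of OPNsense-style rule evaluation,
used to check a VLAN segmentation plan before it goes into the firewall.

Modelled semantics: rules are evaluated on the interface a packet ENTERS, group
rules run before that interface's own rules, first match wins, and anything
unmatched hits the default deny. Replies to passed flows are covered by state,
so only the initiating direction needs a rule. All subnets, aliases and hosts
below are constructed assumptions, not values from the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing plan: one subnet per segment (assumption).
NETWORKS = {
    "LAN":   ip_network("192.168.1.0/24"),   # primary PC, reaches OPNsense GUI/SSH
    "MGMT":  ip_network("192.168.10.0/24"),  # switch and AP management addresses
    "TV":    ip_network("192.168.20.0/24"),  # wired TV, consoles, second PC
    "IOT":   ip_network("192.168.30.0/24"),  # smart-light bridge
    "GUEST": ip_network("192.168.40.0/24"),  # wireless clients and the wireless printer
}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Aliases in the OPNsense sense: named host/network lists referenced by rules (assumed).
ALIASES = {
    "PRINTER":     [ip_network("192.168.40.50/32")],   # wireless printer (assumed address)
    "ADMIN_HOSTS": [ip_network("192.168.1.10/32")],    # the one PC allowed into MGMT
    "FW_SELF":     [ip_network(f"{n.network_address + 1}/32") for n in NETWORKS.values()],  # firewall's own IPs
}

@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    proto: str = "any"                   # "any", "tcp", "udp", "tcp/udp"
    src: str = "any"                     # network name, alias name or "any"
    dst: str = "any"                     # same; a leading "!" negates the match
    dports: Optional[frozenset] = None   # destination ports, None = any port
    desc: str = ""

@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet enters OPNsense on
    proto: str
    src: str
    dst: str
    dport: int = 0

def _nets(name: str):
    if name in NETWORKS:
        return [NETWORKS[name]]
    if name in ALIASES:
        return ALIASES[name]
    if name == "RFC1918":
        return RFC1918
    raise KeyError(f"unknown selector {name}")

def addr_matches(selector: str, addr: str) -> bool:
    """Resolve a network/alias selector (optionally negated with '!') against one address."""
    if selector == "any":
        return True
    negate = selector.startswith("!")
    hit = any(ip_address(addr) in n for n in _nets(selector.lstrip("!")))
    return hit != negate

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and pkt.proto not in rule.proto.split("/"):
        return False
    if rule.dports is not None and pkt.dport not in rule.dports:
        return False
    return addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)

# Group bound to every segment except MGMT and LAN: a shared baseline evaluated
# before each interface's own rules. Order matters: DNS to the firewall is allowed
# before the rule that blocks every other access to the firewall itself.
SEGMENTS_GROUP = {"TV", "IOT", "GUEST"}
GROUP_RULES = [
    Rule("pass",  "tcp/udp", "any", "FW_SELF", frozenset({53}), "DNS to OPNsense resolver"),
    Rule("block", "any",     "any", "MGMT",    None,            "no segment reaches management"),
    Rule("block", "any",     "any", "FW_SELF", None,            "no GUI/SSH on the firewall from segments"),
]
IFACE_RULES = {
    "TV":    [Rule("pass", "tcp", "TV",  "PRINTER",  frozenset({631, 9100}), "wired devices may print"),
              Rule("pass", "any", "TV",  "!RFC1918", None, "TV segment to internet only")],
    "IOT":   [Rule("pass", "tcp", "IOT", "PRINTER",  frozenset({631, 9100}), "IoT bridge may print"),
              Rule("pass", "any", "IOT", "!RFC1918", None, "IoT to internet only")],
    # The printer sits on the wireless segment itself, so guest<->printer traffic
    # never crosses the firewall; wireless clients otherwise get internet only.
    "GUEST": [Rule("pass", "any", "GUEST", "!RFC1918", None, "wireless clients browse only")],
    # Trusted LAN, with MGMT reachable from listed admin hosts only (MGMT_Access style).
    "LAN":   [Rule("pass",  "any", "ADMIN_HOSTS", "MGMT", None, "admin PC to switch/AP management"),
              Rule("block", "any", "any",         "MGMT", None, "rest of LAN kept out of MGMT"),
              Rule("pass",  "any", "LAN",         "any",  None, "LAN may initiate anything else")],
}

def evaluate(pkt: Packet) -> tuple:
    """Return (action, description of the matching rule) for a packet entering on pkt.iface."""
    rules = (GROUP_RULES if pkt.iface in SEGMENTS_GROUP else []) + IFACE_RULES.get(pkt.iface, [])
    for r in rules:
        if rule_matches(r, pkt):
            return r.action, r.desc
    return "block", "default deny"

# Constructed flows with the verdict the design is supposed to give.
EXPECTED = [
    (Packet("IOT",   "tcp", "192.168.30.20", "192.168.40.50", 631), "pass"),   # light bridge -> printer
    (Packet("IOT",   "tcp", "192.168.30.20", "192.168.1.10",  445), "block"),  # IoT -> LAN file share
    (Packet("TV",    "tcp", "192.168.20.30", "203.0.113.10",  443), "pass"),   # console -> internet
    (Packet("TV",    "tcp", "192.168.20.30", "192.168.10.2",  443), "block"),  # TV -> switch management
    (Packet("GUEST", "udp", "192.168.40.77", "192.168.40.1",  53),  "pass"),   # guest -> DNS on firewall
    (Packet("GUEST", "tcp", "192.168.40.77", "192.168.40.1",  443), "block"),  # guest -> firewall GUI
    (Packet("GUEST", "tcp", "192.168.40.77", "192.168.1.10",  22),  "block"),  # guest -> LAN host
    (Packet("LAN",   "tcp", "192.168.1.10",  "192.168.10.2",  443), "pass"),   # admin PC -> switch
    (Packet("LAN",   "tcp", "192.168.1.99",  "192.168.10.2",  443), "block"),  # other LAN host -> switch
]

def audit() -> list:
    """Flows whose verdict differs from the design intent; empty when the policy is right."""
    return [(p, want, evaluate(p)) for p, want in EXPECTED if evaluate(p)[0] != want]

if __name__ == "__main__":
    for p, want in EXPECTED:
        got, why = evaluate(p)
        print(f"{p.iface:5} {p.src} -> {p.dst}:{p.dport}  {got:5} ({why})  as intended: {got == want}")
    print("audit violations:", audit())
```

The model deliberately leaves out floating rules, the automatic DHCP/anti-lockout rules, IPv6 and the reply direction; it is only there to make the ordering consequences visible. The GUEST/firewall pair shows the point that matters most: the DNS pass rule has to sit above the rule blocking access to the firewall's own addresses, otherwise wireless clients lose name resolution, and the LAN rules show that an "allow everything" rule must come after the narrower MGMT rules or the alias restriction never fires.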
TheAutomationGuy
Newbie
Posts: 23
Karma: 0
Re: Advice accepted for new configuration
« Reply #3 on: April 04, 2024, 06:42:17 pm »
Tom,
You seem to be just beginning your network journey. As such, I would like to know why you think you need a DMZ? While DMZs are not unheard of, they are kind of out of the ordinary for a typical home network. I just want to get some clarity on your use case because it might be something you think you need, but really don't.
Just a hobbyist trying to figure all this out.