Home network with OPNsense & no managed switches

Started by dellarte, August 06, 2024, 11:52:11 AM

Hello,

I am new to the OPNsense domain. I am exploring it and quite like it so far.
Currently, I have a router provided by my ISP, which I want to replace to enhance the security of my home network.
Attached, you will find the network diagram I have envisioned.
I aim to achieve the best energy efficiency, which is why I prefer not to add more network devices (e.g., no managed switches).

I have attempted to configure OPNsense to implement this infrastructure, but I have realized that OPNsense is not well-suited for managing VLANs, as it is not a switch.

I am posting on this forum to see if anyone has a similar infrastructure setup that I want to create and to find out if it is possible or not.

Thank you very much.

August 06, 2024, 12:13:38 PM #1 Last Edit: August 06, 2024, 12:15:25 PM by Patrick M. Hausen
- create VLAN interface with tag 10 on first trunk port
- create VLAN interface with tag 10 on second trunk port
- create a bridge interface with the two VLAN interfaces as members - do not bridge the trunk ports!

- same for VLAN 20, create on both trunks, create another bridge with the two VLAN interfaces as members

- for "VLAN 30" don't create a VLAN at all - simply create another bridge interface with the three physical ports as members

Use the three bridge interfaces for IP address assignment, firewall rules, etc.

Don't forget the two mandatory tunables from step 6 of the documentation: https://docs.opnsense.org/manual/how-tos/lan_bridge.html#step-six


Done.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

August 07, 2024, 11:55:24 AM #2 Last Edit: August 07, 2024, 12:04:16 PM by dellarte
Hi M. Hausen

Thanks a lot for your answer. I can't wait to try this.
Now I need to configure the trunk port on the OpenWrt access point side. :)
However, I have one last little question if that's ok with you.

In this diagram (updated), is it possible to have a management IP on the OpenWrt access points in the same range as the LAN so I can manage them from the LAN? For example, 192.168.30.1 & 2.

If yes, how ?

- I thought about creating a bridge between the "LAN bridge" and the "VLAN bridges"... but I'm not too sure of the result and afraid of multiplying the broadcast domains

- Or create 2 /30 networks on the trunks' parent interfaces (this would be untagged traffic)

- Or simply add the trunks' parent interfaces to the "LAN Bridge"?

Add two VLAN tag 30 interfaces to the trunk ports. Add the two VLAN 30 interfaces to the bridge that already contains the three untagged ports.

Never add the parent port of tagged VLANs to a bridge.
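As an added example that is not from the thread or the OPNsense project: a small Python script modelling the layout Patrick describes (one bridge per tagged VLAN holding the per-trunk VLAN interfaces, plus the LAN bridge holding the untagged ports and the tagged VLAN 30 interfaces), checking the "never bridge the parent port" rule, and printing the equivalent FreeBSD ifconfig(8) commands. Interface names igb0..igb4 are assumed placeholders.

```python
# Constructed example: model the VLAN/bridge layout from the thread and emit
# the FreeBSD ifconfig(8) commands it corresponds to. Names igb0..igb4 are
# assumed placeholders, not taken from the original post.

TRUNKS = ["igb0", "igb1"]              # tagged uplinks to the two APs (assumed)
LAN_PORTS = ["igb2", "igb3", "igb4"]   # untagged wired LAN ports (assumed)
TAGGED_VLANS = [10, 20]                # VLANs carried only on the trunks
LAN_VLAN = 30                          # tagged on trunks, untagged on LAN ports


def build_plan(trunks, lan_ports, tagged_vlans, lan_vlan):
    """Return {bridge: [members]}. Each tagged VLAN gets its own bridge of
    per-trunk VLAN interfaces; the LAN bridge holds the untagged ports plus
    the tagged lan_vlan interface from each trunk. Parent ports are never
    members, which is the rule the thread stresses."""
    plan = {}
    for vid in tagged_vlans:
        plan[f"bridge{vid}"] = [f"{t}.{vid}" for t in trunks]
    plan[f"bridge{lan_vlan}"] = list(lan_ports) + [f"{t}.{lan_vlan}" for t in trunks]
    return plan


def check_plan(plan, trunks):
    """Raise ValueError if a trunk parent port is bridged (leaks every tagged
    VLAN into that broadcast domain) or an interface sits in two bridges."""
    seen = {}
    for bridge, members in plan.items():
        for m in members:
            if m in trunks:
                raise ValueError(f"{bridge}: parent port {m} must not be bridged")
            if m in seen:
                raise ValueError(f"{m} is a member of both {seen[m]} and {bridge}")
            seen[m] = bridge
    return True


def ifconfig_commands(plan):
    """Translate the plan into ifconfig(8) lines; 'parent.tag' names create a
    vlan(4) interface on FreeBSD. Includes the two bridge tunables from step 6
    of the OPNsense LAN bridge how-to, so the bridge (not its members) is filtered."""
    lines = ["sysctl net.link.bridge.pfil_member=0", "sysctl net.link.bridge.pfil_bridge=1"]
    for bridge, members in plan.items():
        lines += [f"ifconfig {m} create up" for m in members if "." in m]
        lines.append(f"ifconfig {bridge} create")
        lines.append(f"ifconfig {bridge} " + " ".join(f"addm {m}" for m in members) + " up")
    return lines


if __name__ == "__main__":
    plan = build_plan(TRUNKS, LAN_PORTS, TAGGED_VLANS, LAN_VLAN)
    check_plan(plan, TRUNKS)
    print("\n".join(ifconfig_commands(plan)))
```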

Thank you very much Patrick.
It worked very well.

Coming from a Cisco environment, I'm not familiar with software-managed VLANs.

This thread can be archived. :D

Cisco IOS *routers* [1] without a switching fabric work very similar:


interface gi0.30
  encapsulation dot1q 30
  no shutdown
  no ip address
  bridge-group 30

interface gi1.30
  encapsulation dot1q 30
  no shutdown
  no ip address
  bridge-group 30

bridge 30 protocol ieee


Kind regards,
Patrick

[1] 2500, 4000, 3600, 7200 series ... really old school  ;)