can I use same IP class on two interfaces ?

Started by Flx, October 28, 2024, 11:19:50 AM

Hi, I'm new to OPNsense.
I'm looking to use it on a customer site instead of the older router.
Just at this place there is a particular case, the router does not support VLAN but the switch yes.
The LAN was already in place with everything mixed: computers, telephony, surveillance and so on.
We had to separate part of it for security reasons but could not use VLAN at full because the router could not correctly manage the forwarding rules (and the customer does not have admin rights for part of the devices).
I ended up with static IPs on part of the devices and I've created a VLAN path at the switch level
LAN and VLAN use the same IP class 192.168.3.x, static addresses for the VLAN and DHCP and static for the LAN.
This way they are separated internally and the router could still manage the forwarding ports for both of them.

QUESTION, can I use OPNsense the same way ?
I mean, can I have a LAN port and a VLAN set with the same IP class ?

Thanks in advance
Flaviano

Quote from: Flx on October 28, 2024, 11:19:50 AM
QUESTION, can I use OPNsense the same way ?
I mean, can I have a LAN port and a VLAN set with the same IP class ?

OPNsense supports VLAN. So why don't you want to separate the subnets properly?

You can have the same network segment on both interfaces though, presumed you bridge them in OPNsense. Doing this you can only run a single DHCP for both (on the bridge), however. And IPs should be assigned to the bridge.

Hi viragomann,
Thanks, from your answer I assume I can use the same IP class on the two interfaces.
About why, you're perfectly correct, it's a dirty thing to do,
but the problem is that the customer has no admin rights on part of the devices and either we go the dirty way or we will have to reset them but we don't know exactly the whole figure of this side.

Thanks
Flaviano

What do you mean by "same IP class"?  Traditionally, "class" in the context of IP addresses means the size of the subnet (e.g. "class C" may be used loosely to refer to a /24 size subnet). Do you really mean the same *subnet*? Or the same *IP address*? Or something else?

I think what you're saying is that you have a big mess of hosts/devices all configured on a single subnet, and some of them need to be prevented from talking to others, but moving some of them to a different subnet would be too difficult? So instead you've physically divided them into two sets (connected to different switch segments), and you want to be able to filter access between the two sets? Maybe?

You might be able to do this with a filtering bridge in OPNsense. In this case, the bridge would have one IP address within the subnet, and would act as the gateway. The individual interfaces would not have IP addresses. You should still be able to create filtering rules to control what passes over the bridge, I think, but I haven't tried to do this...

Quote from: Flx on October 28, 2024, 12:44:40 PM
Thanks, from your answer I assume I can use the same IP class on the two interfaces.
A bridge is considered as a single interface, just using multiple (virtual) network ports. And yes, you can bridge a LAN and a VLAN.

In Interfaces: Other Types: VLAN add a VLAN to the desired NIC.
In Interfaces: Assignments assign a new interface to it and enable it.
Interfaces: Other Types: Bridge: create a bridge with LAN and the VLAN as member.
Go back to Interfaces: Assignments, assign a new interface to the bridge and enable it.

Even if it will work if you assign an IP to the LAN interface and another one to the VLAN or the bridge, it's highly recommended for reliability to assign IPs to the bridge and remove IPs from member interfaces.
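The advice in this reply boils down to two checks: bridge member interfaces should carry no addresses (only the bridge does), and two separately routed interfaces should never share an overlapping subnet. The script below is an added example, not code from the thread or from OPNsense, that encodes those checks over a hand-written interface plan (the interface names, addresses and the `check_plan` function are all constructed for illustration). It flags the "same subnet on LAN and VLAN without a bridge" layout from the original question and passes the bridged layout described above.

```python
"""Sanity-check an interface plan for the two problems discussed in the thread.

Constructed example: the data model (a dict of interface name -> list of
CIDR addresses, plus a dict of bridge name -> member interfaces) is an
assumption made for this script, not an OPNsense export format.
"""
import ipaddress
from itertools import combinations


def check_plan(addresses, bridges):
    """Return a sorted list of (code, detail) findings for a plan.

    addresses: {ifname: ["192.168.3.1/24", ...]}  (empty list = no address)
    bridges:   {bridgename: [member_ifname, ...]}
    """
    findings = []
    # Map each member interface back to the bridge that owns it.
    member_of = {m: b for b, members in bridges.items() for m in members}

    # 1. Bridge members should not carry their own addresses; the bridge
    #    interface is the L3 endpoint for the whole segment.
    for ifname, cidrs in addresses.items():
        if ifname in member_of and cidrs:
            findings.append(("member_has_address",
                             f"{ifname} is a member of {member_of[ifname]} "
                             f"but carries {', '.join(cidrs)}"))

    # 2. A bridge with no address cannot act as the segment's gateway.
    for bridge in bridges:
        if not addresses.get(bridge):
            findings.append(("bridge_without_address",
                             f"{bridge} has no address"))

    # 3. Interfaces that are routed separately (i.e. not bridge members)
    #    must not have overlapping subnets, otherwise the routing table is
    #    ambiguous and firewall rules no longer map cleanly to interfaces.
    routed = {
        ifname: [ipaddress.ip_interface(c).network for c in cidrs]
        for ifname, cidrs in addresses.items()
        if ifname not in member_of
    }
    for a, b in combinations(sorted(routed), 2):
        for net_a in routed[a]:
            for net_b in routed[b]:
                if net_a.overlaps(net_b):
                    findings.append(("overlapping_subnets",
                                     f"{a} {net_a} overlaps {b} {net_b}"))
    return sorted(findings)


def describe(plan_name, addresses, bridges):
    """Print findings for a plan and return them (used by the demo below)."""
    findings = check_plan(addresses, bridges)
    print(f"{plan_name}: {'OK' if not findings else ''}")
    for code, detail in findings:
        print(f"  [{code}] {detail}")
    return findings


if __name__ == "__main__":
    # Constructed plans mirroring the thread. 192.168.3.x is the subnet the
    # original poster mentioned; interface names are placeholders.
    describe("separate LAN + VLAN sharing one subnet (original question)",
             {"lan": ["192.168.3.1/24"], "vlan10": ["192.168.3.2/24"]},
             {})
    describe("bridge carrying the address, members without (recommended)",
             {"lan": [], "vlan10": [], "bridge0": ["192.168.3.1/24"]},
             {"bridge0": ["lan", "vlan10"]})
    describe("bridge created but address left on a member",
             {"lan": ["192.168.3.1/24"], "vlan10": [], "bridge0": []},
             {"bridge0": ["lan", "vlan10"]})
```

Run it as a script to see each plan's findings; the third plan shows the in-between state that is easy to end up in after following the GUI steps without moving the LAN address onto the bridge.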

Hi,
first of all, I apologize for not being clear.
dseven, Thanks, you described exactly the point.
viragomann, thanks for clarifying.
I will try this way.

Thanks
Flaviano