[Noob] WAN & LAN work fine. Best way to add SFP (OPT1) & switch into the mix

Started by HeneryH, November 01, 2024, 05:52:12 PM

Total noob, Basic install went well.  I see my interfaces WAN, LAN and my extra OPTx for my extra nics.  WAN and LAN are working fine on the default 192.168.1.x range.

Groovy.

Now I want to connect a basic SFP switch to expand my capacity and partition off my IoT devices into a secure vlan.

Forgetting the secure vlan stuff for a moment... How do I get my devices plugged into the SFP switch to have internet access?

This is what I did so far.

  • My LAN is fine and is using static 192.168.1.1 and has the default DHCP service and rules configured.
  • Edited the OPTx interface to give it a static IP of 192.168.10.1 and replicated the DHCP and rules for OPTx.  The DHCP range for SFP just used the 192.168.10.x range.
  • A computer connected to the switch and is getting an IP assigned of 192.168.10.10.
  • But...  that computer cannot get to the internet.

Am I missing something silly?

Yes, a firewall rule allowing access on OPT1.

Clone the rule on LAN, change interface and source accordingly.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Hmm, thought I did that and the machine on the new switch got a proper IP address but could not get to the internet.

Thank you.

I'll double check to look for mistakes.  I was wondering if I missed a step.

DHCP is permitted by automatic rules. Internet access isn't.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I think I had a simple wrong setting in my rules.  Copied a little too much verbatim from LAN to Opt1.  I'll test once my wife isn't at the computer so she doesn't yell at me for dropping the network again :-)

Thank you.

Note that simply copying the default LAN rule over will also allow devices on the OPT1 side to access devices on the LAN side (and vice versa, but that's likely fine here).
If you strictly want Internet access:
* Create an alias for your IP ranges that IoT devices should not access (or use LAN network in the following step)
* Create an OPT1 FW in rule to allow OPT1 network to access !<alias>
* Create an OPT1 FW in rule to allow OPT1 network to access port 53 (DNS) on OPT1 address.

FWIW, nothing you do on the OPT1 side should mess with your existing LAN connectivity.
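To make the difference between the two rule sets in this thread concrete (the cloned "LAN to any" rule versus the "Internet only" set above), here is a small first-match policy checker. It is an added example, not code from the thread or from OPNsense: the addressing follows the thread (LAN 192.168.1.0/24, OPT1 192.168.10.0/24, OPT1 address 192.168.10.1), the alias contents are constructed, and it assumes OPNsense's default behaviour that rules are "quick" (first match wins) with a default deny when nothing matches. Automatic rules such as the DHCP allow are not modelled.

```python
"""First-match policy check for the OPT1 rule sets discussed in the thread.
Addresses, alias contents, rules and test packets are all constructed for
this example; nothing here is pulled from a live firewall."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network

# Constructed lab addressing, matching the thread
OPT1_NET = Net("192.168.10.0/24")
LAN_NET = Net("192.168.1.0/24")

# Aliases. "PrivateNets" is the wider choice (all RFC1918 space, so the
# OPT1 interface address itself is excluded and DNS needs its own rule);
# "LANNet" is the narrower "or use LAN network" option from the post.
ALIASES = {
    "PrivateNets": [Net("10.0.0.0/8"), Net("172.16.0.0/12"), Net("192.168.0.0/16")],
    "LANNet": [LAN_NET],
    "OPT1Net": [OPT1_NET],
    "OPT1Addr": [Net("192.168.10.1/32")],   # the firewall's own OPT1 address
}


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: str                     # alias name or "any"
    dst: str                     # alias name or "any"; leading "!" inverts the match
    dport: Optional[int] = None  # None = any destination port


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


def _matches(addr_text: str, spec: str) -> bool:
    """True if addr_text satisfies spec ("any", alias, or "!alias")."""
    if spec == "any":
        return True
    invert = spec.startswith("!")
    addr = ipaddress.ip_address(addr_text)
    hit = any(addr in net for net in ALIASES[spec.lstrip("!")])
    return hit != invert


def evaluate(rules, pkt: Packet) -> str:
    """First matching rule wins (quick); no match falls through to default deny."""
    for r in rules:
        if (_matches(pkt.src, r.src) and _matches(pkt.dst, r.dst)
                and (r.dport is None or r.dport == pkt.dport)):
            return r.action
    return "block"


# Rule set from the post: DNS to the firewall, then anything that is not private space
INTERNET_ONLY = [
    Rule("pass", "OPT1Net", "OPT1Addr", dport=53),
    Rule("pass", "OPT1Net", "!PrivateNets"),
]

# Rule set you get by simply cloning the default LAN rule onto OPT1
CLONED_LAN = [Rule("pass", "OPT1Net", "any")]

# Constructed traffic from an IoT host on OPT1 (192.168.10.10)
TO_INTERNET = Packet("192.168.10.10", "93.184.216.34", 443)
TO_LAN_SMB = Packet("192.168.10.10", "192.168.1.50", 445)
TO_FW_DNS = Packet("192.168.10.10", "192.168.10.1", 53)
TO_FW_GUI = Packet("192.168.10.10", "192.168.10.1", 443)


def compare() -> dict:
    """Decision of each rule set for each sample packet, keyed by description."""
    samples = {"internet": TO_INTERNET, "lan_smb": TO_LAN_SMB,
               "fw_dns": TO_FW_DNS, "fw_gui": TO_FW_GUI}
    return {name: (evaluate(CLONED_LAN, p), evaluate(INTERNET_ONLY, p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (cloned, strict) in compare().items():
        print(f"{name:9s} cloned-LAN={cloned:5s} internet-only={strict}")
```

The cloned rule passes the SMB connection into the LAN, which is exactly the leakage the post warns about; the Internet-only set blocks it while still allowing web traffic and DNS to the firewall. Note that the same set also blocks the IoT host from reaching the firewall's web GUI on 192.168.10.1:443, which is usually what you want for an IoT segment, but it is worth knowing before you wonder why the admin page is unreachable from that side.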