Trying to eliminate devices and consolidate

Started by fbeye, December 27, 2024, 03:06:34 AM

Hi

Currently I have OPNsense [VM] as my firewall with 6 static routes to find where my 6 networks are located, which is on my SG350XG. I am having too hard of a time finding out where my bandwidth is being used, and issues with a slow network, and it's simply too difficult trying to do so while having to look at 2 ARPs etc. ANYWAY..

I want to move my 6 networks/VLANs back to OPNsense, and the 6 DHCP servers as well. I want to run a TRUNK from OPNsense for VLANs 2-7 and then on the SG350XG make a TRUNK for VLANs 2-7 and then assign which interfaces I want for each VLAN. This way I can have 1 ARP and through OPNsense I can see all the visual data!?

From what I am reading, I can only have 1 DHCP Server. So I guess I'll keep it as is.

Either KEA or ISC DHCP server will work just fine for the task. You can manage all your VLANs in either one.

Alright, ty, I will look into KEA and see if I can get this to work as I want, with the 6 networks/DHCP servers.

1 DHCP server per network is wise. ISC (default DHCP service) allows you to enable DHCP per interface.
IOW, as soon as you create/assign an interface, you get a new page under Services > ISC DHCPv4.

So what it appears I will need is this.

On KEA:

Create the 6 networks:
Enable on LAN interface
Create 1-6 networks:
  Subnet.  192.168.1.0/24
  Pool.    192.168.1.2 - 192.168.1.128
  Name.    1.0 Network
  Gateway. 192.168.1.1
  DNS.     172.16.2.1
And I do this for all 6, obviously each with their own network.


On Interfaces: Other: VLAN:
  Device. vlan0.2
  Parent. vtnet0 (my LAN interface)
  Tag.    2
Under Interfaces: Assignments:
  Add vlan0.2
Under Interfaces: OPT1:
  Enable
  IPv4: Static: 192.168.1.1 (as this is the gateway and VLAN main IP?)

I do this for all 6.... But I guess I am still lost on how I make vnet1 a TRUNK for all 6 networks, and then of course I'll need to do my ACLs etc.

Does this seem legit thus far?

Quote from: EricPerl on December 27, 2024, 08:05:59 PM
1 DHCP server per network is wise. ISC (default DHCP service) allows you to enable DHCP per interface.
IOW, as soon as you create/assign an interface, you get a new page under Services > ISC DHCPv4.

I only have the 1 LAN interface, vnet1, but want to create 6 networks/6 DHCP servers and TRUNK them to my Cisco SG350XG.

Assuming your LAN maps to vtnet1 (you have vtnet0 in the previous post) with 192.168.1.1/24.

You start with creating VLANs vlan0.X parented to vtnet1.
You assign/enable an interface IFACEX to vlan0.X and choose a different subnet than LAN (one typical convention is to use the VLAN ID: 192.168.X.1/24).
You go to ISC (or KEA) to configure DHCP for IFACEX.

LAN will be untagged (you could assign LAN to a vlan0.Y to avoid mixing tagged & untagged), all VLANs will be tagged over the link mapped to vtnet1 (per parenting relationship).

It's not that different from managing networks per physical interfaces. It's just done logically over one physical interface.

Whew. I am sorry, it's just not clicking. I don't wanna waste your time going back and forth to the point of being resented, so for now I think I'll take a breather. Not sure why it's not clicking.
Currently my LAN interface serves 1 purpose, the link to my SG350XG which has the 6 networks. vnet1 currently has 172.16.2.1 and connects to the SG at 172.16.2.2, but that will change as I wanna make it a TRUNK link for [new] VLANs 2-7, 192.168.1.0 - 192.168.6.0. I of course currently have 6 x static routes saying where to find these networks, and of course NAT.

I will see if it clicks eventually. Thank you.

December 27, 2024, 09:59:49 PM #9 Last Edit: December 27, 2024, 10:05:13 PM by EricPerl
OK, so LAN maps to vtnet1 with 172.16.2.1 IP.
I don't know how the switch is getting IP. DHCP or static?
You might need to keep untagged traffic just to access the switch (unless you set up a management VLAN for it). You need access to configure VLANs per port.

Per VLAN X:
* Interfaces > Other Types > VLAN: Add (+) then vlan0.X / vtnet1 / X / Best / somename (eg VLANX), then Save and Apply.
* Interfaces > Assignments: VLANX shows unassigned. Pick a description (eg VLANX), then Add.
* Interfaces > [VLANX]: Enable checkbox, IPv4 configuration type = Static, IPv4 address = 192.168.X.1 / 24, Save then Apply changes

Then you can configure ISC for VLANX under Services > ISC DHCPv4 > [VLANX].
Minimal config is to enable, enter a range and save.

Edit: with that setup, you no longer need static routes in OPN.

I haven't used KEA enough to understand the mapping between subnets and VLAN/interfaces (static IP of interface within subnet?)...

The vtnet1 link carries LAN untagged and all VLANs tagged (it's a trunk). No NAT between LAN/VLANs.
Note that new interfaces get a very minimal set of automatic rules. You need to configure what you allow per interface (Firewall > Rules > VLANX).
DHCP works but that's pretty much it. Not even DNS by default. You can clone from LAN.
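The step list above (one vlan0.X per VLAN on the vtnet1 trunk, a static interface IP per VLAN, a DHCP range per interface, and explicit firewall rules because a new interface gets almost none) is easy to get subtly wrong in the GUI. The following is an added example, not code from the thread or from OPNsense, that models a plan in that shape and checks it before anything is typed in: overlapping subnets, a gateway outside its subnet, a DHCP pool that swallows the gateway, a VLAN ID that collides with the untagged VLAN on the trunk, and a DNS server outside the client subnet (which, as noted above, needs a pass rule on that interface). The VLAN-to-subnet mapping (VLAN 2..7 to 192.168.1.0/24..192.168.6.0/24), the parent name vtnet1, the native VLAN ID 1 and the DNS address 172.16.2.1 are assumptions taken from the plan posted earlier in the thread; the `Vlan` class and `check_plan` function are this example's own.

```python
"""Sanity-check a VLAN / interface / DHCP plan before it goes into OPNsense.

Added example, not part of the thread or of OPNsense. Assumed: one 802.1Q
tag per VLAN on a single trunk parent (vtnet1), the OPNsense interface IP
is the clients' gateway, and the untagged (native) VLAN on the trunk is 1.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Vlan:
    vid: int                  # 802.1Q tag carried on the trunk
    name: str                 # OPNsense interface description, e.g. VLAN2
    subnet: IPv4Network
    gateway: IPv4Address      # static IP of the OPNsense interface in this VLAN
    pool_start: IPv4Address   # DHCP range handed out on this interface
    pool_end: IPv4Address
    dns: IPv4Address          # DNS server pushed to clients


def vlan(vid, name, subnet, gateway, pool, dns):
    """Build a Vlan from the strings you would type into the GUI (pool as 'a - b')."""
    lo, hi = (ip_address(p.strip()) for p in pool.split("-"))
    return Vlan(vid, name, ip_network(subnet), ip_address(gateway), lo, hi, ip_address(dns))


def check_plan(vlans, parent="vtnet1", native_vid=1):
    """Return (vid, code, message) tuples; an empty list means the plan is consistent."""
    problems = []
    seen = set()
    for v in vlans:
        if v.vid in seen:
            problems.append((v.vid, "dup_vid", f"VLAN {v.vid} is defined twice"))
        seen.add(v.vid)
        if not 1 <= v.vid <= 4094:
            problems.append((v.vid, "bad_vid", f"{v.vid} is not a valid 802.1Q tag"))
        if v.vid == native_vid:
            # Untagged frames on the trunk already belong to this VLAN; tagging it
            # too mixes tagged and untagged traffic for one network.
            problems.append((v.vid, "native", f"VLAN {v.vid} is the untagged VLAN on {parent}; do not also tag it"))
        if v.gateway not in v.subnet:
            problems.append((v.vid, "gw_outside", f"gateway {v.gateway} is not inside {v.subnet}"))
        if v.pool_start not in v.subnet or v.pool_end not in v.subnet:
            problems.append((v.vid, "pool_outside", f"pool {v.pool_start}-{v.pool_end} leaves {v.subnet}"))
        elif v.pool_start > v.pool_end:
            problems.append((v.vid, "pool_order", f"pool start {v.pool_start} is after end {v.pool_end}"))
        elif v.pool_start <= v.gateway <= v.pool_end:
            problems.append((v.vid, "gw_in_pool", f"gateway {v.gateway} sits inside the DHCP pool and would be leased out"))
        if v.dns not in v.subnet:
            # A new interface only gets minimal automatic rules, so reaching a
            # resolver on another interface needs an explicit pass rule.
            problems.append((v.vid, "dns_outside",
                             f"DNS {v.dns} is outside {v.subnet}; add a pass rule under Firewall > Rules > {v.name}"))
    # Routed networks must not overlap, or the firewall cannot tell them apart.
    for i, a in enumerate(vlans):
        for b in vlans[i + 1:]:
            if a.subnet.overlaps(b.subnet):
                problems.append((a.vid, "overlap", f"{a.subnet} (VLAN {a.vid}) overlaps {b.subnet} (VLAN {b.vid})"))
    return problems


# Constructed from the plan posted in the thread: VLAN 2..7 -> 192.168.1.0/24 .. 192.168.6.0/24,
# gateway .1, pool .2-.128, DNS on the existing LAN address 172.16.2.1.
THREAD_PLAN = [
    vlan(vid, f"VLAN{vid}", f"192.168.{n}.0/24", f"192.168.{n}.1",
         f"192.168.{n}.2 - 192.168.{n}.128", "172.16.2.1")
    for n, vid in enumerate(range(2, 8), start=1)
]

# Constructed, deliberately broken variant: the pool swallows the gateway and
# two VLANs are given the same subnet.
BROKEN_PLAN = [
    vlan(2, "VLAN2", "192.168.1.0/24", "192.168.1.1", "192.168.1.1 - 192.168.1.128", "192.168.1.1"),
    vlan(3, "VLAN3", "192.168.1.0/24", "192.168.1.1", "192.168.1.2 - 192.168.1.128", "192.168.1.1"),
]


if __name__ == "__main__":
    for label, p in (("thread plan", THREAD_PLAN), ("broken plan", BROKEN_PLAN)):
        print(f"== {label}")
        for vid, code, msg in check_plan(p) or [(None, "ok", "no problems found")]:
            print(f"  [{code}] {msg}")
```

Run against the thread's own plan it reports nothing about subnets or pools, only that every VLAN points clients at a resolver on the LAN address, which is exactly the case where the "not even DNS by default" remark bites; the broken variant shows the two checks that stop a plan from working at all.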

Thank you for your patience and help; when I get home I'll focus and see if we can make this happen. For now, to better clarify, right or wrong (it works), here is my config.


OPNsense
vnet0 - PPPoE
Virtual IPs:
x.x.x.177
x.x.x.178
x.x.x.179
x.x.x.180
x.x.x.181
(I have a block of 8 IPs, 6 usable; 1 is the OPNsense WAN and the 5 spares are virtual IPs.)
vnet1 - Static IP 172.16.2.1
No ACL, no NAT (for vnet1 / 172.16.2.0/24) as it is simply the 'link' between OPNsense and the SG350.
I have OUTBOUND NAT associating LAN 192.168.1.0/24 with WAN x.x.x.177/32 (I have this for all 6 networks on the SG350 and their respective WAN IPs).
I have ACLs (rules) for incoming to various LAN IPs etc.; works fine.
I then have 6 STATIC routes:
  192.168.1.0/24  172.16.2.2
  192.168.2.0/24  172.16.2.2
     (And so on for all my networks)

SG350XG
GE 1/1 - 172.16.2.2
6 VLANs (2-7)
6 DHCP servers:
   192.168.1.0
   192.168.2.0
   192.168.3.0
   192.168.4.0
   192.168.5.0
   192.168.6.0
I have a default route, 0.0.0.0 0.0.0.0 172.16.2.1