Newbie help with setting up firewall rules and vlan

Started by Dzoker, January 11, 2025, 11:36:00 PM

January 11, 2025, 11:36:00 PM Last Edit: January 11, 2025, 11:46:46 PM by Dzoker
Hi,

Very much a newbie here... The idea is to set up the following (I don't even know if this is possible):

ISP - OPNsense - LAN + VLAN - managed switch - 2 x AP - my devices

- on the managed switch VLAN10 I want to attach ASUS router #1 as an AP (for my IoT devices)
- on the managed switch LAN/VLAN1 I want to attach ASUS router #2 as an AP, and a few other devices via Ethernet cable to the switch LAN/VLAN1 ports


This is where I am so far:

HW:
1. OPNsense
2. TP-Link Managed switch
3. Laptop
4. PC

OPNsense setup:

ISP-WAN
LAN (igb1 interface) – 192.168.10.1 /24 (192.168.10.2 – 192.168.10.254) – GW 192.168.10.1
VLAN10 (igb1 parent) – 10.10.10.1 /24 (10.10.10.2 – 10.10.10.60) – GW 10.10.10.1

SWITCH setup:
Switch – 192.168.10.10
VLAN1 (default) – all untagged
VLAN10 – port 1 tagged, port 8 untagged
PVID on port 8 set to 10

LAN (igb1) - connected to port 1
PC - connected to port 2 (192.168.10.3)
Laptop - connected to port 8 (10.10.10.2)


Now, I can ping

- 192.168.10.3 to 192.168.10.1, 10.10.10.1, 192.168.10.10, 8.8.8.8 and google.com
- 10.10.10.2 to 10.10.10.1, 192.168.10.1, 8.8.8.8 and google.com

I cannot ping

- 192.168.10.3 to 10.10.10.2
- 10.10.10.2 to 192.168.10.3 or 192.168.10.10

I have the following firewall rules:

LAN
Action – pass
Interface – LAN
Direction – IN
TCP/IP – IPv4
Protocol – ANY
Source – ANY
Destination – ANY


VLAN10
Action – pass
Interface – VLAN
Direction – IN
TCP/IP – IPv4
Protocol – ANY
Source – ANY
Destination - ANY


Thank you

You don't specify an OS for laptop and PC.
In case it's Windows, ICMP echo requests are not allowed by default. Also by default, I believe the source is expected to be in the local subnet.
IOW, you'd need to enable and alter the rule in the correct profile (domain, private or public).

For laptop to switch, I don't know. Have you enabled some "switch ACLs" (in TP-link terminology)? These can be tricky...

Gotta address the big red flag: It looks as though you're trying to operate igb1 with both tagged and untagged VLANs. If you look around here, read the OPNsense docs, you'll find that this is verboten. I tried it initially, too - it failed badly. Link

Just tag your "LAN" VLAN in your switch (on the OPNsense-facing port) and move your OPNsense LAN config to an appropriate VLAN interface (you can create the VLAN interface, then just re-associate LAN to it). Once you have that set up, post your results.

If those rules are IN, quick, configured on the proper FW interface, and OPNsense is the GW while the managed switch doesn't interact with L3 functionality, you should be able to ping inter-VLAN. As @EricPerl asked, what are those devices you are trying to ping from and to?

Another story is that you are mixing tagged and untagged VLANs; don't do it... And also avoid using VLAN1 in any scenario. Read this:
https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html

Regards,
S.



Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

January 12, 2025, 01:20:53 AM #4 Last Edit: January 12, 2025, 02:00:26 AM by Dzoker
Both are Windows. So am I understanding this correctly that I have to add rules specifically for ICMP?
TP-Link TL-SG108E does not have ACL to my knowledge.

thx

Quote from: EricPerl on January 12, 2025, 12:57:58 AM
You don't specify an OS for laptop and PC.
In case it's Windows, ICMP echo requests are not allowed by default. Also by default, I believe the source is expected to be in the local subnet.
IOW, you'd need to enable and alter the rule in the correct profile (domain, private or public).

For laptop to switch, I don't know. Have you enabled some "switch ACLs" (in TP-link terminology)? These can be tricky...


I should have mentioned... Don't lock yourself out when changing your LAN config. It's pretty easy to avoid with planning. I always have a few spare interfaces installed and configured just in case, but you may not have such handy. In that case, I'd probably confirm access via the WAN, just to have a backup. You can always change it later. (And you may not need it at all.)

Hi,

I read through the documentation and I think I understand what you mean with what you said below. Basically both my LAN and VLAN10 should be "tagged" in my switch. So for example:

LAN = VLAN5
IoT = VLAN10

What I'm still not sure about is what you mean by "then just re-associate LAN to it"? Doesn't the association happen when the VLAN (with the LAN as parent) is created?

Another question I have is will both VLANs (5 & 10) in OPNsense have LAN as their parent?

Again, sorry for the possibly "stupid" questions, but as said, I'm very new here, and trying to read all the documentation (and understand it :)) at the same time is a task.

TYVM


Quote from: pfry on January 12, 2025, 01:10:57 AM
Gotta address the big red flag: It looks as though you're trying to operate igb1 with both tagged and untagged VLANs. If you look around here, read the OPNsense docs, you'll find that this is verboten. I tried it initially, too - it failed badly. Link

Just tag your "LAN" VLAN in your switch (on the OPNsense-facing port) and move your OPNsense LAN config to an appropriate VLAN interface (you can create the VLAN interface, then just re-associate LAN to it). Once you have that set up, post your results.

Technically the interface assignment (I should have used that instead of "association" to match OPNsense) doesn't matter - the network "device" just needs to be assigned to an OPNsense interface (under Interfaces: Assignments). "lan" is basically just an identifier; using "lan" for your LAN is just convenient, as that's where the default LAN firewall rules are defined, and likely where you'll want them.

As you've likely noted, the interface Description field identifies the interface under Firewall: Rules. (Example: For the "lan" interface, you likely have an entry under Interfaces labeled "LAN". Click on that, you'll be in Interfaces: [LAN], where you'll see that the Description is "LAN", and configurable. If you modify that, it changes the interface label under Interfaces and under Firewall: Rules.)

As far as the parent interface of a VLAN interface, you set the former under Interfaces: Other Types: VLAN when you create/edit the latter. The parent is a device, so it'll be selectable as (e.g.) igb1. So select appropriately.

The caveat (as I said earlier) is that if you're accessing the OPNsense management interface through "LAN", for instance, if you alter its config it can/will kill your access. You could set up alternate access through WAN or VLAN10, potentially; if you're careful, you can create VLAN5, then under Interfaces: Assignments you can assign it in place of where you have igb1 currently assigned (likely "LAN"/"lan"), apply it, and then set up the VLAN tagging in your switch to restore access. I'm a bit too paranoid to rely on that, personally - I always use a back door to reconfigure my main management interface.

FWIW, I have not had issues with mixing tagged and untagged. It's possible it's gotten worse recently (a few reports of issues).
I no longer mix because best practices are to avoid it, but it worked before that.

The final state you want to be in leaves the physical device used on the LAN side unassigned.
The VLANs are parented to the physical device and are assigned to interfaces.

Ah, you said managed switch in your OP... An easy smart switch may indeed not have that ACL feature.
BEFORE you re-assign LAN to a VLAN, you need to enable a management VLAN for the switch (the VLAN on which it will get its own IP that you use for management).
If you don't do this, the switch will try to communicate on the default (untagged) network and it will go nowhere.
If you have a port that is still on the default network, you can use it to enable the feature (set a static IP in the same subnet as the switch static or fallback IP).

And given your Windows usage you will indeed need to update the ICMP Echo Request rule.
The name starts with Core Networking Diagnostics. The remote address is set to "Local subnet" by default. That's not sufficient to allow the inter-VLAN case.
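To see why the OP's pings between 192.168.10.3 and 10.10.10.2 fail even though both OPNsense interfaces have pass-any rules, here is a small added model (not code from the thread or from OPNsense/Windows) that evaluates the two filters a cross-VLAN echo request passes through: first-match IN rules on the ingress OPNsense interface, then the Windows "ICMP Echo Request" inbound rule with its remote-address scope. Network addresses and the two pass rules are taken from the thread; the rule tuple format, `NETWORKS`, and the `remote_scope` parameter are assumptions of this model.

```python
from ipaddress import ip_address, ip_network

# Topology from the thread: OPNsense holds .1 on both networks (constructed model).
NETWORKS = {
    "LAN": ip_network("192.168.10.0/24"),
    "VLAN10": ip_network("10.10.10.0/24"),
}

# OPNsense rules as (interface, action, protocol, source, destination).
# These mirror the two "pass / IN / any / any / any" rules Dzoker posted.
OPNSENSE_RULES = [
    ("LAN", "pass", "any", "any", "any"),
    ("VLAN10", "pass", "any", "any", "any"),
]


def interface_of(ip):
    """Name of the OPNsense interface whose subnet contains ip, or None."""
    addr = ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return None


def _matches(rule_field, ip):
    return rule_field == "any" or ip_address(ip) in ip_network(rule_field)


def router_allows(src, dst, proto="icmp", rules=OPNSENSE_RULES):
    """First-match evaluation of IN rules on the interface the packet enters.
    No match means the implicit default deny applies."""
    ingress = interface_of(src)
    for iface, action, rproto, rsrc, rdst in rules:
        if iface != ingress or rproto not in ("any", proto):
            continue
        if _matches(rsrc, src) and _matches(rdst, dst):
            return action == "pass"
    return False


def host_allows_echo(src, dst, remote_scope="LocalSubnet"):
    """Windows inbound 'ICMP Echo Request' rule: the default remote-address
    scope is 'Local subnet'; otherwise remote_scope is a list of networks."""
    if remote_scope == "LocalSubnet":
        return ip_address(src) in NETWORKS[interface_of(dst)]
    return any(ip_address(src) in ip_network(n) for n in remote_scope)


def ping_reaches(src, dst, remote_scope="LocalSubnet"):
    """True when an echo request from src is delivered to Windows host dst."""
    if interface_of(src) != interface_of(dst):
        # Routed path: OPNsense filters it on the ingress interface first.
        if not router_allows(src, dst):
            return False
    # Same subnet or passed by the router: the host firewall decides.
    return host_allows_echo(src, dst, remote_scope)


if __name__ == "__main__":
    pc, laptop = "192.168.10.3", "10.10.10.2"
    print("router passes PC->laptop:", router_allows(pc, laptop))
    print("ping with default scope:", ping_reaches(pc, laptop))
    both = ["192.168.10.0/24", "10.10.10.0/24"]
    print("ping after widening scope:", ping_reaches(pc, laptop, both))
```

The router step returns True in every case, so the model places the failure entirely in the host rule's scope, which is the change EricPerl describes: widen the remote address of that rule beyond "Local subnet" to the subnets that should be allowed to ping.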

Ok, I think I'm getting a little more confused. Is it safe to say that my OPNsense configuration should look like this?

LAN Devices = VLAN5 (igb1 parent) – 192.168.10.1 /24 (192.168.10.2 – 192.168.10.254) – GW 192.168.10.1
IoT Devices = VLAN10 (igb1 parent) – 10.10.10.1 /24 (10.10.10.2 – 10.10.10.60) – GW 10.10.10.1
MGMT = VLAN20 (igb1 parent) – 10.10.20.1 /24 (10.10.20.2 – 10.10.20.3) – GW 10.10.20.1

If yes, is the switch setup supposed to look like this (assuming that port 1 is the trunk one, port 2 is VLAN5, port 8 is VLAN10 and port 3 is MGMT)?

Switch – 192.168.10.10

VLAN  VLAN Name  Member Ports  Tagged Ports  Untagged Ports
5     LAN_VLAN   1-2           1-2           none
10    IoT_VLAN   1,8           1,8           none
20    MGMT       1,3           1,3           none

Thank you @pfry & @EricPerl so much for your patience

Hmm, I remembered wrong. Easy smart switches don't support setting a management VLAN. The GUI is available on all ports apparently (quick search on forums).
That's one less thing to worry about.

The OPN side looks fine.

On the switch side, you're using 802.1Q VLAN mode, right?
The trunk port should have all VLANs tagged (leave 1 untagged and PVID).
To configure an access port for VLAN X (that is, the device is part of that VLAN), set VLAN X untagged and PVID = VLAN X.
The configuration example for these switches is reasonable...



Quote from: Dzoker on January 13, 2025, 08:13:20 PM
VLAN  VLAN Name  Member Ports  Tagged Ports  Untagged Ports
5     LAN_VLAN   1-2           1-2           none
10    IoT_VLAN   1,8           1,8           none
20    MGMT       1,3           1,3           none

Not quite.

VLAN 5: tagged port 1, untagged port 2
VLAN 10: tagged port 1, untagged port 8
VLAN 20: tagged port 1, untagged port 3

Port 1 goes to your OPNsense, ports 2, 8 and 3 to your devices.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
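As an added example (not code from the thread, from OPNsense or from TP-Link), the following Python checker encodes the switch-side rules given in the last two replies: the trunk port carries every VLAN tagged and never untagged, and each access port is untagged in exactly its own VLAN, tagged in none, with PVID set to that VLAN. It runs the check over Dzoker's proposed table (everything tagged) and over the corrected layout. The `Vlan` class, the port-to-VLAN maps and the PVID values are assumptions constructed for this example; the port numbers and VLAN IDs are the ones used in the thread.

```python
from dataclasses import dataclass, field


@dataclass
class Vlan:
    """One row of the switch's 802.1Q VLAN table (constructed model)."""
    vid: int
    name: str
    tagged: set = field(default_factory=set)    # ports carrying this VLAN with a tag
    untagged: set = field(default_factory=set)  # ports carrying this VLAN untagged


TRUNK_PORT = 1                        # port facing OPNsense (igb1)
ACCESS_PORTS = {2: 5, 8: 10, 3: 20}   # port -> VLAN the attached device belongs to
PVID = {2: 5, 8: 10, 3: 20}           # ingress VLAN for untagged frames, per port

# Constructed from Dzoker's proposed table: every member port tagged, nothing untagged.
PROPOSED = [
    Vlan(5, "LAN_VLAN", tagged={1, 2}),
    Vlan(10, "IoT_VLAN", tagged={1, 8}),
    Vlan(20, "MGMT", tagged={1, 3}),
]

# Constructed from the corrected layout: trunk tagged, access ports untagged.
CORRECTED = [
    Vlan(5, "LAN_VLAN", tagged={1}, untagged={2}),
    Vlan(10, "IoT_VLAN", tagged={1}, untagged={8}),
    Vlan(20, "MGMT", tagged={1}, untagged={3}),
]


def check_switch_config(vlans, pvid, trunk_port, access_ports):
    """Return a list of problem descriptions; empty when the table is consistent."""
    problems = []
    by_vid = {v.vid: v for v in vlans}

    # Trunk port: every VLAN tagged, and never untagged (no tagged/untagged mix on igb1).
    for v in vlans:
        if trunk_port not in v.tagged:
            problems.append(f"VLAN {v.vid}: trunk port {trunk_port} is not tagged")
        if trunk_port in v.untagged:
            problems.append(f"VLAN {v.vid}: trunk port {trunk_port} is untagged; "
                            "this mixes tagged and untagged on the OPNsense port")

    # Access ports: untagged in their own VLAN only, tagged in none, PVID matching.
    for port, vid in access_ports.items():
        v = by_vid.get(vid)
        if v is None:
            problems.append(f"port {port}: VLAN {vid} does not exist in the table")
            continue
        if port not in v.untagged:
            problems.append(f"port {port}: must be untagged in VLAN {vid}")
        if port in v.tagged:
            problems.append(f"port {port}: tagged in VLAN {vid}, but the device does not tag")
        if pvid.get(port) != vid:
            problems.append(f"port {port}: PVID is {pvid.get(port)}, expected {vid}")
        for other in vlans:
            if other.vid != vid and port in other.untagged:
                problems.append(f"port {port}: also untagged in VLAN {other.vid}")
    return problems


if __name__ == "__main__":
    for label, table in (("proposed", PROPOSED), ("corrected", CORRECTED)):
        issues = check_switch_config(table, PVID, TRUNK_PORT, ACCESS_PORTS)
        print(f"{label}: {'OK' if not issues else str(len(issues)) + ' problem(s)'}")
        for p in issues:
            print("  -", p)
```

The proposed table produces two findings per access port (not untagged, and wrongly tagged), while the corrected table passes cleanly. The PVID check catches the other common mistake on these switches: a port untagged in VLAN X but with PVID still at 1, so frames from the device enter the wrong VLAN.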