My IPTV decoder steals leases from LAN net DHCP but not from VLAN DHCP

Started by Siarap, April 29, 2025, 05:08:21 AM

I've decided to separate clients in my network by making VLANs because I have a decoder made by Shenzhen SDMC Technology CO.,Ltd.

I got a VLAN named "television" and put a static lease in the DHCP setup by MAC address. I've set these options to on:
-If this is checked, only the clients defined below will get DHCP leases from this server.
-By default, the same MAC can get multiple leases if the requests are sent using different UIDs. To avoid this behavior, check this box and client UIDs will be ignored.

I've set rules in the firewall for the television VLAN to separate the networks: IPv4 *    *    *    ! LAN net, mama net    *    *    *
So the decoder is jailed.
But this decoder is breaking into my LAN net, leasing an address from the LAN net DHCP even with the same options set for the LAN net. The IPTV decoder's MAC address is not on the LAN net list.

I don't know what to do with this. This is weird behavior. The same thing happened with my Wi-Fi access point. It "leaks" into my LAN net where my main PC is connected.

Leases for the IPTV decoder are doubled:

LAN 192.168.1.107 xx:xx:xx:xx:xx:xx Shenzhen SDMC Technology CO.,Ltd.2025/04/29 04:45:54 2025/04/29 06:45:54 active dynamic
telewizja 192.168.2.2 xx:xx:xx:xx:xx:xx Shenzhen SDMC Technology CO.,Ltd. telewizja active static

I'm using OPNsense 25.4-amd64
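A quick added check (not from the thread) for the doubled-lease symptom above: it parses lease rows in the shape of the table quoted here, flags any MAC that holds a lease on more than one interface, and flags leases whose address lies outside the subnet assumed for that interface. The MACs, hostnames and the interface-to-subnet map are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed lease rows in the shape of the table quoted above (MACs and hostnames are made up).
LEASES = """\
LAN 192.168.1.107 02:00:5e:00:00:01 Shenzhen SDMC Technology CO.,Ltd.2025/04/29 04:45:54 2025/04/29 06:45:54 active dynamic
telewizja 192.168.2.2 02:00:5e:00:00:01 Shenzhen SDMC Technology CO.,Ltd. telewizja active static
LAN 192.168.1.20 02:00:5e:00:00:02 desktop-pc 2025/04/29 04:50:00 2025/04/29 06:50:00 active dynamic
telewizja 192.168.1.55 02:00:5e:00:00:03 stray-box active static
"""

# Hypothetical interface -> subnet map; the thread does not state the masks.
SUBNETS = {"LAN": ipaddress.ip_network("192.168.1.0/24"),
           "telewizja": ipaddress.ip_network("192.168.2.0/24")}

# interface, IP, MAC, then free text (hostname/vendor/dates), then state and lease type.
LINE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"\s+.*?(?P<state>active|expired|offline)\s+(?P<kind>dynamic|static)\s*$", re.I)

def parse_leases(text: str) -> list[dict]:
    """Return one dict per lease row that matches the expected layout."""
    return [m.groupdict() for m in map(LINE.match, (l.strip() for l in text.splitlines())) if m]

def find_straddlers(rows: list[dict]) -> dict[str, list[str]]:
    """MACs holding a lease on more than one interface: a device that sits in both segments."""
    seen = defaultdict(set)
    for r in rows:
        seen[r["mac"].lower()].add(r["iface"])
    return {mac: sorted(ifs) for mac, ifs in seen.items() if len(ifs) > 1}

def find_misplaced(rows: list[dict], subnets=SUBNETS) -> list[tuple[str, str]]:
    """Leases whose address lies outside the subnet declared for their interface."""
    return [(r["iface"], r["ip"]) for r in rows
            if r["iface"] in subnets and ipaddress.ip_address(r["ip"]) not in subnets[r["iface"]]]
```

Run `find_straddlers(parse_leases(LEASES))` on a pasted leases table to list every device that, like the decoder here, is answered by two DHCP servers at once.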

Sorry, my bad, bad googling. I found the solution. Go to ISC DHCPv4 >> [LAN] >> MAC Address Control >> use this option: "Enter a list of partial MAC addresses to deny access, comma-separated, no spaces, such as 00:00:00,01:E5:FF". I've set a blacklist of MACs for the LAN and any VLAN that I have. This should be easier than copying each MAC from any unwanted device for any subnet/LAN/VLAN. This should be a clickable solution. Selection from leases: "select this device to access only vlan1". Too many devices, too many MACs, and setting this in any VLAN.

Are you sure you really understood the concept of VLANs? What you seem to describe is different subnets on the same interface and forcing a specific device to obtain an IP from a predefined subnet range.

VLANs are a different beast: They separate out logical networks on the same physical interface by adding VLAN tags. Usually, you would strip those tags and specify only one VLAN to use on a switch port, such that a device connected to that port will only see that specific VLAN/subnet, thereby assuring that it cannot "break out" of it. Only devices connected to "trunk" ports can actually see all the VLAN tags and decide for themselves which ones to use. That would typically be used for OpnSense, APs carrying multiple SSIDs or VM hosts having VMs on different VLANs.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

I got different subnets on different VLANs. I got static leases set on ISC DHCP servers assigned to VLAN devices (set by MAC). And my clients are leaking from my VLANs to the LAN. I got VLAN tags set. But the devices don't use the DHCP server that I want. They are taking IPs from the LAN net even when they have static leases set on the VLAN. I don't know how to assign clients to VLANs in another way. Probably I'm doing something wrong.

You need a managed switch for that. The switch has a tagged connection to OPNsense with, say, VLAN 10 and VLAN 20. Then you assign switch ports to the VLANs untagged and static. E.g. Ports 1-5 VLAN 10, ports 6-10 VLAN 20. Now you plug the clients into the ports matching the VLANs they belong to according to your policy.

You cannot run VLANs without a managed, VLAN-capable switch, if you have physical wired clients that you need to separate.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Blocked access to the LAN net by blacklisting MACs. So I have a few subnets, different on each VLAN. I created firewall rules. And the devices are not seeing each other. They are not reached even by ping. Currently I have no managed switch. But I will buy one. No videos on YouTube said that I need a manageable switch. EVERYONE just says how to create VLANs, so I created them :D

You may think they are not seeing one another. They do. Just assign one of them an IP from the other "VLAN" and you will see it. If by "blacklisting MACs" you mean in DHCP, you are out of luck. If you really block them via specific firewall rules, you are still out of luck once you fake another MAC on your client.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

OK so they are separated now by firewall rules and subnets but not by VLANs. OK I understand now, they can switch between VLANs only when the device spoofs a MAC. I'm buying a managed switch now.

I'm a network newbie :D.

Quote from: Siarap on April 29, 2025, 07:39:11 PM
They can switch between VLANs only when the device spoofs a MAC.

No, they can switch your non-VLANs when they configure their IP address statically instead of relying on DHCP.

Quote from: Siarap on April 29, 2025, 07:39:11 PM
I'm a network newbie :D.

VLANs are advanced enterprise technology. Probably the YT video authors assumed a managed switch as a given.

Don't go cheap on that switch you intend to buy. I'd recommend a Mikrotik product with Switch OS.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)


From an isolation perspective, you have 2 main options:
* Physical. Interface assigned to a physical device (network port and all wiring and networking equipment attached to it).
* Logical. Interface assigned to a VLAN device (created on OPN, plus the logical wiring and logical networking equipment attached to it).
You essentially overlay logical networks within the physical network. Traffic on logical networks is tagged.
The configuration of the logical network is done by declaring which tags are allowed on every switch port within the physical network.

If you don't define VLAN devices in OPN, you're not using VLANs.

Edit: you obviously need managed switches for the wired hosts.
You also need VLAN-aware APs for Wi-Fi hosts (or a physical AP per VLAN with Wi-Fi hosts).
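As an added illustration of the point made here and in the earlier replies about access and trunk ports (example code, not from the thread or from OPNsense), this models a switch with the port layout suggested above (ports 1-5 VLAN 10, ports 6-10 VLAN 20, OPNsense on a trunk) next to a flat unmanaged-style switch; the ingress rule never looks at the sender's MAC or IP, so spoofing either does not move a device between VLANs. The port names, MACs and the simplified handling of tagged frames on access ports are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Port:
    mode: str                         # "access": one untagged VLAN; "trunk": tagged VLANs
    pvid: int                         # VLAN assigned to frames arriving without a tag
    allowed: frozenset = frozenset()  # trunk only: tagged VLAN IDs it carries

@dataclass(frozen=True)
class Frame:
    src_mac: str
    vlan: Optional[int] = None        # None = untagged on the wire

def classify(port: Port, frame: Frame) -> Optional[int]:
    """Ingress: the VLAN the switch files the frame under, None = dropped."""
    if frame.vlan is None:
        return port.pvid              # the sender's MAC/IP play no part in this decision
    if port.mode == "access":
        return None                   # simplified model: access ports drop tagged frames
    return frame.vlan if frame.vlan in port.allowed else None

def forward(switch: dict, in_port: str, frame: Frame) -> dict:
    """Egress: {port: tag on the wire} for each port that emits the frame (None = untagged)."""
    vlan = classify(switch[in_port], frame)
    out = {}
    if vlan is None:
        return out
    for name, port in switch.items():
        if name == in_port:
            continue
        if port.mode == "access" and port.pvid == vlan:
            out[name] = None                                  # access ports strip the tag
        elif port.mode == "trunk" and vlan in port.allowed:
            out[name] = None if vlan == port.pvid else vlan   # native VLAN leaves untagged
    return out

# Before: unmanaged-style switch, every port untagged in VLAN 1 = one flat broadcast domain.
FLAT = {f"p{i}": Port("access", 1) for i in range(1, 11)}
FLAT["uplink"] = Port("trunk", 1, frozenset({1}))

# After (layout from the reply above): ports 1-5 untagged VLAN 10, ports 6-10 untagged
# VLAN 20, OPNsense on a trunk carrying 10 and 20 tagged.
SEGMENTED = {f"p{i}": Port("access", 10 if i <= 5 else 20) for i in range(1, 11)}
SEGMENTED["uplink"] = Port("trunk", 1, frozenset({10, 20}))

DECODER = Frame("02:00:5e:00:00:01")  # constructed MAC; the PC sits on p2, the decoder on p7
```

`forward(FLAT, "p7", DECODER)` reaches p2 and the uplink untagged, which is why the decoder got a LAN lease; `forward(SEGMENTED, "p7", DECODER)` reaches only p6-p10 and the uplink tagged 20, and a spoofed MAC gives the identical result.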

Two more things to complete this:

1. If you assign the ports statically, someone with physical access to the switch could use a privileged port (i.e. a trunk port or one with a higher confidence VLAN). Using a standard called 802.1x, you can choose the VLAN on the port dynamically by using an LDAP directory which maps MACs to VLANs. That has the advantage that you could plug your device into any port of an 802.1x-capable switch and it will automatically be assigned its predefined VLAN. Only some manageable switches can use 802.1x.

2. Because you can also fake MACs, that MAC-based 802.1x port security can also be circumvented. The only safe way to identify a specific device is by using certificate-based 802.1x, which is mostly used in enterprise environments. It can only work securely on devices which can do certificate-based 802.1x and if you can also control those devices not to leak their certificates, thus needing a tightly controlled client infrastructure. Any non-802.1x-capable devices are then confined to VLANs with less credibility, like IoT, printer or guest VLANs.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Ah, that's how it is supposed to work. Thanks!
I had looked a bit at 802.1x support in my gear (Omada) and was underwhelmed/confused.
Fortunately, since physical access is not a concern for me, I didn't dig further.

I got a managed switch. I've set properly tagged 802.1Q VLANs assigned to ports on the switch. Tagged ports. I'm still getting dual leases from LAN net + VLAN net DHCP for each VLANed device. What am I doing wrong?

Did you follow this guide?

Did you heed all the advice given therein, including the one not to mix tagged and untagged VLANs?
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

OK, now I've set it properly. VLAN devices have proper leases. BUT now there's no internet on the VLANs. I've created a rule to allow all on the VLAN side. It's not DNS's fault, I cannot even ping 1.1.1.1. Any advice?

I read some info somewhere on the internet that OPNsense allows only VLANs with tag number 10 to access the internet by default. I don't know what to do. I got VLAN tags 10, 20, 30, 40 on different VLANs. Same configuration everywhere excluding the VLAN interface names. Only the VLAN tagged with 10 has no problem with internet access. The other tags have no access to the internet.