Basic Vnet questions

Started by Gerthru, August 29, 2025, 02:24:52 PM

I have been running opnsense for a few years in my home network, working great. Recently, I segmented my local network using vnets, mostly for increased security. It is my first time dealing with vnets and I have some questions, mostly out of ignorance about vnets.

I understand the basic concept of vnets, just a tag added to the frames to simulate in software, as if each device is in a different physical network, while still using the same cables, switches, ... I would appreciate a link to a good read, even if long, explaining the details of vnets, ideally with a practical bent (that's how I tend to learn better).

Now, the doubts I have in particular. I have set up vnets successfully in my local network. I have set up vnet 2 for home users (IP range 192.168.2.X) and vnet 3 for guest users (IP range 192.168.3.X). I have an AP with two wifi networks, homeusers and homeguest, which places users in vnet 2 and 3 respectively. This all works well.

My first doubt: when I created the vnet in opnsense, I set up the interface of the vnet with a static IP address (192.168.2.1 for vnet 2 and 192.168.3.1 for vnet 3). What would be the result of setting the interface with no address? It seems to me the interface address would be necessary for the DHCP server to bind in that vnet, but I'm not sure. Can anyone enlighten me on why you would want to have an address, and also no address, on the vnet interface?

Second doubt: I tried to block users of vnet3 from reaching each other so they can only access the internet, addresses outside my local network. When I block every local address for vnet3, the DHCP server stops "working" (not reachable, my guess). If I block everything in the local network except 192.168.3.1 (the IP of the vnet3 interface), DHCP is back to working in vnet3, but there is no internet access. How can I get internet access in vnet3 while still not allowing devices in vnet3 to reach each other?

August 29, 2025, 02:41:22 PM #1 Last Edit: August 29, 2025, 02:58:43 PM by Patrick M. Hausen
First, it's VLANs, not vnets 😉

Second, here's a nice introduction: https://www.thomas-krenn.com/en/wiki/VLAN_Basics

Third, build an alias named e.g. "local networks" or "RFC1918" containing all your local networks.

Then for each VLAN create rules like this:

Source: VLAN X net
Destination: This Firewall
Action: allow

Source: VLAN X net
Destination: the local networks alias
Destination invert: check
Action: allow

The first rule allows DNS and other services to still work. The second one allows access to the Internet but not to other VLANs.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
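To see how the two rules above combine with OPNsense's default deny, here is a small first-match rule evaluator written for this thread (added example, not code from OPNsense or the poster). It assumes the constructed addresses from the question (192.168.2.0/24 for VLAN 2, 192.168.3.0/24 for VLAN 3, gateways .1) and models "This Firewall" as the set of the firewall's own interface addresses.

```python
import ipaddress

# Constructed example networks mirroring the thread: VLAN 2 = home, VLAN 3 = guest.
VLAN_NETS = {
    "VLAN2": ipaddress.ip_network("192.168.2.0/24"),
    "VLAN3": ipaddress.ip_network("192.168.3.0/24"),
}
# "This Firewall" approximated as the firewall's own VLAN interface addresses (assumption).
FIREWALL_ADDRS = {ipaddress.ip_address("192.168.2.1"), ipaddress.ip_address("192.168.3.1")}
# The "local networks" / "RFC1918" alias the answer says to build.
LOCAL_NETWORKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_alias(addr, alias):
    """True if addr falls inside any network of the alias."""
    return any(addr in net for net in alias)


def rules_for(vlan):
    """The two per-VLAN rules from the answer, in evaluation order (first match wins)."""
    net = VLAN_NETS[vlan]
    return [
        # Rule 1: source VLAN X net, destination This Firewall, allow
        # (keeps DHCP, DNS and the default gateway reachable).
        {"src": lambda a: a in net,
         "dst": lambda a: a in FIREWALL_ADDRS,
         "action": "allow"},
        # Rule 2: source VLAN X net, destination "local networks" alias with
        # "Destination invert" checked, allow (Internet only, no other VLANs).
        {"src": lambda a: a in net,
         "dst": lambda a: not in_alias(a, LOCAL_NETWORKS),
         "action": "allow"},
    ]


def evaluate(vlan, src, dst):
    """Action for a packet entering the firewall on `vlan`; no match falls
    through to OPNsense's implicit default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules_for(vlan):
        if rule["src"](s) and rule["dst"](d):
            return rule["action"]
    return "block"
```

Traffic between two hosts on the same VLAN is switched at layer 2 and never reaches these rules, so isolating guests from each other within VLAN 3 has to come from the AP's client-isolation setting rather than from the firewall.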

Thanks for the quick reply.

Quote from: Patrick M. Hausen on August 29, 2025, 02:41:22 PM
First, it's VLANs, not vnets 😉

Noted.

Quote from: Patrick M. Hausen on August 29, 2025, 02:41:22 PM
Source: VLAN X net
Destination: This Firewall
Action: allow

I believe this is the rule I was missing. I will try later in my system. Thanks.

Last unanswered doubt is the difference between having the vlan interface with an IP address or unassigned.

You need an IP address on the VLAN interfaces for the clients to be able to reach anything at all. That IP address is in most configurations the default gateway and the DNS server for your clients. Configure DHCP accordingly.

If you are not talking about the VLAN interfaces but the VLAN parent interface - do not configure that at all. No assignment (Interfaces > Assignments), no IP address, nothing. This is considered best practice for OPNsense and FreeBSD.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on August 29, 2025, 04:17:25 PM
You need an IP address on the VLAN interfaces for the clients to be able to reach anything at all. That IP address is in most configurations the default gateway and the DNS server for your clients. Configure DHCP accordingly.

If you are not talking about the VLAN interfaces but the VLAN parent interface - do not configure that at all. No assignment (Interfaces > Assignments), no IP address, nothing. This is considered best practice for OPNsense and FreeBSD.

That's exactly how I have it right now already. Thanks for the explanation.