MAC filtering for VLAN using DNSMASQ DNS/DHCP

Started by ausgoat, September 20, 2025, 12:13:23 PM

I am incredibly sorry, I feel this is a basic question but I have spent hours on it and can't figure it out. I have tried to Google and YouTube so many videos, however all the videos still (even a 2025 created one) default to ISC DHCP. I am setting up a new network with IoT, cameras, etc. and I would like to segment it all properly.

I have VLANs set up and working on OPNsense and my managed switch; I can create access ports and attach a device to a VLAN by switching its physical port. I can manually assign an IP address within a VLAN to a device, e.g. if my laptop is on the Trusted VLAN I can change its IP to a specific one within the range. I cannot assign a MAC address so that when a specific device is plugged into a port it is tagged on Trusted, or add my switch's MAC address to get it onto the Management VLAN.

So how do I create a list of MAC addresses with their appropriate VLAN tag and IP addresses?


September 20, 2025, 01:38:48 PM #1 Last Edit: September 20, 2025, 04:20:16 PM by meyergru
Maybe, it does not work the way you think it does:

VLANs are a separation on the layer 2 of the OSI model. In a way, you can think of them as being completely separate networks. Some devices, like managed switches and OpnSense, can have ports/interfaces carry multiple VLANs at once by separating them via VLAN tags. Ports that carry multiple VLANs are called "trunk" ports. You would essentially connect such a trunk port to one physical network interface of OpnSense and have multiple logical VLAN interfaces with different tags set up on top of that.

These VLANs are logically just like different physical interfaces connected to different "dumb" switches, each of which has only one VLAN.

If you connect a "smart" (aka "managed") switch, you can achieve the same effect with just one physical port.

On the smart switch, you can have "access" ports that are assigned exactly one of the available VLANs only, such that any device connected to that specific access port will be connected to the logical VLAN interface inside OpnSense.

From that VLAN interface, it will get its DHCP assignments. In order to do that, you will have to define which subnet corresponds to that VLAN interface. You can do that in ISC DHCP or in DnsMasq. In the latter, you can define a DHCP range per VLAN interface, each with a different, non-overlapping IP range.

If you want static IP reservations, you can totally do that, too, via DHCP. And you can have multiple reservations for the same MAC in different subnets, so that the device will get different IPs in different VLANs. However, the actual correspondence between a MAC and the VLAN is not controlled via DHCP, it is entirely up to where the device is connected (i.e. to which port, and thus, VLAN).

The only means to have some kind of "automatic" VLAN assignment is with switches that support 802.1x. This allows requesting the correct VLAN for a port according to the connected MAC by asking a RADIUS server for it. That mechanism can be implemented via FreeRADIUS on OpnSense, but first, your switch needs to support it (not all managed switches are able to). Such switches then have a third category of port besides "trunk" and "access", namely "802.1x", which will then auto-select the VLAN based on the attached client's MAC.

In FreeRADIUS, you can create a database of MAC -> VLAN associations with such a kind of setup. In enterprise contexts, the assignment is often done via certificates, because MACs are too easy to fake.


Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
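To make the reply's point concrete, here is an added example (not code from the thread, OPNsense or dnsmasq) that turns a MAC/VLAN/IP list into dnsmasq `dhcp-range` and `dhcp-host` lines, rejecting reservations that fall outside the VLAN's subnet or inside its dynamic pool. The VLAN tags, subnets and MACs are constructed, and the multi-address `dhcp-host` form assumes dnsmasq 2.81 or later.

```python
import ipaddress
from collections import defaultdict

# Constructed VLAN plan (hypothetical tags, subnets and dynamic pools).
VLANS = {
    10: {"name": "trusted", "subnet": "192.168.10.0/24", "pool": ("192.168.10.100", "192.168.10.199")},
    20: {"name": "iot", "subnet": "192.168.20.0/24", "pool": ("192.168.20.100", "192.168.20.199")},
    99: {"name": "mgmt", "subnet": "192.168.99.0/24", "pool": ("192.168.99.100", "192.168.99.149")},
}

# Constructed reservation list (mac,vlan,ip,hostname). A MAC may appear once per
# VLAN; which VLAN it lands in is decided by the switch port, not by DHCP.
RESERVATIONS = """\
aa:bb:cc:00:00:01,10,192.168.10.5,laptop
aa:bb:cc:00:00:01,20,192.168.20.5,laptop
aa:bb:cc:00:00:02,20,192.168.20.10,cam01
aa:bb:cc:00:00:03,99,192.168.99.2,switch01
"""

def parse_reservations(text):
    """Validate each entry against the VLAN plan; return (hosts, errors)."""
    hosts = defaultdict(list)  # mac -> [(vlan, ip, hostname)]
    errors = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        mac, vlan, ip, name = (f.strip() for f in line.split(","))
        vlan = int(vlan)
        if vlan not in VLANS:
            errors.append(f"line {n}: unknown VLAN {vlan}")
            continue
        net = ipaddress.ip_network(VLANS[vlan]["subnet"])
        addr = ipaddress.ip_address(ip)
        lo, hi = (ipaddress.ip_address(a) for a in VLANS[vlan]["pool"])
        if addr not in net:
            errors.append(f"line {n}: {ip} is outside {net} (VLAN {vlan})")
        elif lo <= addr <= hi:
            errors.append(f"line {n}: {ip} overlaps the dynamic pool of VLAN {vlan}")
        else:
            hosts[mac.lower()].append((vlan, str(addr), name))
    return hosts, errors

def render_dnsmasq(hosts):
    """One dhcp-range per VLAN, one dhcp-host per MAC listing all its addresses."""
    lines = [f"dhcp-range=set:{v['name']},{v['pool'][0]},{v['pool'][1]},12h"
             for _, v in sorted(VLANS.items())]
    for mac, entries in sorted(hosts.items()):
        ips = ",".join(ip for _, ip, _ in sorted(entries))
        lines.append(f"dhcp-host={mac},{ips},{entries[0][2]}")
    return lines
```

dnsmasq picks the reservation whose address matches the subnet of the interface the request arrived on, so the same MAC gets 192.168.10.5 on the trusted VLAN and 192.168.20.5 on the IoT VLAN.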