• 1 Post
  • 5 Comments
Joined 1 year ago
cake
Cake day: August 4th, 2024

help-circle
  • sekki@lemmy.worldOPtoOPNsense@lemmy.worldVLAN Bridge with DHCP
    link
    fedilink
    English
    arrow-up
    1
    ·
    2 months ago

    Hmm I think I this does not work in case you meant to put the bridge as the parent of the VLANs, OPNsense does not allow this:

    now, define 3 vlan with the vlan tags you defined in the switch + ap, you need to say that the port they are received is the bridged port

    However I think I found another solution that works exactly as I want but it is very weird so be warned:

    • Created vlan01.11 and vlan02.11 on igc1 and igc2 respectively, assigned them, enabled them and gave each a static ipv4 (192.168.11.1 and 192.168.11.2)
    • Created a bridge with both VLANs as members, did NOT assign and enable this (when I do the setup breaks (?!))
    • Use KEA DHCP instead of ISC:
      • In settings listen on both VLAN interfaces
      • In subnets create the subnet with subnet=192.168.11.1/24 and a pool of 192.168.11.21-192.168.11.254, uncheck “Match Client-id” and “Auto collect option data” and set Routers, DNS and NTP Servers to 192.168.11.1 and 192.168.11.2

    This way KEA will give out IP addresses on all interfaces with a static IP in the defined subnet. Make sure to disable ISC DHCP as it otherwise caused issues with KEA and somehow also Unbound (I also enabled “Register ISC DHCP4 Leases” in Unbounds settings because I had weird issues with SERVFAIL there).

    I repeated this process for the vlan0x.13 and vlan0x.14. Now internet access works on all VLAN interfaces, aswell as the normal interfaces and I can still define Rules for each VLAN.

    What I don’t get about this is why I cannot assign or enable the bridge interface… but I guess it works soo I’m happy. Thank you for your suggestion though!


  • sekki@lemmy.worldOPtoOPNsense@lemmy.worldVLAN Bridge with DHCP
    link
    fedilink
    English
    arrow-up
    1
    ·
    2 months ago

    Mainly I want to have separate USER, IOT and GUEST VLANs. So for example I don’t want guests to be able to access IoT devices.

    The AP and Switch tag these VLANs based on SSID and Port a device is connected to, so OPNsense receives tagged traffic that I can put rules on. I could probably just connect the AP to the Switch and be fine, but the Switch is 1Gb and the AP has a 2.5Gb port so I would like to keep both the switch and the AP connected to OPNsense directly.

    Having the switch and AP on their own subnet is not really a requirement, but I guess it would be nice to also be able to control who can access their webinterfaces.

    So really I just want to have:

    • AP connected to one port on the firewall
    • Switch connected to another port on the firewall
    • Both AP and switch tag frames and pass them to OPNsense so I can apply rules.
    • Devices on vlan01.11 can talk to devices on vlan02.11 and so on
    • A single DHCP provides IPs to all devices connected to both the Switch and AP

    Does that make it more clear?