Topic: opnSense VLANs (Read 2801 times)

chenks · « **Reply #15 on:** October 27, 2023, 11:45:54 AM »

Quote from: Chrysalis on October 26, 2023, 08:57:33 PM

Firewall -> Rules -> VLAN51

If nothing there, the easiest way is Firewall -> Rules -> LAN, click the copy icon on "Default allow LAN to any rule " then change interface to VLAN51 on the edit box and save it, the rule will appear under VLAN51.

ok just done that, but still no internet access when connected to the VLAN

Chrysalis · « **Reply #16 on:** October 27, 2023, 02:14:44 PM »

So automatic outbound NAT, DHCP has gateway configured (please check this client side to see if they have gateway IP set), and now an allow rule on the VLAN for outbound traffic.

I am probably stuck at this point, but I will come back in if I think of something.

There is the possibility there is VLAN tagging issues, but you said LAN stuff is working so I didnt consider that.

chenks · « **Reply #17 on:** October 27, 2023, 02:20:08 PM »

Quote from: Chrysalis on October 27, 2023, 02:14:44 PM

So automatic outbound rules, DHCP has gateway configured (please check this client side to see if they have gateway IP set), and now an allow rule on the VLAN for outbound traffic.

I am probably stuck at this point, but I will come back in if I think of something.

There is the possibility there is VLAN tagging issues, but you said LAN stuff is working so I didnt consider that.

well i get an IP from the VLAN 192.168.51.21
192.168.51.1 is reported back as being the "router" which i assume is the gateway just with a different name

however, when connected to the LAN i can't access any local devices that are on the main LAN 192.168.50.x - i have an ip cam with has a webui and i can't access that when on the VLAN.

chenks · « **Reply #18 on:** October 27, 2023, 02:55:04 PM »

update
i made a changed to the firewall rule that was copied from the main LAN, the source field i had to also change to VLAN51.
this now means that, when connected via the VLAN, i can access local devices using IP on the main LAN, and can access webpages but only using an IP address (ie 1.1.1.1), it still failed when trying access anything using a URL.

Chrysalis · « **Reply #19 on:** October 27, 2023, 02:57:15 PM »

Ok check your DNS resolver settings, and make sure the 192.168.51.1 is configured as a listening interface, and also make sure the subnet is on the access list if one is configured.

Its just DNS broken now.

If using unbound.

Service -> Unbound DNS -> Access lists
and
Service -> Unbound DNS -> General , then click on advanced near bottom and see what outgoing network interfaces is set to, as well as network interfaces near the top.

chenks · « **Reply #20 on:** October 27, 2023, 03:00:18 PM »

Quote from: Chrysalis on October 27, 2023, 02:57:15 PM

Ok check your DNS resolver settings, and make sure the 192.168.51.1 is configured as a listening interface, and also make sure the subnet is on the access list if one is configured.

where do i check that?

Chrysalis · « **Reply #21 on:** October 27, 2023, 03:00:31 PM »

Just edited it in.

chenks · « **Reply #22 on:** October 27, 2023, 03:02:50 PM »

Quote from: Chrysalis on October 27, 2023, 03:00:31 PM

Just edited it in.

ok i don't use access lists, so that i blank.

in the main unbound settings.
network interfaces just lists "LAN", so i should add "VLAN51" to that.
outgoing is set to "all"

edit- yes that now allows web access using URL.

so i can now access local LAN devices and access internet when connected via the VLAN.
is there anything else i should check?

Chrysalis · « **Reply #23 on:** October 27, 2023, 03:13:17 PM »

I dont think so, seems everything is working as you want now?

chenks · « **Reply #24 on:** October 27, 2023, 03:22:12 PM »

i think so.
the plan is to put all the IoT and cameras on to a separate VLAN.
but as a starting point have the VLAN have full access to everything, i can then start locking down various things.

some cameras need internet access to work properly (ring etc), but others don't need it all (reolink), and some like to have internet access but won't be getting it (eufy).
all my camera link into HKSV, either natively or via scrypted), so all they need is local access to see the home hub.

i'll probably create some access restrictions aliases to pick and choose what can have access to what. am i right in thinking that will work?

Chrysalis · « **Reply #25 on:** October 27, 2023, 03:24:17 PM »

Yeah, I do something similar as I have already broken down my guest VLAN into two groups and couldnt be bothered to make a 3rd VLAN, so I have an ACL that is a more permissive environment than the default guest one.

chenks · « **Reply #26 on:** October 27, 2023, 03:29:32 PM »

i already have the VLAN working in unifi controller so in terms of WIFI the VLAN is up and running.
still need to work out how to configure the TP-Link switch to assign VLAN to specific ports.

it's not a fully managed switch, but is "semi" managed and does have VLAN options.
it's the TL-SG1016PE and i think it's 802.1Q i need to use to set it up on the switch

News:

Author Topic: opnSense VLANs (Read 2801 times)

chenks

Re: opnSense VLANs

Chrysalis

Re: opnSense VLANs

chenks

Re: opnSense VLANs

chenks

Re: opnSense VLANs

Chrysalis

Re: opnSense VLANs

chenks

Re: opnSense VLANs

Chrysalis

Re: opnSense VLANs

chenks

Re: opnSense VLANs

Chrysalis

Re: opnSense VLANs

chenks

Re: opnSense VLANs

Chrysalis

Re: opnSense VLANs

chenks

Re: opnSense VLANs