Hi everyone,

I’ve been running OPNsense for a while now (mostly set and forget) and it has been a great addition to my network.

There is, however, one point I’ve never addressed, and lately I’ve been thinking about doing it, but I'm not sure how. Until now, the devices on my network have all been in the same default VLAN, with only two distinctions made via firewall rules:

  • can connect to the internet
  • can only access local devices (so no internet; all IoT-type devices get this rule)

As expected, OPNsense handles DHCP, and I have also installed AdGuard on the same machine (with all the expected rules to redirect all DNS traffic to AdGuard). All of my machines that are permanent on the network have aliases and static IPs.

I am aware this is not a great setup, and this is why I wanted to implement VLANs: to make sure that if a rogue device is installed it creates no harm to the network at large at first (meaning: devices by default fall into a VLAN without internet access at least; a more drastic measure is to not allow access to anything besides the router). Eventually, a VLAN where devices can only go to the internet can be added, and of course a VLAN that has all the expected access to the home devices.

I did some research on this and there is information on how to do VLANs and such, but sometimes the explanation goes a bit over my head (or the explanations don’t cover some important details). So my broad questions on all of this are:

  • do you guys know anyone who explains VLANs in an understandable manner inside OPNsense? Usually video form is best, but articles can be useful too
  • does this setup with 3 VLANs make sense in the first place?

If someone has input on how this can best be done I would like to know as well, since I may be approaching this in too complex a manner.

  • AbidanYre@lemmy.world
    3 days ago

    If I’m understanding your network description that mostly makes sense. I would do it slightly differently though.

    1. Your devices get more or less free access to each other and the internet

    2. Basically a guest network. Free internet access but no (or very limited) access to local devices.

    3. IoT network with local access but no internet.

    Not aware of any good tutorials, but you can look at the OPNsense firewall rules as a starting point. You’ll need to add and/or change some anyway for your new VLANs.

    I have UniFi set up with three matching SSIDs tagged to the respective VLANs.

    • ZeDoTelhado@lemmy.world (OP)
      3 days ago

      Yes, that sounds logical. The OPNsense documentation, I feel, is good, but for people who already sort of know what they need and want a full set of options. For someone who is somewhat clueless it becomes less clear.

      I will try to find some time for this. Hopefully I can come to answers eventually.
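The three-VLAN layout from the thread above (trusted LAN, guest with internet only, IoT with local access only) plus the untagged "quarantine" default VLAN the OP proposes, written out as a small rule-evaluation model. This is an added example, not code from the thread and not an OPNsense export; the interface names, subnets, router addresses and alias names are assumptions. It mimics how OPNsense applies rules: on the interface a packet arrives on, first match wins, and anything unmatched is dropped by the default deny. It also shows the check that trips most guest-VLAN setups, namely that a "pass to any" rule meant for "internet" also reaches the other private subnets unless a block for RFC1918 is ordered before it, and how the DNS port forward to AdGuard keeps a VLAN that is otherwise cut off from the internet able to resolve names.

```python
"""Toy model of per-VLAN OPNsense firewall rules: the first matching rule on the
ingress interface wins; anything unmatched is dropped by the implicit default deny.
All interface names, subnets and alias names below are assumptions for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Aliases as they would be created under Firewall > Aliases (hypothetical names/values).
ALIASES = {
    "RFC1918": [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")],
    "ANY": [ip_network("0.0.0.0/0")],
}
# Router (OPNsense) address on each VLAN; AdGuard listens on these for DNS.
ROUTER = {"LAN": "192.168.10.1", "GUEST": "192.168.20.1",
          "IOT": "192.168.30.1", "QUARANTINE": "192.168.1.1"}
ALIASES["THIS_FIREWALL"] = [ip_network(ip + "/32") for ip in ROUTER.values()]


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    dst: str                     # destination alias name
    proto: str = "any"           # "any", "tcp", "udp" or "tcp/udp"
    dport: Optional[int] = None  # None = any destination port
    descr: str = ""


def _dst_matches(dst: str, alias: str) -> bool:
    return any(ip_address(dst) in net for net in ALIASES[alias])


def _proto_matches(rule_proto: str, proto: str) -> bool:
    return rule_proto == "any" or proto in rule_proto.split("/")


def evaluate(policy, iface, dst, proto="tcp", dport=None):
    """Walk the rules of the VLAN the packet arrives on; return (action, descr)."""
    for rule in policy.get(iface, []):
        if (_dst_matches(dst, rule.dst) and _proto_matches(rule.proto, proto)
                and rule.dport in (None, dport)):
            return rule.action, rule.descr
    return "block", "implicit default deny"


def with_dns_redirect(policy, iface, dst, proto, dport):
    """NAT port forward: any port-53 traffic is rewritten to this VLAN's router
    address (where AdGuard listens) before the filter rules run."""
    if dport == 53 and proto in ("tcp", "udp"):
        dst = ROUTER[iface]
    return dst, evaluate(policy, iface, dst, proto, dport)


# Every VLAN may talk DNS to the router. (OPNsense adds its own DHCP rules
# automatically on interfaces where its DHCP server is enabled.)
COMMON = [Rule("pass", "THIS_FIREWALL", "tcp/udp", 53, "DNS to the router (AdGuard)")]

# The tempting "guest = pass anything" rule: ANY also covers the other VLANs.
LEAKY_POLICY = {"GUEST": COMMON + [Rule("pass", "ANY", descr="internet")]}

POLICY = {
    "LAN": COMMON + [Rule("pass", "ANY", descr="trusted: local and internet")],
    "GUEST": COMMON + [Rule("block", "RFC1918", descr="no access to local subnets"),
                       Rule("pass", "ANY", descr="internet")],
    "IOT": COMMON + [Rule("pass", "RFC1918", descr="local only")],   # no pass-ANY: no internet
    "QUARANTINE": COMMON,  # untagged default VLAN for unknown devices: router DNS only
}

if __name__ == "__main__":
    for iface, dst, proto, port in [("GUEST", "192.168.10.50", "tcp", 445),
                                    ("GUEST", "1.1.1.1", "tcp", 443),
                                    ("IOT", "1.1.1.1", "tcp", 443),
                                    ("IOT", "192.168.10.50", "tcp", 8123),
                                    ("QUARANTINE", "1.1.1.1", "tcp", 443)]:
        print(iface, dst, proto, port, "->", evaluate(POLICY, iface, dst, proto, port))
    print("leaky guest -> LAN host:", evaluate(LEAKY_POLICY, "GUEST", "192.168.10.50", "tcp", 445))
    print("quarantine DNS to 8.8.8.8:", with_dns_redirect(POLICY, "QUARANTINE", "8.8.8.8", "udp", 53))
```

Two things carry over to the real OPNsense rule editor. Rule order is the whole policy: the DNS pass to the router sits above the guest's RFC1918 block so resolvers still work, and that block sits above "pass any" so "internet" really means internet (in the GUI, OPNsense's built-in "This Firewall" destination and an RFC1918 alias cover the two aliases used here). And the port forward under Firewall > NAT > Port Forward is what makes AdGuard authoritative: without it, a device on the quarantine VLAN that hard-codes 8.8.8.8 simply gets dropped, while a trusted-LAN device would bypass AdGuard entirely through its "pass any" rule.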