Dude, thank you! I'm migrating to OPNsense from UniFi and this unmuddled the VLANs, which was my biggest hurdle. Appreciate it.
No problem! Glad to help!
Dude, I like your knowledge. Well done. You've earned a sub. Especially since you helped me setup my network.
Glad I could help! and Thanks for the sub!
Thank you for simply explaining this
Thanks! We enjoy giving the straight forward assistance.
GOOD video, you made this flow 100% perfect, I'm just toying with the idea of switching from pfsense to opnsense. Just playing with it in a test environment! Thanks for your hard work!
Thank you for your support!
Excellent walkthrough; thank you!!!
Glad it was helpful!
Thank you sir. If I wanted to send multiple but not all VLANs out of a switch port, would that also be known as a trunk?
Yes, that would still be a trunk.
@jowerstechsolutions thank you sir. A switch is arriving tomorrow and I plan on implementing VLANs into my network for guests and IoT. I have a VLAN-aware AP (Ruckus R700) I bought used that supports VLANs. Pretty excited to get it started.
Should every DHCP connection be enabled? If a device connects to the firewall, which IP would it get?
Yes, each network or sub-network needs its own DHCP pool.
Is the firewall or the switch doing the DHCP routing here?
Firewall is the DHCP server. I only do layer 3 switching in large/enterprise environments if it's necessary. Most networks that I do don't require it.
Appreciate your work! However, I wonder: if I just want to use opnsense as a gateway/firewall to the internet, and the VLAN settings, DHCP settings and all routing protocols are configured on the switch, do I have to assign the same VLANs in the Web GUI? And what do I need to do in OPNsense, because if I just leave opnsense at the initial wizard setup, the internet will not be able to reach the VLAN hosts. DHCP service is provided by the switch!
Simply disable DHCP on opnsense and make the firewall the default gateway on your L3 switch.
Great video. I've been trying to set up VLANs on my Cisco 2960-S switch for a while. Your video is the only one that actually worked for me. Thank you. Just one question. I followed your SSH setup. I'm unable to SSH into the switch. From a Linux terminal I tried ssh "user"@"domain". In OPNsense I then assigned a static IP for the Cisco MAC. And no luck. How do you SSH into the switch?
Need to generate crypto keys, enable login on the VTY lines, create passwords for user mode & privileged mode, and create a local user.
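The steps in the reply above, written out as a Cisco IOS configuration fragment. This is an added example, not taken from the video; the hostname, domain name, username and addresses are placeholders, and the 192.168.1.0/24 management subnet is assumed to be the one OPNsense hands addresses out on.

```text
! Added example (not from the video): SSH-only management on a Catalyst 2960-S.
! hostname, domain name, username, passwords and addresses are placeholders.
hostname sw-core
ip domain-name lab.example
!
! The RSA key pair must exist before SSH will start; hostname and domain-name
! must be set first because they become the key's label.
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Local account with a hashed secret, plus the privileged-mode secret.
username admin privilege 15 secret <strong-password>
enable secret <strong-enable-password>
!
! Management address on the VLAN the firewall serves, and the firewall as gateway.
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
 no shutdown
ip default-gateway 192.168.1.1
!
! VTY lines: SSH only (this also turns off telnet), authenticate against the
! local user database, and drop idle sessions after 10 minutes.
line vty 0 15
 transport input ssh
 login local
 exec-timeout 10 0
!
! Only allow SSH from the management subnet; adjust to your admin host(s).
ip access-list standard MGMT-SSH
 permit 192.168.1.0 0.0.0.255
line vty 0 15
 access-class MGMT-SSH in
```

Then connect to the switch's address, not a bare domain: `ssh admin@192.168.1.2`. A name such as `ssh admin@sw-core` only works if OPNsense's resolver actually publishes the static mapping you created. Apply this from the console, since `transport input ssh` cuts off any telnet session you are using. If `crypto key generate rsa` is rejected, check `show version`: SSH needs an image with crypto support (the image name contains `k9`).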
Created a similar setup. Parent LAN - 10.255.x.x, VLAN_10 - 192.168.x.x, VLAN_30 (native) - 10.10.x.x. When I connect the PC to the native VLAN_30 port, it takes an IP from the parent LAN and not the native LAN.
Are you directly connecting your PC to the firewall or to a switch?
Maybe you can answer because I haven't had any luck on the forums. Neither has anyone since 2018 really. I have a pair of LAGGs, one per managed switch. One is MTU 9000, the other is MTU 1500 (default). I want to carry VLAN 1 (MGMT) with DHCP untagged across everything, and the rest of my VLANs (most with DHCP4, but some static...) as tagged across the LAGG trunks. Not really a difficult design, except OPNsense/pfSense wants VLANs attached to physical instead of logical devices. Do I create a bridge for spanning these 2 LAGG groups? Do I even create VLAN 1, or do I just have to do DHCP4 on the LAGGs and not even define it as a VLAN? If I do that, how does it carry over to the second L2 domain if I can only assign DHCP4 on one of the interfaces?
I really wish that BSD had:
- VLAN default gateways as logical, not physical.
- Switchport mode access for VLAN 1 to push that subnet to each place I need it. Looks like it only allows tagged VLAN assignments?
- Better documentation.
You do not need to create VLAN 1. VLAN 1 is "implied" on the physical interface. All other "sub" interfaces are logical under the LAN interface. You need to logically create and assign any subsequent interfaces under the LAN.
I was always under the impression that the point of having VLANs is to separate traffic between the devices in separate VLANs, i.e. you do not want the devices from VLAN 11 talking to VLAN 10 and vice versa. Your firewall rule allows access to ANY, defeating the purpose of separating the devices in the first place. Clearly the rules need further refining - this is actually why I found your video in the first place. My VLANs are too locked down.
Yes, that is correct. VLANs are meant for network segregation; however, with firewalls and/or ACLs you can be very granular with allowing inter-VLAN routing. When this video was made, I allowed ANY for the purpose of the lab, but this should not be done in production if your intention is to completely separate traffic. I hope this helps!
How about this scenario:
1- IoT devices: VLAN1 - access only to Home Assistant - not to the internet
2- Home Assistant (also here some servers for HA: MQTT, Node-RED, etc.): VLAN2 - access to IoT devices, access from home laptops on VLAN4, and remote access to it via VPN,
3- home servers - media/Plex/Samba etc. - VLAN3 - access only to/from home laptops on VLAN4 and remote access to it via VPN
4- home laptops VLAN4 - phones/laptops etc. - access to VLAN2, VLAN3, VLAN4, internet
5- guest - access only to the internet
I am thinking out loud and cannot manage it on Opnsense, a managed switch and 2 APs (1 for IoT, 1 for home laptops and guest)
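An added example, not code from the video or from the OPNsense project, that serves both the "allow ANY is lab-only" reply above and the five-segment scenario just listed: a small first-match rule evaluator in the style OPNsense applies its rules (on the interface where a connection enters, top to bottom, first match wins, implicit default deny). All addresses and segment names are constructed for illustration, and the policy encodes only what the scenario asks for.

```python
"""Added example (not from the video or OPNsense): a first-match rule evaluator
for the five-segment policy above. All addressing is constructed."""
import ipaddress

# RFC 1918 ranges. OPNsense users typically keep these in an alias and write
# "internet only" rules as destination = !<alias>.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical addressing for the segments listed in the comment above.
NETS = {
    "iot":     ipaddress.ip_network("10.0.1.0/24"),   # VLAN1 in the comment
    "ha":      ipaddress.ip_network("10.0.2.0/24"),   # VLAN2
    "servers": ipaddress.ip_network("10.0.3.0/24"),   # VLAN3
    "laptops": ipaddress.ip_network("10.0.4.0/24"),   # VLAN4
    "guest":   ipaddress.ip_network("10.0.5.0/24"),
}

def is_private(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in RFC1918)

def dst_matches(spec: str, ip: ipaddress.IPv4Address) -> bool:
    """Destination specifier: 'any', 'rfc1918', '!rfc1918', or a segment name."""
    if spec == "any":
        return True
    if spec == "rfc1918":
        return is_private(ip)
    if spec == "!rfc1918":
        return not is_private(ip)
    return ip in NETS[spec]

# Per-ingress-interface rule lists as (action, destination spec). Rules only
# describe who may *open* a connection; the stateful firewall passes replies.
POLICY = {
    "iot":     [("pass", "ha")],                       # Home Assistant only, no internet
    "ha":      [("pass", "iot")],                      # laptops/VPN reach HA via their own interfaces
    "servers": [("pass", "laptops")],
    "laptops": [("pass", "ha"), ("pass", "servers"), ("pass", "laptops"), ("pass", "!rfc1918")],
    "guest":   [("pass", "!rfc1918")],                 # internet only
}

# The guest intent written the other common way: block private ranges first,
# then allow the rest. Order matters; with the lines swapped the block is dead.
GUEST_BLOCK_THEN_ANY = [("block", "rfc1918"), ("pass", "any")]
GUEST_ANY_THEN_BLOCK = [("pass", "any"), ("block", "rfc1918")]

# What the video used for the lab: every interface passes to any.
LAB_POLICY = {name: [("pass", "any")] for name in NETS}

def ingress_interface(src_ip: ipaddress.IPv4Address):
    for name, net in NETS.items():
        if src_ip in net:
            return name
    return None

def evaluate(policy: dict, src: str, dst: str) -> str:
    """Return 'pass' or 'block' for a new connection from src to dst."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    iface = ingress_interface(src_ip)
    if iface is None:
        return "block"
    for action, spec in policy.get(iface, []):
        if dst_matches(spec, dst_ip):
            return action            # first match wins
    return "block"                   # implicit default deny

def audit(policy: dict, flows) -> dict:
    """Evaluate (src, dst) pairs; useful for diffing two rule sets."""
    return {(s, d): evaluate(policy, s, d) for s, d in flows}

# Constructed sample flows, one per requirement in the comment.
SAMPLE_FLOWS = [
    ("10.0.1.20", "10.0.2.10"),      # IoT -> Home Assistant
    ("10.0.1.20", "203.0.113.5"),    # IoT -> internet
    ("10.0.1.20", "10.0.4.10"),      # IoT -> laptop
    ("10.0.4.20", "10.0.3.10"),      # laptop -> server
    ("10.0.4.20", "10.0.1.10"),      # laptop -> IoT (not requested)
    ("10.0.5.20", "10.0.3.10"),      # guest -> server
    ("10.0.5.20", "203.0.113.5"),    # guest -> internet
]

if __name__ == "__main__":
    for (src, dst), verdict in audit(POLICY, SAMPLE_FLOWS).items():
        print(f"{src:>12} -> {dst:<14} {verdict}")
    print("lab policy, guest -> server:",
          evaluate(LAB_POLICY, "10.0.5.20", "10.0.3.10"))
```

Two things the model leaves out that bite in practice: hosts on the locked-down segments still need DNS and NTP to the firewall itself (OPNsense does not add those rules for you, only the DHCP ones), and the VPN clients' access to HA and the servers is a rule on the VPN interface, not on VLAN2 or VLAN3.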
Good stuff.. thnx man !
No problem!
Wouldn't it be nice if it were all just typed out as a template so that you don't have to do too much work
Haha maybe
thank you so much!
You're welcome!
Hi, I am Bob. I have multiple VLANs with networks running on my network. I also have a DHCP and DNS server up and working fine with a Palo Alto firewall, but I want to change to opnsense.
The challenge is that I don't know how to create all the networks in opnsense like I did in the Palo Alto.
After I set up opnsense and connected it to the network, only machines on the same IP range as the firewall could access the internet.
Did you set up the firewall rules to allow traffic off of that subnet?
I got everything until you moved to Cisco ;-( But it is better than nothing I suppose ;-)
What are you missing?
@jowerstechsolutions in Cisco you moved to the CLI but my switch only has a GUI, but I think I got the point: Tagged is the trunk port with all VLANs coming in, e.g. from Proxmox or in my case from Opnsense (that is on Proxmox); Untagged is the port out towards a router or computer that is connected to the specific VLAN (so the trunk/tagged port, e.g. port 1, has VLANs 100, 200, 300, while the untagged port for the VLAN 100 router would be e.g. port 8, for VLAN 200 e.g. port 7, and so on - right?)
All was good until you got to the switch part of the tutorial. You lost me bra.
I will be posting an up-to-date video on this next week since this video is a couple years old and out of date