sekki

joined 1 year ago
[–] sekki@lemmy.world 1 points 4 months ago (1 children)

Hmm I think this does not work in case you meant to put the bridge as the parent of the VLANs, OPNsense does not allow this:

now, define 3 vlan with the vlan tags you defined in the switch + ap, you need to say that the port they are received is the bridged port

However I think I found another solution that works exactly as I want but it is very weird so be warned:

  • Created vlan01.11 and vlan02.11 on igc1 and igc2 respectively, assigned them, enabled them and gave each a static ipv4 (192.168.11.1 and 192.168.11.2)
  • Created a bridge with both VLANs as members, did NOT assign and enable this (when I do the setup breaks (?!))
  • Use KEA DHCP instead of ISC:
    • In settings listen on both VLAN interfaces
    • In subnets create the subnet with subnet=192.168.11.1/24 and a pool of 192.168.11.21-192.168.11.254, uncheck "Match Client-id" and "Auto collect option data" and set Routers, DNS and NTP Servers to 192.168.11.1 and 192.168.11.2

This way KEA will give out IP addresses on all interfaces with a static IP in the defined subnet. Make sure to disable ISC DHCP as it otherwise caused issues with KEA and somehow also Unbound (I also enabled "Register ISC DHCP4 Leases" in Unbound's settings because I had weird issues with SERVFAIL there).

I repeated this process for the vlan0x.13 and vlan0x.14. Now internet access works on all VLAN interfaces, as well as the normal interfaces, and I can still define Rules for each VLAN.

What I don't get about this is why I cannot assign or enable the bridge interface... but I guess it works so I'm happy. Thank you for your suggestion though!
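The KEA setup described in the comment above, written out as an equivalent stand-alone kea-dhcp4 configuration so the individual GUI steps can be checked against each other (an added example, not from the original post and not OPNsense's generated config). The interface names are taken from the post; using the canonical network prefix 192.168.11.0/24 instead of 192.168.11.1/24 is an assumption.

```json
{
  "Dhcp4": {
    "comment": "Added example; listen on both VLAN members so one lease pool serves switch and AP clients",
    "interfaces-config": {
      "interfaces": [ "vlan01.11", "vlan02.11" ]
    },
    "match-client-id": false,
    "lease-database": { "type": "memfile", "persist": true },
    "valid-lifetime": 7200,
    "subnet4": [
      {
        "id": 11,
        "comment": "USER VLAN (tag 11); pool leaves .1-.20 free for the two static gateway addresses",
        "subnet": "192.168.11.0/24",
        "pools": [ { "pool": "192.168.11.21 - 192.168.11.254" } ],
        "option-data": [
          { "name": "routers",             "data": "192.168.11.1, 192.168.11.2" },
          { "name": "domain-name-servers", "data": "192.168.11.1, 192.168.11.2" },
          { "name": "ntp-servers",         "data": "192.168.11.1, 192.168.11.2" }
        ]
      }
    ]
  }
}
```

Kea picks the subnet by the address configured on the receiving interface, which is why both VLAN interfaces need a static address inside 192.168.11.0/24; the same block repeated with ids 13 and 14 covers the IOT and GUEST VLANs.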

[–] sekki@lemmy.world 1 points 4 months ago (3 children)

Mainly I want to have separate USER, IOT and GUEST VLANs. So for example I don't want guests to be able to access IoT devices.

The AP and Switch tag these VLANs based on SSID and Port a device is connected to, so OPNsense receives tagged traffic that I can put rules on. I could probably just connect the AP to the Switch and be fine, but the Switch is 1Gb and the AP has a 2.5Gb port so I would like to keep both the switch and the AP connected to OPNsense directly.

Having the switch and AP on their own subnet is not really a requirement, but I guess it would be nice to also be able to control who can access their web interfaces.

So really I just want to have:

  • AP connected to one port on the firewall
  • Switch connected to another port on the firewall
  • Both AP and switch tag frames and pass them to OPNsense so I can apply rules.
  • Devices on vlan01.11 can talk to devices on vlan02.11 and so on
  • A single DHCP provides IPs to all devices connected to both the Switch and AP

Does that make it more clear?

6
submitted 4 months ago* (last edited 4 months ago) by sekki@lemmy.world to c/opnsense@lemmy.world

Hi! I'm currently trying to set up my network as seen in the image. USER VLAN has the tag 11, IOT VLAN has the tag 13 and GUEST VLAN has the tag 14. These are tagged by an Omada AP and Omada Switch on individual ports.

So far I have:

  • Assigned igc1 (LAN) and igc2 (Wifi) and enabled them (no IP configured).

  • Created a Bridge between igc1 and igc2 so they are in the same subnet, which I think of as some sort of management subnet.

  • Configured a static IP (192.168.10.1/24) on this Bridge and enabled DHCP. All devices are reachable here and it is also possible to reach the internet from the Omada devices.

  • Created VLANs vlan01.11, vlan01.13, vlan01.14 with their parent being igc1 (Omada Switch).

  • Created VLANs vlan02.11, vlan02.13, vlan02.14 with their parent being igc2 (Omada AP)

  • Assigned all of them and enabled them (no IP configured)

  • Created a Bridge between each pair (vlan01.11 + vlan02.11 etc.)

Now my problem is that seemingly no matter what I do some devices on the VLANs cannot reach the internet because they cannot reach their Gateway.

I tried:

  • Configuring a static IP to the VLAN Bridge (192.168.11.1 for USER VLAN) and enabling DHCP on it with the correct subnet. Doing so, not a single device was able to reach the Gateway, but they were able to talk to each other. DHCP worked this way for both endpoints.
  • Instead of configuring a static IP to the VLAN Bridge I configured it right on the vlan02.11 interface and enabled DHCP there. Doing so, only the devices on the wifi are able to reach the Gateway but the devices connected via the Switch cannot. In addition DHCP does also not work for devices on the Switch.

Does anyone here maybe have a hint on what I am doing wrong?

Edit: I also tried:

  • Combinations of net.link.bridge.pfil_member and net.link.bridge.pfil_bridge but that didn't work either.
  • Removing the bridge and using only the vlans but with the same subnet

[–] sekki@lemmy.world 1 points 6 months ago

If you are interested try Localsend, it's even less effort than sharing via a messenger and it's peer-to-peer. You can enable auto downloads for trusted peers, then it will be sent directly to a folder of your choice once you send from your phone.

[–] sekki@lemmy.world 1 points 9 months ago (1 children)

Cool! Subways are probably even less complicated than trains, though, since underground there is even less that could block the tracks. Also, driverless in the sense of fully automatic or in the sense of remote-controlled? If that is already possible automatically for subways, it makes even less sense to me why something like that isn't possible for trains.

[–] sekki@lemmy.world 1 points 9 months ago (3 children)

However, these problems exist just the same with cars. Especially much more often, since in road traffic there are not only other cars and obstacles but also pedestrians and cyclists. So I would also think that trains ought to be easier to automate than cars. I haven't really heard anything about automated trains, though, which also surprises me because the whole world is so crazy about automated cars.

[–] sekki@lemmy.world 18 points 10 months ago

Sitting in piss

[–] sekki@lemmy.world 8 points 10 months ago

Fairphones have them too.

[–] sekki@lemmy.world 8 points 1 year ago

Not sure what you mean, there has been war for a long time, not just since "now". So the comparison has always been bad.

[–] sekki@lemmy.world 1 points 1 year ago (1 children)

I don't know what a Fairphone costs where you live, but where I live the Fairphone 5 starts at 550€ and the model with more storage and memory is 629€. That is nowhere near three times the price.

[–] sekki@lemmy.world 3 points 1 year ago (5 children)

There are phones that give you this choice. The Fairphones for example. The back cover is easily removable and you can pop out the battery like in the ol' days. It has an IP55 as far as I know.