News:

Welcome to the Home Network Guy forum!

Main Menu

Purpose of VLANs in OPNSense

Started by ejayb9, September 09, 2021, 03:51:19 PM

Previous topic - Next topic

ejayb9

What's the purpose of the VLAN's in OPNSense? I'm trying to figure out under which circumstances a VLAN is required, and also under which circumstances is it plain useful. Or if it just complicates a configuration.

Only thing I can come up with is if it is an unmanaged switch then a VLAN would be needed. I'm using a 4 port Protectli and each port (WAN, LAN, OPT1, OPT2) can be configured to an interface (em1, em2, etc...) so, I don't see the reason to add a VLAN on top of that.

But I do notice that machines in OPT1 can talk with machines on OPT2, even though they are in different IPs. For example, if OPT1 is 192.168.2.100-125 and OPT2 is 192.168.3.100-125. They can ping/telnet whatever to each other unless I put in a block rule for each interface. I'm not sure if a VLAN would stop that from happening, I haven't had much luck configuring VLAN's on a Protectli.

Thoughts? Should VLANs be used always, or for specific situations, or only when absolutely necessary?

Home Network Guy

VLANs are a way to logically divide up your network into separate smaller networks. It is useful when you want to put restrictions between devices on both networks. So you can keep your employees or guests in your house on a separate network so they can't access more critical parts of the network. VLANs can be used to improve security but by itself, it doesn't improve security. You have to have the proper firewall rules in place. VLANs + firewall rules provides you with improved security.

VLANs are not required to use but are commonly used because it saves money (it saves physical rack space, hardware costs, electricity, etc). You can accomplish the same thing without VLANs but you would need to have a separate network switch for each separate network. That is how they could separate networks before VLAN technology existed. They would use separate routers/switches to create physically separate networks.

VLANs allow you to be more efficient with your hardware. You only need 1 switch (but you can have more if you need more ports or if you want some PoE ports you can save money and buy a switch with fewer ports). You can create several networks using one router and one network switch. It will appear as though they are separate physical networks but they in fact are not on physically separate hardware. Another benefit of VLANs is you don't have to physically have every device that's on the same network plugged into the same switch. This can cause problems if you have switches in different locations in your office or home since you have to make sure the device is plugged into the proper switch. If you want to switch networks, you have to physically move the Ethernet cable. With VLANs, you can simply change which network a device belongs to by changing it on the switch itself without needing to move any cables. So you can reconfigure your network very easily with VLANs since there in increased flexibility.

If you have multiple interfaces, you could plug a small unmanaged switch (which is cheaper) in each port and have separate networks without VLANs or you could use 1 (or more) interfaces with 1 bigger network switch (depending on how many devices you want to connect) that supports VLANs and you can create 1 or more VLANs to start separating your traffic. VLANs add a little more configuration in OPNsense but it's not a lot different than setting up the physical interfaces. You just have an extra step of creating your VLAN tag(s) and then you assign the VLANs to a physical LAN interface. You will have extra configuration for your network switch. You create the same VLANs in your network switch (making sure that the port that connects to the router from your switch is set to TRUNK or allows all VLAN tags to pass through -- different switches have slightly different terminology but the concept is the same).

It sounds like your firewall is allowing all connections for all of your interfaces. If you want your traffic to be isolated, you will need to add rules to block traffic between the interfaces while still allowing traffic to the Internet (unless you want an offline network which is handy for security cameras for instance if you worry about being exposed to the Internet).