Half done - half hoped for - running into issues

[JiveTalking]

Hello all,

So happy to have found a safe place for a newbie such as myself....

My network plan imagined by me (before I heard of VLANs) is simple I thought, best laid plans and all that.

The Layout & History:
My office and living room have a broom closet between their facing walls - so I put a 6port Vault running OPNsense in the closet, had my ISP run their fiber modem into the closet, and drilled holes in the left and right walls of the closet, into each of the rooms mentioned.  I connected cat6 from my PC to the LAN port on my Vault, and of course the modem to the WAN port.

All was well - I had internet access in my office.  That was to easy, I was very happy, for a bit.

I then attached a new TPLink 8port Gbit Smart Switch in between my Office PC and the Vault router LAN port- all was still well, and I then cat6 my Linux PC & laptop also - all 3 devices still good, but I was about to learn of the special settings for LAN ports on routers.

I then ran cat6 through the other wall hole (living room) to a TPLink 5port Gbit Easy Smart Switch, and you guessed it nothing plugged into that found the internet... all is not well :/ and I didn't know why.... I did a ton of research but other peoples network layouts were to complicated for my understanding and needs.

My goal was higher level access for my Office/LAN/Devices computing needs (1 - 4 devices) - and restricted access for the 2 switches installed via cat6 in other rooms.  #1=Living room next to Office through closet, and #2=upstairs above the Office/closet.  These switches would be for media TV and simple laptop Net searches, and email. 

I have since heard of VLANS, which I still don't fully understand - I will dig into learning of these after I get some additional security understanding set up in my OPNsense (the entire point of this adventure in the first place is much better security).
- Many thanks Network Guy for your informative articles ♥ which have really helped, and scared me.

I felt that the trouble might be in my interfaces - so I set one up for em2 (em0 is WAN, em1 is LAN) the same as the one for my LAN except I gave it ........20.1/24 where the LAN is ........10.1/24 - Still no access for em2.  Why that IP - I have no idea I just guessed.

I have poked around, lost internet access - oops, got it back again (no idea how I lost it, or got it back, yikes!)

But I have seen that there are no Firewall rules for my em2 living room could be an issue I say.  But I read when OPNs mostly comes set up like an off the shelf router - security sucks = all access, maybe this just means for LAN port - so sad.  FW scares me, I almost didn't make it through setting up Intrusion Prevention System - Thanks again Network Guy!  Not sure I have that done right, but nothing broke so I call it a win!

So - best network layout practices for setting up 2 limited port/switches - mostly for Internet browsing and media?  While... not killing my LAN this is my current quest.

I read where you say this type of wired/switches sucks bandwidth, or better, competes for bandwidth - I want a 99% wired home network, I was hoping not to daisy chain the whole thing, so I can deal with rooms/hardware independently - it's how I think.  Something that looks like an octopus, router being the central hub/brain banished to the broom closet.

If and when I do add low range wifi I would like it to be turn-off-able <-- my technical term.  I do not have any IoT to deal with -yea!  I do hope to add things as I learn and go - pi hole, physical redundancy for my LAN, backup power source, maybe my own email server, maybe a NAS server for home media (a girl can dream).

Q2: any good beginners practical How-To books?  So far there seems to be a huge vacuum in this: "for personal use, home networking" space.  So glad to find Network Guy is addressing this

I've attached my network layout/map - all rooms are only 4-12' apart.

[Home Network Guy]

Glad you found my site useful and a safe place for newbies!

Instead of having a separate switch in each room, you could have one switch in your closet. However, it means you would need to run an Ethernet drop for each device in all the rooms. It is easier to manage to have 1 centralized switch, but if your house isn't wired and you aren't willing or able to run more wires, the approach you are taking will work also!

Using a separate interface on the OPNsense box for each switch (like you are doing) is a better approach than chaining a bunch of switches. Chaining a bunch of switches introduces extra points of failure (if one switch dies) and could negatively affect performance. For a home network, if you have to chain a few switches in a few locations where it may be hard to run extra Ethernet drops, performance likely won't be terrible unless you are doing lots of high bandwidth file transfers at the same time, for example. I know some people may get upset if you chain switches, but sometimes it's just more convenient in a small home network (if it is found later that performance is an issue, then perhaps it would be worth the effort to run some extra Ethernet drops).

You mentioned wanting to use VLANs for improved security. If each of your rooms needs to be in a separate network, you don't necessarily need to use VLANs. Since they are on separate physical interfaces, you can simply keep the network traffic separated via appropriate firewall rules. If you want some devices in each room to be on the same network as devices in another room, then you could make use of VLANs to create a virtual network so the devices appear to be on the same network even though they may not be physically connected to the same switch.

With that said, for the em2 interface you mentioned there are no firewall rules on that interface. By default, any new interfaces (including VLANs) have no firewall rules. When there are no firewall rules, it means all traffic will be blocked. You need to add rules to allow network traffic. You will notice that the LAN has a default "allow all" rule which allows access to all networks and the Internet. If you want to isolate different networks, you need to modify the rules to allow access to the Internet but not other networks (unless you want them to have access to a local server, etc).

For testing purposes, you could mimic that allow all rule in your em2 interface to see if you can get access to the Internet. If that works, then you can work on locking down access between your interfaces. If you don't use VLANs, the configuration will be more simple but if you plan to setup VLANs, you have to set them up on the interfaces in OPNsense and your network switches. You also have to be careful not to lock yourself out when changing the VLANs on your switch/OPNsense. You will need to be connected to a port that's not on the VLAN you are trying to set up (VLAN 1 is a safe default since that is untagged traffic).

[JiveTalking]

Thanks for the reply Dustin,

Instead of having a separate switch in each room, you could have one switch in your closet. However, it means you would need to run an Ethernet drop for each device in all the rooms. It is easier to manage to have 1 centralized switch, but if your house isn't wired and you aren't willing or able to run more wires, the approach you are taking will work also!

This is good to know... whew!  Your reply helped me to realize something - where other's want devices connected and able to share things across their home network, I do not.  This is because my LAN --> switch --> Office has all I want to share   Next 2 switches will be used exactly the same, but in different rooms, and that is to watch media, check email and search the web, in a limited more secure fashion.  I want division between these interfaces and my LAN - so both can be their own network or their own switches/interfaces as you say.

What is an Ethernet Drop? - I thought that's what my switches were, at least in my imagination

For testing purposes, you could mimic that allow all rule in your em2 interface to see if you can get access to the Internet. If that works, then you can work on locking down access between your interfaces. If you don't use VLANs, the configuration will be more simple but if you plan to setup VLANs, you have to set them up on the interfaces in OPNsense and your network switches. You also have to be careful not to lock yourself out when changing the VLANs on your switch/OPNsense. You will need to be connected to a port that's not on the VLAN you are trying to set up (VLAN 1 is a safe default since that is untagged traffic).

I did just this last night - and it looked good, that is to say my laptop which connects to the internet from my office made a wired connection em2.
But wait, I could not reach the internet.... browser never resolved, command line could not find packets, I could not update my system :/

On the surface my em2 interface Firewall rules look the same as my em1/LAN except for -Destination- I was instructed to put LAN net in there to prevent my switch devices from connecting to my LAN devices....  This sound good so I change that one setting different from my LAN's settings.

But the term Destination and then LAN net sounds like my em2 switch is heading to my LAN and not avoiding it.  So I changed the setting to "Any" and now I can reach the Internet, but I really have very little security - sigh

 - any thoughts?

~ Beth

[Home Network Guy]

An Ethernet drop is just what they call running an Ethernet cable down through walls (the cable is "dropped" down the wall).

If you don't feel comfortable with creating aliases, you could create 2 block rules for the em2 interface to block access to the em1 and em3 interfaces and put them before the allow all rule. So the rules for em2 could be:

(replace em1, em2, em3 with the names you use in OPNsense for those interfaces)

Interface: em2
Action: Block
Source: em2 net
Destination: em1 net

Interface: em2
Action: Block
Source: em2 net
Destination: em3 net

Interface: em2
Action: Allow
Source: em2 net
Destination: any

Repeat the process for the other 2 interfaces. You could always try accessing a device on each network to make sure everything is blocked properly.

[JiveTalking]

Ethernet Drop, I get it now.  In my situation it will be an Ethernet float, as the direction is up

If you don't feel comfortable with creating aliases, you could create 2 block rules

I don't yet understand aliases or groups for FW's - the usual - when to use them, how, why, when not to use them.... you know perspective, I have none... yet.  Thank you for the block set up info - That will work until I do gain more understanding.

Repeat the process for the other 2 interfaces. You could always try accessing a device on each network to make sure everything is blocked properly.

How does one access another device - I am a total newbie yikes! 

Thanks so much,

[Home Network Guy]

I wrote about firewall aliases so when you want to dive deeper, you could check it out.

As for testing if you can connect to your other devices to ensure everything is blocked, you could trying pinging them from the console/command prompt. Type:

ping 192.168.1.50

Using the IP addresses of your machines (or hostnames). If they are on the same network or your firewall rules aren’t blocking the device, you’ll get a response back. So if you know the device is on the same network, getting a response is ok. If it’s not on the same network, you shouldn’t get one back.

If you have any services running on your systems like a web server, you could try accessing those as well to see if you can get a connection. It depends on what you have running on your network. If you can’t access something that’s on another network (like a printer, file sharing/sync server, Apple TV, Roku, Xbox, PlayStation, etc.), then your rules are blocking properly.

You can also check the live firewall logs to see if your rules are blocking any network traffic. That might be the easiest way but you have to be a little familiar and comfortable with the live firewall log. You can filter the log to just the one network or device you are trying to access so you don’t get flooded with as many log entries. It’s hard to see what’s going on if you have a lot of network activity and you don’t filter it.

[JiveTalking]

Thank you, I will try pinging.

I have not experimented because I'm working from an old Windows PC (highest comfort level) to set all of this up and log into control management consoles for now.  I know Windows will change my settings on the fly if I ask it to connect to this or that, so I know better not to, but pinging should be safe.

Thank you for all the options and about your aliases article, very cool.