Make more networks with this feature - How to Create a VLAN // OPNsense Firewall

  • Published 27 Jul 2024
  • Support Me
    Get 5% off Ekster Products
    shop.ekster.com/devodyssey or discount code "DEV" at checkout!
    (PAID Link)
    Follow me on Twitter and Facebook
    / dev_odyssey
    / dev0dyssey
    Description
    VLANs are ubiquitous in networking, and practically universal in enterprise networking equipment. While setting up a VLAN is conceptually the same everywhere, the implementation and the terminology vary between network vendors' software. I've covered VLANs in OpenWrt quite a bit, but not in BSD-based deployments like OPNsense. In this episode, you'll learn how to set up your own VLAN in OPNsense 23.1. Since OPNsense and pfSense have many similarities, you can also apply these steps to create VLANs in pfSense. Best of all, regardless of your software vendor, you get the same benefits from VLANs, such as network segmentation for IoT devices. In addition, you'll learn the basics of creating your own network on a physical Ethernet interface, in case you don't want to use VLANs.
    Links
    FreeBSD History
    docs.freebsd.org/en/books/han...
    OPNsense Docs
    docs.opnsense.org/
    OPNsense VLANs
    docs.opnsense.org/manual/othe...
    Chapters
    00:00 Intro
    00:25 Note On VLANs / BSD
    01:24 Demo - Basic Network Config
    05:15 Demo - VLAN Config
    10:24 Closing Notes
    10:56 Outro
    Attributions
    Music | "Late Nights" by LiQWYD
    Watch: • LiQWYD - Late Nights [...
    License: www.liqwydmusic.com/how-to-use
    Download/Stream: hypeddit.com/liqwyd/latenights
    Tags
    #vlan #opnsense #homenetwork #firewall
  • Science & Technology

COMMENTS • 68

  • @DevOdyssey
    @DevOdyssey  1 year ago +13

    Want to learn more about OPNsense, pfSense, or BSD Networking?

  • @musicinsession
    @musicinsession 1 year ago +5

    Not only are these tutorials awesome, this guy sounds like a really nice guy to hang out with haha! Great channel mate!

    • @DevOdyssey
      @DevOdyssey  1 year ago +2

      Thanks for watching Music in Session! I really appreciate the compliment.
      You're too kind. I'm happy to see my viewers and subscribers see me that way 🙂. I'm thinking of eventually doing some live streams where I can do some virtual hangouts and talk about networking, security, software, and projects I'm working on that my viewers would find useful.

  • @Bandicoot803
    @Bandicoot803 8 months ago +1

    Well explained, easy to understand and straight to the point! Love it!

    • @DevOdyssey
      @DevOdyssey  8 months ago

      Thanks for watching @Bandicoot803!
      Appreciate the compliment and your feedback! 😊
      Side comment, I love your username! I was a Crash Bandicoot fan in my younger years, playing the original game on PS1, and then playing on a Game Boy Advance after that. Fun game!

  • @jack_irl
    @jack_irl 1 year ago

    great stuff Dev Odyssey, keep it up!

    • @DevOdyssey
      @DevOdyssey  1 year ago

      Thanks for the compliment Jack! Appreciate the viewership 😊

  • @TismoGaming
    @TismoGaming 1 year ago +2

    I love how step by step you explain stuff for those that don't network management. Subbed!
    Any way you could make a guide on how to use intrusion detection of OPNsense aka Suricata?

    • @DevOdyssey
      @DevOdyssey  1 year ago +1

      Thanks for the compliment and the sub! I really appreciate it. I'm glad to hear that, as that's exactly what I'm trying to do, so thanks for the validation 🙂
      I actually have quite a bit of security background, and that's how I try to apply all my network teachings. With that, I would like to get into IPS / IDS. I have yet to explore it with OPNsense or the software in general, but Suricata / Snort has been on my radar. As I get more experience, I plan to make more videos around using security feature sets, especially from firewalls like OPNsense and pfSense. I'm not sure when that'll happen, but it's been on my mind.

  • @swixk
    @swixk 1 year ago +1

    Thank you for the video. To make the VLANs easier to understand, I'd expect defining a VLAN IP address range different from the LAN, and at least 2 VLANs.

    • @DevOdyssey
      @DevOdyssey  1 year ago

      You're welcome @swixk! Thanks for watching.
      So when making a VLAN (on top of a LAN), you can't use the same IP address range as the LAN, at least to my understanding. That would cause collisions. The LAN (LAN2) I created in this video was 192.168.100.1/24, and the VLAN is 192.168.150.1/24. The DHCP range / pool only matters for assigning out IP addresses, which isn't really relevant to the core concepts of creating VLANs.

  • @recalion
    @recalion 9 months ago +1

    Structured and well explained.

    • @DevOdyssey
      @DevOdyssey  9 months ago

      Thanks for watching @recalion! I really appreciate the compliment 😊

  • @DougLiebig
    @DougLiebig 2 months ago

    Hello @DevOdyssey, I watched this video and am wondering why the laptop pulled a DHCP address from the VLAN instead of the 192.168.100.0 subnet assigned to the interface itself? I am really interested in the answer to this question.

    • @DevOdyssey
      @DevOdyssey  1 month ago +1

      Thanks for watching @DougLiebig!
      That's a great question. So in a prior video, I made a Raspberry Pi managed switch using OpenWrt, and took that opportunity to talk about VLANs.
      ua-cam.com/video/d3aYMqt-b_c/v-deo.html
      So prior to this video, I simply created the VLAN config on the switch, tagged it on the port connecting the OPNsense PC and the RPi, and untagged this VLAN (150) on the switch, specifically on the port that I connect to my computer. So once I connected my Mac to the Raspberry Pi, it received the VLAN of 150.
      Additionally, if you're curious, you can do this without the Raspberry Pi switch. You should be able to configure VLANs on macOS, and likely on Windows and Linux, though I haven't tried it there. Then you can simply drop into the VLAN by directly connecting to the OPNsense PC, just as if you were connecting to the RPi switch in this video.

  • @johnnybravo8736
    @johnnybravo8736 1 year ago +2

    thanks for the video. Can I ask what the purpose of a VLAN is if you have multiple physical ports? So could you not use the 3rd or 4th port for your 150 LAN, instead of creating a 150 VLAN?

    • @DevOdyssey
      @DevOdyssey  1 year ago +3

      Thanks for watching Johnny Bravo! I'd also have to thank you for the bit of nostalgia with your name. I remember watching that cartoon in my younger years.
      So thinking of it that way, having multiple physical ports, you can create a dedicated network for each port, and thereby achieve network segmentation that way. I could make that 150 LAN on the third or fourth Ethernet port. With VLANs, you basically get the added benefit of being able to create multiple networks on one interface. Which also means you can manage these networks virtually, and assign them to different downstream devices as you please.
      Biggest benefit is really this. Say you want to connect your devices to different networks. If you did it with just physical ports, that means you'd need a network switch for each of those ports, just to get more Ethernet ports for your devices (desktops, servers, access points, etc). With VLANs, you can create the multiple networks on one port, then attach a managed switch, which is capable of filtering out VLANs, and then on the switch, you can assign each Ethernet port to a different VLAN. This cuts down on the hardware that you'd need, and makes it more manageable. Let alone, the cable runs you'd have to do increase your costs as you'd need cabling for each unique physical port on your multiple switches, if you were using VLANs.
      So with VLANs, I put multiple networks on one ethernet port, and then attach a managed switch at the end of it, and now I can connect two different devices, say a desktop PC, and a server, to my one managed switch, and place them on different networks, instead of needing two unmanaged (Layer 2) switches, to achieve the same end result.

    • @johnnybravo8736
      @johnnybravo8736 1 year ago +1

      @@DevOdyssey Thank you, that makes sense

    • @DevOdyssey
      @DevOdyssey  1 year ago +1

      @@johnnybravo8736 You're welcome!

    • @Kilzu1
      @Kilzu1 4 months ago +1

      VLANs are required if you need to share internet and/or internal network access with devices in different rooms and restrict access to certain networks (unlike LANs, VLANs won't let you access other networks just by simply changing your IP address), and we are talking about rooms where there are 30 or more devices. You can be sure as fuck that no right-minded person would spend money on cabling and such, when 1 switch per room and a single wall socket + 2 or 3 in the network room would do the trick :D

    • @DevOdyssey
      @DevOdyssey  4 months ago +1

      @@Kilzu1 Thanks for watching! Could you imagine a world without VLANs, where every network would need its own cable? I mean enterprises are already bursting at the seams with network cable stuffed walls and ceilings. Without VLANs, you'd have no room for any other building equipment, like duct work, insulation, etc. So yea, no one in their right mind would put all these cables to only use one network per cable. VLANs definitely serve their purpose with network segmentation for IoT devices, clients and servers.

  • @mrmartymac
    @mrmartymac 2 months ago

    My compliments on your format. I have watched several of your videos and find them helpful, and well thought out. I like your technique and presentation. Keep up the good work!

    • @DevOdyssey
      @DevOdyssey  2 months ago

      Thanks for watching @mrmartymac!
      Means a lot to hear these types of compliments, so thanks for taking the time to share it with me. Glad to hear my videos have been helpful. I try to create my content in such a way that would help me if I were learning it from scratch: following a step-by-step process with explanations for particular settings to provide contextual understanding. I find that I learn concepts best by implementing them in "real use cases". So while I'm creating a VLAN specifically in OPNsense, you can take the concepts here and create VLANs on any network hardware.
      Looking forward to creating more content in my personal style. Especially since it involves me first learning this process, repeating it, and then scripting it out for a YouTube video (basically repeating the process at least 3 times). Appreciate having a fan like yourself!

  • @mattian1035
    @mattian1035 1 year ago +2

    Bro, if you are going to make a tutorial that is meant to be 'do as I do step by step', you can't just exclude a crucial step like adding a firewall rule to hit the new VLAN gateway IP and say "I have another video that covers this" without even a link, and then expect us to be able to complete this setup. I need to waste time finding the right content to set this rule up now. Forgot to add, other than that, great video :)

    • @DevOdyssey
      @DevOdyssey  1 year ago +1

      Thanks for watching Matt!
      If I'm being very honest, I did overlook that step and only realized it at the end of the video once it was said and done. Since that step related to another video I'm in the process of making, I left out the additional detail and saved it for my next video. I wanted to get to it sooner and you would've seen that video by now if I didn't have a lapse in my schedule, so my apologies there. I don't mean to waste your time finding another video to explain it.
      In addition, this rule isn't exactly necessary for making VLANs, though anyone making a VLAN would certainly want to use it, and so at that point firewall rules are absolutely necessary.
      Nonetheless, you can refer to this link for more information on firewall rules and making them.
      www.sunnyvalley.io/docs/network-security-tutorials/how-to-configure-opnsense-firewall-rules
      This company actually makes OPNsense plugins that provide the "next gen features" like application-based firewall rules, which is really cool in my opinion and something I hope to try and make a video on in the future. Until then, I hope the link helps and gets you going with making the firewall rules you need.
      Anyway, I do appreciate the compliment, and thanks for being a viewer 😊

    • @mattian1035
      @mattian1035 1 year ago

      @@DevOdyssey no problem, I found the info required soon after in the end, thanks for the link. You said you had a video on setting up firewall rules so I was more interested to see that than anything. I also found that I needed to set these rules in order to access the gateway, so adding the link is helpful if it's available. I did a blanket allow-all rule to test and it let me access the gateway and between all VLANs as a starting point. Thanks again, you get to the point and make it easy to skip through and set up easily. Appreciate it 👍

    • @DevOdyssey
      @DevOdyssey  1 year ago +2

      @@mattian1035 Glad to hear you found what you needed. Yea I had one coming up, and I've been working on it, but lots has happened in my life that took my time away from producing the video, including frying the power button on the mini firewall appliance I used in this video when doing other testing, so I had to get another one. I'm working on this one next and I should get to recording it soon.
      Once I’m done with the video, and published I’ll definitely be adding the link to the description here and as a card.
      Yea a blanket rule is a good place to start so you can access the gateway interface for managing OPNsense, and access other networks. Then based on your needs, you can lock down ports and restrict access via firewall rules. I’ll definitely be covering good practices in my video, including what I use in my home network.
      You’re welcome! I try to format the content so that anyone from all different skill levels can skip through and get the information they need, whether it be a high level run down, or just the actual implementation part. Happy it helped you in that regard.
      Best of luck in your network setup, and feel free to ask any other questions you may have. I have more knowledge in my head that I just can’t get out as fast in video format as I learn it haha.

    • @mattian1035
      @mattian1035 1 year ago +1

      @@DevOdyssey fair enough sorry to hear, will keep an eye out for that video. Thanks again

    • @DevOdyssey
      @DevOdyssey  1 year ago +1

      @@mattian1035 all good, no worries, it happens and is part of the learning process. Needless to say I'm not gonna be moving jumpers around on random pins again anytime soon without extra knowledge.
      Definitely keep an eye out, I just flashed the new firewall pc today with OPNsense, so I should be back on track to getting that firewall video made.
      You’re welcome, see you in the next video!

  • @sahandjavid8755
    @sahandjavid8755 4 months ago +1

    Thank you for your great video. One question. Let's say I have an access point that can handle multiple SSIDs and supports VLANs, like UniFi. Can I directly connect it to the physical port without having a managed switch? Are there any steps different?

    • @DevOdyssey
      @DevOdyssey  4 months ago

      @sahandjavid8755 You're welcome, thanks for watching!
      Great question, and I appreciate you giving me an example like UniFi products, as I have personal experience with them.
      Technically, yes, you can do this without a managed switch. You'd still need a Cloud Key or their software on a VM to manage their equipment (APs and switches), but other than that, you don't need a managed switch technically. You can broadcast the VLANs as different SSIDs, but I believe you are limited to 3 VLANs. So if you have 3 or fewer VLANs, this would work fine, but if you have more VLANs that you want to use within your network, then directly plugging in probably doesn't make too much sense.

    • @sahandjavid8755
      @sahandjavid8755 4 months ago

      @@DevOdyssey why only 3 vlans? Because there are only 3 ports (+1 wan port)?

    • @DevOdyssey
      @DevOdyssey  4 months ago

      @@sahandjavid8755 I can't exactly explain why other than that's a limitation imposed by UniFi on how many VLANs can be broadcast. I assume it has to do with the number of wireless radios available for the access point I have used, but I can't be certain since I haven't worked with more UniFi access points. I'm just going off my experience, which so far has only been with one access point. So maybe you can do more than 3 using a different access point, or maybe it's being limited by UniFi management software. Guess there's really only one way to find out.

    • @DevOdyssey
      @DevOdyssey  4 months ago

      @@sahandjavid8755 Just to give an update, I did a quick Google search and saw that they can actually support 4 VLANs. It's been a while since I was messing around with these settings so it must have slipped my mind, but the answer I found when searching is 4. I only needed 3 at the time so that's where my mind went first. I'm sure this number varies depending on your AP manufacturer but nonetheless I wanted to share my corrected update.

    • @sahandjavid8755
      @sahandjavid8755 4 months ago

      Thank you @DavOdyssey. Maybe this is an OPNsense software limitation! But theoretically nothing should stop OPNsense from having any number of VLANs (up to the number in the VLAN range standard).

  • @khanhthedag7269
    @khanhthedag7269 6 months ago +1

    Thank you. It's very well done. I did like you: LAN2 and then VLAN150. But after, I don't become the IP 192.168.150.x, I become only from LAN2 192.168.100.x. Why? Please help.

    • @DevOdyssey
      @DevOdyssey  6 months ago

      Thanks for watching @khanthedag7269!
      Your comment and compliment are much appreciated. So how are you plugging into it? If you're plugging directly into the port from your PC, then you will be assigned an IP in the 100.x range. That's because if you don't set your interface to be VLAN aware (basically untagging it on the PC side), it's going to use the default LAN2 network.
      I'm not sure what machine you are using (PC, Linux, macOS, or something else), but it will need to be VLAN capable in order to properly get onto the VLAN. Better yet, if you happen to use a managed switch, as I show in my video of using a Raspberry Pi as a managed switch, then you should be able to do the proper VLAN tagging on the managed switch and get an IP address assigned in the 150.x range.
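Added example (not from the video, the thread, or OPNsense) of the tagging and untagging discussed in the replies to @DougLiebig and @khanhthedag7269 above: a small model of a managed switch with an 802.1Q trunk port toward the OPNsense LAN2 interface and access ports for the laptop and a LAN2 device. Modelling untagged LAN2 traffic as VLAN 100, the port names, MAC addresses and payloads are all constructed, and the switch floods within a VLAN instead of learning MAC addresses.

```python
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100                           # EtherType that announces an 802.1Q tag
BROADCAST = b"\xff" * 6
LAPTOP_MAC = bytes.fromhex("020000000001")    # constructed, locally administered MACs
OPNSENSE_MAC = bytes.fromhex("020000000002")


def eth_frame(dst: bytes, src: bytes, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: dst MAC, src MAC, EtherType 0x0800 (IPv4), payload."""
    return dst + src + b"\x08\x00" + payload


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 802.1Q header (TPID + TCI) between the source MAC and the EtherType."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    tci = ((pcp & 0x7) << 13) | vid           # TCI = PCP(3 bits) | DEI(1 bit)=0 | VID(12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes):
    """Return (vid, frame without the tag); vid is None when the frame carries no tag."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame


@dataclass(frozen=True)
class Port:
    name: str
    pvid: int                          # VLAN given to untagged frames (the port's "untagged" VLAN)
    tagged: frozenset = frozenset()    # VLANs carried with a tag; empty means an access port

    def ingress(self, frame: bytes):
        """Classify an incoming frame into a VLAN; a tag the port does not carry is dropped."""
        vid, inner = untag_frame(frame)
        if vid is None:
            return self.pvid, inner
        return (vid, inner) if vid in self.tagged else (None, None)

    def egress(self, vid: int, inner: bytes):
        """The frame as it leaves this port for VLAN vid, or None if the port is not a member."""
        if vid in self.tagged:
            return tag_frame(inner, vid)
        if vid == self.pvid:
            return inner                   # untagged member: the tag is stripped on the way out
        return None


def forward(ports: dict, in_port: str, frame: bytes) -> dict:
    """Flood the frame to every other port that is a member of the frame's VLAN."""
    vid, inner = ports[in_port].ingress(frame)
    out = {}
    if vid is None:
        return out
    for name, port in ports.items():
        if name != in_port and (egress := port.egress(vid, inner)) is not None:
            out[name] = egress
    return out


def build_switch() -> dict:
    """Trunk to OPNsense: untagged = LAN2 (VLAN 100 here), tagged = VLAN 150; two access ports."""
    return {
        "opnsense": Port("opnsense", pvid=100, tagged=frozenset({150})),
        "laptop": Port("laptop", pvid=150),      # the port untagged in VLAN 150 from the video
        "printer": Port("printer", pvid=100),    # a constructed LAN2-only device
    }


def laptop_dhcp_discover() -> dict:
    """The laptop sends an untagged broadcast; the switch tags it 150 toward OPNsense only."""
    return forward(build_switch(), "laptop", eth_frame(BROADCAST, LAPTOP_MAC, b"DHCPDISCOVER"))


def opnsense_dhcp_offer() -> dict:
    """OPNsense answers on its VLAN 150 interface (tagged); the laptop receives it untagged."""
    offer = eth_frame(LAPTOP_MAC, OPNSENSE_MAC, b"DHCPOFFER 192.168.150.10")
    return forward(build_switch(), "opnsense", tag_frame(offer, 150))


def lan2_broadcast() -> dict:
    """Untagged LAN2 traffic from OPNsense reaches the printer, never the VLAN 150 port."""
    return forward(build_switch(), "opnsense", eth_frame(BROADCAST, OPNSENSE_MAC, b"ARP 192.168.100.50"))


def laptop_self_tagged_100() -> dict:
    """A frame the laptop tags with VLAN 100 itself is dropped by its access port."""
    return forward(build_switch(), "laptop", tag_frame(eth_frame(BROADCAST, LAPTOP_MAC, b"ARP"), 100))
```

The last two functions show why changing an IP address alone does not move a host between VLANs: membership is decided per port at layer 2, before any IP header is looked at.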

  • @stricken5tein
    @stricken5tein 2 months ago

    why is it necessary to create a separate LAN interface in addition to the VLAN interface?

    • @DevOdyssey
      @DevOdyssey  1 month ago +1

      Thanks for watching @stricken5tein!
      It's not necessary, and you can use the LAN already on OPNsense by default. I simply made it to kinda start from scratch, and have a separate interface for this configuration. This was my way of making sure that if I messed something up on my new, second LAN or VLAN, I still had the default LAN I could use to access the web GUI.

  • @Patrick_010
    @Patrick_010 9 months ago +5

    Not explaining the fw rule setup basically makes this video useless

    • @DevOdyssey
      @DevOdyssey  9 months ago +3

      Thanks for watching @Patrick_010!
      While the video does go through fully on creating a VLAN, being the focal point, I did not touch on firewall rules because I knew I intended to make another video on it, where I can give it the attention it deserves with detailed explanation. Though, for testing network connectivity, those rules are required. Simply, OPNsense is following the best practice of denying all traffic on new interfaces if not explicitly allowed, which was an oversight when making the video.
      Nonetheless, I did cover firewall rules in the video below, which would complement this video perfectly, as a next step in network configuration.
      ua-cam.com/video/CT3XNpWrFEE/v-deo.html
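Added illustration (not from the video, and not OPNsense's own code) of the point made in this reply and in the @mattian1035 thread: rules on an interface are evaluated top-down, the first match wins, and whatever no rule allows is dropped by the default deny, so a new VLAN interface with no rules passes nothing. The model below evaluates a few constructed flows entering OPNsense on the VLAN 150 interface against no rules, a blanket allow, and a segmented set that lets the VLAN reach its gateway and the internet but not LAN2; the destination addresses, ports and rule descriptions are assumptions.

```python
from ipaddress import ip_address, ip_network

LAN2 = ip_network("192.168.100.0/24")        # the two networks from the video
VLAN150 = ip_network("192.168.150.0/24")
VLAN150_GW = ip_network("192.168.150.1/32")  # OPNsense's address on the VLAN interface
ANY = ip_network("0.0.0.0/0")


def rule(action, proto="any", src=ANY, dst=ANY, dport=None, note=""):
    """One inbound rule on the VLAN 150 interface (direction and interface are fixed here)."""
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport, "note": note}


def matches(r, flow) -> bool:
    return (r["proto"] in ("any", flow["proto"])
            and ip_address(flow["src"]) in r["src"]
            and ip_address(flow["dst"]) in r["dst"]
            and (r["dport"] is None or r["dport"] == flow["dport"]))


def evaluate(rules, flow):
    """First matching rule decides (OPNsense rules are 'quick' by default); no match = default deny."""
    for r in rules:
        if matches(r, flow):
            return r["action"], r["note"]
    return "block", "default deny: no rule on the interface matched"


NO_RULES = []                                                   # a freshly created VLAN interface
BLANKET_ALLOW = [rule("pass", note="allow anything from VLAN 150")]
SEGMENTED = [
    rule("pass", "udp", VLAN150, VLAN150_GW, 53, "DNS to the VLAN gateway"),
    rule("pass", "tcp", VLAN150, VLAN150_GW, 443, "web GUI on the VLAN gateway"),
    rule("block", "any", VLAN150, LAN2, None, "keep VLAN 150 out of LAN2"),
    rule("pass", "any", VLAN150, ANY, None, "everything else, i.e. the internet"),
]

# Constructed flows; 203.0.113.7 is a documentation address standing in for an internet host
FLOWS = {
    "dns_to_gateway": {"proto": "udp", "src": "192.168.150.10", "dst": "192.168.150.1", "dport": 53},
    "smb_to_lan2": {"proto": "tcp", "src": "192.168.150.10", "dst": "192.168.100.50", "dport": 445},
    "https_to_internet": {"proto": "tcp", "src": "192.168.150.10", "dst": "203.0.113.7", "dport": 443},
}


def decisions(rules) -> dict:
    """Action taken for each constructed flow under the given rule set."""
    return {name: evaluate(rules, flow)[0] for name, flow in FLOWS.items()}


def misordered() -> dict:
    """The same segmented rules with the catch-all pass above the block: the block never fires."""
    return decisions([SEGMENTED[3], SEGMENTED[2]])


if __name__ == "__main__":
    for label, rules in (("no rules", NO_RULES), ("blanket allow", BLANKET_ALLOW),
                         ("segmented", SEGMENTED)):
        print(label, decisions(rules))
    print("misordered", misordered())
```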

  • @starfoxBR77
    @starfoxBR77 1 year ago

    I did it all. Weird is that in the created VLAN I can have internet access for some hours and then it's gone, obligating me to switch to the base LAN to regain internet access.

    • @DevOdyssey
      @DevOdyssey  1 year ago +1

      Thanks for watching @starfoxBR77!
      Now that is really strange. Troubleshooting that would require nothing less than looking at the logs and looking for any indications of VLAN failures. I have not ever experienced this so I'm not even sure how to properly diagnose the issue. It seems like it might be more of an internet access issue, versus the actual VLAN interface simply failing. This could indicate other issues upstream. Does the VLAN internet access ever come back?
      What's the hardware you are using? At worst, it may be unstable for VLANs, but that's not the first assumption I'd go to. Diagnosing this can be difficult, and requires extensive testing to really see where the issue lies. It can get even more complicated if you are virtualizing your OPNsense instance, and networking goes down, as that can be a result of your hypervisor and virtual network setup. So if you do have it set up that way, that's a possible issue as well, but again, not the first place I'd go to.
      I'd first look at the logs to see if there are any system failures, or see if you are getting internet access blocked in firewall logs, and go from there. It then might require additional testing after that.

    • @starfoxBR77
      @starfoxBR77 1 year ago

      @@DevOdyssey Thank you a million for such a comprehensive reply 🙏

    • @starfoxBR77
      @starfoxBR77 1 year ago

      @@DevOdyssey To your points: Once I create a VLAN, I set the firewall rule for DNS access allowing internet navigation, and around 30 minutes later internet access is gone both on Wi-Fi and cable.
      I'm using a box from the Chinese manufacturer of Protectli (YANLING Nano N1141) with OPNsense directly installed, connected to a managed TP-Link switch. Two ISPs load balanced.

    • @DevOdyssey
      @DevOdyssey  1 year ago +1

      You're welcome! Happy to help.
      I have heard of Protectli before, but haven't bought any of them, at least not yet. Their offerings look pretty enticing.
      Thanks for providing that context as well. So knowing this, I imagine you must have a rule that allows HTTP/HTTPS traffic out. That aside, have you checked to see if DNS requests are being blocked after that 30-minute period? That's where I'd check first, though if that's the case, I don't know why that would be blocked and it seems very random. If not, I'd recommend seeing if any outbound traffic is being blocked, and doing a ping test as well.
      When doing your ping test, be sure to send the ping from the VLAN interface directly, which you should be able to do under the Interfaces -> Diagnostics option in the menu on the left.
      I have to say kudos on the setup too! I’d love to have a load balancer ISP setup, I don’t think I can do that with two hardlined ISPs, and one would have to be a cellular carrier. It’s something I’m thinking about but want to ensure I can use my own hardware instead of their cellular modem / router box combo. With eSIMs, I’m not sure that’ll be the case, and if so, I’d have to splurge on a 5G modem that supports eSIM and my carrier.

    • @starfoxBR77
      @starfoxBR77 1 year ago

      @@DevOdyssey Got you!! So many insights! Can't wait to test it all out!

  • @vn_loc7316
    @vn_loc7316 3 months ago +1

    Weird bug that you need reboot for VLAN to work 🤣

    • @DevOdyssey
      @DevOdyssey  3 months ago

      Thanks for watching @vn_loc7316!
      You know it's just one of those things in IT, turning it off and on just makes anything you do work, or resolves any issues that arise haha. And sometimes it's just for good measure. I mean hey, how many times do you have to turn on a Windows machine when it's updating 😂

  • @user-dr1pm7fw7e
    @user-dr1pm7fw7e 1 year ago

    We urgently need a video on setting up wstunnel + WireGuard on a router with an OpenWrt client, 64-bit architecture. There is no software for this; some users managed to configure it for a 32-bit architecture, for which there is software. If possible.

    • @DevOdyssey
      @DevOdyssey  1 year ago +2

      Thanks for watching Олег!
      I wasn't familiar with wstunnel but after doing some research, I now understand what and why you're asking for this. Given I haven't tried this before, I can't say this is something that I would get to anytime soon.
      It looks like someone did write an article about this and how to accomplish it.
      Written tutorial
      nerdonthestreet.com/s/19
      OpenWrt forum discussion
      forum.openwrt.org/t/wireguard-over-wstunnel/142523/48
      So in the meantime, I recommend you follow the article linked above and the OpenWrt forum discussion to get a better understanding of how you can accomplish this, and what requirements are necessary, as without any experience I can't speak to this now. Though it looks like this is possible.
      If I do get around to this, I'll post a video, but in the meantime I can't promise I will. Best of luck with your setup!

    • @user-dr1pm7fw7e
      @user-dr1pm7fw7e 1 year ago

      @@DevOdyssey Thank you. We in a Telegram group are dealing with these issues, and we make different settings to hide VPN traffic. Soon many providers will block it. This is already happening in many countries. The situation is particularly difficult in Turkmenistan and Uzbekistan.

    • @DevOdyssey
      @DevOdyssey  1 year ago +1

      @@user-dr1pm7fw7e You're welcome! It's a sad state of affairs in the world when governments block open access to information, and stop these protocols from working to prevent their citizens from accessing open and public information. I'm sorry to hear you are experiencing that, but I hope the article that I referenced helps you out, as I don't think I'd get to a wstunnel video anytime soon.
      With technology, it's always a cat and mouse game, where one tries to get ahead of the other. I would only hope they don't try to block this, but it's unlikely; especially when WebSockets are a foundational part of the internet, it's difficult to block that unless deep packet inspection is occurring and that traffic can be stopped before any encryption, but again, that doesn't seem likely, and would break the internet for those countries.

  • @dominikseildein6049
    @dominikseildein6049 1 month ago

    Wow, these fast jumps are a complete disaster if you want to follow along...

    • @DevOdyssey
      @DevOdyssey  1 month ago

      Thanks for watching @dominikseildein6049! Excuse me while I use Google Translate to reply. The speed-up is meant to keep the video at a reasonable length, but I see that it can make the video hard to follow. I recommend slowing the video down in those sections so you can follow it more closely.

  • @JohnForTheWin
    @JohnForTheWin 5 months ago

    This dude talks like he's an AI