[ale] VLANs and logging

Bryan L. Gay ale at bryangay.com
Tue Apr 23 22:52:34 EDT 2019


I run multiple VLANs in my home the way you described it.

My router is OPNSense in a VM on my hypervisor (Xen in my case). It has two
virtual interfaces: WAN and LAN.
Those interfaces are virtual, but they each belong to a bridge on my
hypervisor: br0 and br1, for lack of a better naming scheme (I actually name
my internet-facing bridge WAN0).
Each of those two bridges has a separate physical Ethernet card as a
member: one connected to my ISP, the other connected to a trunk port on my
managed switch.
I use OPNSense as DNS and DHCP on the VLANs other than my admin VLAN and
VoIP VLAN. I use isc-dhcpd for those, which runs on my hypervisor. If you
don't want to do this, you simply enable DHCP relay on the VLANs that need
DHCP services, and those requests get forwarded to your DHCP server on
another VLAN where you've added the additional scope. OPNSense can handle
this.
I also have an additional bridge that has no physical Ethernet interfaces.
This bridge is for VM-to-VM backend communications, such as for web servers
to talk to database servers. Since there is no physical Ethernet card, the
bandwidth is the full capability of the network driver.

My WAP is a Ubiquiti that handles VLANs very well.

I have an SSID for Guest. This is mapped to a VLAN on its own subnet, and
the firewall ONLY allows Internet access. I also have the option of
bandwidth throttles, schedules, and captive portals if I choose.
I have an SSID for Admin. This has a full-length WPA2 key that no one ever
types into anything. This is on a VLAN that can go through my firewall to
access my Admin VLAN. When I set up FreeRADIUS, this will move to
RADIUS-based auth.
I have an SSID for IoT. Roku, Google Home, Chromecasts, etc., go here. They
can all talk to each other without issue, and they have Internet access. If
I need an app on my phone to talk to one of these devices, I join this SSID
with my phone.
I have an SSID for generic Internet. This is where my family's laptops and
desktops go. This VLAN is allowed to access my file server, and it uses a
dedicated DNS for filtering.

Each SSID is on its own VLAN.
There is also a VLAN for VoIP. I have 2 VoIP phones. No big deal. OPNSense
has a SIP proxy these phones connect to, where the SIP connections are
proxied to my SIP server on the Internet.

The OPNSense VM, running under Xen, can add VLANs to the LAN virtual
interface. There's nothing I need to do on the hypervisor. pfSense can't do
this (this is why I upgraded from pfSense to OPNSense).

My hardware:
A hypervisor with two NICs.
A managed switch (Ubiquiti UniFi 8-port PoE).
Ubiquiti UniFi AP AC Pro.

The only thing that is multi-homed is the OPNSense VM, but it's not really.
It just has a VLAN virtual interface added for each VLAN it needs to route,
and each of those has a subnet assigned with the VLAN IP set as the gateway
IP.

I arrived at this solution after trying many others.

On Thu, Apr 18, 2019 at 11:18 AM Derek Atkins via Ale <ale at ale.org> wrote:

> DNS does not need to be on a multi-homed server -- you can have your
> router perform layer-3 routing between your VLANs to your DNS server.
>
> DHCP, however, does need to be multi-homed, or at least your router (which
> needs to be multi-homed) needs to know to forward DHCP broadcast packets.
>
> All other "A must be able to talk to B" issues can be handled by IP-based
> routing between your VLANs.
>
> -derek
>
> On Thu, April 18, 2019 11:10 am, Alex Carver via Ale wrote:
> > Right, I know that they would normally be on untagged ports.  That's the
> > basics which I understand.  It was my hope that there was a different
> > method of implementing VLANs that I didn't know about that didn't have
> > to involve a multihomed router and possibly multihomed devices.  My hope
> > did not materialize and the only way I knew how is the only way
> > available.
> >
> > As for DHCP I don't want the DHCP/DNS on the router because the router I
> > would likely get would not do those functions anyway (being a pure
> > router).
> >
> > On 2019-04-18 06:46, Phil Turmel via Ale wrote:
> >> Only the router and the DHCP server need to be on trunk lines. (Consider
> >> having the router perform DHCP, too.)  All other devices would be on
> >> untagged ports for the VLAN you wish them to be a part of.
> >>
> >> On 4/17/19 11:53 PM, Alex Carver via Ale wrote:
> >>> Not the router, the multihomed devices that are on trunk lines from the
> >>> switch.
> >>>
> >>> On 2019-04-17 14:59, Phil Turmel via Ale wrote:
> >>>> It's a pretty basic premise of routing that the router has to have an
> >>>> address in the subnets it is going to route between, as it must offer
> >>>> a gateway address *in the subnet* to the leaf nodes.
> >>>>
> >>>> On 4/17/19 2:50 PM, Alex Carver via Ale wrote:
> >>>>> I was hoping to avoid having multiple IPs on them but looks like I
> >>>>> can't since each VLAN virtual interface will have to have its own IP.
> >>>>>
> >>>>> On 2019-04-17 08:47, Phil Turmel via Ale wrote:
> >>>>>> A trunk port w/ tagged VLANs for your router and DHCP server is all
> >>>>>> you need.  These devices are then virtually multihomed (in addition
> >>>>>> to your router's uplink).
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > https://mail.ale.org/mailman/listinfo/ale
> > See JOBS, ANNOUNCE and SCHOOLS lists at
> > http://mail.ale.org/mailman/listinfo
> >
>
>
> --
>        Derek Atkins                 617-623-3745
>        derek at ihtfp.com             www.ihtfp.com
>        Computer and Internet Security Consultant
>
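The design Bryan and Derek describe boils down to two rules: the router holds a gateway address in every VLAN it routes, and which VLAN may reach what is decided by layer-3 firewall rules on the router, while traffic inside one VLAN is switched and never reaches it. That policy can be written down and checked before it is committed to a box. The following is an added example, not code from this thread, from OPNSense or from any of the posters; the VLAN ids, subnets, the `vlan<id>` interface names and the file-server address are constructed assumptions, and the rules it renders are plain pf syntax rather than OPNSense's own generated configuration. It models the policy from the post (Guest gets Internet only, IoT gets Internet plus itself, the family LAN gets Internet plus the file server, the Admin SSID may cross into the Admin VLAN) and answers "would the router forward this packet?" for any source and destination address.

```python
"""Inter-VLAN forwarding policy: a checker plus a pf rule renderer.

Added example, not from the thread. Everything below (VLAN ids, subnets,
interface names, the file server address) is a constructed assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class Vlan:
    name: str
    vid: int
    subnet: ipaddress.IPv4Network

    @property
    def iface(self) -> str:
        # Router-side VLAN sub-interface; "vlan<id>" is an assumed naming scheme
        return f"vlan{self.vid}"

    @property
    def gateway(self) -> IPv4:
        # First host of the subnet is the router's address in that VLAN,
        # i.e. the default gateway the leaf nodes are handed by DHCP
        return next(self.subnet.hosts())


# Constructed VLAN plan (ids and subnets are assumptions, not the post's values)
VLANS = {v.name: v for v in (
    Vlan("admin", 10, ipaddress.ip_network("10.0.10.0/24")),
    Vlan("admin_wifi", 11, ipaddress.ip_network("10.0.11.0/24")),
    Vlan("lan", 20, ipaddress.ip_network("10.0.20.0/24")),
    Vlan("iot", 30, ipaddress.ip_network("10.0.30.0/24")),
    Vlan("guest", 40, ipaddress.ip_network("10.0.40.0/24")),
)}

FILE_SERVER = ipaddress.ip_address("10.0.10.5")  # constructed; sits on the admin VLAN

# Allow list: (source VLAN, destination). Destination is "internet" (any
# globally routable address), a VLAN name (that whole subnet) or one host.
# Anything not listed is dropped by the router. Traffic addressed to the
# router itself (DHCP, DNS, the SIP proxy) is an input-chain matter, not modelled.
POLICY = [
    ("guest", "internet"),
    ("iot", "internet"),
    ("lan", "internet"),
    ("lan", FILE_SERVER),
    ("admin", "internet"),
    ("admin_wifi", "internet"),
    ("admin_wifi", "admin"),
]


def vlan_of(ip: IPv4) -> Optional[Vlan]:
    """The VLAN whose subnet contains ip, or None for anything off-net."""
    return next((v for v in VLANS.values() if ip in v.subnet), None)


def is_forwarded(src: str, dst: str) -> bool:
    """Would the router forward a packet from src to dst under POLICY?"""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    sv, dv = vlan_of(s), vlan_of(d)
    if sv is None:
        return False            # packet from an unknown segment: never forwarded
    if dv is sv:
        return True             # same VLAN: switched at layer 2, router never sees it
    for src_name, target in POLICY:
        if src_name != sv.name:
            continue
        if target == "internet" and dv is None and d.is_global:
            return True         # off-net AND globally routable: RFC1918 is not "Internet"
        if isinstance(target, str) and dv is not None and target == dv.name:
            return True
        if isinstance(target, IPv4) and d == target:
            return True
    return False


def pf_rules() -> list:
    """Render POLICY as pf rules for the router's VLAN interfaces.

    pf is last-match-wins, so every VLAN interface gets a block first and
    its pass rules after it; the RFC1918 table keeps an "Internet" pass from
    doubling as a side door into the other VLANs.
    """
    rules = ["table <rfc1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"]
    for v in VLANS.values():
        rules.append(f"block in on {v.iface}")          # default deny per VLAN
    for src_name, target in POLICY:
        sv = VLANS[src_name]
        if target == "internet":
            dst = "! <rfc1918>"
        elif isinstance(target, str):
            dst = str(VLANS[target].subnet)
        else:
            dst = str(target)
        rules.append(f"pass in on {sv.iface} inet from {sv.subnet} to {dst}")
    return rules


if __name__ == "__main__":
    for v in VLANS.values():
        print(f"{v.name:>10} vid={v.vid} {v.subnet} gw={v.gateway} on {v.iface}")
    print("\n".join(pf_rules()))
```

Running it prints the per-VLAN gateway plan (the "VLAN IP set as the gateway IP" from the post) followed by the rendered pf rules; `is_forwarded()` is the part worth keeping around, because it lets you assert that a guest client can reach 8.8.8.8 but not the file server before any rule lands on the firewall.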