10th February 2019
Zmyrgel
Port Guard
Join Date: May 2008
Posts: 30
VLANs with OpenBSD router

Hi,

I have a functional OpenBSD 6.4-current router (apu2b4) connected to my WAN, wireless AP and a dumb switch. I used the vether0 and bridge0 interfaces to make the router function like a switch. This system works fine, but I recently got devices connected to the switch which I don't want accessing the rest of my network, so I thought to bring in some VLANs to aid securing my network and to learn a bit about them in the process.

I purchased a Netgear GS110TP smart switch to play with some VLANs etc., but I can't wrap my head around how all this should be set up so everything runs smoothly.

So my working gateway config was the following:
em0 (connected to the internet)
em1 (connected to the wireless AP)
em2 (connected to the old unmanaged switch)
vether0 on the 10.0.0.1/24 network
bridge0 (bridge members em1, em2, vether0)

LAN daemons listened on vether0: stuff like httpd, dhcpd, nsd etc.

My plan is to improve things in three steps to minimize downtime and the chance of misconfiguration. Step 1 was the easy one: I replaced the unmanaged switch with the managed switch but didn't configure any VLANs etc. Everything still worked fine.

Step 2 is where I'm currently stuck: add two VLANs, VLAN10 for trusted and VLAN20 for untrusted devices, and keep things working for wired connections while keeping the wireless AP working with the old connection.

So I made the following adjustments to the Netgear switch:
Ports 1-4 are members of VLAN10, with port 1 connected to OpenBSD gateway em2. Port 1 is tagged and ports 2, 3, 4 are untagged.
Ports 5-8 are VLAN20, all untagged.

I connected my desktop to port 5 on the switch, so it should get assigned to VLAN20.

I added 2 vlan interfaces to the OpenBSD gateway:
Code:
hostname.vlan10:
# parent/tag line assumed; the vlan has to be attached to em2 (port 1 of the switch)
parent em2 vnetid 10
inet 10.0.10.1 255.255.255.0 10.0.10.255

hostname.vlan20:
# parent/tag line assumed, as above
parent em2 vnetid 20
# broadcast address corrected to the vlan20 subnet (was 10.0.10.255)
inet 10.0.20.1 255.255.255.0 10.0.20.255
I changed my dhcpd daemon to assign addresses on those subnets and bind to the vlan10, vlan20 and vether0 interfaces, and restarted it.

I added "pass on { vlan10 vlan20 }" rule to /etc/pf.conf and reloaded pf rules.

I assigned IPs manually on my desktop and tried to ping 10.0.20.1, but I can't get even a ping to go through. The wireless AP still functions and I can connect from there to 10.0.10.1 and 10.0.20.1, so the vlan interfaces are up and reachable.

But some more general questions:
I assigned VLAN10 to switch port 1 and set it to "tagged". My understanding is that tagging an interface on Netgear devices should send the VLAN IDs to my OpenBSD router. I did see vlan10 IDs with tcpdump, but I didn't see any mention of vlan20. Should the VLAN20 stuff go through port 1 with my above configuration, or does it require some other tweaks on Netgear's side?

Do I need to do anything special on my gateway side? My understanding is that once traffic flows from the switch, it comes from em2 to the vlan10 and vlan20 interfaces on the router, and then pf rules NAT those forward with the following rules:

Code:
match out on egress from !egress nat-to (egress) set prio (2, 5)
pass on { vlan20 vlan10 }
And once I move my AP from the gateway to switch VLAN20, I can drop the vether0/bridge0 interfaces from my gateway. Is the above correct reasoning, or should I do things differently?
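As an added example, not part of the original post, here is one consistent layout for step 2: port 1 of the switch carries both VLANs tagged, em2 on the gateway carries only those tagged frames, the AP stays on the old em1/vether0 bridge, and pf treats VLAN20 as untrusted so its devices reach the gateway's DHCP/DNS and the internet but nothing else in private address space. The switch port assignments, the `parent`/`vnetid` lines, the `<rfc1918>` table and the bridge0 membership are assumptions, not taken from the post.

```conf
# --- Netgear GS110TP (assumed, set in the web UI) ---
# port 1   : TAGGED member of VLAN 10 and VLAN 20 (trunk to em2)
# ports 2-4: untagged VLAN 10, PVID 10
# ports 5-8: untagged VLAN 20, PVID 20
# A port that is not a member of VLAN 20 never carries VLAN 20 frames,
# which is why only tag 10 showed up on em2 in tcpdump.

# --- /etc/hostname.em2 : trunk, no address of its own ---
up

# --- /etc/hostname.vlan10 ---
parent em2 vnetid 10
inet 10.0.10.1 255.255.255.0 10.0.10.255

# --- /etc/hostname.vlan20 ---
parent em2 vnetid 20
inet 10.0.20.1 255.255.255.0 10.0.20.255

# --- /etc/hostname.bridge0 : AP keeps the old flat network (em2 removed) ---
add em1
add vether0
up

# --- /etc/pf.conf : VLAN-related rules only; rest of the ruleset assumed ---
table <rfc1918> { 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 }

match out on egress from !egress nat-to (egress) set prio (2, 5)

# trusted VLAN: unrestricted
pass on vlan10

# untrusted VLAN: default deny on the way in, then open only what it needs.
# pf is last-match, so keep this group AFTER any general "pass" rules.
block in on vlan20
# DHCP (client port 68 -> server port 67, broadcast) and DNS to the gateway
pass in on vlan20 inet proto udp from any port 68 to any port 67
pass in on vlan20 inet proto { tcp udp } to (vlan20) port 53
# internet only: vlan10, vether0's 10.0.0.0/24 and the gateway itself stay
# unreachable because they all fall inside <rfc1918>
pass in on vlan20 inet from (vlan20:network) to !<rfc1918>
```

To confirm the trunk is carrying both tags before touching pf, `ifconfig vlan20` should show `parent: em2` and `tcpdump -envi em2 vlan 20` should show frames from the desktop on port 5.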