DaemonForums > OpenBSD > OpenBSD Security
10th February 2019
Zmyrgel
Port Guard
Join Date: May 2008
Posts: 30
VLANs with OpenBSD router


I have a functional OpenBSD 6.4-current router (apu2b4) connected to my WAN, wireless AP and dumb switch. I used the vether0 and bridge0 interfaces to make the router function like a switch. This system works fine, but I recently got devices connected to the switch which I don't want accessing the rest of my network, so I thought to bring in some VLANs to aid securing my network and to learn a bit about them in the process.

I purchased a Netgear GS110TP smart switch to play with some VLANs etc., but I can't wrap my head around how all this should be set up so everything runs smoothly.

So my working gateway config was the following:
em0 (connected to internet)
em1 (connected to wireless AP)
em2 (connected to old unmanaged switch)
vether0 on network
bridge0 (bridge members em1, em2, vether0)

LAN daemons listened on vether0, stuff like httpd, dhcpd, nsd etc.

My plan is to improve things in three steps so as to minimize downtime and the chance of misconfigurations. Step 1 was the easy one: I replaced the unmanaged switch with the managed switch but didn't configure any VLANs etc. Everything still worked fine.

Step 2 is where I'm currently stuck: add two VLANs, VLAN10 for trusted and VLAN20 for untrusted devices, and keep things working with wired connections while keeping the wireless AP working with the old connection.

So I made the following adjustments to the Netgear switch:
Ports 1-4 members of VLAN10, port 1 connected to OpenBSD gateway em2. Port 1 tagged and ports 2, 3, 4 untagged.
Ports 5-8 VLAN20, all untagged.

I connected my desktop to port5 on the switch so it should get assigned to VLAN20.

I added 2 vlan interfaces to the OpenBSD gateway:

I changed my dhcpd daemon to assign addresses on those subnets and bind to the vlan10, vlan20 and vether0 interfaces, and restarted it.

I added "pass on { vlan10 vlan20 }" rule to /etc/pf.conf and reloaded pf rules.

I assigned IPs manually on my desktop and tried to ping, but I can't get even a ping to go through. The wireless AP still functions and I can connect from there to them, so the vlan interfaces are up and reachable.

But more general questions:
I assigned VLAN10 to switch port 1 and set it to "tagged". My understanding is that tagging an interface on Netgear devices should send the VLAN IDs to my OpenBSD router. I did see vlan10 IDs with tcpdump but I didn't see any mention of vlan20. Should the VLAN20 stuff go through port 1 with my above configuration or does it require some other tweaks on Netgear's side?

Do I need to do anything special on my gateway side? My understanding is that once traffic flows from the switch it comes from em2 to the vlan10 and vlan20 interfaces on the router, and then pf rules NAT those forward with the following rules:

match out on egress from !egress nat-to (egress) set prio (2, 5)
pass on { vlan20 vlan10 }
And once I move my AP from the gateway to switch vlan20 I can drop the vether0/bridge0 interfaces from my gateway. Is the above correct reasoning or should I do things differently?
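As an added example that is not part of the original post, the script below stages the OpenBSD-side files for the layout described above (vlan10 trusted, vlan20 untrusted, both carried tagged on em2) into a directory for review, and checks the pf rule order before anything is copied to /etc. It assumes values the thread does not give: 192.168.10.0/24 and 192.168.20.0/24 with the router at .1 on each, DHCP pools .100-.199, em0 as the egress interface, and switch port 1 being a tagged member of VLAN 20 as well as VLAN 10 (otherwise no VLAN 20 frames can arrive on em2 at all). The pf.conf it writes keeps the post's NAT rule but replaces "pass on { vlan20 vlan10 }", which on a forwarding router also routes the untrusted segment into the trusted one, with rules that let vlan20 reach only DHCP and DNS on the router and then the Internet.

```shell
#!/bin/sh
# Added example, not from the original post: stage the OpenBSD-side files for
# the two-VLAN layout (VLAN 10 trusted, VLAN 20 untrusted, both tagged on the
# em2 trunk) into a directory for review, then sanity-check the pf rule order.
# Assumed values (not given in the thread): 192.168.10.0/24 and 192.168.20.0/24
# with the router at .1 on each, DHCP pools .100-.199, and em0 as the egress
# interface. Copy the staged files into /etc only after reviewing them.
set -eu

PARENT="em2"                      # trunk port towards the switch
STAGE="${STAGE:-./vlan-stage}"    # staging root; never writes to /etc

# hostname.vlanN content: tag <id> on the parent, one /24 per VLAN (6.4 syntax)
write_vlan_if() {
    vid=$1; addr=$2
    printf 'vnetid %s parent %s\ninet %s 255.255.255.0\nup\n' "$vid" "$PARENT" "$addr"
}

# dhcpd.conf: one scope per VLAN; the router answers DHCP and DNS on both
write_dhcpd_conf() {
    for net in 10 20; do
        printf 'subnet 192.168.%s.0 netmask 255.255.255.0 {\n' "$net"
        printf '\toption routers 192.168.%s.1;\n' "$net"
        printf '\toption domain-name-servers 192.168.%s.1;\n' "$net"
        printf '\trange 192.168.%s.100 192.168.%s.199;\n}\n' "$net" "$net"
    done
}

# pf.conf: NAT rule kept from the post; the untrusted segment may only use
# DHCP/DNS on the router and the Internet, never the trusted segment
write_pf_conf() {
    cat <<'EOF'
trusted = "vlan10"
untrusted = "vlan20"

set skip on lo
block return log

# NAT rule as in the post
match out on egress from !egress nat-to (egress) set prio (2, 5)

# trusted segment: unrestricted (floating state covers the outbound leg)
pass in on $trusted

# untrusted segment: DHCP and DNS on the router are allowed first (quick),
# then anything aimed at the trusted segment or the router itself is dropped,
# and what remains (Internet-bound traffic) is passed and NATed
pass in quick on $untrusted proto udp to port { 67 53 }
pass in quick on $untrusted proto tcp to port 53
block in quick on $untrusted to { $trusted:network $untrusted }
pass in on $untrusted from $untrusted:network

# traffic the router itself originates
pass out
EOF
}

# rc.conf.local: bind dhcpd to the VLAN interfaces (vether0 kept during step 2)
write_rc_conf_local() {
    printf 'dhcpd_flags="vlan10 vlan20 vether0"\n'
}

stage_all() {
    mkdir -p "$STAGE/etc"
    write_vlan_if 10 192.168.10.1 > "$STAGE/etc/hostname.vlan10"
    write_vlan_if 20 192.168.20.1 > "$STAGE/etc/hostname.vlan20"
    write_dhcpd_conf > "$STAGE/etc/dhcpd.conf"
    write_pf_conf > "$STAGE/etc/pf.conf"
    write_rc_conf_local > "$STAGE/etc/rc.conf.local"
}

# With "quick" the first matching quick rule wins, so the DHCP/DNS allowance
# for the untrusted segment must precede its quick block; if the order were
# reversed, untrusted clients would never get a lease. Returns 0 when the
# staged pf.conf has the allowance before the block.
check_isolation() {
    conf="$STAGE/etc/pf.conf"
    allow=$(grep -nF 'pass in quick on $untrusted proto udp' "$conf" | cut -d: -f1)
    blk=$(grep -nF 'block in quick on $untrusted' "$conf" | cut -d: -f1)
    [ -n "$allow" ] && [ -n "$blk" ] && [ "$allow" -lt "$blk" ]
}

stage_all
check_isolation && echo "staged under $STAGE; pf rule order OK (review, then pfctl -nf)"
```

Before copying anything into /etc, run `pfctl -nf` on the staged pf.conf to parse it, and after bringing the interfaces up, confirm with tcpdump on em2 that tagged frames for both VLAN 10 and VLAN 20 arrive from the switch; with the default floating state policy the `pass in` rules on the VLAN interfaces are enough for the forwarded leg out of egress.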
