DaemonForums > OpenBSD > OpenBSD Security
#1 - 10th August 2020 - Crypt (Port Guard; joined Aug 2008; Whitby, Ontario; 36 posts)
OpenBSD Vlan setup

Greetings,

I am currently in the process of setting up a new firewall/router using OpenBSD 6.7 due to some issues I am having with my current firewall. I have multiple VLANs configured on my switch and existing firewall. In my case, I have VLANs 1, 10 and 999. The problem I am having is that I have seen a couple of walkthroughs for this where they have em0 and em1, but assign the parent to em0. Should I be assigning the hostname.vlan10 as such:

inet 192.168.0.2 255.255.255.0 192.168.0.255 vnetid 10 parent em0

or should it be

inet 192.168.0.2 255.255.255.0 192.168.0.255 vnetid 10 parent em1

Any assistance would be greatly appreciated.
#2 - 11th August 2020 - jggimi (More noise than signal; joined May 2008; USA; 7,984 posts)

  • The parent you assign provisions the physical NIC (Network Interface Connector) that will carry the tagged Ethernet (VLAN) frames.
  • The names "em0" and "em1" you've seen in walkthroughs refer to the first and second NICs that happen to use the em(4) driver.
  • Your hardware's NICs may not use the em(4) driver at all. Your dmesg(8) output will show which NICs your kernel can find.
#3 - 11th August 2020 - Crypt (Port Guard; joined Aug 2008; Whitby, Ontario; 36 posts)

Oddly enough, my system uses em0 and em1, which seem to be the default for Intel-based NICs. I should have said that em0 is for the WAN connection and em1 is for the private side. Also, minus the IPs, the two inet lines I posted earlier are directly from my system configuration. Though, I might have figured it out. Once I get PF all configured, I'll be doing the connectivity testing.
#4 - 11th August 2020 - jggimi (More noise than signal; joined May 2008; USA; 7,984 posts)

I happen to use a VLAN infrastructure that doesn't have an internal vs. external NIC. All physical NICs are both private and Internet-facing, using VLANs to define all connections. I accomplish this with a managed switch, where the VLANs are mapped to physical ports -- some shared, some unique.

Additionally, each server has three physical NICs, vr0-vr2, which are aggregated into a single trunk(4) pseudo-NIC, and the servers use carp(4) for high availability.
  • Each server is connected into 3 ports on the managed switch. Physical connectivity of 2 servers is simply 6 separate Ethernet cables.
  • All VLANs are defined with trunk0 as the parent NIC, the aggregate of each server's 3 physical NICs. The managed switch I have supports the trunk(4) aggregation.
  • The gateway (internet-facing) subnet is just one of many VLANs; an untagged port on the switch is mapped to this VLAN and connects to the ISP.
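As an added example that is not from the thread (both setups are described only in prose above), here is a POSIX sh script that produces the hostname.if(5) lines for the two layouts discussed: the single-parent VLAN from the question, and the trunk(4) aggregate with carp(4) on top from this post. It also runs the two checks that catch the usual mistakes before `sh /etc/netstart`: a vnetid outside 1..4094, and a parent name the kernel never attached (the dmesg point made in post #2). Everything except the interface names already mentioned in the thread (em0, em1, vr0-vr2, trunk0, vlan10) and the 192.168.0.0/24 addresses from the question is an assumption: the lacp trunk protocol, the carp vhid, password and advskew, the second firewall's address, and the constructed KNOWN_IFS list standing in for real `ifconfig -a` output.

```shell
#!/bin/sh
# Added example, not code from the thread: generate hostname.if(5) contents
# for (a) a VLAN on one physical parent and (b) VLANs on a trunk(4) aggregate
# with carp(4) on top, with sanity checks before running `sh /etc/netstart`.
# Assumptions: trunk protocol, carp vhid/pass/advskew, the 192.168.0.3/.1
# addresses, and the constructed KNOWN_IFS list.

# Directed broadcast from a dotted address and mask.  hostname.if(5) takes
# "inet addr netmask broadcast options", so the broadcast field must be
# present before options such as "vnetid" and "parent" can follow.
broadcast_of() {
    addr=$1 mask=$2
    oldifs=$IFS
    IFS=.
    set -- $addr; a1=$1 a2=$2 a3=$3 a4=$4
    set -- $mask; m1=$1 m2=$2 m3=$3 m4=$4
    IFS=$oldifs
    echo "$((a1 | (255 - m1))).$((a2 | (255 - m2))).$((a3 | (255 - m3))).$((a4 | (255 - m4)))"
}

# Interfaces the kernel attached.  On the real box build this list with
#   ifconfig -a | sed -n 's/^\([a-z]*[0-9][0-9]*\):.*/\1/p'
# and compare against dmesg(8), which shows which driver claimed each NIC.
# Constructed sample merging both layouts so the example runs offline;
# trunk0 is listed because hostname.trunk0 is configured before any vlan file.
KNOWN_IFS="lo0 em0 em1 vr0 vr1 vr2 trunk0 enc0 pflog0"

parent_known() {
    for i in $KNOWN_IFS; do [ "$i" = "$1" ] && return 0; done
    return 1
}

# One line for /etc/hostname.vlanN.  802.1Q tags run 1..4094; the parent is
# the NIC (or trunk) that actually carries the tagged frames.
vlan_hostname_if() {
    parent=$1 vnetid=$2 addr=$3 mask=$4
    case $vnetid in
        ''|*[!0-9]*) echo "vnetid must be numeric: '$vnetid'" >&2; return 1 ;;
    esac
    if [ "$vnetid" -lt 1 ] || [ "$vnetid" -gt 4094 ]; then
        echo "vnetid $vnetid outside 1..4094" >&2; return 1
    fi
    parent_known "$parent" || { echo "parent $parent not found; check dmesg" >&2; return 1; }
    echo "inet $addr $mask $(broadcast_of "$addr" "$mask") vnetid $vnetid parent $parent"
}

# One line for /etc/hostname.trunk0: the aggregate of several physical ports.
# The managed switch must aggregate the same ports with the same protocol.
trunk_hostname_if() {
    proto=$1; shift
    out="trunkproto $proto"
    for p in "$@"; do out="$out trunkport $p"; done
    echo "$out"
}

# One line for /etc/hostname.carpN: a shared address on top of a VLAN so two
# firewalls can share that VLAN's gateway address.
carp_hostname_if() {
    dev=$1 vhid=$2 pass=$3 skew=$4 addr=$5 mask=$6
    echo "inet $addr $mask $(broadcast_of "$addr" "$mask") vhid $vhid pass $pass carpdev $dev advskew $skew"
}

# (a) the layout from the question: one physical parent behind the switch trunk port
echo "hostname.vlan10:  $(vlan_hostname_if em1 10 192.168.0.2 255.255.255.0)"
# (b) the layout from this post: three ports aggregated, VLANs on the trunk, carp on the VLAN
echo "hostname.trunk0:  $(trunk_hostname_if lacp vr0 vr1 vr2)"
echo "hostname.vlan10:  $(vlan_hostname_if trunk0 10 192.168.0.3 255.255.255.0)"
echo "hostname.carp10:  $(carp_hostname_if vlan10 10 carp_secret 0 192.168.0.1 255.255.255.0)"
```

Each function prints exactly what goes into one /etc/hostname.* file. netstart(8) configures physical interfaces first, then trunk, then vlan, then carp, so the parent exists by the time its VLAN is created. The carp line carries the shared password, which is why hostname.if files are readable by root only. After writing a file, `sh /etc/netstart vlan10` brings up just that interface, and `ifconfig vlan10` should show the parent and vnetid you expect.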
#5 - 12th August 2020 - Crypt (Port Guard; joined Aug 2008; Whitby, Ontario; 36 posts)

Greetings,

I also have a managed switch that has a few VLANs on it. My hardware firewall died and I ended up creating one with OPNsense as a virtual machine on my ESXi server. I have been having issues with that as well and finally decided to just build one out with OpenBSD, as I already have 2 OpenBSD DNS servers running that do ad blocking. I have thought of securing the web access more, but how far down that rabbit hole do I really want to go?

So I have a management VLAN, an internal VLAN and an IoT VLAN, which cannot talk to one another. I am also running an access point that is VLAN capable as well.

I currently have:
inet 192.168.0.2 255.255.255.0 192.168.0.255 vnetid 10 parent em1
listed under /etc/hostname.vlan10 and I am able to ping the assigned IP. Once I finish with the PF configuration, I'll know if this will still work or if I need changes.

Currently, I have a NIC specifically assigned on my ESXi server for the firewall. em0 goes directly to the modem and em1 goes to the managed switch. The switch has 2 trunked ports, one that goes back to the firewall/router and the other is for the access point.

All this in my apartment.
#6 - 12th August 2020 - jggimi (More noise than signal; joined May 2008; USA; 7,984 posts)

Here's a "graphic" of the infrastructure:
Code:
There are 8 physical ports in use on my small managed switch:

{Internet} -- 
     {LAN} --
     {FW1} -- 3x
     {FW2} -- 3x
I used to have 7 VLANs, but I'm down to having only 4, now: Internet, LAN, Intra-Server, and switch management.
#7 - 13th August 2020 - Crypt (Port Guard; joined Aug 2008; Whitby, Ontario; 36 posts)

This is what i currently have in mine:

##################
# Variables      #
##################
wan = "em0"
intra = "vlan10"
iot = "vlan999"
mgmt = "vlan1"

Last edited by Crypt; 13th August 2020 at 01:57 AM.
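An added example that is not from the thread, continuing the macros in this post: a sh script that emits a complete pf.conf enforcing the isolation described in post #5 (each VLAN reaches the Internet, none reaches another, only the management VLAN reaches the firewall, and only over ssh), plus an offline awk lint for macro ordering, since pf.conf(5) requires a macro to be defined before it is referenced. The table, the rule set and the ssh-only rule are my assumptions about the intended policy; the macro names and values are the ones posted.

```shell
#!/bin/sh
# Added example, not code from the thread: a pf.conf built on the posted
# macros, isolating the three VLANs from each other, plus an offline lint that
# catches a macro referenced before it is defined.  The <private> table and
# the rule set are assumptions about the intended policy.

gen_pf_conf() {
    cat <<'EOF'
##################
# Variables      #
##################
wan = "em0"
intra = "vlan10"
iot = "vlan999"
mgmt = "vlan1"

# address space the VLANs must not reach across each other
table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
block return log all

# NAT behind the WAN address; the match rule must precede the quick pass
match out on $wan inet from ! ($wan:network) nat-to ($wan:0)
pass out quick on $wan inet

# each VLAN may leave for the Internet but may not cross into another VLAN
pass in on $intra inet from ($intra:network) to ! <private>
pass in on $iot   inet from ($iot:network)   to ! <private>
pass in on $mgmt  inet from ($mgmt:network)  to ! <private>

# only the management VLAN may reach the firewall itself, and only over ssh
pass in on $mgmt inet proto tcp from ($mgmt:network) to ($mgmt) port ssh
EOF
}

# Offline lint: every $name referenced must be defined as a macro on an
# earlier line.  Comments are ignored.  Exit status 1 if anything is undefined.
check_macros() {
    awk '
        BEGIN { bad = 0 }
        /^[A-Za-z_][A-Za-z0-9_]* *=/ { name = $0; sub(/ *=.*/, "", name); defined[name] = 1 }
        {
            line = $0
            sub(/#.*/, "", line)
            while (match(line, /\$[A-Za-z_][A-Za-z0-9_]*/)) {
                ref = substr(line, RSTART + 1, RLENGTH - 1)
                if (!(ref in defined)) {
                    printf "line %d: macro $%s used before definition\n", NR, ref
                    bad = 1
                }
                line = substr(line, RSTART + RLENGTH)
            }
        }
        END { exit bad }
    '
}

# Usage: lint the generated ruleset, then print it for /etc/pf.conf.
gen_pf_conf | check_macros && gen_pf_conf
```

`pfctl -nf /etc/pf.conf` parses the file without loading it and is the real check; the awk lint only covers macro ordering, for editing on a box without pfctl. After `pfctl -f /etc/pf.conf`, `pfctl -sr` prints the rules with macros expanded, which is the quickest way to confirm that $iot really became vlan999 and that no rule lets one VLAN into another.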