VLAN : on Opnsense or switch or both?
timconsidine last edited by timconsidine
Can’t find good answers by internet search.
Maybe I’m not seeing wood for trees.
Thought maybe some wise person here can point me in right direction.
New leased line to be made live this week (hopefully).
Installed Opnsense on a mini PC.
And have a 24 port switch to distribute connectivity (via patch panel to different rooms with wall ethernet ports).
So leased line —> Opnsense box —> Switch —> patch panel —> rooms.
I was planning to create VLANs for different groups (rooms) on the switch.
But I see Opnsense has VLAN functionality.
So I am confused whether I should set up the VLANs on Opnsense or on Switch … or both?
I’m thinking to keep it simple and do it on switch as I am not sure the firewall needs different rules for each VLAN.
Primary objective of the VLANs is to segregate what devices the different user groups can see/access.
- “war room” (my office)
- family users
- office tenant in building
Firewall is just to implement basic “nothing in, anything out” policy, until I open up selected apps on server in war room.
Is that the source of the answer?
If VLANs have same firewall rules, do it on switch ?
If a VLAN needs different firewall rule(s), do VLAN on Opnsense or just create rule for traffic to an address.
Many thanks for voice of experience and wisdom.
robi last edited by
Depends what you do with the switch.
Generally it's better to do it at the switch level and have one place to manage all VLANs / rules.
Upstream to the switch there doesn't need to be any segmentation (VLANs), unless you have special needs which you haven't mentioned.
Keep it simple and manageable
Agree with @robi here - keep it simple, do it in one place!
@robi thank you - agreed
@doodlemania2 thank you also - good approach
@timconsidine if you want to route between the vlans and push them through the firewall you'll need to do a router on a stick configuration. That is where opnsense vlans will come into play. Unless you have a layer 3 switch.
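To make the router-on-a-stick layout from the reply above concrete, here is an added example (not from any poster in this thread and not OPNsense's own code) that writes out, in the FreeBSD `ifconfig` and `pf` terms OPNsense ultimately applies, what the GUI configures: the switch carries the VLANs as an 802.1Q trunk to one firewall NIC, the firewall gets a tagged child interface per VLAN and acts as each subnet's gateway, and the ruleset implements the "nothing in, anything out" policy while keeping the three groups from reaching each other. The trunk NIC name `igb1`, the VLAN tags and the subnets are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: router-on-a-stick for OPNsense expressed
# as the FreeBSD ifconfig and pf statements behind the GUI.
# Interface name, VLAN tags and subnets below are constructed, not real.

TRUNK_IF="igb1"   # hypothetical LAN NIC carrying the 802.1Q trunk from the switch

# Constructed plan, one VLAN per line: name  tag  gateway(CIDR)  network
VLAN_PLAN="warroom 10 10.0.10.1/24 10.0.10.0/24
family 20 10.0.20.1/24 10.0.20.0/24
tenant 30 10.0.30.1/24 10.0.30.0/24"

# One tagged child interface per VLAN on the trunk. The firewall is the
# gateway of every subnet, so any inter-VLAN traffic has to pass its rules.
vlan_ifconfig_cmds() {
    printf '%s\n' "$VLAN_PLAN" | while read -r name tag gw net; do
        printf 'ifconfig vlan%s create vlan %s vlandev %s\n' "$tag" "$tag" "$TRUNK_IF"
        printf 'ifconfig vlan%s inet %s description %s up\n' "$tag" "$gw" "$name"
    done
}

# pf ruleset: default deny inbound on every interface, then per VLAN allow
# DHCP, DNS to its own gateway, and anything towards non-private addresses.
# Nothing permits one VLAN's network to reach another's, so the groups are
# isolated even though they share the firewall.
pf_rules() {
    printf 'table <private> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }\n'
    printf 'block in log all\n'
    printf '%s\n' "$VLAN_PLAN" | while read -r name tag gw net; do
        gw_ip=${gw%/*}   # strip the prefix length to get the gateway address
        printf '# %s\n' "$name"
        printf 'pass in quick on vlan%s inet proto udp from any port 68 to any port 67 keep state\n' "$tag"
        printf 'pass in quick on vlan%s inet proto { tcp udp } from %s to %s port 53 keep state\n' "$tag" "$net" "$gw_ip"
        printf 'pass in quick on vlan%s inet from %s to !<private> keep state\n' "$tag" "$net"
    done
    printf 'pass out quick all keep state\n'
}

vlan_ifconfig_cmds
echo
pf_rules
```

Opening a selected application on the war-room server later is then a single extra `pass in` rule on the relevant VLAN interface to that server's address and port, which is the "rule for traffic to an address" option from the original question; with the VLANs only on the switch and a flat network behind the firewall, there is no interface on which to place such a rule.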
@Mastadamus thank you
Not currently expecting to route between the VLANs but will bear this in mind.