Creating a VLAN on OPNsense


In this post, we will create a VLAN on OPNsense, add and configure it on a Netgear switch, and then add it to a Unifi access point to create a new WiFi network on that VLAN.

Note: this post is meant as a reference guide and does not explain what a VLAN is or how 802.1Q tagging works. Those details can be found in the articles in the References section of this post.

Adding a VLAN on OPNSense

Create a new Interface

  • Go to Interfaces > Other Types > VLAN
  • Click Add
  • Set each option in the new dialogue
    • Device --> Leave empty to have OPNsense generate the device name
    • Parent --> The physical port the VLAN is carried on, i.e. the tagged link towards your switch.
    • VLAN tag --> The 802.1Q tag of the VLAN, 1 to 4094. Avoid 1, which is the untagged default VLAN on most switches, and do not reuse a tag from a VLAN you have already created.
    • VLAN priority --> The 802.1p priority (0 to 7) of the VLAN traffic; the default is fine unless you need QoS
    • Description --> A short description of the VLAN
  • Click Save, then Apply, to create the new VLAN device

Create logical interface

  • After creating the VLAN device in the previous section, it should now have a name under the Device column. Make a note of it.
  • Go to Interfaces > Assignments
  • In the selection box beside New interface, select the device name from the previous step.
  • Click the + button
  • Click Save to save the changes
  • The interface should now show up under the Interfaces menu, under the same name as the Interface (ID) in the Assignments page (for example OPT1)
  • Select the new interface from the menu
  • Check Enable Interface and Prevent interface removal
  • In the IPv4 Configuration Type selection box, choose Static IPv4 (other configuration types are not covered by this post)
  • In the IPv4 address box, enter the address to use for the interface and pick the subnet size from the drop-down beside it. For example, I assigned 192.168.50.1 with /24 to my VLAN with tag 50; I always use .1 as the gateway address of a VLAN.
  • Click Save, then Apply changes

Enable DHCP

  • Go to Services > DHCPv4 > [Name of new interface] (labelled ISC DHCPv4 on recent releases)
  • Tick Enable DHCP server on the [Name of new interface] interface
  • Enter the range of addresses to hand out to clients on the VLAN. It must lie inside the interface's subnet and exclude the gateway address, for example 192.168.50.100 to 192.168.50.200 for 192.168.50.1/24.

Note: If you get a No available address range for configured interface subnet size warning in the Available range box, your IPv4 address settings from the previous step are too restrictive. For example, you may have set a CIDR suffix of /32, which only allows for one host.

  • Click Save

Add Firewall Rules

In this section we will allow the VLAN to reach the Internet (WAN) but block it from reaching the other internal networks. Note that traffic between two hosts on the same VLAN is switched at layer 2 and never passes through OPNsense, so it cannot be blocked with firewall rules; client isolation within a VLAN has to be done on the switch or access point.

  • Go to Firewall > Aliases
  • Create a new alias
    • Enabled --> checked
    • Name --> Internal_Networks
    • Type --> Network(s)
    • Categories --> leave blank
    • Content --> Add every internal subnet in network form. For example I have 192.168.1.0/24, 192.168.20.0/24, 192.168.30.0/24, 192.168.40.0/24 and 192.168.50.0/24. Listing the three RFC 1918 blocks (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) instead covers VLANs you add later without editing the alias.
    • Description --> All internal IP addresses
  • Click Apply
  • Go to Firewall > Rules > [Name of new interface]
  • Create a new rule
    • Action --> Block
    • Disabled --> unchecked
    • Quick --> checked Apply the action immediately on match
    • Interface --> [Name of new interface]
    • Direction --> in
    • TCP/IP Version --> IPv4
    • Protocol --> any
    • Source / Invert --> unchecked
    • Source --> [Name of new interface] net
    • Destination / Invert --> unchecked
    • Destination --> Internal_Networks
    • Destination port range --> from: any, to: any
    • Log --> checked Log packets that are handled by this rule
    • Category --> leave blank
    • Description --> Blocks all internal IP addresses
    • Advanced features --> leave as defaults
  • Click Save
  • Create a new rule
    • Action --> Pass
    • Disabled --> unchecked
    • Quick --> checked Apply the action immediately on match
    • Interface --> [Name of new interface]
    • Direction --> in
    • TCP/IP Version --> IPv4
    • Protocol --> any
    • Source / Invert --> unchecked
    • Source --> [Name of new interface] net
    • Destination / Invert --> unchecked
    • Destination --> any
    • Destination port range --> from: any, to: any
    • Log --> unchecked
    • Category --> leave blank
    • Description --> Default allow LAN to any rule
    • Advanced features --> leave as defaults
  • Make sure the Block rule is above the Pass rule. Both have Quick set, so OPNsense evaluates the rules top to bottom and the first matching rule wins; with the order reversed the Pass rule would match first and the Block rule would never be reached.
  • Click Save
  • Click Apply changes

Note: Internal_Networks contains the new VLAN's own subnet, so the Block rule also stops clients from reaching OPNsense itself at 192.168.50.1. DHCP still works, because OPNsense adds automatic rules for its own DHCP server, but DNS will not if the DHCP server hands out 192.168.50.1 as the resolver (the default when Unbound is enabled and the DNS servers field is left empty). If the VLAN should use OPNsense for DNS and NTP, add a Pass rule above the Block rule with Destination This Firewall and destination ports 53 and 123. These rules are IPv4 only; if the interface also has IPv6 enabled, add matching IPv6 rules or that traffic falls through to the default deny.
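The following is an added example, not code from the original post or from OPNsense: a small model of how OPNsense evaluates the two rules above on the new VLAN interface. Rules with Quick set are first-match, so order decides the outcome, and the model also shows the pitfall of this rule set: because Internal_Networks contains the VLAN's own subnet, the Block rule cuts clients off from DNS on 192.168.50.1 unless a narrower Pass rule sits above it. The `dns_exception` rule (standing in for a Destination This Firewall rule), the sample addresses and the treatment of same-VLAN traffic as switched are this example's assumptions.

```python
"""Model of OPNsense first-match ("Quick") rule evaluation on a VLAN interface.
Added example; addresses and the 'dns_exception' rule are assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Sequence, Tuple

VLAN50 = ip_network("192.168.50.0/24")            # subnet of the new VLAN
FIREWALL_ON_VLAN50 = ip_address("192.168.50.1")   # OPNsense's address on it

# Contents of the Internal_Networks alias, in network form (constructed sample)
INTERNAL_NETWORKS = [ip_network(n) for n in (
    "192.168.1.0/24", "192.168.20.0/24", "192.168.30.0/24",
    "192.168.40.0/24", "192.168.50.0/24")]


@dataclass
class Rule:
    action: str                          # "pass" or "block"
    source: IPv4Network                  # "[interface] net"
    destination: Sequence[IPv4Network]   # alias contents; empty means "any"
    ports: Sequence[int] = ()            # destination ports; empty means "any"
    description: str = ""

    def matches(self, src, dst, port) -> bool:
        return (src in self.source
                and (not self.destination or any(dst in n for n in self.destination))
                and (not self.ports or port in self.ports))


def evaluate(rules: Sequence[Rule], src: str, dst: str, port: int) -> Tuple[str, str]:
    """Verdict for a new connection from src to dst:port entering the VLAN
    interface. Returns (action, reason). Protocol is ignored for brevity."""
    s, d = ip_address(src), ip_address(dst)
    # Two hosts on the same VLAN talk over the switch; the frame never reaches pf.
    if s in VLAN50 and d in VLAN50 and d != FIREWALL_ON_VLAN50:
        return "switched", "same VLAN: the firewall never sees this traffic"
    for rule in rules:                   # Quick rules: the first match wins
        if rule.matches(s, d, port):
            return rule.action, rule.description
    return "block", "no rule matched: OPNsense's implicit default deny"


block_internal = Rule("block", VLAN50, INTERNAL_NETWORKS,
                      description="Blocks all internal IP addresses")
allow_any = Rule("pass", VLAN50, [], description="Default allow LAN to any rule")
AS_IN_POST = [block_internal, allow_any]

# Hypothetical extra rule placed first: "This Firewall" on ports 53 and 123
dns_exception = Rule("pass", VLAN50, [ip_network("192.168.50.1/32")], (53, 123),
                     "Allow DNS/NTP to this firewall")
WITH_DNS_EXCEPTION = [dns_exception, block_internal, allow_any]

if __name__ == "__main__":
    for label, rules in (("as in the post", AS_IN_POST),
                         ("with DNS exception", WITH_DNS_EXCEPTION)):
        print(label, "->", evaluate(rules, "192.168.50.10", "192.168.50.1", 53))
```

Running it shows the VLAN client reaching OPNsense's resolver is blocked with the post's two rules and passed once the exception is in front; reordering the two original rules (Pass first) lets the client reach 192.168.1.10, which is exactly what the ordering bullet above warns about.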

Adding a VLAN to a Netgear switch

Note: These steps will only work on a managed switch.

If your switch model is not listed below, your steps may differ.

GS308E

These steps are relevant to the Netgear switch model GS308E.

  • Navigate to the IP address of the switch in a browser
  • Go to VLAN > 802.1Q > Advanced > VLAN Configuration
  • Set Advanced 802.1Q VLAN to Enable.
  • When prompted, click OK.
  • In the VLAN ID field, enter the ID of the VLAN you wish to create and click Add. Note: This is the ID from the very first step of this post, where we assigned a VLAN tag.

In this example, I added a VLAN ID of 50.

  • Go to VLAN > 802.1Q > Advanced > VLAN Membership
  • In the VLAN ID drop down menu, select the VLAN ID you just added
  • Click each port until it shows the required membership: T (tagged) for trunk ports towards OPNsense, other switches or access points, U (untagged) for access ports, and blank for ports that should not carry the VLAN at all
  • Click Apply.

In this example I've set port 8 to T, so it can pass traffic through to my second managed switch, and port 4 to T, so I can set up a new WiFi network with my Unifi APs.

For a port set to U, also change its PVID to the new VLAN ID under VLAN > 802.1Q > Advanced > Port PVID; otherwise untagged frames arriving on that port are still placed in VLAN 1. The GS724T section below shows the same change on that model.


GS724T

These steps are relevant to the Netgear switch model GS724T.

  • Navigate to the IP address of the switch in a browser
  • Go to Switching > VLAN > Advanced > VLAN Configuration
  • Add the VLAN ID, VLAN Name, and set VLAN Type to static
  • Click Add
  • Go to Switching > VLAN > Advanced > VLAN Membership
  • In the VLAN ID drop down menu, select the VLAN ID you just added
  • Click each port until it shows the required membership: T (tagged) for trunk ports, U (untagged) for access ports, and blank for ports that should not carry the VLAN
  • Click Apply.

Changing an access port between VLAN IDs

In this example, port 19 is currently assigned to VLAN 1 (LAN), but I am moving it to VLAN 50.

  • Go to Switching > VLAN > Advanced > VLAN Membership
  • In the VLAN ID drop down menu, select VLAN ID 50
  • Click port 19 until it shows U
  • Click Apply
  • Go to Switching > VLAN > Advanced > Port PVID Configuration
  • Select port 19 (g19)
  • Change the Configured PVID field from 1 to 50 and the VLAN Member field from 1,50 to 50
  • Click Apply
  • Go to Switching > VLAN > Advanced > VLAN Membership
  • In the VLAN ID drop down menu, select VLAN ID 1
  • Click port 19 until it is blank
  • Click Apply
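The following is an added example, not code from the original post or from Netgear: a small model of 802.1Q ingress and egress on switch ports, used to show why moving an access port to another VLAN takes all three edits above (U membership in the new VLAN, the port's PVID, and removal from the old VLAN). It goes a little beyond the post by also running tagged frames through the trunk. Port names, the intermediate stages and the uplink layout are this example's assumptions.

```python
"""Model of 802.1Q ingress classification and egress tagging on switch ports.
Added example; port names, stages and the uplink layout are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Port:
    pvid: int                                                  # VLAN for untagged ingress frames
    membership: Dict[int, str] = field(default_factory=dict)   # vid -> "T" (tagged) / "U" (untagged)


@dataclass(frozen=True)
class Frame:
    vid: Optional[int]   # 802.1Q VID on the wire; None means the frame is untagged


def ingress(port: Port, frame: Frame) -> Optional[int]:
    """Classify an arriving frame into a VLAN; None means the switch drops it.
    Assumes ingress filtering: tagged frames are accepted only for VLANs the
    port is a member of."""
    if frame.vid is None:
        return port.pvid
    return frame.vid if frame.vid in port.membership else None


def egress(port: Port, vid: int) -> Optional[Frame]:
    """How a frame in `vid` leaves this port, or None if the port is not in it."""
    mode = port.membership.get(vid)
    if mode == "T":
        return Frame(vid)       # stays tagged, e.g. towards OPNsense or another switch
    if mode == "U":
        return Frame(None)      # tag stripped, e.g. towards an end host
    return None


def flood(switch: Dict[str, Port], in_port: str, frame: Frame) -> Dict[str, Frame]:
    """Flood a frame (broadcast / unknown destination) to every other port in
    the frame's VLAN. MAC learning is left out: the point is VLAN scope."""
    vid = ingress(switch[in_port], frame)
    if vid is None:
        return {}
    out: Dict[str, Frame] = {}
    for name, port in switch.items():
        if name != in_port and (sent := egress(port, vid)) is not None:
            out[name] = sent
    return out


def build_switch(stage: str) -> Dict[str, Port]:
    """Three ports around the access port being moved (stage names are this
    example's own, describing intermediate states of the steps above):
      before        g19 still an access port in VLAN 1
      member_added  g19 made U in VLAN 50 but PVID still 1
      pvid_changed  PVID set to 50 but g19 left as a U member of VLAN 1
      done          PVID 50 and member of VLAN 50 only"""
    g19 = {
        "before":       Port(pvid=1,  membership={1: "U"}),
        "member_added": Port(pvid=1,  membership={1: "U", 50: "U"}),
        "pvid_changed": Port(pvid=50, membership={1: "U", 50: "U"}),
        "done":         Port(pvid=50, membership={50: "U"}),
    }[stage]
    return {
        "uplink": Port(pvid=1, membership={1: "U", 50: "T"}),  # to OPNsense: VLAN 1 native, 50 tagged
        "g3":     Port(pvid=1, membership={1: "U"}),           # an ordinary host on VLAN 1
        "g19":    g19,
    }


if __name__ == "__main__":
    for stage in ("before", "member_added", "pvid_changed", "done"):
        sw = build_switch(stage)
        print(stage, "| host on g19 ->", flood(sw, "g19", Frame(None)),
              "| host on g3 ->", flood(sw, "g3", Frame(None)))
```

The output makes the three edits concrete: adding U membership alone changes nothing for the host on g19 (its untagged frames still land in VLAN 1 via the PVID); changing the PVID moves its traffic into VLAN 50, but while g19 remains a member of VLAN 1 every VLAN 1 broadcast from g3 still leaks out of g19 untagged; only after removing it from VLAN 1 is the port isolated.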

Adding a new WiFi Network to Unifi AP

Create Network

  • Navigate to Unifi Network in your browser
  • Go to Settings > Networks
  • Click Create New Network
    • Network Name - The name of the new network
    • Auto Scale Network - Unchecked
    • Host Address - The gateway IP assigned in OPNsense (e.g. 192.168.50.1)
    • Advanced Configuration - Manual
    • VLAN ID - The ID of the VLAN that was created
    • Network Type - Standard
    • IGMP Snooping - Unchecked
    • Multicast DNS - Unchecked
    • DHCP - Leave the default settings. DHCP for this VLAN is served by OPNsense as configured above; without a UniFi gateway nothing in Unifi acts on this setting.
  • Click Add Network

Create new WiFi Network

  • Go to Settings > WiFi
  • Click Create New WiFi Network
    • Name - SSID of the new WiFi Network
    • Password - Password of the new WiFi Network
    • Network - Name of the network from the previous step
    • Broadcasting APs - APs you want to broadcast the new SSID
  • Click Add WiFi Network

Clients on this SSID are tagged with the VLAN ID by the AP, so the switch port the AP is plugged into must carry the VLAN tagged (port 4 set to T in the GS308E example above) while the AP's own management traffic stays on the untagged VLAN. Use WPA2 or WPA3 with a strong passphrase: anyone who joins this SSID lands inside VLAN 50 and is only constrained by the firewall rules above.

References