OPNsense router-on-a-stick proof-of-concept with Cisco switch

Related posts:

• Musings on setting up router-on-a-stick on OPNsense router and Cisco switch
• Configuring router-on-a-stick on Cisco router and switch in Packet Tracer

At this point in the process I’ve written out the idea, polished off some of my Cisco CLI rust by going through a test configuration, and wrote out a list of things I needed to figure out to replace the Cisco router with my OPNsense firewall/router.

I had come across this post and also this post in my initial research, and figured I’d need to adapt a pfSense guide to work with OPNsense - and was prepared to do so. Lucky for me, I decided to dig a little bit more into it. I figured I wasn’t the first LAN enthusiast to purchase a 2-port firewall device and run into more segmentation issues down the road. Turns out I was right! This post basically did all the work for me - Martin, wherever you are, big thanks! (And to Michael for inspiring that post.)

I ended up massively simplifying the configuration outlined in the post, as I just wanted to proof-of-concept this before making any purchases. Here’s what I went with:

• USER VLAN 10, subnet 10.1.10.0/24
• MGMT VLAN 99, subnet 10.1.99.0/24

Note

I went with 10.1.*.* instead of 10.0.*.* just to avoid conflict with my existing LAN running on 10.0.99.0/24, as I want the third octet to match the VLAN #.

Configure switch

The switch I nabbed from work is a Cisco C3560 running IOS 12.2(25)SE.

Configuration commands:

! General configuration
enable
configure terminal
hostname switch
no ip domain-lookup
enable secret cisco
service password-encryption
ip default-gateway 10.0.99.1

! SSH configuration
ip domain-name lan.local
crypto key generate rsa general-keys modulus 1024
username cisco password cisco
int vlan 20
no shutdown
ip address 10.0.99.3 255.255.255.0
line vty 0 15
transport input ssh
logging synchronous
login local

! Console line configuration
line console 0
logging synchronous
password cisco
login

! Create VLANs
vlan 10
name user
vlan 99
name mgmt
vlan 101 ! unused/parking VLAN
name park

! Configure trunk port
interface FastEthernet 0/1
description Trunk port to OPNsense router
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 10,99
no shutdown

! Configure User (VLAN 10) port
interface FastEthernet 0/2
description User access port VLAN 10
switchport mode access
switchport access vlan 10
no shutdown

! Configure Mgmt (VLAN 99) port
interface FastEthernet 0/24
description Mgmt access port VLAN 99
switchport mode access
switchport access vlan 99
no shutdown

! Shutdown other ports and assign to unused VLAN (101)
interface range FastEthernet 0/3-23
description VLAN 101 unused
switchport mode access
switchport access vlan 101
shutdown
interface range GigabitEthernet 0/1-2
description VLAN 101 unused
switchport mode access
switchport access vlan 101
shutdown

end
write

OPNsense router

As a review, here’s what we need to figure out, and answers / solutions:

• Sub-interfaces
  • Creating VLANs will accomplish this! You set a parent interface on the VLAN when you create it.
• dot1q encapsulation
  • dot1q is the default when you create a VLAN. Where OPNsense (BSD) runs into issues seems to be with the native VLAN / untagged traffic - source - general advice is to set the native VLAN to something unused on the switch, thus not sending any untagged traffic to the router.
• DHCP
  • IP addresses/subnets and DHCP can be assigned per VLAN interface on the router, as they’re essentially virtual interfaces.
• Firewall rules (ACLs)
  • With all the former being possible, this will be easy. I wasn’t really worried about this part.

Also, I didn’t think about setting DNS per interface until writing this, but that should be easy.

Really the bottleneck / my confusion here was how to create the “sub-interfaces” - now that I know it’s just creating VLANs, the rest of the configuration mostly falls into place.

Creating sub-interfaces / VLANs

I will always despise writing instructions to navigate a GUI, but here we are again. I’d rather do this than screenshot everything.

• Interfaces → Other Types → VLAN
  • ”+” to create VLAN 10
    • Parent interface: LAN
    • VLAN tag: 10
    • VLAN priority: Best effort (0, default)
    • Description: USER
  • ”+” to create VLAN 99
    • Parent interface: LAN
    • VLAN tag: 99
    • VLAN priority: Best effort (0, default)
    • Description MGMT
• Interfaces → Assignments
  • Assign VLAN 10 with description USER
  • Assign VLAN 99 with description MGMT
• Interfaces → [USER]
  • Enable interface: checked
  • Prevent interface removal: checked
  • IPv4 configuration type: Static IPv4
  • IPv4: 10.1.10.1/24
  • Save and Apply changes
• Interfaces → [MGMT]
  • Enable interface: checked
  • Prevent interface removal: checked
  • IPv4 configuration type: Static IPv4
  • IPv4: 10.1.99.1/24
  • Save and Apply changes

DHCP

Pretty straightforward here. Enable DHCP per interface and allocate a range of addresses to give out to devices.

• Services → ISC DHCPv4 → [USER]
  • Enable DHCP server
  • Range from 10.1.10.100 to 10.1.10.199
• Services → ISC DHCPv4 → [MGMT]
  • Enable DHCP server
  • Range from 10.1.99.100 to 10.1.99.199

DNS

Also very straightforward. Simply enable DNS on the new VLAN interfaces.

• Services → Unbound DNS → General
  • Under Network Interfaces, check new interfaces MGMT and USER

Firewall rules

I’m done for this evening. Will figure these out later! (I’m not procrastinating, you’re procrastinating!)

Verifying config

Connected the switch to the router via the port I set to trunk, then connected my laptop to the switch’s access ports one-by-one. I got an IP, and internet access!

Next steps

Model out my network

I will definitely be adding at least one VLAN to the current configuration - guest network totally isolated from others, for all untrusted devices. Might end up with more, we will see.

But I want to take a little effort and model it out so that the numbering makes sense and it’s not a total mess to extend or alter configuration later. I really like the idea of having VLAN in the third octet, for example.

We’ll see what ideas come to mind.

Research and purchase a switch

I’m tired of shitty consumer grade networking equipment - gonna bite the bullet and buy a modern business-grade Cisco switch.

I just wanted to avoid the situation I found myself in right after having this idea, with my Netgear “business-grade” switch - I am NOT about to sign up for a Meraki account just to log into my damn switch, or pay a subscription fee to access features baked into the switch. Doing my homework to ensure that doesn’t happen.

From what I can tell, I think the Cisco Business Switch 350 series will meet my needs (and probably then some). The 8- or 16-port non-PoE models range from about $150-250 on ebay, very doable.

• Cisco CBS350 Models comparison
• Cisco CBS350 Administration guide
• Cisco CBS350 CLI manual

EOF