Similar in concept to my WireGuard spaced repetition post - I want to reinforce my learning by doing something over again from memory, as best I can.
This one was for the “IOT” VLAN - basically, the VLAN that I want to use for devices that need LAN access, but not WAN access. The VLAN setup was the same as before; the only difference was the firewall rules.
And it worked!
One key point about this configuration is that I was able to confirm that I could run multiple wireless networks from one radio. So my previous theory that I could run up to 5 distinct wireless networks from this one router seems to be correct!
Configuration summary
Three places I needed to configure:
- The WAP
- The switch
- The OPNsense router
WAP
- Add a switch VLAN for port 3
- Add a bridge device for the new VLAN
- Add an interface with a static IP using the new bridge
- Add the new interface to one of the wireless radios
Switch
- Enable port (un-park it) and add a sensible description
- Add the new VLAN
- Set the new VLAN as untagged on applicable port (add the port to the VLAN)
- Set Native VLAN to None on applicable port
OPNsense router
- Add the new VLAN as an interface
- Assign the new VLAN interface
- Configure the new VLAN interface with a new IP/subnet
- Enable DHCP on the new VLAN interface
- Normally I would enable DNS here, but this VLAN doesn’t need it
- Add default allow firewall rules on the new VLAN interface
- Add an explicit block rule to the WAN, placed BEFORE the allow rules (OPNsense evaluates an interface's rules top-down and the first match wins, so an allow-any rule above the block would shadow it)
Lastly, plug in (a third) cable from the configured port on the WAP to the configured port on the switch.
Final steps
- Confirm the firewall rules behave as intended (a device on the new VLAN can ping other devices in the LAN, but cannot reach the WAN)
- Confirm both WLANs work at the same time
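To see why the block rule has to sit above the allow rules, and to mirror the final check, here is a small first-match rule evaluator. This is an added example, not part of the original post or of OPNsense itself; the subnets are constructed, and the "explicit block to WAN" is modelled as a block on any destination outside the local networks (an inverted destination match), which is an assumption about how the rule was written.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing; substitute your own LAN/IoT subnets.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
IOT_NET = ipaddress.ip_network("192.168.20.0/24")
LOCAL_NETS = (LAN_NET, IOT_NET)


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    dst: tuple = ()             # destination networks; empty tuple means "any"
    invert_dst: bool = False    # models the OPNsense "destination / invert" checkbox

    def matches(self, dst_ip: ipaddress.IPv4Address) -> bool:
        in_dst = not self.dst or any(dst_ip in net for net in self.dst)
        return in_dst != self.invert_dst


def evaluate(rules, dst_ip: str) -> str:
    """First-match evaluation, as on an OPNsense interface where rules are 'quick'.
    Traffic that matches no rule falls through to the implicit default deny."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.matches(ip):
            return rule.action
    return "block"


# The order the post describes: block non-local (WAN-bound) traffic first, then allow the rest.
IOT_RULES = [
    Rule("block", dst=LOCAL_NETS, invert_dst=True),  # explicit block: any destination outside the local nets
    Rule("pass"),                                    # default allow: everything else (LAN access)
]
# The mistake the "BEFORE" note guards against: allow-any on top shadows the block entirely.
IOT_RULES_WRONG_ORDER = list(reversed(IOT_RULES))


def check_policy(rules) -> dict:
    """Mirror the post's final check: a LAN host should be reachable, a WAN address should not."""
    return {
        "lan": evaluate(rules, "192.168.1.10"),   # a LAN host (constructed)
        "wan": evaluate(rules, "203.0.113.5"),    # a public address from the TEST-NET-3 documentation range
    }


if __name__ == "__main__":
    print("correct order:", check_policy(IOT_RULES))
    print("wrong order:  ", check_policy(IOT_RULES_WRONG_ORDER))
```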