hardware purchase advice is needed for intervlan routing needs?

Hello,

In my home, I am running a flat network with no vlans. I have two rb962 acting as wireless access points attached to unmanaged switches. They are all connected to an OpnSense firewall. I am currently using the radius server, dhcp and user manager on one of the rb962 to apply mac based access control in the wifi network, but also for dhcp ip assignments.

New appliances all come with wifi and are network capable. My children have pcs, laptops, phones, tablets and some require their own domain. My son recently infected our network with a virus, and I have spent a great deal of time dealing with that. I would like to create vlans for each member of the family and isolate their traffic, and create vlans for iot, cameras etc. The usual stuff.

I would like to limit the intervlan traffic. For example, I would like to deny some iot vlans access to the internet, only allow the family members' vlans to access our nas devices and other services, etc. I presume there will be around 10 vlans, and these vlans will have different sets of rules for accessing each other.

I have bought a CRS326-24G-2S+RM to be able to do that and to get rid of the unmanaged switches. My Opnsense device is a four core intel celeron device with 8gb of ram. I was hoping to do all intervlan routing in the CRS326. I do not know if I have done a sensible thing with my purchase.

My questions are

  1. Is intervlan traffic as I described above CPU bound? Can it be done in CRS326? Can it be offloaded to hardware? Do I need to use separate router for that?
  2. If I need a router, what do you advise as hardware?

Yes!
One creates as many vlans as required.
For management or base vlan you can use a trusted home vlan or a separate one.
The CRS will get an IP address on this trusted vlan
For vlan setup check out the appropriate example here → CRS326-24G-2S+RM
For a decent video on the topic → https://www.youtube.com/watch?v=YLtGQAQ8iS0&t=77s


Recommend taking one port off the bridge:
# ether23 is removed from the bridge and used as an out-of-band management port
/interface ethernet
set [ find default-name=ether23 ] name=OffBridge23
# switch IP on the trusted vlan, plus a tiny /30 on the off-bridge port
/ip address
add address=192.168.11.2/24 interface=vlan11-Trusted network=192.168.11.0
add address=192.168.23.1/30 interface=OffBridge23 network=192.168.23.0
# the lists must exist before members can be added to them
/interface list
add name=LAN
add name=TRUSTED
/interface list member
add interface=OffBridge23 list=LAN
add interface=vlan11-Trusted list=LAN
add interface=OffBridge23 list=TRUSTED
add interface=vlan11-Trusted list=TRUSTED

Plug a laptop into port 23 on the switch, modify its ipv4 settings to 192.168.23.2 and you should be in, and in a safe place to do all the vlan configuring!!

As far as I know, the CRS326 cannot do hw accelerated L3 routing with firewall, which would be necessary for your use case. Doing routing on the CRS’s weak CPU is technically possible, but will be very slow.

Why don’t you use your existing opnsense box for inter-vlan routing?
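To tie the two answers above together, here is a complete RouterOS configuration for the layout they describe: the CRS326 does hardware-offloaded L2 VLAN switching only, owns an IP on the trusted VLAN for management, keeps one port off the bridge as a recovery console, and hands every VLAN to OPNsense over a single tagged trunk so that all inter-VLAN routing and firewalling happens on the OPNsense box. This is an added example written for this thread; it is not the poster's configuration nor a MikroTik reference example. The port roles (ether1 trunk to OPNsense, ether2 trunk to an access point, ether3 camera access port, ether23 off-bridge), the VLAN IDs (11 trusted, 20 IoT, 30 cameras) and the OPNsense gateway address 192.168.11.1 are all assumptions; substitute your own.

```routeros
# Added example, not from the thread or MikroTik docs. Assumed roles:
#   ether1  = tagged trunk to OPNsense (does all inter-VLAN routing + firewall)
#   ether2  = tagged trunk to a wireless AP (rb962)
#   ether3  = untagged access port for a camera (VLAN 30)
#   ether23 = off-bridge recovery/management port
#   VLAN 11 = trusted/management, VLAN 20 = IoT, VLAN 30 = cameras
#   192.168.11.1 = OPNsense address on VLAN 11 (assumed)

# Create the bridge with filtering OFF; it is switched on as the last step.
/interface bridge
add name=bridge1 vlan-filtering=no comment="main switching bridge"

# hw=yes keeps the port on the switch chip so frames never touch the CPU.
# The camera port is an access port: it only admits untagged frames and
# tags them into VLAN 30 via pvid.
/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes comment="trunk to OPNsense"
add bridge=bridge1 interface=ether2 hw=yes comment="trunk to AP"
add bridge=bridge1 interface=ether3 hw=yes pvid=30 \
    frame-types=admit-only-untagged-and-priority-tagged comment="camera"

# Bridge VLAN table: which VLAN leaves which port tagged or untagged.
# bridge1 itself is a tagged member of VLAN 11 so the switch can hold an
# IP there; it is deliberately NOT a member of the IoT or camera VLANs.
/interface bridge vlan
add bridge=bridge1 vlan-ids=11 tagged=bridge1,ether1,ether2
add bridge=bridge1 vlan-ids=20 tagged=ether1,ether2
add bridge=bridge1 vlan-ids=30 tagged=ether1 untagged=ether3

# Management address of the switch on the trusted VLAN; default route
# points at OPNsense so the switch itself is routed and filtered there too.
/interface vlan
add interface=bridge1 name=vlan11-Trusted vlan-id=11
/ip address
add address=192.168.11.2/24 interface=vlan11-Trusted network=192.168.11.0
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.11.1

# Off-bridge console port: unaffected by any VLAN mistake on the bridge.
/interface ethernet
set [ find default-name=ether23 ] name=OffBridge23
/ip address
add address=192.168.23.1/30 interface=OffBridge23 network=192.168.23.0

# Only the trusted VLAN and the off-bridge port may reach management
# services; IoT/camera hosts cannot even attempt a login to the switch.
/ip service
set winbox address=192.168.11.0/24,192.168.23.0/30
set ssh address=192.168.11.0/24,192.168.23.0/30
set www address=192.168.11.0/24,192.168.23.0/30
disable telnet,ftp,api,api-ssl

# Last step, run while connected through OffBridge23: enable filtering.
/interface bridge
set bridge1 vlan-filtering=yes
```

The ordering matters: enabling vlan-filtering before the bridge VLAN table and the bridge1 membership on VLAN 11 are in place drops your own management session, which is exactly why the first answer recommends working from the off-bridge port. On OPNsense the matching side is one VLAN interface per ID on the trunk NIC, each with its own subnet, DHCP scope and firewall rules (for example, IoT VLAN 20: allow DHCP/DNS to the firewall, deny everything else); the CRS never sees those rules, it only forwards tagged frames in hardware.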

(2 threads merged because they contained the exact same question)