Beginner's Guide to Set up a Full Network using OPNsense

Captions
Shortly after I created my YouTube channel, I created a video series on how to build a full network using OPNsense. I based that video series off of a written guide that I did on my website, and that guide was actually somewhat geared towards more intermediate-level users, because I was just pulling together a bunch of concepts that I had written about on my website over the years, and I wanted to show it all in one big guide to show how everything works together. Sometimes when you see small little pieces of different topics, it's hard to put them all together and have a fully functioning network, so I thought that would be a helpful guide for people, and it seemed pretty well received. But I didn't go into a lot of detail, especially when it comes to link aggregation and whether you actually need it or not. A lot of users are just creating link aggregations whether they know they need them or not, and I know with one-gigabit interfaces it's definitely easy to saturate interfaces, but most home users are probably not going to be saturating their network very often. If you're just streaming data and you don't have any servers or NASes or whatever on your network, you're not transferring a lot of data between networks, so link aggregation might have a little less of a benefit for many users. There are different topics like that which I didn't clarify in a lot of detail, so I'm going to leave a lot of those types of topics out of this video and do a more simplified version of that guide. I actually already have it on my website and I'll link to it below, but this will be the video version of that, and I'm hoping to do it all in one video, because it's that much more simplified that I can fit it all in one video. Hopefully it'll be a little bit less overwhelming if you're new to OPNsense, because I know sometimes that bigger guide trips a lot of people up in certain areas, because it's just a lot of concepts all at once.

I'm still going to have to assume some basic level of networking, because if I took the time to stop and explain what an IP address and a MAC address are and various other networking concepts, we would get so bogged down in all those details that we would miss the overarching concept of how to set up the full network. There are a lot of other topics too: you can do multihoming and such with your devices so you're not using a lot of bandwidth across networks, which I do briefly touch on in my written guide and might mention later in this video as well, but those are little topics you can branch out into once you get your main network set up. This is going to be just about the network architecture.

I'm going to assume you have hardware such as the Protectli VP2420, which I'm going to be using in this example, and I'm going to be using a network switch such as the TP-Link T1500G-10MPS, which is just an 8-port PoE managed switch. I'm going to be using a Grandstream wireless access point which supports VLANs, so all of my hardware supports VLANs. It's similar to my other guide, where I have three devices that I'm mainly setting up for the network architecture; I'm just going to make the architecture a little simpler, because in this example we're only going to have two networks: one physical network and one virtual network, one VLAN. So let's get started.

All right, so now let's configure OPNsense. You could use the default IP address of 192.168.1.1, or you can use the host name
opnsense.localdomain. I like to use the IP address, because if we change the host name we don't have to change it in our browser and potentially sign back in, so let's just use the IP address, which I already have typed in up here. This will bring up the OPNsense interface; we just have to accept the risk because it's a self-signed certificate, and as you can tell I've already signed in before. As you can see, the wizard pops up for the initial configuration, and after a few seconds it goes to the general setup. Instead of going through the wizard, I'm going to show you how to configure OPNsense with the normal menu options so you know where they're located, because all the options that are in the wizard are actually in OPNsense; they just put them together in a nice little format for you to set up. If you want to go through the wizard, for beginners it might be nicest to walk through it, but I want to show you where the settings are actually located, because that's where you'll be tweaking that stuff later when you actually need to make changes.

If you click on the logo in the upper left-hand corner, it'll take you to the dashboard, which is under the Lobby menu. You have all these default widgets displayed: it shows all the services that are running, the gateways and the interfaces, as well as some system information like CPU usage and RAM usage. As you can see, RAM usage on OPNsense is actually pretty low when you don't have anything running; right out of the box it's using 715 megabytes of RAM, and 183 of that is actually the ARC size for ZFS. If you're using ZFS, ZFS uses a lot more memory, which is fine if you've got plenty of memory.

So let's go to System > Settings > General. A lot of the settings from the wizard page are located here. You can give your router a host name and a domain name. The domain name is used for your entire network, not just for OPNsense, so any time you want to access a local client you can just use the host name most of the time, but if you want to use the fully qualified domain name (FQDN), you can type in something like opnsense.localdomain and get to this OPNsense web interface, if you have it allowed via firewall rules or whatever. If you want something different here, I can put in homenetworkguy.com because I own that; preferably, if you own a domain name, you can put it in here, or you can make up one that doesn't exist on the internet. Just make sure you don't pick one that actually exists, because your DNS will resolve to your local domain and it might get confused with the real one. So we can call this "router" if we want: router.homenetworkguy.com. You can make that whatever you want. You can pick the time zone that you're in; it's set to UTC by default. There are different themes here that you can install, but you have to go to the plugins page and install them; a lot of people like dark themes, and you can download a couple of different versions of dark themes for OPNsense, which is nice.

Down here in the Networking section you can put DNS servers in if you want. These are the DNS servers used by the system, which is OPNsense itself. Out of the box you can leave these alone, because in this example I'm not going to show a more advanced DNS configuration, since this is a beginner guide. I'm going to leave this stuff at the defaults, because out of the box the option to allow the DNS server list to be overridden by DHCP on the WAN interface basically allows you to use your internet provider's DNS service, which is a good way just to get started. Once you get that working and you know your network is functioning properly, then you can maybe uncheck this and set up some other DNS options that I've gone over before in other guides on my website, and some of my other
videos will potentially have some of this information as well if you want to go to more advanced DNS. For now we're just going to leave all these things alone, and then you can hit Save when you're done.

For the Administration page, there might be a few settings here you might want to change. Out of the box it's using a self-signed certificate. You can enable HTTP Strict Transport Security (HSTS), which helps prevent potential malicious users from trying to hijack and take over your HTTPS sessions and things like that. It's probably not a super high priority for home users, especially if you're not exposing it to the internet, but it could be helpful; if there's something bad on your network, enabling some of these features could help. Let's see if there's anything else here. DNS rebinding checks can sometimes cause problems if you're trying to access certain services on your local network, but I don't like to disable them, because that's actually a good security check to have. There are other ways around this: you can enter alternate host names here that will be ignored for DNS rebinding. I know Plex uses plex.direct as a domain host name that the DNS rebinding check might sometimes interfere with.

We have some HTTP compression settings here. Most boxes are probably fast enough that you can enable this; I don't know if it really speeds up the web pages that much. This could be helpful if you want to connect remotely, hopefully over a VPN and not open to the world, and you want the web pages to be as small as possible; compression can maybe help speed things up a little bit when you're accessing pages remotely. For the listen interfaces, I sometimes set this to just the one network that I want to manage OPNsense from. Since I'm only going to create two separate networks for this, I may recommend just setting this to the LAN network once we're done, but we want to make sure we get everything set up first. You can always go back and only allow it on the LAN network, because that's going to be our trusted network, and that way you can disallow access to your OPNsense from your untrusted network; you don't want people trying to log in to OPNsense, right? So that might be a good option to set once you know everything is working.

Let's go down here; you can enable SSH. I'm not going to show how to do these types of things, because I'm assuming that most beginners are just going to use the web interface, but if you know what SSH is you can log in to get a secure shell into OPNsense so you can use the command line, which is sometimes helpful. That's pretty much it for those options.

Let's go to Miscellaneous. One of the things you might want to set here is your thermal sensors. I'm using an Intel processor; if you want to show your CPU temperatures in a widget on the dashboard, you definitely need to select this hardware here for thermal sensors, because otherwise it will not show your temperatures, or at least not properly. I think it's helpful, especially for the many PCs that are fanless, to have the temperature displayed, so we'll go ahead and set that. If we go down to the power savings, you can set this to different options. I think by default it's using Hiadaptive, but it's not actually enabled; if you click this check box you can enable it. Hiadaptive allows maximum performance and helps regulate the CPU core speeds and such to boost performance, or even limit performance if you're worried about temperatures. There are some other options for disk usage and such, like RAM disks for logging. This is really useful if you don't have an SSD or something and you're trying to put it on a system that's using, I don't know,
micro SD or some other kind of crazy storage that's actually not very reliable; you definitely want to make use of these RAM disks for logs, but if you do that, you'll of course lose them when you reboot. We can just hit Save on this, because I actually do want to have this enabled. I'll show you real quick: since we just enabled this option, if we go back to Lobby > Dashboard, we can add a widget, and we will add Thermal Sensors. Close that out, hit Save, and all of a sudden you've got CPU temperature sensors here; since I picked Intel, you can see my core temperatures.

All right, now let's look at interfaces and what we need to do to configure them. Let's go over to Interfaces > Assignments. I have a four-port mini PC, which I mentioned earlier, the Protectli VP2420, and I have only two interfaces assigned: one is for the WAN interface and one is for the LAN interface. As you can see, I actually swapped these two interfaces. I did that during the initial installation, because by default the WAN would be igc1 and the LAN would be igc0. I like to have the WAN interface on either the far left or the far right, depending on how my connections are; I don't know if I just prefer that because I used to use consumer-grade routers and they always had the WAN interface off to one side. This is really a preference; it doesn't have to be this way. I just want to let you know that you might see these reversed if you left it at the default installation. I mentioned in the written guide how to switch these. You can do this from the console before you log in, so when you plug in you're on the proper interface; you do that by going to the console, choosing option 1, and reassigning the interfaces, which I have a video overlay here to show you as I'm discussing it. An alternate way of doing it is that you can come in here and swap your interfaces from the web interface. The bad part about going through the web interface is that you'll get disconnected and you'll have to physically move your connection over to the other port after you save these changes, and then potentially log back in again, so it's more disruptive to do it through the web browser. That's why I prefer to do it during the installation or at the console command line and just swap those interfaces.

You'll see that I actually have two other interfaces that I don't have assigned to anything. In this guide I'm not going to use either one of those interfaces; I'm just going to use the LAN interface, and we're going to add a VLAN. Even though I could make use of two different networks with two different interfaces, I just want to put one VLAN on one of these physical interfaces, the LAN interface, as a demonstration of how to set up VLANs. I want to show at least the concept of how to set up your first VLAN, and then you can add more later if you want. To set up VLANs we can't do it from here; we need to go to Other Types and then VLAN, because we have to set up our VLANs before we can assign them (the LAN interface is already good). We just click Add over here, and then the parent interface, remember, will be the LAN, because virtual networks have to reside on top of physical networks; a virtual LAN is just a logical network on top of a physical network. Let's make the VLAN tag 10, and we'll leave it at best effort. I'm not sure how much the VLAN priority affects performance; it's supposed to get priority based on what you select here, but best effort is fine for our purposes. We can call this "untrusted", because that's going to be our untrusted VLAN, and let's hit Apply. Once we hit Apply, we just go back over to Assignments. So when we go back to the
Assignments page, you can see that we now have a VLAN in here that you can assign, the untrusted VLAN, and the parent interface is igc1. Let's pick that. The description is already set from what we entered for the VLAN, which is what we want; it's nice that it prefills that, because it didn't used to do that, I think that's a newer feature. We'll just hit the Add button, and then we hit Save; you don't want to hit Save first, because you have to add it first, and you'll notice it pops up in the list, and then you hit Save. Now that you've hit Save, you'll see that the interface appears in the left-hand menu as Untrusted, so we just need to enable this interface. I like "prevent interface removal"; this keeps you from accidentally deleting the interface, so it's a nice extra measure to make sure you're not deleting it. For IPv4 we're going to set up a static IPv4 address for the interface itself, but it also gives us an IP address range for the network. This is kind of interesting: you can think of an interface as your gateway to an entire network. The IP address we're setting at the bottom here is for the interface itself; we're going to set it up as 192.168.10.1. I always like to make the interfaces .1; you don't have to, but that's a convention a lot of people use. This is the CIDR notation, so we want to pick 24; this is what creates the size of our network. /24 just means the last octet of the four octets in our IP address is how many IP addresses you can use, and in that last octet for IPv4 addresses you get from 2 to 254, because 0 and 255 are reserved for network purposes and 1 is used by the interface, so 2 to 254 is the total range we get for this interface. So we hit Save and apply changes.

I'm not going to mess with IPv6 configuration in this guide, but I have gone over that in other guides; that way we don't get bogged down in detail. We just get an IPv4 network set up, and if you want to explore IPv6 later, that's something you can do. Now let's go to Services > DHCPv4 and click on the untrusted network. We need to set up DHCP for the network so you get automatic IP address assignments, which you definitely want on your network. Click Enable, and then we can select this range here; you can copy and paste so you don't have to type as much. I'm just going to set an example range of 100 IP addresses, which you can change if you want, so I'm just going to do 100 to 200. I recommend leaving a little bit of the space available if you want to use static IP addresses, because they need to be outside of this range. It says you can use 1 to 254, but you can't use 1 because that's the interface, so you can go from 2 to 254; I don't recommend putting that full range in here unless you don't plan to have any static IP addresses, because if you have servers and such you might want to have some static IPs. Let's scroll down and hit Save. Now we have DHCP enabled on the network.

For DNS, I'm going to look at DNS real quick and go to the general settings. By default it's enabled on all
interfaces, which is what you want; this makes it easy. Some of the settings I recommend, since we're trying to keep DNS simple for this example, are just "register DHCP leases" and "register DHCP static mappings". If you register these, whenever you have a DHCP client or a static mapping defined for a client on your network, you can access it by host name, and Unbound DNS will know exactly what IP address it is for that client. It's handy to have this so you don't always have to type IP addresses to access your devices, so I like having those enabled. The only other thing that I think is good to have is "flush DNS cache during reload". You don't have to do this, but to me it's helpful, because if you're making DNS changes on your network and you restart the service or apply changes, I really like having this stuff cleared out, because things get kind of stuck in there, like old IP addresses associated with certain host names. I like having this flushed because it helps make things happen quicker. You may lose a little bit of DNS performance until everything is cached again, but on a local network you're not going to notice that speed difference too badly, I don't think; you might have a little bit of an issue there, but for the most part this is helpful when you're making changes. When you're not making any changes this has no real effect, since it only happens when you're reloading the service. So that's it; apply changes.

One last thing we need to do is configure firewall rules, because this will isolate your two networks from each other so nothing can access anything between the two networks. You have completely separate networks, so your untrusted devices cannot reach in and get access to your trusted devices. Let's go to Firewall > Aliases. The first thing we want to do is create a private network alias, because this is important to help isolate networks. When you only have two networks you don't have to go this route, but if you're adding several VLANs and interface networks, I like blocking the entire private IP address ranges, because it helps you not forget in the future to add new networks to your firewall rules every time you add a new network. You could potentially leave something wide open without realizing it, and so that's actually a little bit less secure. I feel like this way you're blocking everything by default and then you have to go in and allow specific access, so it's safer to do it this way; that's why I prefer it. I'm going to show you this real quick. We're going to call this "PrivateNetworks", the type is going to be Network(s), and for content we're going to do 10.0.0.0/8, then hit comma and it'll make that box around it, then 172.16.0.0/12 and comma, and then we do the last range,
192.168.0.0/16. Then we'll click the description down here and say "RFC 1918 private IP address ranges". You can put whatever you want for the description; it's good to describe these things. Hit Apply. Then this alias can be used in your firewall rules. The reason we're creating an alias is that it allows us to select multiple values in a firewall rule, because by default you can only select one value, whether it's an IP address or a network range; you only get one value to enter in each firewall rule, but if you create an alias you can have as many values as you want in the content here, and you only have to refer to the single alias inside your firewall rule. I'll show you how that works once we get down to the rules.

Let's go to LAN first. By default everything's wide open: you get access from LAN as the source to allow any, so it's going to allow access to all your networks, including the internet. Since we're not doing IPv6 in this configuration guide, we just delete that one. In my written guide I just said to delete this one so you don't get confused with the configuration, but since I'm showing you visually, I think it's fine if I just edit this existing one to show you what you need to do to change it and make it a little bit more restrictive, because right now we're going to be allowing access to our untrusted network from LAN. You might want to do that, but I think it's still good to keep the networks isolated, so you're not reaching out to your untrusted devices from your trusted network in case there's something malicious happening there, if something bad gets in. So we'll go ahead and isolate this. Right now the only thing we really need to do is this: our destination is going to be inverted, and our destination is going to be our private networks alias, and we're going to change our description to say that this is going to "allow access to the internet but block access to private networks". I want to describe this real quick, because I've mentioned this in other guides and in my written content: this destination "invert" means "not", so basically when the destination is not a private network it'll allow it, because this is a pass rule, as you can see at the top. Having this box checked is very important; we're basically saying anything that's not a private network, allow that connection, and anything that's not private is public, right? So that would be the internet. With this one simple rule we're allowing access to the internet, but we need to add one more rule after this, so we'll hit Save and I'll show you what we need to do. Let's not hit Apply Changes until we're done, because you'll start blocking things you don't want to block.

Let's add one more rule. We want this to be pass, and we want the protocol to be TCP/UDP, which is fine; we want the source to be "LAN net", because that's the network we're in, the destination to be "LAN address", and the destination port to be DNS. For the description we type "allow access to DNS server on LAN interface", because the rule we just edited will block all the private IP addresses, which includes the interface itself: once the traffic starts to leave the LAN network and hits the LAN interface, that firewall rule will block anything, even on the LAN interface, so you'll end up blocking DNS on your server. This is a consequence of blocking all private IP addresses instead of just blocking the other network; we could have just blocked the untrusted network if we wanted to, but I like this private IP address method; you
know it requires one extra rule here at the top um so we need to actually click this box and move it up here so we want to have these two rules so then we're allowing uh then we can hit apply now so we want to allow access to DNS server on the landan address which is your interface address and then we want to allow access to the internet if you follow this same pattern uh for each feature interfaces then you automatically get isolation and you only requires two rules so it's actually you know one way you can do it it's not the only way you you could make this a single rule but you'd have to keep adding in your new networks right every time you make an update So to avoid that you just do it like this so what what we what we need to do now is go to the untrusted network so as you can see if we go here when you create any new interface and new network it actually has no rules by default which means everything's blocked by default so if you just want to complete isolated network doesn't have access to Internet or anything else like for you know camera you know IP cameras on your network you actually leave it like this right then you're already you're already isolated but we want this one to have access to the internet just like the other one and but but not access to the land Network so let's go back to the land Network we actually clone the rule to make it a little bit easier right so let's go ahead and clone this first rule and then what we'll have to do we have to make sure we change the interface to untrusted and we want to change the land net to untrusted net and you want this to be landan address to be untrusted address and then we can can leave everything else the same except for this description cuz we are being very specific in our description so we just make sure we hit save okay and now let's go back to land and we can clone the second rule and we have to pick the usted Network again and this one we just pick untrusted net okay and and because we actually 
left a generic uh description we don't have to update that and so as you can see it actually put this on at the top so what we need to do is we want to make sure our DNS entry is first so it won't get so actually will get applied so we want to hit apply changes so there you have it that's all you need to do to have completely isolated networks if you want the untrusted network to reach into your land Network for something you have hosted there um you can actually go and add a new rule you just have to make sure it's above this bottom rule so anytime you add a new rule you just have to make sure it's above that bottom one and you should be good to go um you can actually make it access like a specific device on your Land network if you want on specific ports so you know you're allowing some access you're still controlling what access is allowed and so at least it's better than a flat Network where everything can have access to everything as I mentioned before that's all we need to do for opos it's actually not too bad uh to to get started out of the box with two separate networks are completely isolated so now we're going to configure our network switch next what I recommend doing is just plugging directly into the network switch first and get it configured because we need change IP address on it usually and then before we plug that into open sense and then once we plug it in open sense we'll do some test to make sure everything's good and then we'll go and configure the access point last so let's go ahead and go do that and switch over to configuring our switch so now I'm going to configure a static IP address to configure our network switch so I know my TP link is in 192.168.0.1 so I'm actually going to configure my devices to be in that same network so let's go to manual and I'm going to set my IP address here to be 0.10 just to make it something different than the switch's IP address and the subnet mask is going to be 255 255 255 zero and then we just hit apply 
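The two-rule pattern above (the inverted RFC 1918 alias plus the DNS exception to the interface address) is easy to get subtly wrong, so here is a small model of how pf evaluates it. This is an added example, not code from the video, the written guide or OPNsense itself: it re-implements the rule matching in Python's ipaddress module so you can check sample flows offline. The addresses (LAN 192.168.1.0/24, untrusted VLAN 192.168.10.0/24, interface addresses .1) are the ones used in the guide; the sample flows and the 192.168.1.20 media server host are constructed for the example. Only the two pass rules are modelled: OPNsense's automatic anti-lockout rule on LAN is not, which is why the LAN-to-GUI flow shows as blocked here.

```python
"""
Model of the two-rule isolation pattern from the guide: an RFC 1918 alias
used as an inverted destination, plus a DNS exception to the interface
address. Added illustration, not OPNsense code. pf semantics modelled:
rules are checked top to bottom, first match wins, and an interface with
no matching pass rule blocks by default.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Set

# Alias "PrivateNetworks" as created under Firewall > Aliases in the guide.
PRIVATE_NETWORKS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Networks used in the guide: LAN on igc1, VLAN 10 "untrusted" on top of it.
LAN_NET, LAN_ADDRESS = ip_network("192.168.1.0/24"), ip_address("192.168.1.1")
UNTRUSTED_NET, UNTRUSTED_ADDRESS = ip_network("192.168.10.0/24"), ip_address("192.168.10.1")


@dataclass
class Rule:
    """A pass rule on one interface (only the GUI fields this example needs)."""
    description: str
    source: IPv4Network
    destination: List[IPv4Network]          # empty list = "any"
    destination_invert: bool = False        # the "Destination / Invert" checkbox
    protocols: Optional[Set[str]] = None    # None = any protocol
    dport: Optional[int] = None             # None = any port

    def matches(self, src: IPv4Address, dst: IPv4Address, proto: str, dport: Optional[int]) -> bool:
        if src not in self.source:
            return False
        if self.protocols is not None and proto not in self.protocols:
            return False
        if self.dport is not None and dport != self.dport:
            return False
        in_dest = True if not self.destination else any(dst in n for n in self.destination)
        return (not in_dest) if self.destination_invert else in_dest


def isolation_rules(net: IPv4Network, address: IPv4Address) -> List[Rule]:
    """The two rules the guide adds to each internal interface, top to bottom."""
    return [
        Rule("allow access to DNS server on interface address", net,
             [ip_network(f"{address}/32")], protocols={"tcp", "udp"}, dport=53),
        Rule("allow access to the internet but block access to private networks", net,
             PRIVATE_NETWORKS, destination_invert=True),
    ]


LAN_RULES = isolation_rules(LAN_NET, LAN_ADDRESS)
UNTRUSTED_RULES = isolation_rules(UNTRUSTED_NET, UNTRUSTED_ADDRESS)


def evaluate(rules: List[Rule], src: str, dst: str, proto: str = "tcp", dport: Optional[int] = None) -> str:
    """First matching pass rule wins; no match means the interface's default block."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, proto, dport):
            return "pass"
    return "block"


def usable_client_range(net: IPv4Network, address: IPv4Address):
    """Host addresses left for clients once the interface takes its own (.1 here)."""
    hosts = [h for h in net.hosts() if h != address]
    return str(hosts[0]), str(hosts[-1]), len(hosts)


def outside_dhcp_pool(ip: str, pool_start: str, pool_end: str) -> bool:
    """Static addresses must sit outside the DHCP range, as the guide recommends."""
    return not (ip_address(pool_start) <= ip_address(ip) <= ip_address(pool_end))


if __name__ == "__main__":
    flows = [  # constructed sample traffic: (interface rules, source, destination, proto, port)
        (LAN_RULES, "192.168.1.50", "1.1.1.1", "tcp", 443),
        (LAN_RULES, "192.168.1.50", "192.168.1.1", "udp", 53),
        (LAN_RULES, "192.168.1.50", "192.168.10.20", "tcp", 443),
        (UNTRUSTED_RULES, "192.168.10.20", "192.168.1.50", "tcp", 445),
        (UNTRUSTED_RULES, "192.168.10.20", "192.168.1.1", "tcp", 443),
        (UNTRUSTED_RULES, "192.168.10.20", "192.168.10.1", "udp", 53),
    ]
    for rules, src, dst, proto, port in flows:
        print(f"{src:>14} -> {dst:<14} {proto}/{port}: {evaluate(rules, src, dst, proto, port)}")
    print("LAN client range:", usable_client_range(LAN_NET, LAN_ADDRESS))
```

Two things the model makes visible: dropping the DNS rule (`LAN_RULES[1:]`) leaves DNS to the gateway blocked, exactly the consequence described above, and the alias only covers RFC 1918, so a destination such as 100.64.0.0/10 (carrier-grade NAT space) is treated as "internet" and passed; add it to the alias if your ISP hands you such addresses. A per-host exception, like the media server rule in the test, works as long as it sits above the inverted rule.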
Okay, we'll close that out. Now I'm going to type my switch's IP address in here, which is what I mentioned earlier, and hit Enter, and it's going to take me to the TP-Link login page, which takes a second to load. This TP-Link switch's web interface is a little bit slower than some of the other TP-Link switches I have; I'm not sure why, it doesn't have a very fast interface, but it works, and it's not too bad once you get logged in. It's going to be admin/admin by default, so let's do that. The first thing we're going to do is change the system IP. You can see where I said it's 192.168.0.1; we want to make this 192.168.1.2, because our interface is 192.168.1.1, so let's make this 1.2. We can set the gateway if we want; it's not super critical for the switch, because it shouldn't really be accessing the internet or anything, but we'll set this to 192.168.1.1 because that's going to be our gateway interface, and we'll hit Apply. When we do that we'll lose access to the page, so what we have to do now is set our IP address to be in the same network again. I go to wired settings, and all I have to do is change the 0 to a 1 in the IP address, so 192.168.1.10. Sometimes I do this just to make sure it applies quicker, because last time it took a few seconds longer than I was expecting. You see how it redirected us to 1.2 already; I just hit Enter on it and now we're back to the page. The redirect won't work until I change my system's IP address. We've got to accept the risk again; admin/admin, let's get back in here. Now if we go back to System IP, it's what we want it to be, because it will now be on the same network as our LAN network.

Let's go to L2 Features and set up a VLAN, because this will be pretty simple and straightforward. On our VLAN page we want to use 802.1Q VLAN, because that's the official VLAN protocol. If we go to Add, notice there's one VLAN already there, which is our system VLAN. This one is going to be our untrusted VLAN, so it's called "untrusted", and in our example the first port is going to be plugged into the router, so we need to make that a tagged port, and the second port is going to go to our wireless access point, so that needs to be tagged. Any time you want to create a VLAN between routers and switches and access points, anything that's VLAN-aware, you need to make those tagged interfaces, because this will allow the VLAN traffic to pass through these interfaces, and interfaces that are tagged are allowed to carry more than one VLAN. In my example on the website I just made port 5 a smart TV, as an example, so we just make one port an untrusted VLAN so we can test out a wired device that's on the untrusted network. Any of the devices you plug in, like PCs, laptops, game consoles, TVs, NASes and such, will be your untagged ports, because those are your end devices; they don't have to be VLAN-aware. So anything you plug in that's not a switch or router or an access point you can put on the untagged ports, and untagged ports can only belong to one VLAN. Whatever VLAN you want the ports to be on is your untagged ports, right? Tagged ports are where you want your VLANs to pass through, to carry multiple VLANs on a port, which is between all your devices that are VLAN-aware, and untagged is just the port you want for your specific devices. I'll try to reiterate that a few times, because hopefully it's clear when you use untagged versus tagged; that's always confusing with VLANs. Let's click Create, and now we have the untrusted network. One last thing we've got to do: you don't always have to do this on all network switch brands, but for TP-Link you actually have to go to the port config for port 5, because we added it to the VLAN, and when you actually
need to set your VLAN ID to 10 and hit apply if you don't do this it actually won't uh set properly set that port to the right Network so this is very crucial all your tag ports can be Port one so you don't have to change any other ports it's only the ports where you're plugging your devices in you want them to belong to a certain Network so this is a little gotcha step here if you're not careful with TP Link switches because it seems like a lot of other switches UniFi and grandstream and some other brands that I've tried out they actually automatically put that PIV ID in there for you which is nice even older TP Link switches the web interface would fill that P PIV ID in based on what VLAN configuration you set I'm not sure why the new VLAN interface uh forces you to do that um but I don't really like that because that's a gotcha sometimes it trips me up too we need to hit save to apply changes because if you don't hit save on your changes for your switch when you reboot your switch you lose everything you lose all your settings from the last time you hit save so a lot of switches you have to apply your changes because this this lets you the reason they do that is so if you mess your configuration up you could just reboot your switch and you're not locked out and screwed up right so uh they make you save it one final time to make sure that the changes are when you know it's a good working State then you can hit save and your changes will stay so that's all you actually really need to do to configure VLS on the network switch and so it's actually pretty simple to add a single VLAN in there since we're not doing lag configurations and all kinds of other stuff in here uh it's very simple and straightforward now what we need to do is plug Port one into the land port of open sense okay I plugg my switch in open sense I'm going to set my connection back to automatic DHCP and see what we get here okay apply and just for good measure just disconnect reconnect because it 
makes it a little quicker okay so let's go to the console clear this out let's do IPA as you can see we have a an IP address in the one network which is great so that means we should be able to go back to our open sense which I have left open so let's go see if we can go back to the main menu here and so we can we can actually log in open sense so now that we're on the dashboard we know that the client can actually get an IP address on the proper Network for The Trusted Network that we have and remember on my example I can plug into three p 3 4 or 6 s and 8 on my eight Port switch because remember port five is in the other network so I'm going to go ahead and plug into um I'm going to open this back up so I'm going to plug in Port five and I want to see if I get an IP address in that Network all right so let's check our IP address and as you can see I'm in the1 network here uh IP address is 192.168.1.100 so that's one quick way you can actually check if your VLAN configuration is correct is just by plugging into the other Port because it's it belongs to the VLAN which is in a diff technically a different network so all we have left to do now is configure the wirel wireless access point so I'm going to plug back into the trusted Network because by default the wireless access point is going to be in the1 network so I want to be in that same network so I can actually configure the grand stream so I'm going to go ahead and do that now okay so now I'm plugged back into the trusted Network the landan network um so I'm going to go to services dhcpv4 and then go to leases and I'm going this will show me all the IP addresses that are on my network because the wireless access point gets automatic IP addresses assigned to it I don't know what it actually is so going to the leases page is the easiest way to find that and you can see it's assigned a 106 so this is my grandstream wireless access point okay we got to accept our warnings because everything has self-signed 
certificates by default so the username is going to be um admin and on the bottom of your wireless access point for grandstream it actually has the default password it's nice that they actually have a custom default password for each wireless access point instead of admin admin right so it's kind of a some manufacturers do that to make their out of the box experience a little bit more secure um in case people forget to change your password right so I'm going to type that now now that I typed that in you'll see there's option for master or slave because you can actually have wireless access points controlling other wireless access points without having to run separate controller software like UniFi I've noticed that you can control other access points this way but if you have a network switch like I have a grandstream network switch you can't control more than one device from it but it's interesting that their Wireless access points are set up to where you can control multiple wireless access points from a single one so that's kind of cool but um if you want to manage switches in addition to that wireless access points you probably want to install a local controller or use their Cloud controller so let's sign in okay the first time you sign in you're going to go through a setup wizard um you only have to do this for the first time but if we go through next so we're going to set up two wireless networks uh one for the trusted Network and one for the untrusted network so by default it's going to be on the trusted Network so we'll go ahead and set that up and you'll see uh here's our wireless access point we'll just hit next um we want to have it enabled and we could say give it a name whatever you want to call this network and I'm just going to call H&G land because that's our Land network and you can leave it on WPA 2 or you can do um WPA2 or three sl3 you could do both if so we can just goad and pick that and pre pre-share key is just basically your your wireless 
password and you notice that we already have our device set in Our member devices you just have to make sure that there's a device over here because if it's on the left hand side it won't add it to your device it'll create the network but it won't assign it to your provision it to your device so so it's important to put this over here by default it automatically puts this one here because it knows you're trying to set this device up okay so now we can just hit complete and then it it's pretty cool it shows you all the little processes that are getting uh set up here and once this is done you will have a default Network set up all right so it says we have one access point here and no clients so this is like a nice little dashboard here so what we what we need to do now is just we're going to set up a second Network for our untrusted network if if we go here before we do the second network if you go to edit you you can actually access the more options than the setup provides you so if you scroll down here you could do cap the portal client isolation um and there's options for vlans and stuff like that so there there's a lot more options when you go to uh edit this if you if you have mobile devices in here I recommend setting the the the dtim period to like three to save a little bit of battery life on your mobile devices so that's one thing you might want to do on that one so we just go and save that um we can hit apply just go and apply those changes so what we need to do now is set up our second wireless connection by clicking add and we're going to enter the SSID as hng U untrusted you might not want to call your network untrusted if you're going to broadcast cast it out maybe something like guest or something but something more subtle um but I just want to make this clear which network we're setting this up for I want to enable this SS ID we want to set up the VLAN of 10 so that's all you need to do to set set it to a VLAN it's very simple you just put the VLAN 
ID um so security mode we do WPA 2 and three and then we'll do our password Here is our pre-shared key okay and then since this is our untrusted Network we might want to enable client isolation it it prevents wireless devices from communic directly with each other so it's not a bad idea for an untrust Network to enable that it's very good for like guest mode and stuff like that when you don't you you don't want to trust maybe your guests that are on your network um so we can set the dtim period to like three for wireless battery savings and before we hit save I always keep forgetting this but you have to go to device membership and we have one available device which is our current wireless access point click that box and then move it over to the member devices as I mentioned earlier this is done automatically for your first wireless network if you go through that Setup Wizard when we create new ssids we actually have to move that over um it doesn't do it for you automatically so that's important otherwise it doesn't get applied to your access point um so let hit save then apply okay once the changes apply successfully you have both access points here and let's go ahead and turn off our wire Network just so our wireless devices get priority here and we'll we will uh check each one of these to see if we get an IP address in the proper Network so I turn off the wire connection okay let's connect to that Network okay so let's check our IP address and see what network we're in as you can see we are in the one network with 107 as our address uh it's different than our wire device which was 104 so now we're going to check the other SSID and see what we get okay we're going to sign into to that one so now let's check our IP address addess as you can see we got a101 uh 10101 so we actually are in the10 untrusted network so as you can see we got an IP address in each Network so we know that both wireless networks um are configured properly with open sense and that's all you 
really need to do to get the basics to get started of separating out your devices so now we have a trusted Network you can put stuff on your land Network and you can move your untrusted devices on your untrusted um VLAN so I hope you found this helpful and beneficial in getting started on creating your first VLAN and get your network set up to kind of get a few devices like trusted and untrusted devices separated and from here you can actually explore different topics and and as you learn more about Open sense and firewalls and networking you just got to keep in mind your architecture as you grow just make sure it makes sense and it's reasonable um and nothing too crazy and complex because it doesn't have to be super complex to be still more protected than just the flat Network as you can see I configured this uh almost in real time you know in in less than an hour right so just to get a basic Network started um so it doesn't have to take forever it doesn't have to be super complicated I just want to show you like it doesn't take hours and hours like my previous guy I broke it up in the four videos because it did take you know you know two to three hours because is a little more involved if you just want to start off really basic it doesn't have to take forever so until next time I see you guys [Music] later oh
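The walkthrough verifies the VLAN split by looking at which address a client gets and stops there. The script below is an added example, not part of the video or of Home Network Guy's guide, that a practitioner can run from a client on the untrusted side to check the three things the configuration is supposed to guarantee: the client lands in 192.168.10.0/24, DNS on the untrusted gateway still answers (the allow rule placed above the block rule), and the trusted LAN does not answer (the block rule). The addressing (192.168.1.0/24 trusted with OPNsense at 192.168.1.1, VLAN 10 = 192.168.10.0/24 with OPNsense at 192.168.10.1) is taken from the walkthrough; the target host/port pairs in `run_checks` are placeholders, and the script assumes a Linux client with `ip` (iproute2), `awk` and `nc`.

```shell
#!/bin/sh
# Added example, not from the video: check from a client that the VLAN split actually holds.
# Assumed addressing, taken from the walkthrough: trusted LAN 192.168.1.0/24 with OPNsense at
# 192.168.1.1, untrusted VLAN 10 = 192.168.10.0/24 with OPNsense at 192.168.10.1.
# The host/port pairs in run_checks are placeholders for your own network.

TRUSTED_NET="192.168.1.0/24"
UNTRUSTED_NET="192.168.10.0/24"

# ip4_to_int 192.168.10.101 -> 3232238181 (dotted quad to a 32-bit integer)
ip4_to_int() {
    _ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/PREFIX -> exit status 0 when ADDR lies inside NET/PREFIX
in_cidr() {
    _addr=$(ip4_to_int "$1")
    _net=$(ip4_to_int "${2%/*}")
    _bits=${2#*/}
    _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
    [ $(( _addr & _mask )) -eq $(( _net & _mask )) ]
}

# network_of ADDR -> trusted | untrusted | unknown
network_of() {
    if in_cidr "$1" "$TRUSTED_NET"; then
        echo trusted
    elif in_cidr "$1" "$UNTRUSTED_NET"; then
        echo untrusted
    else
        echo unknown
    fi
}

# first_ip4 -> the client's first global IPv4 address, read from `ip -4 -o addr` (Linux iproute2)
first_ip4() {
    ip -4 -o addr show scope global | awk '{ sub("/.*", "", $4); print $4; exit }'
}

# tcp_reachable HOST PORT -> exit status 0 when a TCP connect succeeds within 3 seconds
tcp_reachable() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# run_checks: run while plugged into the untrusted port (port 5) or joined to the untrusted SSID.
# Expectation from the firewall rules set up earlier: DNS on the untrusted gateway answers,
# but nothing in the trusted LAN (here the OPNsense LAN web UI on 192.168.1.1:443) does.
run_checks() {
    _me=$(first_ip4)
    echo "client address: $_me ($(network_of "$_me"))"
    if [ "$(network_of "$_me")" != untrusted ]; then
        echo "FAIL: expected an address in $UNTRUSTED_NET; check the PVID on port 5 / the SSID VLAN ID"
        return 1
    fi
    if tcp_reachable 192.168.10.1 53; then
        echo "ok: DNS on the untrusted gateway 192.168.10.1 is reachable"
    else
        echo "FAIL: 192.168.10.1:53 unreachable; the allow-DNS rule must sit above the block rule"
    fi
    if tcp_reachable 192.168.1.1 443; then
        echo "FAIL: the trusted LAN answered from the untrusted VLAN; the block rule is not matching"
        return 1
    fi
    echo "ok: 192.168.1.1:443 is blocked from the untrusted VLAN"
}

# Network checks only run when invoked as `sh vlan-check.sh run`, so the helpers can be sourced alone.
if [ "${1:-}" = run ]; then
    run_checks
fi
```

The DNS probe uses TCP port 53 because `nc -z` needs a connect to succeed; Unbound on OPNsense listens on TCP as well as UDP, but if your allow rule only permits UDP/53 the probe will report a false failure. If the last check prints FAIL, the usual cause is exactly the one called out earlier in the video: a newer allow rule was added below the block rule instead of above it.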
Info
Channel: Home Network Guy
Views: 9,474
Id: CXp0CgilMRA
Length: 41min 29sec (2489 seconds)
Published: Sat Nov 04 2023