I have tried a few times by now, but I still can't wrap my head around it.
Over at the pfSense board people were getting emotional while telling me it can't and should not be done.
I am looking to have multiple interfaces (each with their own 10.x.y.y/16 range) so that I can fine-tune the firewall zones.
10.0.0.1/16 = IPMI
10.1.0.1/16 = network gear
10.2.0.1/16 = hypervisors
10.3.0.1/16 = data
When not carefully set up in a strict order using LuCI, the config gets mangled and in my case it is easy to get into an unusable state.
I now have an OpenWrt VM with snapshots of each and every step I take. Can someone please help me take the next steps? I can roll back to absolute zero if need be.
I have in mind a quite advanced rule set in which one zone can talk to another and others cannot, etc., and also a guest zone and the like.
The problem seems to be that when I use LuCI (because I am not an avid CLI/UCI user) the config can get mangled when used by newcomers like me.
Network diagram (in text):
WAN -> Asrock Rack (NIC1) passed through via hypervisor to OpenWrt VM for WAN interface
Asrock Rack (IPMI NIC) -> installed hypervisor (yeah, it seems weird, but given that one can reach it by preconfiguring the network settings on a directly attached device it can work, and it did work). We can skip this part if it seems too outlandish. I will set it up once all the rest is in place.
Asrock Rack (NIC0) -> installed hypervisor Ethernet bridge to OpenWrt VM for LAN
It is not really clear what you want to achieve. I understood that you somehow want to have multiple subnets to segregate your local network or groups of clients into logically isolated segments or zones to apply traffic policies upon them. Is that correct?
If so, how do you plan to implement that isolation? On layer 2, doing VLAN trunking over one of the NICs? On layer 3, by handing out different DHCP subnet settings depending on client MAC? Maybe even have multiple vNICs and deal with traffic routing or VLAN trunking on the hypervisor?
Yes, I'd like to segment the network (multiple zones) and be able to set up advanced firewall rules between segments/zones. Something along the following lines:
10.0.x.x/16 for IPMI (direct connection to motherboards, only accessible via the Trusted interface)
10.1.x.x/16 for network-related stuff, e.g. routers, APs and switches
10.2.x.x/16 for Virtualization only accessible via Trusted
10.3.x.x/16 for Data, only accessible via Trusted and a handful of servers
10.4.x.x/16 Trusted (VLAN)
10.5.x.x/16 Guests (VLAN, internet only)
10.6.x.x/16 IoT (VLAN, Trusted and specific IPs only)
10.7.x.x/16 Peripherals (VLAN, Trusted and LAN only)
and a few others
10.20.x.x/16 WireGuard to the other site. All devices there basically have the same interface scheme but +20, so:
10.(20 + 0).x.x/16 for IPMI
10.(20 + 1).x.x/16 for Network stuff
and so on and so on
Snort or something similar to detect intrusions, and a graphical way of seeing what is going on in the network. ntopng seems suitable.
Why don't you want to use VLANs on an external interface? If you don't have an external interface for each network segment you want to connect, then VLANs are commonly used in combination with a VLAN-capable switch.
An alternative is to use a layer 3 switch. But then I guess you need a switch which supports policy based routing if you want to send traffic via the firewall.
Not sure I follow you entirely. Perhaps a network diagram can help me explain what I am looking to setup.
I guess the question I am asking is: is this a totally ridiculous plan, and if so, can someone please elaborate?
It makes sense to configure the connection between the LAN NIC and the managed switch as a VLAN trunk, i.e. tag all VLANs on the LAN NIC and the switch port.
The ports you connect devices to can then be configured as access ports, i.e. each with one untagged VLAN (same as PVID). Or you can configure more trunks if access points or other routers and switches need more than one VLAN.
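To make the trunk-plus-zones idea from the last reply concrete against the OP's segment plan (Trusted, Guests, IoT), here is an added worked example in OpenWrt's UCI config-file syntax. It is not from anyone in this thread and not from the OpenWrt project; the VLAN IDs (40, 50, 60), the interface name `eth1` for the LAN NIC, the host `10.4.0.10:8123` and the other names are assumptions chosen for illustration. It assumes OpenWrt 21.02 or newer (the `config device` / `8021q` syntax) and keeps the stock `wan` zone from a fresh install.

```uci
# /etc/config/network (added example; names, VLAN IDs and addresses are assumptions)
# Assumes OpenWrt 21.02+ and that 'eth1' is the LAN NIC the hypervisor bridges
# into the VM, cabled to a managed switch port that carries VLANs 40/50/60 tagged.

config device
	option name 'eth1.40'
	option type '8021q'
	option ifname 'eth1'
	option vid '40'

config device
	option name 'eth1.50'
	option type '8021q'
	option ifname 'eth1'
	option vid '50'

config device
	option name 'eth1.60'
	option type '8021q'
	option ifname 'eth1'
	option vid '60'

config interface 'trusted'
	option device 'eth1.40'
	option proto 'static'
	option ipaddr '10.4.0.1'
	option netmask '255.255.0.0'

config interface 'guests'
	option device 'eth1.50'
	option proto 'static'
	option ipaddr '10.5.0.1'
	option netmask '255.255.0.0'

config interface 'iot'
	option device 'eth1.60'
	option proto 'static'
	option ipaddr '10.6.0.1'
	option netmask '255.255.0.0'

# /etc/config/firewall (added example; the stock 'wan' zone with masq stays as is)
# One zone per interface; forward is REJECT everywhere, so only the explicit
# 'forwarding' and 'rule' sections below open paths between zones.

config zone
	option name 'trusted'
	list network 'trusted'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'guests'
	list network 'guests'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Trusted may reach the internet and the IoT segment (replies come back via conntrack).
config forwarding
	option src 'trusted'
	option dest 'wan'

config forwarding
	option src 'trusted'
	option dest 'iot'

# Guests and IoT get internet only ...
config forwarding
	option src 'guests'
	option dest 'wan'

config forwarding
	option src 'iot'
	option dest 'wan'

# ... except that IoT may talk to one assumed trusted host on one port.
config rule
	option name 'iot-to-ha-server'
	option src 'iot'
	option dest 'trusted'
	option dest_ip '10.4.0.10'
	option proto 'tcp'
	option dest_port '8123'
	option target 'ACCEPT'

# With input=REJECT the router itself still has to answer DHCP and DNS.
# Repeat this rule with src 'iot' for the IoT zone.
config rule
	option name 'guests-dhcp-dns'
	option src 'guests'
	option proto 'tcp udp'
	option dest_port '53 67'
	option target 'ACCEPT'
```

Apply with `/etc/init.d/network restart` followed by `/etc/init.d/firewall restart`, and do it from a VM snapshot as the OP already does: if the switch port is not actually tagged for VLAN 40, the `trusted` interface comes up with nobody able to reach LuCI on it. Two points worth checking afterwards: `input 'REJECT'` on the guest and IoT zones is what keeps SSH and LuCI off those segments, so do not loosen it to `ACCEPT` for convenience; and because `forward 'REJECT'` is the default in every zone, any segment-to-segment path that is not listed as a `forwarding` or `rule` section is blocked, which is the behaviour the OP's "only accessible via Trusted" lines describe.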