Seperating traffic with VLANs in the network is great way to improve network security. When I switched to VLAN capable switches and access points, I did exactly that. I created seperate VLAN's for personal use, business use and for IoT like devices. This improved security greatly, but with all the devices living in seperate VLANs all sorts of autodiscovery type of features of course did not work.
So that is OK but not great. Not being able to easily find my Hue bridge from my laptop or phone does limit the flexibility. Same goes for stuff like Apple TV, the Jet direct printer etc.
Then I remembered my experiments way back of using OpenBSD not as a firewall/router, but as an transparent ethernet bridge. With the capability to actually filter traffic while doing that. So that is the plan.
First I needed some proper gear to do it with. Raspberry PI was out, because I don't want to deal with USB connected extra ethernet devices. So I figured the PCEngines APU2 would be great. I already own one, but it is in use as an OpnSense firewall (great stuff!). So the first step was ordering a new APU2 from pcengines, which I did.
So yesterday I had some time left to install the operating system and hook it up to the network for further setup. This is where I am right now. Next steps is configuring ethernet ports, maybe VLANS and then creating transparent bridging links with packet filtering.
When this pans out as planned, my business, personal and IoT devices will live in three seperate VLAN's, linked together with the APU2/OpenBSD bridge, all living in the same IP segment.
Then it is just a case of setting up proper packet filtering rules that will allow autodiscovery e.o. to work seamlessly all while blocking other unwanted and/or unplanned traffic.
Should be fun!
It is of course possible to use a single ethernetport and configure multiple VLAN on this port. But I want to make sure I could get a 1 Gbs transferrate between VLANs, so I will use multiple ports on the APU and a switch to connect the different VLANS. Getting the basic bridge running was easy using a nixCraft blogpost. So this is wat I have now:
ghost# ls -l /etc/hostname* -rw-r----- 1 root wheel 28 Jan 21 09:26 /etc/hostname.bridge0 -rw-r----- 1 root wheel 29 Sep 27 20:02 /etc/hostname.em0 -rw-r----- 1 root wheel 20 Jan 21 09:26 /etc/hostname.em1 -rw-r----- 1 root wheel 21 Jan 21 09:26 /etc/hostname.em2 -rw-r----- 1 root wheel 20 Jan 21 09:26 /etc/hostname.em3
with this contents:
ghost# cat /etc/hostname.bridge0 add em1 add em2 add em3 up ghost# cat /etc/hostname.em1 up media autoselect ghost# cat /etc/hostname.em2 up media autoselect ghost# cat /etc/hostname.em3 up media autoselect
This config was activated by rebooting the device. The em0 device is not part of the bridge and will be used for management access. If I go full paranoia, I will disconnect em0 and just use the serial access if I need to change anything. The APU2 device has no working IP config on the bridge so accessing it should be pretty much impossible via that route.