Seperating traffic with VLANs in the network is great way to improve network security. When I switched to VLAN capable switches and access points, I did exactly that. I created seperate VLAN's for personal use, business use and for IoT like devices. This improved security greatly, but with all the devices living in seperate VLANs all sorts of autodiscovery type of features of course did not work.

So that is OK but not great. Not being able to easily find my Hue bridge from my laptop or phone does limit the flexibility. Same goes for stuff like Apple TV, the Jet direct printer etc.

Then I remembered my experiments way back of using OpenBSD not as a firewall/router, but as an transparent ethernet bridge. With the capability to actually filter traffic while doing that. So that is the plan.

First I needed some proper gear to do it with. Raspberry PI was out, because I don't want to deal with USB connected extra ethernet devices. So I figured the PCEngines APU2 would be great. I already own one, but it is in use as an OpnSense firewall (great stuff!). So the first step was ordering a new APU2 from pcengines, which I did.

So yesterday I had some time left to install the operating system and hook it up to the network for further setup. This is where I am right now. Next steps is configuring ethernet ports, maybe VLANS and then creating transparent bridging links with packet filtering.

When this pans out as planned, my business, personal and IoT devices will live in three seperate VLAN's, linked together with the APU2/OpenBSD bridge, all living in the same IP segment.

Then it is just a case of setting up proper packet filtering rules that will allow autodiscovery e.o. to work seamlessly all while blocking other unwanted and/or unplanned traffic.

Should be fun!

configure bridge

It is of course possible to use a single ethernetport and configure multiple VLAN on this port. But I want to make sure I could get a 1 Gbs transferrate between VLANs, so I will use multiple ports on the APU and a switch to connect the different VLANS. Getting the basic bridge running was easy using a nixCraft blogpost. So this is wat I have now:

ghost# ls -l /etc/hostname*
-rw-r-----  1 root  wheel  28 Jan 21 09:26 /etc/hostname.bridge0
-rw-r-----  1 root  wheel  29 Sep 27 20:02 /etc/hostname.em0
-rw-r-----  1 root  wheel  20 Jan 21 09:26 /etc/hostname.em1
-rw-r-----  1 root  wheel  21 Jan 21 09:26 /etc/hostname.em2
-rw-r-----  1 root  wheel  20 Jan 21 09:26 /etc/hostname.em3

with this contents:

ghost# cat /etc/hostname.bridge0
add em1
add em2
add em3
up
ghost# cat /etc/hostname.em1
up media autoselect
ghost# cat /etc/hostname.em2
up media autoselect
ghost# cat /etc/hostname.em3
up media autoselect

This config was activated by rebooting the device. The em0 device is not part of the bridge and will be used for management access. If I go full paranoia, I will disconnect em0 and just use the serial access if I need to change anything. The APU2 device has no working IP config on the bridge so accessing it should be pretty much impossible via that route.