OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: ghost on February 19, 2019, 06:46:09 am

Title: Lan port for VLAN trunk
Post by: ghost on February 19, 2019, 06:46:09 am
I use a Huawei switch with multiple VLANs: 1, 121, 122, 123, 124.
I want to set GB4 as a trunk port and link it to the LAN port (bge1) on OPNsense,
so that VLAN 1 and VLANs 121~124 can reach the internet.

I'm not sure how I should set this up in OPNsense.
Can anyone help me?

Thank you
Title: Re: Lan port for VLAN trunk
Post by: bartjsmit on February 19, 2019, 08:09:13 am
Interfaces, Other types, VLAN, Add. Set bge1 as the parent interface and configure tag and description to suit. Interfaces, Assignments, New interface. Pick the new vlan from the dropdown. This will add an interface starting with OPT. Click it, tick enable, and set the name and description to match the VLAN. Save your settings.

After that, set firewall rules, DHCP service, etc. on your new interfaces.

Bart...
Title: Re: Lan port for VLAN trunk
Post by: ghost on February 19, 2019, 10:43:32 am
I have set it up this way now,
but my client in VLAN 121 can't ping the OPNsense LAN IP.

I don't know how to fix it.

Thank you
Title: Re: Lan port for VLAN trunk
Post by: bartjsmit on February 19, 2019, 11:46:05 am
Did you create a rule to allow ICMP?

Everything starts off denied.

Bart...
Title: Re: Lan port for VLAN trunk
Post by: ghost on February 20, 2019, 04:10:20 am
I created the VLAN rule by copying the LAN config; I didn't see a LAN ICMP rule,
but my PC outside the VLAN can ping the OPNsense host LAN IP.

I tried to create an ICMP rule for the VLAN, but I still can't ping the OPN host LAN port from the VLAN,
and the OPN host can't detect the test client in the VLAN either...
Title: Re: Lan port for VLAN trunk
Post by: newsense on February 20, 2019, 05:35:38 am
It should be ICMP from the VLAN to "This Firewall".
Title: Re: Lan port for VLAN trunk
Post by: ghost on February 20, 2019, 08:21:27 am
I set a rule from "vlan121 net" to "This Firewall"; the test client on port 21 (VLAN 121) still can't ping the OPN host.
The OPN host can't ping the test client either.
But my work notebook on switch Ethernet port 1 (VLAN 1) can ping the OPN host without any ping rule.

I'm posting my switch and OPN config.
Title: Re: Lan port for VLAN trunk
Post by: newsense on February 20, 2019, 08:29:06 am
Well, you didn't mention any IP addressing scheme, which is where the likely problem is at this point.

"This Firewall" means the IP of the VLAN interface, so if your VLAN 121 has 10.1.121.0/24 and the interface is .1, then you'd ping 10.1.121.1.

Also your port 21 appears to be untagged...
Title: Re: Lan port for VLAN trunk
Post by: ghost on February 20, 2019, 09:40:49 am
All my IPs in the VLANs are in the same block/netmask as the LAN IP (192.168.1.x/24).
I use VLANs on the switch just for port isolation (e.g. a client in VLAN 121 can't connect to a client in VLAN 122...),
but all clients are 192.168.1.x/24, and the OPNsense LAN port IP is 192.168.1.7 (example), so...
how should I set it up so that every VLAN client can ping the OPN host LAN IP (192.168.1.7)?

And port 21 (VLAN 121) untagged mode was configured as Huawei switch access mode.
But I had tried it, and it can connect to another client in the same VLAN 121 on another switch (port 21/sw2).

I mean, if the OPN host LAN port is plugged into sw2 port 21 (also VLAN 121), and sw1 and sw2 are connected via GB3 (trunk port),
the OPN host and the test client in VLAN 121 can ping each other,
but if the OPN host LAN port is plugged into GB3 (sw1 trunk port), they can't see each other.
Title: Re: Lan port for VLAN trunk
Post by: newsense on February 20, 2019, 09:46:57 am
I would recheck the proper VLAN tagging on the ports, but that being said, this is not an OPNsense issue.
Title: Re: Lan port for VLAN trunk
Post by: ghost on February 21, 2019, 11:12:16 am
Maybe I should set up VLAN port isolation on the switch;
I will try that first.

Title: Re: Lan port for VLAN trunk
Post by: ghost on February 22, 2019, 11:05:44 am
Now I can isolate the VLAN ports on the switch and connect to the internet in NAT mode,
but I want to change to routing mode.

Internet -- OPN host -- Lan(VLAN121) -- Switch -- client in VLAN 121(public IP)

How should I fix my config?

Title: Re: Lan port for VLAN trunk
Post by: ghost on February 25, 2019, 07:53:27 am
I have configured a routing mode for the VLAN:
https://docs.opnsense.org/manual/how-tos/transparent_bridge.html
When creating the bridge, select VLAN and WAN (not LAN and WAN).

But an interface can only be in one bridge,
so if you have a lot of VLANs, then...
your OPN host must have enough interfaces to match your number of VLANs.

I don't know if I have missed anything I need to watch out for?
Title: Re: Lan port for VLAN trunk
Post by: bartjsmit on February 25, 2019, 08:04:56 am
You need to keep sight of the basics. To put it simply:

A firewall is a layer 3 device - it deals with IP addresses. A VLAN is a layer 2 construct - it deals with broadcast domains. If you want to firewall between layer 2 VLANs, you need to ensure that their layer 3 subnets do not overlap.

In your case you would set:

VLAN 121 subnet 192.168.121.0/24
VLAN 122 subnet 192.168.122.0/24
etc.

Bart...
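As an added illustration (not code from the thread or from OPNsense), a small Python check of the addressing rule Bart states: each VLAN interface on the firewall needs its own non-overlapping layer 3 subnet, and "This Firewall" on a VLAN rule means that VLAN interface's own address. The two plans below are constructed: the flat 192.168.1.0/24 scheme described earlier in the thread, and Bart's one-/24-per-VLAN proposal.

```python
import ipaddress
from itertools import combinations


def vlan_subnet(vlan_id):
    """Bart's scheme: VLAN n gets 192.168.n.0/24 (only fits 1 <= n <= 254)."""
    if not 1 <= vlan_id <= 254:
        raise ValueError(f"VLAN {vlan_id} does not fit the 192.168.<vlan>.0/24 scheme")
    return f"192.168.{vlan_id}.0/24"


def firewall_address(subnet):
    """'This Firewall' on a VLAN rule resolves to that VLAN interface's IP;
    here we assume the first host of the subnet (.1), as in newsense's example."""
    return str(next(ipaddress.ip_network(subnet).hosts()))


def overlapping_vlans(plan):
    """Return sorted (vlan_a, vlan_b) pairs whose subnets overlap.
    Any entry here means the firewall cannot route/filter between those VLANs."""
    nets = {v: ipaddress.ip_network(s) for v, s in plan.items()}
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))


def client_can_reach_firewall(client_ip, vlan_id, plan):
    """A client only reaches 'This Firewall' on its own VLAN interface if its
    address lies inside that VLAN's subnet (no gateway in between)."""
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(plan[vlan_id])


# Constructed: the thread's situation, every VLAN sharing the LAN's 192.168.1.0/24.
FLAT_PLAN = {v: "192.168.1.0/24" for v in (1, 121, 122, 123, 124)}
# Constructed: Bart's proposal, one /24 per VLAN.
ROUTED_PLAN = {v: vlan_subnet(v) for v in (1, 121, 122, 123, 124)}

if __name__ == "__main__":
    print("flat plan overlaps:", overlapping_vlans(FLAT_PLAN))      # ten pairs
    print("routed plan overlaps:", overlapping_vlans(ROUTED_PLAN))  # []
    for v, s in ROUTED_PLAN.items():
        print(f"VLAN {v}: subnet {s}, 'This Firewall' = {firewall_address(s)}")
    # A client still addressed 192.168.1.x on VLAN 121 cannot reach its VLAN interface.
    print(client_can_reach_firewall("192.168.1.50", 121, ROUTED_PLAN))    # False
    print(client_can_reach_firewall("192.168.121.50", 121, ROUTED_PLAN))  # True
```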
Title: Re: Lan port for VLAN trunk
Post by: newsense on February 25, 2019, 08:06:45 am
Quote
I have configured a routing mode for the VLAN:
https://docs.opnsense.org/manual/how-tos/transparent_bridge.html
When creating the bridge, select VLAN and WAN (not LAN and WAN).

But an interface can only be in one bridge,
so if you have a lot of VLANs, then...
your OPN host must have enough interfaces to match your number of VLANs.

I don't know if I have missed anything I need to watch out for?
You've lost the firewall and barely made up a switch - if that...

Blindly following tutorials when you don't actually understand networking and/or security implications of your decisions is a recipe for disaster.

Title: Re: Lan port for VLAN trunk
Post by: ghost on February 25, 2019, 09:02:20 am
Yes, I haven't configured the firewall rules yet;
I just want to make sure the routing mode can work first.

But after testing for a little while, it breaks its connection after several minutes,
then connects again after a little time.
I don't know if it is a problem with my configuration.