
VLAN/Multiple OPNsense LAN Ports Question


bimbar:
I do agree, mixing tagged and untagged on one port is usually possible, but mostly not best practice.

Hence no need to document that specifically for opnsense, since most network equipment is capable of it, it's just not the done thing in professional circles.

So, for example, Cisco distinguishes that very clearly, and kind of disincentivizes it in their switches, where there is:
- switchport mode access - switchport access vlan xxx, so that's untagged only on a specific vlan
- switchport mode trunk - switchport trunk allowed vlan xxx,yyy,zzz,..., and that's tagged with a vlan filter, and there's a native vlan, usually 1, and vlan 1 is just not used as a productive vlan.

On the other hand, more consumer oriented switches like Netgear don't make that clear at all. I just checked a Netgear switch I own, and I can just merrily tag and untag different vlans in any combination on the same port, even multiple untagged vlans. I wonder why they permit such a silly thing.

guest30640:

--- Quote from: pmhausen on October 14, 2021, 03:44:21 pm ---If you have an interface, e.g. "igb2", then the untagged VLAN - no matter the number within your larger infrastructure - on that port is simply that: the igb2 interface.

In FreeBSD for every tagged VLAN you create an additional VLAN interface, name it e.g. "vlan27" and set tag 27 and parent interface igb2. That's all there is to it. So you need to create a "vlan1" interface and set the tag to "1" to run it tagged.

If the other end is e.g. a Cisco switch with

--- Code: ---switchport mode trunk
switchport trunk native VLAN 200
--- End code ---
then everything that is VLAN 200 somewhere in the rest of your network will arrive untagged and hence on the "igb2" interface on your OPNsense.

So the "don't mix tagged and untagged" advice in the case of OPNsense boils down to: "don't use the 'naked' parent interface for anything on a trunk port, use only the VLANs".

In all my data centers I create a "native-dummy" VLAN that does not carry any traffic, does not contain a single access port, and assign that as native VLAN on all trunks. This way anything a customer might throw into a trunk port untagged does end up in the bit bucket and not somewhere in my management plane or other customers' VLANs.

Did that make it more clear? HTH,
Patrick

--- End quote ---

Yes it does, thank you very much Patrick. I'll go away and correct my config.
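As an added example (not posted by anyone in this thread), here is what the switch side of Patrick's "native-dummy" practice looks like on a Cisco IOS trunk facing an OPNsense box. The VLAN IDs 999 (dummy), 27 and 200, and the port GigabitEthernet1/0/1, are assumptions chosen for illustration; on the OPNsense side, only "vlan27" and "vlan200" interfaces with parent igb2 would be used, never the bare igb2.

```cisco
! Dummy native VLAN: exists only so that untagged frames have a harmless home.
! It is deliberately assigned to no access port and carries no SVI/IP.
vlan 999
 name NATIVE-DUMMY
!
! Production VLANs that OPNsense terminates as tagged vlan27 / vlan200 on igb2.
vlan 27
 name SERVERS
vlan 200
 name CLIENTS
!
interface GigabitEthernet1/0/1
 description trunk to OPNsense igb2 (tagged only)
 ! "switchport trunk encapsulation dot1q" is additionally needed on older
 ! platforms that still offer ISL.
 switchport mode trunk
 ! Untagged ingress lands in VLAN 999, which leads nowhere.
 switchport trunk native vlan 999
 ! Allow only the tagged production VLANs; 999 is intentionally NOT listed,
 ! so the dummy VLAN is never forwarded out of this port either.
 switchport trunk allowed vlan 27,200
 ! Trunk ports should not negotiate; disable DTP towards the firewall.
 switchport nonegotiate
!
```

With this in place, VLAN 1 is neither native nor allowed on the trunk, so a host or guest that injects untagged frames into the OPNsense-facing port cannot reach the management plane or another tenant's VLAN.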
