OPNsense Forum

Archive => 22.7 Legacy Series => Topic started by: z0rk on January 16, 2023, 01:03:30 am

Title: Laptop & Managed Switch (TL-SG10) & VLANs
Post by: z0rk on January 16, 2023, 01:03:30 am
Hello,

I am running OPNsense 22.7.10_2-amd64 on a desktop with three NIC cards: WAN, LAN (192), and LAN02 (172). I have to abandon this setup and switch to a laptop.

I understand that instead of using USB Ethernet adapters it's better to set up VLANs with a managed switch (https://forum.opnsense.org/index.php?topic=9363.msg42382#msg42382) like the TP-Link TL-SG10 series.

Setting up VLANs on OPNsense itself seems straightforward enough. I've looked at screenshots of the TL-SG10 configuration interface and read up a bit on the topic of VLANs (https://www.theregister.com/2017/06/30/vlans_at_20/).

Traffic flow should be something like this I believe:
Internet > Modem > Switch port 1 (WAN) > Switch port 2 (LAN) & port 3 (LAN02)

This seems straightforward enough but for some reason I still struggle on how to get this to work. I was hoping that someone in particular who is familiar with TL-SG10s can help to get this fast tracked.

Thank you very much


Title: Re: Laptop & Managed Switch (TL-SG10) & VLANs
Post by: bartjsmit on January 16, 2023, 07:57:46 am
What is the model number of your TP-Link? Make sure it ends in 'E', such as the TL-SG108E. They have a few unmanaged switches in the same price range with similar model numbers.

On the SG108E, select VLAN, 802.1Q VLAN and create yours, e.g:

VLAN ID 555, VLAN Name WAN, under Untagged tick your WAN modem switch port 1 and under Tagged tick your OPNsense laptop port 2, click Add/Modify
VLAN ID 172, VLAN Name LAN02, under Untagged tick the devices/APs that have 172 addresses, click Add/Modify
VLAN ID 192, VLAN Name LAN, under Untagged tick the devices/APs that have 192 addresses, click Add/Modify

If you have a Multi-SSID AP you can add its port to multiple VLANs as Tagged.

Bart...
Title: Re: Laptop & Managed Switch (TL-SG10) & VLANs
Post by: Demusman on January 16, 2023, 12:13:04 pm
Post pics of the 802.1q and pvid pages in the switch and interfaces/vlans from the router.
Title: Re: Laptop & Managed Switch (TL-SG10) & VLANs
Post by: miroco on January 16, 2023, 12:50:38 pm
I found this video helpful.

Netgear GS108Ev3 Review and Setup
https://www.youtube.com/watch?v=VY6WPrMZjyk

Admittedly it covers a Netgear 8 port GS108Ev3 and not a TP-Link. Though I'm pretty convinced that TP-Link took more than a casual glance at the Netgear counterpart.

If you are about to buy a switch, don't just pick one with enough ports to satisfy your immediate use case. With VLANs this is especially true. I made this mistake myself by buying a 5 port Netgear GS105Ev2. You'll outgrow a switch faster than you think.
Title: Re: Laptop & Managed Switch (TL-SG10) & VLANs
Post by: z0rk on January 17, 2023, 03:22:49 am
What is the model number of your TP-Link? Make sure it ends in 'E', such as the TL-SG108E. They have a few unmanaged switches in the same price range with similar model numbers.

Yes, I meant the 'E' series. Thanks so much for this. I will get one of these and test it out. Again, thank you.
Title: Re: Laptop & Managed Switch (TL-SG10) & VLANs
Post by: z0rk on January 17, 2023, 03:27:07 am
I found this video helpful.

Netgear GS108Ev3 Review and Setup
https://www.youtube.com/watch?v=VY6WPrMZjyk

If you are about to buy a switch, don't just pick one with enough ports to satisfy your immediate use case. With VLANs this is especially true. I made this mistake myself by buying a 5 port Netgear GS105Ev2. You'll outgrow a switch faster than you think.

I'll be sure to check it out, miroco. A TP-Link 8-port switch is about as much as I can afford right now. Thanks for the heads-up though. Cheers
Title: Re: Laptop & Managed Switch (TL-SG10) & VLANs
Post by: z0rk on January 17, 2023, 03:29:23 am
Post pics of the 802.1q and pvid pages in the switch and interfaces/vlans from the router.

Will do once I get the switch. Thank you, Demusman.
Title: Re: Laptop & Managed Switch (TL-SG10) & VLANs
Post by: z0rk on January 24, 2023, 12:50:07 am
VLAN ID 555, VLAN Name WAN, under Untagged tick your WAN modem switch port 1 and under Tagged tick your OPNsense laptop port 2, click Add/Modify
VLAN ID 172, VLAN Name LAN02, under Untagged tick the devices/APs that have 172 addresses, click Add/Modify
VLAN ID 192, VLAN Name LAN, under Untagged tick the devices/APs that have 192 addresses, click Add/Modify

Hi Bart
I've purchased a TL-SG105E V5 and configured it.
I created three vlans to correspond with WAN, LAN (192) and LAN02 (172). They all use em0 as the parent interface which is the laptop ethernet port.
I then assigned each vlan (vlan01 - WAN, vlan02 - LAN, vlan03 - LAN02) to the pre-existing interfaces, ue0 (LAN), ue1 (LAN02) and em0 (WAN).
I connected modem > port 1, laptop ethernet port > port 2, 172 device > port 3, 192 device > port 4 on the switch.
When I rebooted opnsense DHCP didn't pick up the WAN.
When I connect my other laptop to port 4 to access opnsense at 192.168.1.1 it can't be reached.
Do you have any suggestions what to try next?
Thank you


Title: Re: Laptop & Managed Switch (TL-SG10) & VLANs
Post by: Demusman on January 24, 2023, 01:24:19 am
Not gonna work like that.
You need one trunk port that goes to the laptop.
Then you need access ports for the devices to connect to.

So port 1 will be the trunk in this example but you can use any.
Port 1 will have all 3 vlans tagged on it.
Port 2 will be WAN which connects to the modem. untag vlan555 on it.
Port 3 will be LAN, untag vlan192 on it.
Port 4 will be LAN2, untag vlan172 on it.

The trunk brings all vlans to the switch, then you can use them on the access ports.
Don't use vlan1 on any ports.
Go to Vlan PVID page in switch and set the pvids to the same as vlan, so port 1 leave at 1, port 2 pvid vlan555, port 3 pvid 192, port 4 pvid 172
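The port layout Bart and Demusman describe (one trunk carrying every VLAN tagged to the OPNsense laptop, one access port per VLAN with its PVID set to match, VLAN 1 with no member ports) can be checked on paper before touching the switch. The following is an added example, not code from the thread, from TP-Link or from OPNsense: a small Python model of 802.1Q forwarding on an Easy Smart style switch. It assumes the switch does ingress filtering (a frame arriving on a port that is not a member of its VLAN is dropped) and that the factory default is VLAN 1 untagged on every port with PVID 1; both are labelled in the code. Only flooded frames (broadcast/unknown unicast, e.g. a DHCP DISCOVER) are modelled, which is enough to see where the modem's and the laptop's traffic ends up, why a forgotten PVID silently drops the WAN, and why leaving the default VLAN 1 membership in place collapses WAN, LAN and LAN02 into one broadcast domain.

```python
# Added example (not from the forum thread, TP-Link or OPNsense): model of
# 802.1Q forwarding on a 5-port Easy Smart style switch, used to check the
# trunk/access layout from the thread: port 1 trunk (555/192/172 tagged) to
# the OPNsense laptop, port 2 modem (555 untagged), port 3 LAN (192 untagged),
# port 4 LAN02 (172 untagged). Assumptions: ingress filtering is enforced and
# the factory default is VLAN 1 untagged on all ports with PVID 1.
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Frame:
    ingress_port: int
    tag: Optional[int]  # 802.1Q VID on the wire, None = untagged


@dataclass
class Switch:
    tagged: Dict[int, Set[int]]    # VID -> ports where it leaves tagged
    untagged: Dict[int, Set[int]]  # VID -> ports where it leaves untagged
    pvid: Dict[int, int]           # port -> VID assigned to untagged ingress

    def members(self, vid: int) -> Set[int]:
        return self.tagged.get(vid, set()) | self.untagged.get(vid, set())

    def classify(self, frame: Frame) -> int:
        """Untagged ingress gets the port's PVID; tagged ingress keeps its VID."""
        return frame.tag if frame.tag is not None else self.pvid[frame.ingress_port]

    def flood(self, frame: Frame) -> Dict[int, Optional[int]]:
        """Egress ports for a flooded frame, mapped to the VID it leaves with
        (None = leaves untagged). Empty dict = frame goes nowhere."""
        vid = self.classify(frame)
        # Ingress filtering (assumed): drop if the ingress port is not a member
        if frame.ingress_port not in self.members(vid):
            return {}
        out: Dict[int, Optional[int]] = {}
        for p in self.tagged.get(vid, set()) - {frame.ingress_port}:
            out[p] = vid
        for p in self.untagged.get(vid, set()) - {frame.ingress_port}:
            out[p] = None
        return out


WAN, LAN, LAN02 = 555, 192, 172  # VIDs used in the thread
PORTS = range(1, 6)              # TL-SG105E: ports 1..5


def recommended() -> Switch:
    """Demusman's layout: trunk on 1, access ports 2-4, VLAN 1 has no members."""
    return Switch(
        tagged={WAN: {1}, LAN: {1}, LAN02: {1}},
        untagged={WAN: {2}, LAN: {3}, LAN02: {4}},
        pvid={1: 1, 2: WAN, 3: LAN, 4: LAN02, 5: 1},
    )


def pvid_forgotten() -> Switch:
    """Same memberships, but the PVID page was never touched (all still 1)."""
    sw = recommended()
    sw.pvid = {p: 1 for p in PORTS}
    return sw


def factory_default() -> Switch:
    """Assumed out-of-box state: VLAN 1 untagged everywhere, PVID 1 everywhere."""
    return Switch(tagged={}, untagged={1: set(PORTS)}, pvid={p: 1 for p in PORTS})


if __name__ == "__main__":
    sw = recommended()
    # Modem's DHCP traffic arrives untagged on port 2 -> leaves port 1 tagged 555
    print(sw.flood(Frame(2, None)))                 # {1: 555}
    # OPNsense LAN traffic tagged 192 on the trunk -> leaves port 3 untagged
    print(sw.flood(Frame(1, LAN)))                  # {3: None}
    # Untagged frame from the laptop lands in VLAN 1, which has no members
    print(sw.flood(Frame(1, None)))                 # {}
    # A device on the modem port sending tagged 192 is not a member -> dropped
    print(sw.flood(Frame(2, LAN)))                  # {}
    # PVID left at 1 on port 2: the modem's frames go nowhere, WAN never gets DHCP
    print(pvid_forgotten().flood(Frame(2, None)))   # {}
    # Factory default: one untagged frame reaches modem, LAN and LAN02 alike
    print(factory_default().flood(Frame(1, None)))  # {2: None, 3: None, 4: None, 5: None}
```

The two failure cases are the ones worth remembering: with the PVID page left at its default, the 802.1Q page looks correct but every untagged frame from the modem is classified into VLAN 1 and dropped, which looks exactly like "WAN doesn't pick up an IP"; with VLAN 1 still untagged on all ports, anything untagged from the OPNsense laptop is flooded to the modem and both LAN segments, so the switch no longer separates WAN from LAN at layer 2.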
Title: Re: Laptop & Managed Switch (TL-SG10) & VLANs
Post by: Demusman on January 24, 2023, 01:42:12 am
You're looking for this:
Title: Re: Laptop & Managed Switch (TL-SG10) & VLANs
Post by: z0rk on January 24, 2023, 02:41:13 am
Don't use vlan1 on any ports.

Ok, I think I got it.
What do you mean by 'Don't use vlan1 on any ports'. Do you mean vlan ID 1?

Thanks much, Demusman
Title: Re: Laptop & Managed Switch (TL-SG10) & VLANs
Post by: Demusman on January 24, 2023, 03:27:36 am
Yes, set vlan ID1 as not a member of any ports in the switch.
Just like the pic I posted.
Title: Re: Laptop & Managed Switch (TL-SG10) & VLANs
Post by: z0rk on January 25, 2023, 12:14:02 am
Yes, set vlan ID1 as not a member of any ports in the switch.
Just like the pic I posted.

Ok, that's what I figured.

I am close but still no cigar.
WAN, vlan01 (switch port 2) doesn't pick up an IP address.
I've temporarily set LAN, vlan02 to DHCP and connected switch port 3 to my internal network. The laptop ethernet port is connected to TRUNK (switch port 1). I am able to access the OPNsense web GUI so I know that this bit is working, presumably LAN02, vlan03 as well.
Maybe I need to make some changes to the WAN interface configuration? I've attached a screenshot of my interface assignments and the WAN config page.
Almost there I hope  :)
Title: Re: Laptop & Managed Switch (TL-SG10) & VLANs
Post by: Demusman on January 25, 2023, 12:44:52 am
Are you sure you should get a public address?
Not sure how your modem works, if you get a private address uncheck block private addresses.

A way to check the switch would be to set a static address on your wan.
Turn off the firewall. (ssh in and do pfctl -d, -e will reenable)
Plug a pc into port 2 on the switch with a static address in the same subnet as the wan and see if you can ping it.
Title: Re: Laptop & Managed Switch (TL-SG10) & VLANs
Post by: z0rk on January 25, 2023, 12:53:58 am
Are you sure you should get a public address?

The way I am currently set up in production is modem > NIC on desktop which is my WAN. WAN interface is set up with DHCP and it picks up a public address.

On the laptop WAN (vlan01) doesn't pick up any address 0.0.0.0/8 although it's configured for DHCP as well (see screenshots). I will do the testing as you suggested sometime tomorrow.

Thanks for all your help
Title: Re: Laptop & Managed Switch (TL-SG10) & VLANs
Post by: z0rk on January 27, 2023, 12:36:48 am
Plug a pc into port 2 on the switch with a static address in the same subnet as the wan and see if you can ping it.

I was able to ping it.
Then I switched WAN back to DHCP, left the firewall disabled, and plugged my modem in. It instantly picked up a public IP address from my ISP.
Title: Re: Laptop & Managed Switch (TL-SG10) & VLANs
Post by: Demusman on January 27, 2023, 01:47:16 am
Not sure about this but once you set the WAN back to dhcp, that probably enabled the firewall again.
You can check by running pfctl -e, it'll probably say it's already enabled. Again, not sure if that enables it but any change in rules does so that may also.

You didn't say what type of internet, if you have a cable modem you will have to power cycle it anytime you change the directly connected device.
I wonder if your dhcp lease expired before you plugged the laptop back in and that's why it worked now. If you get a public IP there shouldn't be anything blocking that in the firewall.

Obviously, if it isn't already, reenable pf and see what happens.
Title: Re: Laptop & Managed Switch (TL-SG10) & VLANs
Post by: z0rk on January 27, 2023, 03:13:10 am
Not sure about this but once you set the WAN back to dhcp, that probably enabled the firewall again.
You can check by running pfctl -e, it'll probably say it's already enabled. Again, not sure if that enables it but any change in rules does so that may also.

That would make sense as a best practice security measure. Also, after I switched back to DHCP I didn't power cycle the modem I only re-seated it back into port 2 and it picked up an IP immediately.

You didn't say what type of internet, if you have a cable modem you will have to power cycle it anytime you change the directly connected device.

It's a cable modem. Generally speaking I found this to be true, but not always, e.g. after I disconnected the modem from the switch I re-seated it back into my production OPNsense box and it picked up an IP without the need to power cycle.

I wonder if your dhcp lease expired before you plugged the laptop back in and that's why it worked now. If you get a public IP there shouldn't be anything blocking that in the firewall.
Obviously, if it isn't already, reenable pf and see what happens.

Possibly, I should have taken note of the IP. First I thought it was maybe related to a firewall rule as well, but I went over my WAN rules and they're identical to the rules of my production machine.
The next thing I'll try is to power cycle the modem and this time I will wait longer to see if it picks up an IP. Maybe I just didn't wait long enough.

Thanks!