Archive > 21.1 Legacy Series

Bridge with VLAN devices behaves weird


KoS:
Hi

I have an Alix APU with 3 ports.

* One port is for WAN
* One port is connected to a Switch where I have multiple VLANs, but where I can also have untagged traffic on it.
* One port should be bridged into one of the VLANs

To make the setup more flexible, I have bridged all VLANs and am assigning IP addresses only to the bridge interfaces.

So the current configuration looks like this:

--- Code: ---
igb0
igb1 -> LAN
 igb1_untag
 igb1_vlan2
 igb1_vlan3
 igb1_vlan4
 igb1_vlan5
 igb1_vlan6
igb2 -> WAN

bridge0 = OpenVPN_Server_1, igb0, igb1_vlan3
bridge1 = igb1_vlan4
bridge2 = igb1_vlan2
bridge3 = igb1_vlan5
bridge4 = igb1_vlan6
bridge5 = OpenVPN_Server_2, igb1_untag

--- End code ---

I have a DHCP server on each of the bridge interfaces. If I connect a device at the switch on a port of e.g. VLAN2, I can successfully receive an IP address via DHCP. But I can neither ping the router, nor do I see any traffic coming in on that bridge interface (tcpdump). Neither can I get any traffic out from the router on that bridge. I have checked the firewall rules, but as I don't even see that the packets would get blocked, it seems the problem must be somewhere else. Is my setup with the bridge & VLANs wrong? Should I do it some other way to get to my desired result? Any idea where I should start debugging?

If I connect a device on an "untagged" port of the switch, I end up successfully on bridge5 and can access the router & the internet.

FYI, the OpenVPN_Server_1 and 2 are in TAP mode, as I need to have the full traffic (including broadcast) via the VPN.

KoS:
I found the root cause of my problem: There is a limitation in OPNsense/FreeBSD that you cannot use a physical network interface with VLAN interfaces AND an untagged interface in bridges.
As I had a similar setup previously running on Linux, I didn't expect this to be a problem/limitation.

see e.g. here: https://redmine.pfsense.org/issues/11139

FYI: I have all "management" traffic untagged on the switches and all "data" traffic in different VLANs. E.g. Ubiquiti UniFi access points always have the "management" traffic untagged and cannot be forced to use another VLAN. -> Even if it were possible to change the management traffic to a tagged VLAN, it would not be possible to just plug in a new access point out of the box and have it configure itself automatically by connecting to the UniFi controller, as you would first need to configure it manually.
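
As an added example that is not part of KoS's post and not code from OPNsense or FreeBSD: a small Python audit script that parses FreeBSD-style `ifconfig` output and flags exactly the combination described above, a physical NIC that sits in a bridge untagged (as the parent device itself) while one or more of its VLAN children are also bridge members. The sample dump is constructed to mirror the listing in the first post; it assumes that `igb1_untag` is the raw parent device `igb1` and that the two TAP-mode OpenVPN servers appear as `ovpns1` and `ovpns2`. The check is general: it reports every parent NIC on the box that appears in both roles, not only `igb1`.

```python
"""Audit an ifconfig dump for a NIC that is bridged both untagged and via VLANs.

Added example, not code from the thread or from OPNsense. The rule checked
is the one KoS reports: a physical interface must not be a bridge member
untagged while its VLAN child interfaces are bridge members too.
"""
import re
import sys

# Constructed sample modelled on KoS's listing. Assumptions: "igb1_untag" is
# the raw parent device igb1, and the TAP-mode OpenVPN servers are ovpns1 and
# ovpns2. An "ifmaxaddr" line is included to show the parser skips it.
SAMPLE_IFCONFIG = """\
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
igb1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
igb2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
igb1_vlan2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        vlan: 2 vlanproto: 802.1q vlanpcp: 0 parent interface: igb1
igb1_vlan3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        vlan: 3 vlanproto: 802.1q vlanpcp: 0 parent interface: igb1
igb1_vlan4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        vlan: 4 vlanproto: 802.1q vlanpcp: 0 parent interface: igb1
igb1_vlan5: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        vlan: 5 vlanproto: 802.1q vlanpcp: 0 parent interface: igb1
igb1_vlan6: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        vlan: 6 vlanproto: 802.1q vlanpcp: 0 parent interface: igb1
ovpns1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
ovpns2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: ovpns1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 9 priority 128 path cost 2000000
        member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: igb1_vlan3 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
bridge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: igb1_vlan4 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
bridge2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: igb1_vlan2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
bridge3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: igb1_vlan5 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
bridge4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: igb1_vlan6 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
bridge5: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: ovpns2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: igb1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
"""


def parse_ifconfig(text):
    """Return (vlan_parent, bridge_members).

    vlan_parent maps each VLAN device to its parent NIC; bridge_members maps
    each bridge to the ordered list of its member devices. Any other line
    (ether, ifmaxaddr, inet, ...) is ignored.
    """
    vlan_parent = {}
    bridge_members = {}
    current = None
    for line in text.splitlines():
        header = re.match(r"^(\S+): flags=", line)
        if header:                     # a new interface stanza starts
            current = header.group(1)
            continue
        if current is None:
            continue
        parent = re.search(r"\bparent interface: (\S+)", line)
        if parent:
            vlan_parent[current] = parent.group(1)
            continue
        member = re.match(r"^\s+member: (\S+)", line)
        if member:
            bridge_members.setdefault(current, []).append(member.group(1))
    return vlan_parent, bridge_members


def find_mixed_parents(vlan_parent, bridge_members):
    """Map each offending parent NIC to where it is bridged untagged and
    which of its VLAN children are bridged (and in which bridge)."""
    untagged = {}   # nic -> set of bridges holding the NIC itself
    tagged = {}     # nic -> {vlan device: bridge}
    for bridge, members in bridge_members.items():
        for dev in members:
            if dev in vlan_parent:
                tagged.setdefault(vlan_parent[dev], {})[dev] = bridge
            else:
                untagged.setdefault(dev, set()).add(bridge)
    findings = {}
    for nic in sorted(set(untagged) & set(tagged)):
        findings[nic] = {
            "untagged_in": sorted(untagged[nic]),
            "tagged_via": dict(sorted(tagged[nic].items())),
        }
    return findings


def audit(text):
    """Parse an ifconfig dump and return the findings dict."""
    return find_mixed_parents(*parse_ifconfig(text))


if __name__ == "__main__":
    # Pass "-" to read a live dump from stdin (ifconfig | python3 this.py -).
    dump = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_IFCONFIG
    for nic, info in audit(dump).items():
        print(f"{nic}: untagged in {info['untagged_in']}, "
              f"VLAN children bridged via {info['tagged_via']}")
```

Run against the constructed sample it reports only `igb1`: untagged in `bridge5` while `igb1_vlan2` to `igb1_vlan6` sit in `bridge0` to `bridge4`. `igb0` is bridged untagged but has no VLAN children, and the `ovpns*` devices are not VLAN parents, so neither is flagged. On a real box, pipe `ifconfig` output in with `-`.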

Mark Rose:
Thank you for this!

I've spent countless hours trying to figure out why my VLANs had no access.

I'm also running Unifi APs. I also have an untagged bridge and several tagged bridges over the same interfaces.

It would be nice if the OPNsense interface at least warned that this configuration is unsupported.

Patrick M. Hausen:
@KoS can't you run the management VLAN tagged on the trunk port to OPNsense and untagged for all other ports, specifically the ones connected to your APs?

On all switches I know the so called "native VLAN" is a per port setting.

KoS:
@pmhausen
Sure, this is possible, and it is what I have to do for new installations where I want to use OPNsense.
This makes the setup less transparent, as not all trunk ports on the switch can be configured the same way. In the end it is ONLY the trunk port for OPNsense that needs to be configured differently, as the trunk ports for uplinks to other switches or APs can all be configured the same way. -> And on existing installations I cannot just replace the existing router box (running Voyage Linux on the Alix APU boards), as I first need to re-configure the port on the switch.
