OPNsense Forum
Archive => 21.1 Legacy Series => Topic started by: PWCDC on March 24, 2021, 12:40:55 am
-
Hello,
I have some questions about how OPNsense handles VLANs.
In the following example, I have a quad port device running OPNsense.
igb0 is WAN.
igb1 is trunk for all VLANS.
Let's assume the following VLANs are configured:
VLAN 100 - Management - Parent: igb1
VLAN 200 - Workstations - Parent: igb1
VLAN 300 - IoT Stuff - Parent: igb1
- In this example, how can I select which VLAN is native to the trunk port (if someone physically plugs into the port)? This is a theoretical question, since I would likely have a managed switch which would tag all packets on the trunk anyway, but I don't see an option for it in OPNsense. Ideally, it would be the management LAN.
- Is there a way to ensure all packets traveling to the trunk port (igb1) are tagged? Or at least a way to configure OPNsense to react as though all untagged packets are in a particular VLAN? I assume this would be related to the question above.
- Is there a way to configure the additional physical ports (igb2, igb3, etc.) as access ports for VLANs defined above, which already have their parent port assigned to igb1? I don't see an option for this.
Thanks in advance.
-
OPNsense is not a switch, so you shouldn't think in switch terms here.
- VLANs are always tagged. Untagged frames are handled by the parent. If you want the management LAN to be untagged, assign it to igb1 directly and don't create VLAN 100 at all.
- If you don't assign igb1, inbound untagged frames will be ignored and no untagged frames will be sent.
- You can e.g. create a bridge between VLAN 200 on igb1 and the igb2 parent. Since parents are always untagged, igb2 will then behave like an access port for VLAN 200. Bridges have performance limitations though, so you should only do this if you are low on switch ports.
Cheers
Maurice
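To make the three rules in the reply above concrete (tagged frames go to the VLAN child, untagged frames go to the parent and are ignored if the parent is unassigned, and a bridge between a VLAN child and a second parent turns that parent into an access port), here is a small Python model of the frame flow. It is an added illustration, not OPNsense or FreeBSD code; the `Host`, `Frame` and `build_thread_topology` names are hypothetical, and the topology it builds is the one from the thread with management left untagged on igb1 instead of VLAN 100.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Frame:
    """An Ethernet frame as seen on the wire of one physical port."""
    port: str             # physical interface the frame arrives on or leaves from
    vlan: Optional[int]   # 802.1Q tag; None means untagged
    payload: str


class Host:
    """Toy model of VLAN child, parent and bridge handling on an OPNsense host."""

    def __init__(self):
        self.vlans = {}        # (parent, tag) -> VLAN child interface name
        self.parents = {}      # VLAN child -> (parent, tag)
        self.assigned = set()  # interfaces that carry an OPNsense assignment (L3 config)
        self.bridges = {}      # bridge name -> frozenset of member interfaces

    def add_vlan(self, name, parent, tag):
        self.vlans[(parent, tag)] = name
        self.parents[name] = (parent, tag)

    def assign(self, iface):
        self.assigned.add(iface)

    def add_bridge(self, name, members):
        self.bridges[name] = frozenset(members)
        self.assigned.add(name)  # the bridge, not its members, gets the assignment

    def classify(self, frame):
        """Logical interface that receives an inbound frame, or None for an unknown tag."""
        if frame.vlan is None:
            return frame.port                                # untagged -> parent
        return self.vlans.get((frame.port, frame.vlan))      # tagged -> VLAN child

    def egress(self, logical, payload):
        """Wire frame produced when a logical interface transmits."""
        if logical in self.parents:
            parent, tag = self.parents[logical]
            return Frame(parent, tag, payload)               # VLAN child always tags
        return Frame(logical, None, payload)                 # parent always sends untagged

    def receive(self, frame):
        """Return ('local', iface), ('forwarded', [frames]) or ('dropped', reason)."""
        logical = self.classify(frame)
        if logical is None:
            return ("dropped", "no VLAN interface for tag %s on %s" % (frame.vlan, frame.port))
        for members in self.bridges.values():
            if logical in members:
                # bridge member: relay to the other members, re-tagging per egress type
                return ("forwarded", [self.egress(m, frame.payload) for m in members if m != logical])
        if logical in self.assigned:
            return ("local", logical)
        return ("dropped", "%s is not assigned, untagged traffic is ignored" % logical)


def build_thread_topology(assign_parent=True):
    """Constructed topology from the thread: igb1 trunk, igb2 as VLAN 200 access port."""
    h = Host()
    h.add_vlan("vlan200", "igb1", 200)   # Workstations
    h.add_vlan("vlan300", "igb1", 300)   # IoT
    h.assign("vlan300")
    if assign_parent:
        h.assign("igb1")                 # management rides untagged on the parent
    h.add_bridge("bridge0", ["vlan200", "igb2"])  # igb2 behaves like an access port
    return h


if __name__ == "__main__":
    h = build_thread_topology()
    for f in (Frame("igb1", None, "mgmt"), Frame("igb1", 300, "iot"),
              Frame("igb1", 999, "stray"), Frame("igb2", None, "pc")):
        print(f, "->", h.receive(f))
```

Running it shows an untagged frame on igb1 landing on the management (parent) interface, a tag-300 frame landing on vlan300, an unknown tag being dropped, and an untagged frame on igb2 leaving igb1 tagged 200. Building the topology with `assign_parent=False` reproduces the second point of the reply: the untagged frame on igb1 is then ignored.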
-
Since you do have 4 ports available, why bother with VLANs for firewall management at all? Just give it one port for firewall management only, isolate it and be done with it. I would say this is the most secure option.