OPNsense Forum

Archive => 22.1 Legacy Series => Topic started by: L4ngel0t on April 27, 2022, 03:45:34 PM

Title: VLAN and DHCP not working
Post by: L4ngel0t on April 27, 2022, 03:45:34 PM
Hello,

I'm running a minipc as a router/firewall with OPNsense 22.1.2_2-amd64.

At the moment, I just would like something like this:

OPNSense mini PC <---> igb2_vlan80 : Host1 (VLAN 80)
                           <---> igb3_vlan20 (VLAN 20)
                                                 

At the moment, I'm only able to get DHCP working on the I_LABO physical interface (igb2). It's working well, my host gets the 192.168.80.2 IP and is able to ping the minipc.

When I assign the igb2_vlan80 to the I_LABO interface, DHCP doesn't work anymore. The host doesn't get any IPv4 (only 169.254.x.y).
I created a VLAN like this : parent interface = igb2, tag = 80 and pcp = 0.
This vlan is assigned to the I_LABO interface, activated with Static IP 192.168.80.1/24.
DHCP is enabled for this interface from 192.168.80.2 to 192.168.80.254.

IDS and VLAN HW filtering are disabled.

I don't understand what is missing to get DHCP working with the igb2_vlan80 interface?
Could you help me please ?


Edit: should I configure something related to VLAN on the hosts? I test with W10 and Raspberry Pi 4.
Title: Re: VLAN and DHCP not working
Post by: L4ngel0t on April 27, 2022, 08:22:43 PM
Should I have the igb2 interface assigned and active? With static IPv4? With active DHCP?
I think that's not necessary, right ?
Title: Re: VLAN and DHCP not working
Post by: EdwinKM on April 27, 2022, 08:58:45 PM
I am not sure if I understand. Also you create VLANs on multiple physical interfaces. This is possible, but is this what you want/need? Are you connecting multiple switches to your router? To recap, usually you do:

interface LAN -> on physical interface igb2 -> with dhcp, like 192.168.1.1
virtual interface VLAN80 -> on physical interface igb2 (the name will be igb2_vlan80) -> with dhcp, like 192.168.80.1

So, for each (virtual) interface you have to:
* add a static ipv4 IP (gateway)
* DHCP (with range)
* firewall rule(s)

Hope it helps
Title: Re: VLAN and DHCP not working
Post by: Patrick M. Hausen on April 27, 2022, 09:11:39 PM
With the 22.1 release to use VLANs you need to assign the physical parent interface to a dummy entry and enable that. No IP address or services, though. Just enable.
Title: Re: VLAN and DHCP not working
Post by: L4ngel0t on April 28, 2022, 03:08:28 PM
Thanks for your help :)

To clarify my goal: I'm thinking about this final configuration:

Modem <---> OPNsense MiniPC <---> igb0 : trunk to Netgear R7800 as Wifi AP + switch <---> eth1 : VLAN 20
                                               <---> igb1 : VLAN 50                                                   <---> eth2 : VLAN 80   
                                               <---> igb2 : VLAN 80                                                   <---> eth3 : VLAN 30
                                               <---> igb3 : VLAN 20                                                   <---> wlan0 : VLAN 20
                                                                                                                                  <---> wlan1.0 : VLAN 30
                                                                                                                                  <---> wlan1.1 : VLAN 80

At the moment, I'm just trying to get DHCP working on a VLAN interface.

When I activate the physical interface, with no static IP + no DHCP, the VLAN interface + DHCP don't work.
When I activate the physical interface, with static IP 192.168.30.1 & DHCP, and when I activate the VLAN interface with static IP 192.168.80.1 & DHCP, the host gets an IP from the physical interface DHCP (192.168.30.10).
I disabled DHCP on the physical interface but I guess the lease is still working and the host still has the 192.168.30.10 IP.

Perhaps I misunderstand how VLANs work?
Title: Re: VLAN and DHCP not working
Post by: EdwinKM on April 28, 2022, 04:34:29 PM
You use VLANs if you want multiple subnets on 1 physical interface (and 1 cable).
Also, your Netgear is probably a "stupid" switch and not VLAN aware. And the AP part usually also does not support VLANs. You need a real Access Point or custom firmware (OpenWrt).

Try to determine your usual huge traffic flows. You do not want to pass all traffic through the router. (routing is "expensive"). You want to let the switch pass the traffic to the targets. But you can have a valid use case for your design.

Maybe this helps: https://www.youtube.com/watch?v=b2w1Ywt081o
It is for pfSense and a UniFi switch but the principles are the same.

So, if you really need the interfaces on the minipc side, start with this. Connect systems and look if you get a valid IP.
After that you configure your MANAGED switch with the correct VLANs.
Title: Re: VLAN and DHCP not working
Post by: L4ngel0t on April 28, 2022, 07:00:13 PM
OK thx.

I would like to isolate 4 kinds of devices: some computers, 1 webserver, domotics/IoT and some stuff to learn/experiment.

So, is it useless to tag VLAN 50 on igb2 to isolate the webserver from other hosts? Only firewall rules to do the job?

The R7800 firmware is a dd-wrt version, and supports vlans in theory.

To optimise the bandwidth, I would like to have the webserver and my main computer directly connected to the mini-pc.

Do I need to tag the igb3 interface with tag 20 to have the computer in the same network as the eth1 and wlan0 interfaces?
Title: Re: VLAN and DHCP not working
Post by: EdwinKM on April 28, 2022, 08:08:30 PM
What I mean: try to add devices which communicate with each other on the same subnet to the same "switch". It is fine to connect your main machine to the router directly. But, if you then want to regularly connect to a NAS on another subnet then it has to route. But if you connect your main system AND your NAS to a switch this traffic will never reach the router. This is just for optimization.



If I understand your drawing correctly, you have devices directly on the minipc (like VLAN 80 and 20) but ALSO connected to your wireless side.
AFAIK this is not even possible. It is a different physical interface so you need to "route" (to your trunk). But maybe I am wrong :)

The easiest is:

WAN -> MiniPC -> LAN
              -> A dedicated interface for your isolated webserver (VLAN not needed, but has its own subnet)
             

Connect this LAN to a MANAGED SWITCH.
OPNsense: create the virtual VLANs (IOT, GUEST) and use the same physical LAN interface.

Create the same (guest/iot) VLANs on the Wifi AP.
Assign the correct vlans to your managed switch ports.


I can not really help with dd-wrt/OpenWrt. I found it much easier with my TP-Link EAP-245 and Netgear GS108Ev3. Those projects contain a lot of "router" parts which you do not need. So, for the Wifi AP you only have to create an SSID, passphrase and enter a VLAN number.

A good drawing can help: which devices are on what network, how many network wires and floors.
Draw all the switch ports. Describe what (and if) VLANs are assigned for each port.
It is still on my todo list for my setup :)

Title: Re: VLAN and DHCP not working
Post by: L4ngel0t on May 20, 2022, 02:23:49 PM
Hello,

Thank you again for your help. I come back, trying to understand what the problem is.

Should this configuration work ?
Opnsense 22.1.2 with 2 physical interfaces :
- igb0 : LAN, 192.168.50.1/24, DHCP activated on 192.168.50.10-192.168.50.100
- igb1 : TEST, activated, no static ip defined, no DHCP service activated
- igb1_vlan15 : VLAN_TEST, 192.168.15.1/24, DHCP activated on 192.168.15.10-192.168.15.100
Disable hardware checksum offload
Disable hardware TCP segmentation offload
Disable hardware large receive offload
Disable filtering HW
Intrusion Detection is disabled

At the moment, my computer gets an IP from DHCP only when connected to igb0. No IP when connected to igb1.

Is this igb1_vlan15 configuration equivalent to an untagged port?

Edit: could it be a hardware problem?

Title: Re: VLAN and DHCP not working
Post by: Patrick M. Hausen on May 20, 2022, 02:36:54 PM
No, this is a tagged port. You need to connect igb1 to a VLAN capable switch, configure the switch port as "trunk" and plug your computer into a switch port that is configured as "access" with assigned VLAN 15.

Computers (in the regular case) don't participate in this VLAN tagging stuff. Tagged ports exist to connect a firewall or a hypervisor host to a switch and transport multiple VIRTUAL LANs over that single port. All computers are then plugged into the switch.

Like this:
                                                                     
    Uplink                                                           
                                                                     
       ▲                                                             
       │                                                             
       │                                                             
       │                                                             
       │                                                             
       │                                                             
       │                                                             
┌─────────────┐                                                     
│             │                                                     
│    Modem    │                                                     
│             │                                                     
└─────────────┘                                                     
       │                                                             
       │                                                             
       │                                                             
┌─────────────┐                      ┌──────────────────────────┐   
│             │      Trunk Port      │                          │   
│   OPNsense  │──────────────────────│   VLAN capable switch    │   
│             │  VLANs 1, 2, 3, ...  │                          │   
└─────────────┘                      └───┬─────────┬─────────┬──┘   
                                         │VLAN 1   │VLAN 2   │ VLAN 3
                                         │         │         │       
                                         │         │         │       
                                         │         │         │       
                                         │         │         │       
                                     ┌──────┐  ┌──────┐  ┌──────┐   
                                     │      │  │      │  │      │   
                                     │  PC  │  │  PC  │  │  PC  │   
                                     │      │  │      │  │      │   
                                     └──────┘  └──────┘  └──────┘   


Or replace "Switch" with "Hypervisor Host" and "PC" with "VM" and you get the same picture in a virtualised environment.

HTH,
Patrick
Title: Re: VLAN and DHCP not working
Post by: L4ngel0t on May 20, 2022, 03:04:28 PM
Thank you so much, I think it's OK about the "trunk" link.

But, is it not possible to have an "access" port on my OPNsense?

Something like this:


                                                                     
    Uplink                                                           
                                                                     
       ▲                                                             
       │                                                             
       │                                                             
       │                                                             
       │                                                             
       │                                                             
       │                                                             
┌─────────────┐                                                     
│             │                                                     
│    Modem    │                                                     
│             │                                                     
└─────────────┘                                                     
       │                                                             
       │                                                             
       │                                                             
┌─────────────┐                      ┌──────────────────────────┐   
│             │      Trunk Port      │                          │   
│   OPNsense  │──────────────────────│   VLAN capable switch    │   
│             │  VLANs 1, 2, 3, ...  │                          │   
└─────────────┘                      └───┬─────────┬─────────┬──┘   
         | VLAN3                         │VLAN 1   │VLAN 2   │ VLAN 3
         |                               │         │         │       
         |                               │         │         │       
         |                               │         │         │       
     ┌──────┐                            │         │         │       
     |      |                         ┌──────┐  ┌──────┐  ┌──────┐   
     | P C  |                         │      │  │      │  │      │   
     |      |                         │  PC  │  │  PC  │  │  PC  │   
     |      |                         │      │  │      │  │      │   
     └──────┘                         └──────┘  └──────┘  └──────┘   



Title: Re: VLAN and DHCP not working
Post by: Patrick M. Hausen on May 20, 2022, 03:13:03 PM
In that case you need to create a bridge interface (a virtual switch) on your OPNsense that has the igb1_vlanX and e.g. igb2 as member interfaces. OPNsense is not a switch but a router so it does not have any "internal" idea of VLANs and access ports. The VLAN interface is more like a subinterface in traditional Cisco IOS speak.

If you create a bridge, you must assign the IP address to the bridge interface, neither the VLAN nor the physical port. This is important. And you cannot create VLANs as subinterfaces of the bridge IF. Always go

physical or lagg --> VLAN --> bridge

And with the IP address of course goes the assignment of the logical firewall interface.

HTH,
Patrick
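A small model of what Patrick describes in his two answers, as an added example that is not OPNsense or FreeBSD code: an 802.1Q frame parser, a VLAN subinterface that only sees frames carrying its own tag (which is why a PC cabled straight into igb1 never gets a DHCP offer from igb1_vlan15), and a bridge that joins an untagged member (igb2) with a VLAN member (igb1_vlan3) so the physical port behaves like an access port. Interface names come from the thread; the MAC address and the "DHCPDISCOVER" payload are constructed stand-ins for real traffic.

```python
"""802.1Q tagging as seen by a VLAN subinterface and by a bridge (added example)."""
import struct

ETHERTYPE_8021Q = 0x8100   # TPID that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
BROADCAST = b"\xff" * 6
PC_MAC = bytes.fromhex("0200000000aa")   # constructed, locally administered MAC
DISCOVER = b"DHCPDISCOVER"               # constructed stand-in for the BOOTP/UDP payload


def build_frame(dst, src, payload, vid=None, pcp=0, ethertype=ETHERTYPE_IPV4):
    """Build an Ethernet frame; with vid set, insert an 802.1Q tag after the MACs."""
    frame = dst + src
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)          # PCP(3) | DEI(1) | VID(12)
        frame += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vid or None, ethertype, payload) for one frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, offset = None, 14
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, offset = tci & 0x0FFF, 18
    return dst, src, vid, ethertype, frame[offset:]


class VlanInterface:
    """A tagged subinterface such as igb1_vlan15 on parent igb1."""

    def __init__(self, name, vid):
        self.name, self.vid = name, vid

    def ingress(self, wire_frame):
        """Frame arriving on the parent: accept only our VID, hand it up untagged."""
        dst, src, vid, ethertype, payload = parse_frame(wire_frame)
        if vid != self.vid:
            return None   # untagged frames (vid None) or other VIDs never reach us
        return build_frame(dst, src, payload, ethertype=ethertype)

    def egress(self, frame):
        """Frame leaving through us: add our tag before it hits the parent wire."""
        dst, src, vid, ethertype, payload = parse_frame(frame)
        assert vid is None, "double tagging is not modelled"
        return build_frame(dst, src, payload, vid=self.vid, ethertype=ethertype)


class Bridge:
    """A bridge (virtual switch) whose members are untagged ports or VLAN subinterfaces."""

    def __init__(self, *members):
        # a member is either a plain port name (untagged) or a VlanInterface
        self.members = {m.name if isinstance(m, VlanInterface) else m: m for m in members}

    def forward(self, ingress_name, wire_frame):
        """Flood a frame received on one member out all others; return {member: wire frame}."""
        member = self.members[ingress_name]
        inner = member.ingress(wire_frame) if isinstance(member, VlanInterface) else wire_frame
        # the bridge only switches untagged frames; tags live on the VLAN members
        if inner is None or parse_frame(inner)[2] is not None:
            return {}
        out = {}
        for name, other in self.members.items():
            if name != ingress_name:
                out[name] = other.egress(inner) if isinstance(other, VlanInterface) else inner
        return out


def direct_pc_on_igb1():
    """Thread scenario: PC cabled straight into igb1, OPNsense only has igb1_vlan15."""
    vlan15 = VlanInterface("igb1_vlan15", 15)
    untagged = build_frame(BROADCAST, PC_MAC, DISCOVER)
    tagged = build_frame(BROADCAST, PC_MAC, DISCOVER, vid=15)
    return vlan15.ingress(untagged) is not None, vlan15.ingress(tagged) is not None


def access_port_via_bridge():
    """Bridge scenario: igb2 (access side) bridged with igb1_vlan3 (trunk side)."""
    vlan3 = VlanInterface("igb1_vlan3", 3)
    br = Bridge("igb2", vlan3)
    out = br.forward("igb2", build_frame(BROADCAST, PC_MAC, DISCOVER))
    return parse_frame(out["igb1_vlan3"])[2]   # VID the trunk wire now carries


if __name__ == "__main__":
    print(direct_pc_on_igb1())      # (False, True): untagged discover is dropped
    print(access_port_via_bridge())  # 3: bridge tagged it on the way to the trunk
```

The first result is the whole thread in one line: the PC's untagged DHCPDISCOVER is invisible to igb1_vlan15, so no offer ever comes back. The second shows what the bridge buys you: the untagged port becomes an access port for VLAN 3, with the tag added and removed by the VLAN member, which is also why the IP address has to live on the bridge and not on either member.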