I'm trying to segment my network a bit. I'm trying to have 3 VLANs: VLAN 1, VLAN 100, and VLAN 200.
My switch is a managed TP-Link. On Port 1, which is where the firewall is connected, I have configured the port for VLAN 1 untagged, VLAN 100 tagged, VLAN 200 tagged. I configured 2 other ports, 7 & 8, to be untagged on VLAN 100 and 200 for testing.
In the firewall I created the 2 new VLANs, attaching them to the LAN interface. I assigned each interface and gave them a static IP on a new subnet. I created new firewall rules on each interface, basically allow all IPv4. I also added DHCP for each interface.
I can't ping the IPs and the firewall can't ping my computer. I have nothing in the firewall logs from or to that interface either. Any idea what I'm missing here?
A picture of your interfaces, interface assignments and firewall rules for each interface would be helpful.
I can do that.
So I spoke too soon. I don't know how to add pic inline.
So I am attaching them. Sorry.
and some more.
Untagged VLANs are unsupported if you are using tagged VLANs on the same interface.
Can you expand on that please?
I thought I could have, for example.
The native / default VLAN (which is untagged)
Then a tagged VLAN
If I can't do that, what is the proper way to set up OPNsense to have more than one VLAN on the LAN interface?
It is not entirely unsupported but discouraged because things that rely on promiscuous mode like DHCP tend to stumble over mixed tagged and untagged frames in the FreeBSD network stack. The general recommendation is not to use a native VLAN on FreeBSD.
If your switch on the other end insists on running one VLAN untagged/native, set it to one you don't use. I use 1001 for that in all my infrastructure.
Then simply assign LAN to e.g. VLAN 1 (tagged) ... or any other number, of course.
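As an added illustration of the advice in the reply above (not code from the thread or from OPNsense), here is a small lint over a constructed TP-Link-style 802.1Q membership table. It checks the switch port facing the firewall for the two problems discussed: a VLAN that is in use but not tagged towards the firewall, and a native/untagged VLAN that is itself one of the VLANs in use. Port names, VLAN numbers and the `Port` structure are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Port:
    """802.1Q membership of one switch port (hypothetical model of the TP-Link table)."""
    tagged: Set[int] = field(default_factory=set)
    untagged: Optional[int] = None  # PVID / native VLAN; None means no untagged member


def lint_firewall_port(ports: Dict[str, Port], fw_port: str, used_vlans: Set[int]) -> List[str]:
    """Return findings for the port facing the firewall; an empty list means the
    layout matches the thread's advice (everything tagged, native VLAN unused)."""
    fw = ports[fw_port]
    findings: List[str] = []
    # 1. Every VLAN the firewall should route must arrive tagged on its port.
    missing = used_vlans - fw.tagged
    if missing:
        findings.append(f"{fw_port}: VLANs {sorted(missing)} are not tagged towards the firewall")
    # 2. Mixed tagged + untagged frames for a VLAN in use trip promiscuous-mode
    #    consumers such as DHCP on the FreeBSD side; park the native VLAN on an unused id.
    if fw.untagged is not None and fw.untagged in used_vlans:
        findings.append(f"{fw_port}: native VLAN {fw.untagged} is in use; move untagged to an unused VLAN")
    # 3. A VLAN cannot be both tagged and untagged on the same port.
    if fw.untagged in fw.tagged:
        findings.append(f"{fw_port}: VLAN {fw.untagged} is both tagged and untagged")
    # 4. Each access port's VLAN must reach the firewall tagged, or that VLAN has no gateway.
    for name, p in ports.items():
        if name != fw_port and p.untagged is not None and p.untagged not in fw.tagged:
            findings.append(f"{name}: untagged VLAN {p.untagged} never reaches {fw_port} tagged")
    return findings


# Constructed sample: the layout from the original post (VLAN 1 native, 100/200 tagged).
ORIGINAL = {
    "port1": Port(tagged={100, 200}, untagged=1),
    "port7": Port(untagged=100),
    "port8": Port(untagged=200),
}
# Constructed sample: the layout the reply recommends (all three tagged, unused 1001 native).
CORRECTED = {
    "port1": Port(tagged={1, 100, 200}, untagged=1001),
    "port7": Port(untagged=100),
    "port8": Port(untagged=200),
}
USED = {1, 100, 200}

if __name__ == "__main__":
    for label, table in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(label, lint_firewall_port(table, "port1", USED) or ["ok"])
```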
I think I understand.
So if I want 3 VLANs make all of them including the base LAN tagged. I will try that.
So the base interface LAN doesn't appear to have a way to attach a VLAN ID. Do I just delete the IP address for this interface and give it to a VLAN interface that is attached to the physical interface LAN?
You go to Interfaces > Assignments and assign "LAN" to "VLAN-1" instead of igb0 - done, LAN is now tagged.
Since OS 22.1 you also need to assign the parent igb0 to a dummy interface and enable that. Architectural reasons, I hope they find a more intuitive solution in the future.
Thank you. I'll give it a shot.