OPNsense Forum

Archive => 23.7 Legacy Series => Topic started by: opnsenseforumuser on August 16, 2023, 03:32:28 AM

Title: VLANs unable to reach OPNsense, no matter what I do
Post by: opnsenseforumuser on August 16, 2023, 03:32:28 AM
Hello.

I've spent a couple of weeks trying to get VLANs to work on my network. I am using the latest version of OPNsense (23.7.1_3).
Please see the attached images for some information. The switches are Cisco Catalyst 2960G, if that helps. They are on the latest IOS.

I created a VLAN and assigned it to the LAN interface.
Also attached are the VLAN and the firewall rules for it.

I've even tried access ports. When I do tcpdump on the VLAN interface, there is nothing! I've researched online, nothing.

Is there anything I can try? I would think that the trunk ports would work and pass the VLANs. I've reset so many times and tried so many solutions, nothing. The LAN interface is in promiscuous mode.

Thank you
Title: Re: VLANs unable to reach OPNsense, no matter what I do
Post by: opnsenseforumuser on August 16, 2023, 03:32:56 AM
Here are the other two images, they did not post...
Title: Re: VLANs unable to reach OPNsense, no matter what I do
Post by: Hydranet on August 16, 2023, 07:41:03 AM
Just to be clear, I'm new to OPNsense myself, but what I am missing from your network setup picture is the device which is running OPNsense; that would probably be useful to know where the routing is done.
Title: Re: VLANs unable to reach OPNsense, no matter what I do
Post by: Seimus on August 16, 2023, 09:32:51 AM
I believe it's the device on the right connected to the modem; nevertheless, this is a good question.

Where is OPN placed?
Do you run it as bare metal or on Proxmox?
Can you show the configuration of the VLAN on OPN as well?
Are all your UPLINK ports really TRUNK across all switches, and towards OPN as well?
When you say you did a TCP dump, where was tcpdump run?
From your topology it looks like you have 2 UPLINKs on each network device, even the Proxmox server; do you use any form of LAGG?
From where did you test connectivity, from the Proxmox server?
Do you have VLAN tagging correctly configured on the Proxmox server as well?


Regards,
S.
Title: Re: VLANs unable to reach OPNsense, no matter what I do
Post by: dstr on August 16, 2023, 02:38:41 PM
This is a switch configuration problem, because from my experience so far VLANs on OPNsense never caused any trouble. Are you sure that every VLAN is available on the uplink port?

This is how it looks on a Hirschmann switch:

1.1 is the uplink to OPNsense.

The OPNsense config is like yours then.
Title: Re: VLANs unable to reach OPNsense, no matter what I do
Post by: opnsenseforumuser on August 16, 2023, 07:31:39 PM
Quote from: Hydranet on August 16, 2023, 07:41:03 AM
Just to be clear I'm new to OPNsense myself but what I am missing from your network setup picture is the device which is running OPNsense, that will probably useful to know where the routing is done?

It is the device to the left of the modem, I thought I labeled it. It has a LAN and a WAN. Apologies for the confusion.

1. Where is OPN placed?
It is placed on a Dell PowerEdge R220. I'm not sure what your question means. I'm running it bare metal off a hard drive. I attached a photo with the version and other information off the homepage.

2. Do you run it as bare metal or on Proxmox?
Bare metal.

3. Can you show the configuration of the VLAN on OPN as well?
I attached an image showing the config of the VLAN.

4. Are all your UPLINK ports really TRUNK across all switches, and towards OPN as well?
Two pictures are attached. leftswitch_trunk is the switch on the left, and rightswitch_trunk is the switch on the right. Po1 is a LAGG of three ports that is connected to Proxmox.

5. When you say you did a TCP dump, where was tcpdump run?
Here's the command: tcpdump -i vlan011 -p -s 0 -vvvv

6. From your topology it looks like you have 2 UPLINKs on each network device, even the Proxmox server; do you use any form of LAGG?
I simplified the topology; those are just the lines. There is only one uplink. I am doing a LAGG of three ports connected to the Proxmox server.

7. From where did you test connectivity, from the Proxmox server?
I tried making an access port to my desktop; it did not work. I tried setting a VLAN on Proxmox containers; it does not work.

8. Do you have VLAN tagging correctly configured on the Proxmox server as well?
I believe so. I created a bond (bond0) that has three ports (in the LAGG), then created a bridge that is VLAN aware.
Title: Re: VLANs unable to reach OPNsense, no matter what I do
Post by: opnsenseforumuser on August 16, 2023, 07:32:59 PM
I am new to this stuff; I mostly followed online guides for creating the VLANs.
Title: Re: VLANs unable to reach OPNsense, no matter what I do
Post by: dstr on August 17, 2023, 08:33:34 AM
Not a good idea to start with a highly cryptic Cisco device, which is only understandable after highly paid exercises :D

Basically you need something like this:

As you can see, there are access ports in the VLAN and a trunk port that is connected to OPNsense.
Title: Re: VLANs unable to reach OPNsense, no matter what I do
Post by: Seimus on August 17, 2023, 02:35:07 PM
Eh, looking at your pictures from the Cisco switches, you have improperly configured VLANs there :)


So, as dstr showed in a very nice picture, what you want to achieve is so called Router-on-a-Stick. In order to achieve that you need to have the specific VLAN in question configured on all switches on the desired ports, and have the VLAN on the TRUNK uplinks between the switches and the mentioned router.
(btw, Cisco is not cryptic :D, Catalyst IOS is fine, but XR and ACI are a pain....)

So here the VLAN in question is VLAN100, which is configured on the OPN, and you can clearly see that on one of those switches there is no VLAN100.

Let us simplify the whole thing and do the following:

1. The server
Configure the BOND as L3 and, from the server side, don't do any VLAN tagging for now.

2. Switches - no LAGs, no LACP, only one simple cable between NW devices
On all switches configure the following:
conf t
vlan 100
  name myTestVlan


On all switches configure the following under the interfaces that are connected between NW devices:
conf t
interface Gi1/X
  switchport trunk allowed vlan all
  switchport mode trunk


On the switch where the desired host is connected (if it's a LAGG, use interface Po1):
conf t
interface Gi1/X
  switchport access vlan 100
  switchport mode access


3. OPNsense -
A. Configure VLAN 100 - L2 configuration in Interfaces > Other > VLAN; attach it to the parent interface that is connected to the main switch.
B. In the Interfaces tab, assign a new interface for VLAN100, and for the parent as well if that was not already done. Even if the parent physical interface doesn't have any IP, it needs to be assigned; otherwise VLANs on OPNsense may behave weirdly.

4. Test ping from the host/server towards the GW on OPNsense.


P.S. When you are configuring VLANs on a LAGG you need to apply the configuration on the Po1 interface, not on the individual interfaces. Physical ports inherit the configuration from the parent, aka Po1.

P.P.S. Once you test it and ping still doesn't work, if you are keen, please do a show run on both switches and share it. I can give it a look.


Regards,
S.
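The post above asks for a `show run` from both switches so the VLAN path can be checked end to end. Below is an added example, not from the thread and not part of OPNsense or Cisco IOS, that automates exactly that check over Catalyst IOS running-config text: the VLAN must exist in each switch's VLAN database, every trunk that should carry it must not have it pruned from its allowed list, the host port must be an access port in it, and a physical port that is a `channel-group` member is judged by its Port-channel's configuration (the P.S. point). The two configs are constructed samples with hypothetical interface names; the second switch deliberately lacks the VLAN definition and the first prunes it from one trunk, so the checker flags both. The `except` form of `switchport trunk allowed vlan` is not handled.

```python
"""Check that one VLAN is consistently configured across Catalyst IOS 'show run' dumps.

Added example (hypothetical helper, not from the forum post or any vendor tool).
"""
import re


def expand_vlan_list(spec):
    """'10,20,30-32' -> {10, 20, 30, 31, 32}"""
    vids = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vids.update(range(int(lo), int(hi) + 1))
        elif part:
            vids.add(int(part))
    return vids


def parse_show_run(text):
    """Return (vlan_db, interfaces).

    interfaces maps name -> {'mode': 'trunk' | 'access' | None, 'access_vlan': int,
    'allowed': set or None (None = all VLANs, the IOS default), 'channel_group': int | None}.
    """
    vlan_db, interfaces, cur = set(), {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):          # any top-level command ends an interface block
            cur = None
            m = re.match(r"^vlan ([\d,\-]+)$", line)
            if m:
                vlan_db |= expand_vlan_list(m.group(1))
            m = re.match(r"^interface (\S+)$", line)
            if m:
                cur = {"mode": None, "access_vlan": 1, "allowed": None, "channel_group": None}
                interfaces[m.group(1)] = cur
            continue
        if cur is None:
            continue
        stmt = line.strip()
        if stmt == "switchport mode trunk":
            cur["mode"] = "trunk"
        elif stmt == "switchport mode access":
            cur["mode"] = "access"
        elif stmt.startswith("switchport access vlan "):
            cur["access_vlan"] = int(stmt.split()[-1])
        elif stmt.startswith("switchport trunk allowed vlan "):
            args = stmt.split()[4:]
            if args[0] == "all":
                cur["allowed"] = None
            elif args[0] == "none":
                cur["allowed"] = set()
            elif args[0] == "add":
                cur["allowed"] = (cur["allowed"] or set()) | expand_vlan_list(args[1])
            elif args[0] == "remove" and cur["allowed"] is not None:
                cur["allowed"] -= expand_vlan_list(args[1])
            else:                             # plain list, e.g. '10,20,30-40'
                cur["allowed"] = expand_vlan_list(args[0])
        elif stmt.startswith("channel-group "):
            cur["channel_group"] = int(stmt.split()[1])
    return vlan_db, interfaces


def carries(iface, vid):
    """True if the interface forwards VLAN vid as a trunk (allowed list or 'all')."""
    return iface["mode"] == "trunk" and (iface["allowed"] is None or vid in iface["allowed"])


def check_vlan(configs, vid):
    """configs: {switch_name: show_run_text} -> {switch_name: findings}."""
    report = {}
    for name, text in configs.items():
        vlan_db, ifaces = parse_show_run(text)
        r = {"defined": vid in vlan_db, "trunks": [], "access": [], "problems": []}
        if not r["defined"]:
            r["problems"].append(f"VLAN {vid} is not in the VLAN database; trunks will not forward it")
        for ifname, iface in ifaces.items():
            eff = iface
            if iface["channel_group"] is not None:
                # L2 config lives on the Port-channel; member ports inherit it
                eff = ifaces.get(f"Port-channel{iface['channel_group']}", iface)
            if carries(eff, vid):
                r["trunks"].append(ifname)
            elif eff["mode"] == "access" and eff["access_vlan"] == vid:
                r["access"].append(ifname)
            elif eff["mode"] == "trunk":
                r["problems"].append(f"{ifname} is a trunk but VLAN {vid} is pruned from its allowed list")
        report[name] = r
    return report


# Constructed sample configs (not real switches); 2960G-style Gi0/x names are assumed.
LEFT = """\
hostname leftswitch
!
vlan 100
 name myTestVlan
!
interface GigabitEthernet0/1
 description uplink to OPNsense LAN
 switchport mode trunk
!
interface GigabitEthernet0/2
 description uplink to rightswitch
 switchport trunk allowed vlan 10,20
 switchport mode trunk
!
"""

RIGHT = """\
hostname rightswitch
!
interface Port-channel1
 description LAGG to Proxmox
 switchport trunk allowed vlan 100
 switchport mode trunk
!
interface GigabitEthernet0/1
 description uplink to leftswitch
 switchport mode trunk
!
interface GigabitEthernet0/5
 switchport access vlan 100
 switchport mode access
!
interface GigabitEthernet0/10
 channel-group 1 mode active
!
"""

if __name__ == "__main__":
    for switch, findings in check_vlan({"left": LEFT, "right": RIGHT}, 100).items():
        print(switch, findings)
```

Run it as is to see the two findings; to use it on real switches, paste each `show running-config` into the dict passed to `check_vlan`. Note that on very old IOS images the VLAN database is only in vlan.dat and does not appear in `show run`, in which case `show vlan brief` is the place to confirm the "defined" check.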
Title: Re: VLANs unable to reach OPNsense, no matter what I do
Post by: opnsenseforumuser on August 18, 2023, 02:33:05 AM
Thank you, it works!
I really would like to be able to specify a vlan tag on the server and have it work, what do I do to do that?
Title: Re: VLANs unable to reach OPNsense, no matter what I do
Post by: opnsenseforumuser on August 18, 2023, 02:35:19 AM
It seems I don't understand port trunking.
I want to be able to specify a vlan in my container network configuration, then have traffic go over that vlan. I thought that is where trunk port comes in.
Title: Re: VLANs unable to reach OPNsense, no matter what I do
Post by: Seimus on August 18, 2023, 09:56:37 AM
Quote from: opnsenseforumuser on August 18, 2023, 02:33:05 AM
Thank you, it works!
I really would like to be able to specify a vlan tag on the server and have it work, what do I do to do that?

Glad to hear it worked. I did the config from memory; otherwise I would lab it.

Quote from: opnsenseforumuser on August 18, 2023, 02:35:19 AM
It seems I don't understand port trunking.
I want to be able to specify a vlan in my container network configuration, then have traffic go over that vlan. I thought that is where trunk port comes in.

Most probably you have some gaps. It's essential to understand how TRUNK and SWITCHPORT work. You can still do a tagged VLAN from a server, but then all you need to do is set the port on that switch that is connected towards the server to TRUNK mode and allow the VLAN on the port. We call this pruning.


access (switchport) port
A port that can be assigned to a single VLAN. The frames that arrive on an access port are assumed to be part of the access VLAN. This port type is configured on switch ports that are connected to devices with a normal network card, for example a host on a network.

trunk port
A port that is connected to another switch. This port type can carry traffic of multiple VLANs, thus allowing you to extend VLANs across your entire network. Frames are tagged by assigning a VLAN ID to each frame as they traverse between switches.

In simple terms, what this means is that when you set a port on a switch to access, the switch assumes the ingress traffic that is coming in is not tagged, so it will tag it for you and remove the tag once again if the traffic within the same device comes back to that specific port or any other access port within the VLAN.

If it's a trunk port, the switch assumes the ingress traffic is already tagged with a specific VLAN allowed on the TRUNK.

VLANs are basically about logical segmentation and who strips/assigns the tag. If it's ACCESS, the switch/GW will do it; if it's TRUNK, it's on the HOST/GW.

There is more to it than explained above, but this is the basic understanding you need to have.

Regards,
S.
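The explanation above is about who inserts and who strips the 802.1Q tag. The following is an added example, constructed for this page and not from the thread, OPNsense or any switch firmware: a small model of one switch hop with access and trunk ports that builds real 802.1Q frames (TPID 0x8100, 12-bit VID in the TCI), tags untagged frames on access ingress, strips on access egress, passes tagged frames on trunks only when the VID is on the allowed list (pruning), and drops a tagged frame arriving on an access port. The last case is the failure mode in the thread: a container sends tagged frames into a port that is not a trunk, and nothing reaches OPNsense. The frame bytes, port names and the treatment of tagged frames on access ports as dropped are assumptions of the model; native-VLAN handling is simplified to VLAN 1 untagged.

```python
"""802.1Q access/trunk model: who tags, who strips, what gets pruned.

Added example (constructed model, not code from the forum post or any vendor).
"""
import struct

TPID = 0x8100  # 802.1Q Tag Protocol Identifier


def parse_frame(frame):
    """Return (dst, src, vid, ethertype, payload); vid is None for an untagged frame."""
    dst, src = frame[:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype == TPID:
        tci, etype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, etype, frame[18:]
    return dst, src, None, etype, frame[14:]


def add_tag(frame, vid, pcp=0):
    """Insert a VLAN tag after the source MAC (what an access port does on ingress)."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID, tci) + frame[12:]


def strip_tag(frame):
    """Remove the 4-byte tag (what an access port does on egress)."""
    if parse_frame(frame)[2] is None:
        raise ValueError("frame is not tagged")
    return frame[:12] + frame[16:]


class Port:
    def __init__(self, name, mode, vlan=None, allowed=None, native=1):
        self.name, self.mode = name, mode
        self.vlan = vlan          # access VLAN (access ports)
        self.allowed = allowed    # set of VIDs (trunk ports); None = all
        self.native = native      # trunk native VLAN, carried untagged (model assumption)

    def ingress(self, frame):
        """Classify a received frame -> (vid, tagged_frame), or None if the switch drops it."""
        vid = parse_frame(frame)[2]
        if self.mode == "access":
            if vid is not None:   # model: a tagged frame on an access port is not accepted
                return None
            return self.vlan, add_tag(frame, self.vlan)
        if vid is None:           # untagged on a trunk -> native VLAN
            vid, frame = self.native, add_tag(frame, self.native)
        if self.allowed is not None and vid not in self.allowed:
            return None           # pruned from this trunk
        return vid, frame

    def egress(self, vid, frame):
        """Emit a classified frame on this port, or None if the VLAN is not carried here."""
        if self.mode == "access":
            return strip_tag(frame) if vid == self.vlan else None
        if self.allowed is not None and vid not in self.allowed:
            return None
        return strip_tag(frame) if vid == self.native else frame


def forward(in_port, out_port, frame):
    """One switch hop: classify on the ingress port, then emit on the egress port."""
    classified = in_port.ingress(frame)
    if classified is None:
        return None
    vid, tagged = classified
    return out_port.egress(vid, tagged)


# Constructed sample frame: broadcast ARP-style frame from a host NIC (not a real capture).
UNTAGGED = (b"\xff" * 6 + bytes.fromhex("020000000001")
            + struct.pack("!H", 0x0806) + bytes.fromhex("0001080006040001"))

# Hypothetical ports mirroring the thread's layout.
HOST_PORT = Port("Gi0/5", "access", vlan=100)
UPLINK = Port("Gi0/1", "trunk", allowed={100, 200})      # towards OPNsense
PRUNED = Port("Gi0/2", "trunk", allowed={10, 20})        # trunk without VLAN 100
SERVER_PORT = Port("Po1", "trunk", allowed={100})        # tagged traffic from a VLAN-aware bridge

if __name__ == "__main__":
    out = forward(HOST_PORT, UPLINK, UNTAGGED)
    print("access -> trunk: VID", parse_frame(out)[2], "on the wire to OPNsense")
    print("access -> pruned trunk:", forward(HOST_PORT, PRUNED, UNTAGGED))
    print("tagged frame into access port:", forward(HOST_PORT, UPLINK, add_tag(UNTAGGED, 100)))
    print("trunk -> access strips tag:", forward(SERVER_PORT, HOST_PORT, add_tag(UNTAGGED, 100)) == UNTAGGED)
```

What the uplink emits is what tcpdump on the OPNsense parent interface shows with `-e` (an 802.1Q header with VID 100), while the VLAN sub-interface sees the untagged payload; a frame dropped at ingress or pruned at egress never appears on either, which matches the empty capture in the original post.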