OPNsense Forum

English Forums => General Discussion => Topic started by: deuch on September 02, 2023, 07:53:45 PM

Title: VLAN and DHCP
Post by: deuch on September 02, 2023, 07:53:45 PM
Hello,

I have an OPNsense box with 4 ports. I've connected one port for my WAN and the second for the LAN to a managed switch (TP-Link TL-SG108E, latest firmware).

I've created a VLAN on OPNsense (latest version and patches), VLAN 10, attached to the LAN interface as parent, and set up the DHCP service (static IP 192.168.1.1/24 and a range of 192.168.3.3 to 192.168.3.254).
Everything is started and enabled in OPNsense.

OPNsense is connected to the switch on port 1. I've connected a laptop to the switch on port 8.

On the switch, I've set ports 1 and 8 for VLAN 10, and on port 8 the PVID 10 (no tagged port).

But the laptop only receives IPs from the LAN CIDR (192.168.1.X), as if the VLAN does not exist or is not recognized at all ...

My future setup will be more complex, with 2 managed switches in cascade, but this simple setup does not seem to work ...

Do you have some ideas to help me, please?

The future setup will have 2 managed switches in cascade. On the second switch, only one port will be used, with a Wifi AP for the kids in this VLAN 10. I've tried to set things up like that, but it doesn't work either (IP of the LAN too).

On Switch 1, connected to the router: Ports 1 and 2 in VLAN 10. Port 2 tagged. All ports with PVID 1 (VLAN 1 configuration by default, ports 1-9, no tag)
On Switch 2: Ports 3 and 2 in VLAN 10. Port 3 tagged (the one connected to the other switch) and PVID set to 10 for port 2, with the AP router connected to it.

Maybe I'm doing something wrong ...

The idea is to have the AP on a separate VLAN to enforce DNS servers and other stuff at the firewall level, but the devices can still have access to the LAN (NAS etc ...). So if you have ideas or tutorials for that, it would be great!

Thanks a lot for the help.
Title: Re: VLAN and DHCP
Post by: Maurice on September 02, 2023, 08:32:01 PM
FreeBSD apparently doesn't like mixing tagged and untagged packets on the same physical interface. If you add VLAN 10 for LAN_kids, don't keep using the parent (untagged) interface for LAN. Instead, create a second VLAN and change the LAN assignment to that VLAN. And make sure the switch port OPNsense is connected to tags all VLANs (no native VLAN).

Cheers
Maurice
Title: Re: VLAN and DHCP
Post by: deuch on September 02, 2023, 08:50:38 PM
So the idea is to create 2 VLANs? VLAN_Kids and VLAN_Normal on the same physical interface? Or 2 LANs on 2 physical interfaces?

I do not have LAN_Kids, only one LAN interface for the moment. The wires are already in the wall, so I do not have much choice :)

Sorry, I'm not an expert on VLANs, so if you can explain just a little more, I promise I will try to understand everything you teach me :)

Thanks again for your support and patience.
Title: Re: VLAN and DHCP
Post by: Maurice on September 02, 2023, 11:31:03 PM
In 'Interfaces: Other Types: VLAN', create 2 VLANs on the same physical interface (parent):
VLAN tag '5', Description 'VLAN_Normal'
VLAN tag '10', Description 'VLAN_Kids'

Then, in 'Interfaces: Assignments', assign the interface 'LAN (lan)' to the network port 'VLAN_Normal' and 'LAN_Kids (opt1)' to 'VLAN_Kids'.

Switch configuration is vendor specific. Just make sure that on the port where OPNsense is attached, VLAN 5 and 10 are both tagged.

Cheers
Maurice
Title: Re: VLAN and DHCP
Post by: deuch on September 03, 2023, 12:05:43 AM
In the switch, I will have 3 VLANs:
1, 5 (LAN) and 10 (LAN_Kids) with:

Port 1 is the one connected to opnsense
Port 2 is the one connected to the second switch

VLAN 1: All ports, no tags?
VLAN 5: All ports or only port 1? Tag on port 1?
VLAN 10: Ports 1 and 2, and tags on both or only on 1?
For the PVID, 5 for port 1 and 10 for port 2? Or every port/the rest on 1 or 5?

On the second switch:
The Wifi AP is connected on port 2
Port 3 is used for the connection with Switch 1

VLAN 1: All ports, no tags?
VLAN 5: All ports or only port 3? Tag on port 3?
VLAN 10: Ports 2 and 3, and tags on both or only on 3?
For the PVID, 5 for port 3 and 10 for port 2? And the other ports on 1 or 5?

Thanks.
Title: Re: VLAN and DHCP
Post by: Maurice on September 03, 2023, 12:29:37 AM
Quote from: deuch on September 03, 2023, 12:05:43 AM
In the switch, I will have 3 VLANs:
1, 5 (LAN) and 10 (LAN_Kids) with:

Port 1 is the one connected to opnsense
Port 2 is the one connected to the second switch

What will the other ports be used for? Access to 'LAN'?

Quote from: deuch on September 03, 2023, 12:05:43 AM
On the second switch:
The Wifi AP is connected on port 2
Port 3 is used for the connection with Switch 1

What will the other ports be used for? And does the AP only have one SSID (for 'LAN_Kids')?
Title: Re: VLAN and DHCP
Post by: deuch on September 03, 2023, 07:34:16 AM
Quote from: Maurice on September 03, 2023, 12:29:37 AM
Quote from: deuch on September 03, 2023, 12:05:43 AM
In the switch, I will have 3 VLANs:
1, 5 (LAN) and 10 (LAN_Kids) with:

Port 1 is the one connected to opnsense
Port 2 is the one connected to the second switch

What will the other ports be used for? Access to 'LAN'?

Quote from: deuch on September 03, 2023, 12:05:43 AM
On the second switch:
The Wifi AP is connected on port 2
Port 3 is used for the connection with Switch 1

What will the other ports be used for? And does the AP only have one SSID (for 'LAN_Kids')?

On switch 1:
Port 1: OPNsense
Port 2: connection to the second switch
Ports 3 to 8: devices that use the LAN (PS5, Xbox, Apple TV etc ...) and the internet (they can talk to each other and with devices on switch 2)

On switch 2:
Port 2: Kids AP with only one SSID, which needs to be in LAN_Kids (only the kids' devices can connect to this one)
Port 3: Connection to switch 1
Ports 1, 4-8: devices that use the LAN (NAS, wifi AP for the LAN with 2 SSIDs: « normal (all devices except IoT) » and « guest (IoT) », servers etc...) and the internet; they can talk to each other and with devices on switch 1

The kids AP needs to be able to connect to the LAN (the NAS, printer etc ...)
For LAN_Kids I enforce some firewall rules and use an AdGuardHome installed on the kids AP as DNS server.
Zenarmor will be used too, only on LAN_Kids

Thank you again
Title: Re: VLAN and DHCP
Post by: Maurice on September 03, 2023, 02:19:33 PM
Okay, then it might be easier to use VLAN tag 1 for 'VLAN_Normal' on OPNsense.

Switch 1:

Quote from: deuch on September 03, 2023, 12:05:43 AM
VLAN 1: All ports, no tags?

All ports, tags on port 1.

Quote from: deuch on September 03, 2023, 12:05:43 AM
VLAN 10: Ports 1 and 2, and tags on both or only on 1?

Tags on both.

Quote from: deuch on September 03, 2023, 12:05:43 AM
For the PVID, 5 for port 1 and 10 for port 2? Or every port/the rest on 1 or 5?

PVID 1 for all ports. (Though you don't really need a PVID for port 1 because OPNsense will never send untagged frames if configured correctly.)


Switch 2:

Quote from: deuch on September 03, 2023, 12:05:43 AM
VLAN 1: All ports, no tags?

Yes.

Quote from: deuch on September 03, 2023, 12:05:43 AM
VLAN 10: Ports 2 and 3, and tags on both or only on 3?

Tags only on port 3.

Quote from: deuch on September 03, 2023, 12:05:43 AM
For the PVID, 5 for port 3 and 10 for port 2? And the other ports on 1 or 5?

PVID 10 for port 2, PVID 1 for all other ports.


This will also put the AP's management interface in 'LAN_Kids'. If the AP supports VLAN tagging of SSIDs, you can configure port 2 like port 3 (VLAN 1 untagged, VLAN 10 tagged, PVID 1) to keep the management interface in 'LAN'.
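To make the difference between the first post's setup and the plan above concrete, here is an added example (not from this thread, OPNsense or TP-Link) that models 802.1Q port-based forwarding on both switches and traces where an untagged DHCP request from a device port ends up on OPNsense; port numbers, PVIDs and memberships are taken from the thread, the parent NIC name igc1 and the per-port VLAN membership sets are assumptions.

```python
# Added example (not from the forum, OPNsense or TP-Link): a minimal model of
# 802.1Q forwarding, tracing an untagged DHCP request to the OPNsense interface it reaches.

def members(sw, vlan):
    """All ports (tagged or untagged) that belong to `vlan` on switch `sw`."""
    return sw["tagged"].get(vlan, set()) | sw["untagged"].get(vlan, set())

def forward(sw, in_port, out_port, tag=None):
    """Tag carried on egress: an int (tagged), None (untagged) or 'DROP'."""
    vlan = sw["pvid"][in_port] if tag is None else tag  # untagged ingress gets the PVID
    if in_port not in members(sw, vlan) or out_port not in members(sw, vlan):
        return "DROP"
    return vlan if out_port in sw["tagged"].get(vlan, set()) else None

def opnsense_interface(tag, vlan_ifaces, parent_assignment):
    """Interface that receives a frame on the parent NIC: the VLAN child for a
    tagged frame, the parent's own assignment (or None) for an untagged one."""
    return parent_assignment if tag is None else vlan_ifaces.get(tag)

# First post: VLAN 10 untagged on ports 1 and 8, PVID 10 on port 8, LAN on the parent.
ORIGINAL_SWITCH = {"pvid": {1: 1, 8: 10}, "tagged": {},
                   "untagged": {1: {1, 8}, 10: {1, 8}}}

def original_setup():
    tag = forward(ORIGINAL_SWITCH, 8, 1)               # laptop's DHCP discover
    return opnsense_interface(tag, {10: "LAN_Kids"}, "LAN")  # arrives untagged

# Maurice's plan: VLAN 1 and 10 both tagged on the OPNsense port and the trunk.
SWITCH1 = {"pvid": {p: 1 for p in range(1, 9)},
           "tagged": {1: {1}, 10: {1, 2}},
           "untagged": {1: set(range(2, 9))}}
SWITCH2 = {"pvid": {**{p: 1 for p in range(1, 9)}, 2: 10},
           "tagged": {10: {3}},
           "untagged": {1: set(range(1, 9)), 10: {2}}}
OPNSENSE_VLANS = {1: "LAN", 10: "LAN_Kids"}  # igc1 itself is no longer assigned

def new_setup(device_switch, device_port):
    """Trace an untagged frame from a device port to the OPNsense interface."""
    if device_switch == 2:
        tag = forward(SWITCH2, device_port, 3)  # uplink to switch 1
        tag = forward(SWITCH1, 2, 1, tag)       # trunk port 2 -> OPNsense port 1
    else:
        tag = forward(SWITCH1, device_port, 1)
    return opnsense_interface(tag, OPNSENSE_VLANS, None)

if __name__ == "__main__":
    print(original_setup())  # LAN       (the symptom in the first post)
    print(new_setup(2, 2))   # LAN_Kids  (kids' AP on switch 2 port 2)
    print(new_setup(2, 4))   # LAN       (NAS on switch 2 port 4)
```

The first trace shows why the laptop got a LAN lease: port 1 was an untagged member of VLAN 10, so the frame reached igc1 without a tag and was handled by the parent interface.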
Title: Re: VLAN and DHCP
Post by: deuch on September 03, 2023, 02:31:56 PM
I will try !

So do I need to create a new VLAN_Normal with tag 1 on OPNsense, or is it not necessary?
Title: Re: VLAN and DHCP
Post by: Maurice on September 03, 2023, 02:36:32 PM
Quote from: deuch on September 03, 2023, 02:31:56 PM
So do I need to create a new VLAN_Normal with tag 1 on OPNsense, or is it not necessary?

Yes, you have to do that. (Or change the tag from 5 to 1 if you already created VLAN_Normal.)
Title: Re: VLAN and DHCP
Post by: deuch on September 04, 2023, 09:15:29 AM
Do I have to do all those steps in a specific order?

I've created the VLAN 10 and assigned it to LAN_Kids (with the igc1 interface as parent, the same interface as the LAN).
I've created the VLAN 1 but didn't assign it to the original LAN interface (on igc1 for now, and it needs to be set to VLAN 1).

Will I break something if I assign the VLAN 1 to the LAN interface (communication lost etc ...)?
I'm a homeworker, so I'm trying to reduce the number of issues with my internet connection to 0 :) So this is why I'm asking if all the setup needs to be done in a certain order and if some steps are safer than others :)

I'm using my AP on switch 2 to manage OPNsense, so if something goes wrong, I will have to connect to an interface of OPNsense (I've set up an interface named backup with DHCP and a LAN cable already in place, just in case).

Really appreciate your help and patience.
Thanks.
Title: Re: VLAN and DHCP
Post by: Maurice on September 04, 2023, 11:58:00 PM
Having configured a backup interface is a good idea, though you probably won't need it.

You can start with configuring switch 2 without breaking anything (assuming the kids' AP isn't the one you currently use). Then configure all the ports on switch 1, except for port 1. This shouldn't break anything either.

Then change the 'LAN' assignment on OPNsense from igc1 to VLAN 1. This will temporarily interrupt the connection to 'LAN', but you won't lose access to the management interfaces of the switches.

Finally, configure port 1 on switch 1 to restore connectivity to the OPNsense 'LAN' interface.

Cheers
Maurice
Title: Re: VLAN and DHCP
Post by: deuch on September 05, 2023, 12:24:39 AM
Hello,

I've made the change and it works :) Kids AP is in VLAN 10 and DHCP is working.
Zenarmor set to watch VLAN 10 too and looks good.

Thank you so much for such great help and explanations!
Title: Re: VLAN and DHCP
Post by: Maurice on September 05, 2023, 01:08:09 AM
👍