I'm setting up a new OPNsense device to replace the router on my network, and I also bought a Netgear 610 WAP.
The OPNsense box has a (genuine) Intel i350 T4 card in it, and I've assigned the igb0 interface to be my WAN port.
Next, I've assigned a VLAN 1 tag to igb1 and set up DHCP on it. The entire rest of my wired network is on a single unmanaged 24-port switch, and this is fine, as all the devices on that switch are devices I would want on the same VLAN anyway. The issue is my Netgear access point can broadcast up to 8 SSIDs with different VLANs, and I want to use three of them. The first is a private network that should be on VLAN 1 and have access to the entire network. The second, VLAN 2, should be a guest network that only has access to the internet. And the third, VLAN 3, should be entirely isolated to itself, have no internet access, and only be able to access other devices on its own VLAN.
Right now I'm only attempting to get VLAN 1 and VLAN 2 working, and nothing works. No amount of bridging, firewall rules, or virtual interfaces seems to be able to make the wireless VLAN 1 talk to the wired network, or even get DHCP to work.
I've added a diagram below of the physical network layout I'm attempting. As I've already spent three days on this, I'm thinking it would be more productive if someone could just look it over and tell me how I can make this work rather than go over what I've already tried, since I've tried some variation of everything at this point.
Can you try renumbering your VLANs? E.g. 100, 200, 300.
VLAN 1 is interpreted as the default by a lot of network kit.
That is a rather complex setup, because you do not have a VLAN-capable switch.
For this to work, you need igb2 separated into three VLANs, let's call them vlan01, vlan02 and vlan03. But then, you need to create a bridge of igb1 and vlan01, which then makes up your main LAN. I do not know how Netgear APs handle trunked ports - e.g. UniFi normally has the configuration of the AP on the untagged interface, so you probably need to define a management network on igb2 itself in addition to the three client networks on VLANs.
In order to get the firewall rules working on the bridge, you also have to set tunables (https://docs.opnsense.org/manual/how-tos/lan_bridge.html). As usual with VLANs, they lack the default "allow all" rule that the LAN interface has by default.
This would be easier if you just had to define the VLANs and connect them via a trunk port to a manageable switch, which in turn has the Netgear AP on another trunk port.
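The layout in the reply above, written out as the underlying FreeBSD commands (an added example, not code from the thread or from OPNsense). Interface names igb1/igb2 come from the thread; VLAN IDs 100/200/300 (renumbered away from 1/2/3, as suggested earlier) and the 192.0.2.x, 198.51.100.x and 203.0.113.x documentation ranges are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from OPNsense. Assumed values: VLAN IDs
# 100/200/300 and the three documentation address ranges. DRY_RUN=1 (default) prints
# each command instead of executing it, so the script can be reviewed off the box.
DRY_RUN=${DRY_RUN:-1}
TRUNK=igb2   # trunk port to the Netgear AP (tagged SSIDs, untagged management)
WIRED=igb1   # port to the unmanaged 24-port switch

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# One 802.1Q child interface per SSID on the AP trunk (the reply's vlan01/02/03).
build_vlans() {
  for tag in 100 200 300; do
    run ifconfig "$TRUNK.$tag" create vlandev "$TRUNK" vlan "$tag"
    run ifconfig "$TRUNK.$tag" up
  done
}

# Private wireless (tag 100) and the wired switch become one L2 segment. The gateway
# address lives on the bridge, so DHCP must be served on bridge0, not on igb1.
build_bridge() {
  run ifconfig bridge0 create
  run ifconfig bridge0 addm "$WIRED" addm "$TRUNK.100" up
  run ifconfig bridge0 inet 192.0.2.1/24
  # if_bridge ships with STP off; enable it on the members so a cabling loop
  # cannot turn into a broadcast storm.
  run ifconfig bridge0 stp "$WIRED" stp "$TRUNK.100"
}

# Guest and isolated networks are routed, not bridged: each gets its own gateway
# address, and the traffic they may pass is then decided purely by firewall rules.
address_vlans() {
  run ifconfig "$TRUNK.200" inet 198.51.100.1/24
  run ifconfig "$TRUNK.300" inet 203.0.113.1/24
}

# Filter on the bridge interface rather than on each member (OPNsense LAN-bridge
# how-to), so rules are written once, for bridge0, and not per member port.
bridge_sysctls() {
  run sysctl net.link.bridge.pfil_member=0
  run sysctl net.link.bridge.pfil_bridge=1
}

build_vlans; build_bridge; address_vlans; bridge_sysctls
```

OPNsense does the same from the GUI (Interfaces > Other Types > VLAN and Bridge; System > Settings > Tunables) and persists it in config.xml; ifconfig changes made by hand do not survive a reboot.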
Quote from: bartjsmit on November 06, 2023, 10:27:19 PM
Can you try renumbering your VLANs? E.g. 100, 200, 300.
VLAN 1 is interpreted as the default by a lot of network kit.
Yes, and probably with the meaning "untagged" as well, so this is not really VLAN 1 as OPNsense (correctly) understands it.
I've tried something like that and always found recommendations for not bridging ports on OPNsense.... Keep all devices of the same VLAN(s) on the same port of the OPNsense device.
I solved my problems with a cheap TP-Link TL-SG108E managed switch... It has 8x1Gbps ports... I connected 2 ports between the switch and the OPNsense router by link aggregation (LAGG) and the APs on the switch.
You could also try to migrate your OPNsense to a VM on Proxmox and follow this guide:
https://www.youtube.com/watch?v=t7qt1wlS9uA
Quote from: dsduarte on November 07, 2023, 04:27:36 AM
I've [...] always found recommendations for not bridging ports on OPNsense....
The bridging code in FreeBSD was completely rewritten in 2020, sponsored by the FreeBSD Foundation. So that recommendation is pretty outdated by now.
https://freebsdfoundation.org/blog/500-if_bridge-performance-improvement/
Bridges work fine. Keep in mind that the default setting for STP is "off", so don't create loops or make sure to enable STP on all bridge ports.