OPNsense Forum

English Forums => General Discussion => Topic started by: DarkCorner on December 10, 2023, 07:13:09 PM

Title: VLAN ID. Clarifications and suggestions for a newbie.
Post by: DarkCorner on December 10, 2023, 07:13:09 PM
I'm new to VLANs and I'm doing some testing in a small lab.
I don't understand how to identify the physical NIC of the LAN with a VLAN ID.
The LAN has address 192.168.10.1 (for the network 192.168.10.0)
I can associate on this a VLAN 192.168.20.0 for the "Home" network and a third VLAN 192.168.30.0 for the guests.
But how do I assign VLAN 10 to the main NIC?
If I want to divide the switch into the 3 VLANs I must also identify the traffic on VLAN 10, but I don't see any option in the LAN configuration.

I didn't configure VLANs during installation; was it perhaps at that point that I could have done it?

Furthermore, reading online I find the suggestion to create a VLAN only for the management of the switches; does this also apply to managing OPNsense?
I also find the suggestion to create a native VLAN that is not VLAN 1.
I can't figure out how to do this.
Title: Re: VLAN ID. Clarifications and suggestions for a newbie.
Post by: netnut on December 10, 2023, 09:01:28 PM
Quote from: DarkCorner on December 10, 2023, 07:13:09 PM
...
But how do I assign VLAN 10 to the main NIC?

You can create VLAN interfaces in OPNsense at: INTERFACES: OTHER TYPES: VLAN

Quote
If I want to divide the switch into the 3 VLANs I must also identify the traffic on VLAN 10, but I don't see any option in the LAN configuration.

After you created the VLAN in the step above, you can assign it as a regular interface in: INTERFACES: ASSIGNMENTS

Quote
I didn't configure VLANs during installation; Was it perhaps at that point that I could do it?

If you have already built/designed your network topology and know what to configure, this would usually be the best moment. But you can always configure them later; the only caveat is when you need to (re-)assign your OPNsense default LAN network: if you don't plan and configure this exactly as it should be, you might lose network connectivity to SSH/GUI. So always be sure you can connect to OPNsense while changing stuff (SYSTEM: SETTINGS: ADMINISTRATION).

Quote
Furthermore, reading online I find the suggestion to create a VLAN only for the management of the switches; Does this also apply to managing OPNSense?

Ask 100 network engineers to design a network and you get 100 different designs ;-). Always ask yourself: Why ? Lot of best-practices in network design, but without the answer to the why you shouldn't care about those "statements"...

VLANs are building blocks for a network topology, i.e. they solve something (primarily restricting broadcast domains). It completely depends on what you're trying to achieve with your design whether you need none, one or multiple VLANs.

Quote
I find also the suggestion to create a Native VLAN that is not VLAN 1.
I can't figure out how to do this?

VLAN 1 is the so-called "Default VLAN"; every factory-fresh/reset switch port is assigned to this default VLAN. Nothing stops you from using just this "Default VLAN", but looking at your previous question, one introduces other VLANs to segment the network (separating broadcast domains). Using VLAN 1 in this scenario (which applies to 99% of all network designs) means that fresh or not-configured switches/routers/etc. are automatically part of this VLAN 1 network. Not only does it allow (unwanted) access to the network, it can also mess up things like Spanning Tree etc. when the (unconfigured) switch assumes some defaults that don't match the existing network.
Title: Re: VLAN ID. Clarifications and suggestions for a newbie.
Post by: DarkCorner on December 10, 2023, 10:03:44 PM
To make myself understand better I'll give an example.
Physical LAN interface: 192.168.10.1 with DHCP 192.168.10.100 to 192.168.10.200

24 port switch.
Port 1 to 8 for VLAN10, port 9 to 16 for VLAN20, and port 17 to 24 for VLAN30.

Then I create:
VLAN20 associated with LAN: its 192.168.20.1 with DHCP 192.168.20.100 to 192.168.20.200 (for switch ports 9/16)
VLAN30 associated with LAN: its 192.168.30.1 with DHCP 192.168.30.100 to 192.168.30.200 (for 17/24 switch ports)

If I also create VLAN10, always associated with the LAN interface, I cannot assign it the address 192.168.10.1 nor the DHCP from 192.168.10.100 to 192.168.10.200.
So in the switch the first 8 ports will never be used.

The only way seems to me to be to create a VLAN10 with a different network, for example 192.168.40.0 and VLAN address at 192.168.40.1 with DHCP from 192.168.40.100 to 192.168.40.200 (for switch ports 1/8) .

Which however means that the physical LAN interface will never be used directly, but only via VLANs.
Title: Re: VLAN ID. Clarifications and suggestions for a newbie.
Post by: Patrick M. Hausen on December 10, 2023, 10:07:05 PM
Running all VLANs tagged on the link from OPNsense to the switch is indeed the recommended way.

You can create VLAN 10, then in Interfaces > Assignments assign the logical interface LAN to that.
Title: Re: VLAN ID. Clarifications and suggestions for a newbie.
Post by: netnut on December 10, 2023, 10:14:47 PM
Quote from: DarkCorner on December 10, 2023, 10:03:44 PM
...
The only way seems to me to be to create a VLAN10 with a different network

You might want to reconfigure your LAN network first to something like 192.168.1.0/24 and after that use 192.168.10.0/24 for VLAN 10. Matching the VLAN ID in the third (or whatever) octet makes your topology easy to understand; although this scales badly in bigger environments, for a home network it makes perfect sense.

Quote
Which however means that the physical LAN interface will never be used directly, but only via VLANs.

Like "Patrick M. Hausen" already confirmed...
Title: Re: VLAN ID. Clarifications and suggestions for a newbie.
Post by: DarkCorner on December 10, 2023, 10:54:59 PM
Quote from: Patrick M. Hausen on December 10, 2023, 10:07:05 PM
You can create VLAN 10, then in Interfaces > Assignments assign the logical interface LAN to that.
I didn't think it could be done and that it was so easy.
Thank you very much.

From this, then a second question arises.
If the physical interface assumes VLAN 10, then native VLAN 1 is no longer there.
So do I need to configure the switch to accept a new native VLAN?
For example, marking 10 as the native VLAN and leaving some unused ports on the switch as VLAN 1.

I'm doing some testing in a home environment, but eventually I want to bring this setup into a small association that I would like to divide into 4 separate areas.
Title: Re: VLAN ID. Clarifications and suggestions for a newbie.
Post by: Patrick M. Hausen on December 10, 2023, 11:00:44 PM
Avoid native VLANs. Leave it at 1 and just don't use VLAN 1 anywhere.
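Pulling together the advice so far (every network tagged on the one link to the switch, LAN re-assigned to the VLAN 10 interface, the VLAN ID mirrored in the third octet, VLAN 1 left unused), here is an added example that checks such a plan before it is committed. It is not code from the thread or from the OPNsense project. The XML is a constructed fragment shaped like the `<vlans>` and `<interfaces>` sections of an OPNsense config.xml backup; the element names and the `vlan0.<tag>` device names are assumptions and should be compared against your own export before you trust the checks.

```python
"""Check a tagged-only VLAN plan of the kind recommended in this thread.

Added example (not OPNsense code). CONFIG_XML is a constructed fragment
shaped like the <vlans> and <interfaces> sections of an OPNsense
config.xml backup; element names and the vlan0.<tag> device names are an
assumption, compare them with your own export before trusting the checks.
"""
import ipaddress
import xml.etree.ElementTree as ET

CONFIG_XML = """<opnsense>
  <vlans>
    <vlan><if>em1</if><tag>10</tag><descr>LAN</descr><vlanif>vlan0.10</vlanif></vlan>
    <vlan><if>em1</if><tag>20</tag><descr>Home</descr><vlanif>vlan0.20</vlanif></vlan>
    <vlan><if>em1</if><tag>30</tag><descr>Guests</descr><vlanif>vlan0.30</vlanif></vlan>
  </vlans>
  <interfaces>
    <wan><if>em0</if><enable>1</enable><ipaddr>dhcp</ipaddr></wan>
    <lan><if>vlan0.10</if><enable>1</enable><ipaddr>192.168.10.1</ipaddr><subnet>24</subnet></lan>
    <opt1><if>vlan0.20</if><enable>1</enable><ipaddr>192.168.20.1</ipaddr><subnet>24</subnet></opt1>
    <opt2><if>vlan0.30</if><enable>1</enable><ipaddr>192.168.30.1</ipaddr><subnet>24</subnet></opt2>
  </interfaces>
</opnsense>"""

# Same shape, but with the mistakes the thread warns about (constructed).
BAD_CONFIG_XML = """<opnsense>
  <vlans>
    <vlan><if>em1</if><tag>1</tag><descr>Mgmt</descr><vlanif>vlan0.1</vlanif></vlan>
    <vlan><if>em1</if><tag>20</tag><descr>Home</descr><vlanif>vlan0.20</vlanif></vlan>
  </vlans>
  <interfaces>
    <lan><if>em1</if><enable>1</enable><ipaddr>192.168.10.1</ipaddr><subnet>24</subnet></lan>
    <opt1><if>vlan0.20</if><enable>1</enable><ipaddr>192.168.10.1</ipaddr><subnet>24</subnet></opt1>
    <opt2><if>vlan0.30</if><enable>1</enable><ipaddr>192.168.40.1</ipaddr><subnet>24</subnet></opt2>
  </interfaces>
</opnsense>"""


def parse_plan(xml_text):
    """Return ({vlanif: {parent, tag}}, {iface name: {if, enable, ipaddr, subnet}})."""
    root = ET.fromstring(xml_text)
    vlans = {v.findtext("vlanif"): {"parent": v.findtext("if"), "tag": int(v.findtext("tag"))}
             for v in root.iter("vlan")}
    ifaces = {n.tag: {"if": n.findtext("if"), "enable": n.findtext("enable") == "1",
                      "ipaddr": n.findtext("ipaddr"), "subnet": n.findtext("subnet")}
              for n in root.find("interfaces")}
    return vlans, ifaces


def check_plan(vlans, ifaces):
    """Return a list of human-readable problems; an empty list means the plan is consistent."""
    problems = []
    parents = {v["parent"] for v in vlans.values()}
    for dev, v in vlans.items():
        if v["tag"] == 1:
            problems.append(f"{dev}: tag 1 is every switch's default VLAN, leave it unused")
    nets = {}
    for name, i in ifaces.items():
        dev = i["if"]
        if dev.startswith("vlan") and dev not in vlans:
            problems.append(f"{name}: assigned to {dev}, which is not defined under <vlans>")
        if dev in parents:
            problems.append(f"{name}: {dev} is a parent NIC carrying tags, do not address it untagged")
        if i["ipaddr"] and i["ipaddr"] != "dhcp":
            nets[name] = ipaddress.ip_interface(f"{i['ipaddr']}/{i['subnet']}").network
            # Home-network convention from the thread: 192.168.<tag>.0/24 per VLAN.
            if dev in vlans and nets[name].version == 4:
                third_octet = int(str(nets[name].network_address).split(".")[2])
                if third_octet != vlans[dev]["tag"]:
                    problems.append(f"{name}: {nets[name]} does not mirror VLAN tag {vlans[dev]['tag']}")
    names = sorted(nets)
    for idx, a in enumerate(names):
        for b in names[idx + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b}: {nets[a]} overlaps {nets[b]}")
    return problems


if __name__ == "__main__":
    for label, xml_text in (("good", CONFIG_XML), ("bad", BAD_CONFIG_XML)):
        problems = check_plan(*parse_plan(xml_text))
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

The "bad" fragment is the configuration the thread steers away from: a VLAN with tag 1, the parent NIC `em1` still addressed untagged while it also carries tags, an interface assigned to a VLAN device that was never created, and two interfaces on the same subnet. The parent-NIC check matters for the lockout caveat in the thread: once the LAN is moved onto `vlan0.10`, an address left on `em1` would only be reachable through the switch's untagged VLAN.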
Title: Re: VLAN ID. Clarifications and suggestions for a newbie.
Post by: DarkCorner on December 11, 2023, 09:11:01 AM
I'm definitely missing some steps because I'm stuck now.

I reconfigured OPNsense from scratch, creating the VLANs at installation time and assigning them to the network cards; then I assigned the DHCP.
Nonetheless, I cannot connect to OPNsense or to the switch.

Most likely, since VLAN 10 is not yet present on the switch (they are still all VLAN1), the switch does not allow the connection from the PC; but the switch doesn't even take the DHCP address since the cable connected to the firewall is also still on a port with VLAN1.

I'm missing an idea of what the correct step-by-step is.
Title: Re: VLAN ID. Clarifications and suggestions for a newbie.
Post by: meyergru on December 11, 2023, 01:26:58 PM
Quote from: DarkCorner on December 11, 2023, 09:11:01 AM
I'm missing an idea of what the correct step-by-step is.

Nobody can help you with that because we do not know your setup.

As a rule of thumb you should first set up everything to work without VLANs, then work from there. Keep in mind that when you reconfigure one side of a connection, it will be lost until you configure the other side accordingly.

The easiest and safest way to achieve this is by keeping one untagged OOB port on all network devices. You can always connect a laptop to that port in order to configure every other port. If you mess it up, reset the device and start over.
Title: Re: VLAN ID. Clarifications and suggestions for a newbie.
Post by: cookiemonster on December 11, 2023, 01:31:33 PM
Reset the switch. Assign access ports to either VLAN 10, 20 or 30. The trunk is obviously all three. In short, your suspicion seems right.
Title: Re: VLAN ID. Clarifications and suggestions for a newbie.
Post by: stefan00 on December 12, 2023, 04:10:20 PM
VLANs can be challenging in the beginning. You got great tips in this thread already. So this may help in a very general fashion for starting from scratch. It's just the way I go:

Before even going into OPNsense I make sure that:

1. I configure the stuff using a computer connected on a switch trunk port. This way I can change the VLAN ID (Tag) and IP address on the management computer manually without relying on DHCP or switch access port VLAN limitations.

2. All needed VLANs are created on the switch / switches.

3. All switches and the router (OPNSense) are connected on trunks.

After that, start configuring the router (OPNsense, this thread).

If everything works, work the way back to the switch / switches and configure / test the access ports (VLAN assignment).
Title: Re: VLAN ID. Clarifications and suggestions for a newbie.
Post by: DarkCorner on December 12, 2023, 05:04:01 PM
First of all, thanks for the advice.
I did several tests and solved several problems, both on OPNsense and on the switch.
It works now, with only one problem.

I describe the current situation.
(See screenshot)
On the switch (8+1 ports) I left 2 on VLAN 1, because that way I can make changes quickly.
I then created 3 VLANs.
Default 1: (LAN) For managing Switch and OPNSense
101: (LAN-Work) For network use
103: (LAN-CP) For CaptivePortal
109: (LAN-Tech) Available only for technicians' PCs (in the laboratory it is only mine).

On the Switch I have this configuration.
Port 3 is the trunk to the OPNSense NIC.
Port 7 is the trunk to a future Access Point.
Port 9 is not used.

On OPNsense I have these interfaces, all associated with the LAN NIC and with these addresses.
NIC LAN 192.168.1.1/29
VLAN01.101 192.168.101/24
VLAN01.103 192.168.103/24
VLAN01.109 192.168.109/24

Now if I insert the cable coming from OPNsense into port 1 (or 3) and the one from my PC into port 2 (or 4), I can access both OPNsense and the switch.

The problem is related to port 4, connected to my PC where there are virtual machines.
I also wanted to configure port 4 as a trunk with the 3 VLANs, but I am always assigned the IP of VLAN01.103.
To get the correct IP I have to turn the port into an untagged one (101 only), but that way I would not be able to use virtual machines associated with VLANs 103 and 109. On the other hand, I only have one cable from the PC to the switch.
Title: Re: VLAN ID. Clarifications and suggestions for a newbie.
Post by: cookiemonster on December 12, 2023, 10:59:19 PM
I don't visualise completely especially port 4 but I _think_ you are saying you have a PC that is virtualisation host, and you want VMs to be on different VLANs but with only one cable from the host to the switch.
Well, you can't in this way. A trunk port is one that carries traffic with multiple tags. That is normally to connect switches to switches, switches to routers, routers to routers, etc. End points go into access ports and the switch applies one tag to it, so the end point doesn't have to. So what you describe isn't a problem but the expected behaviour.
What you can do is create virtual NICs on the host and apply the VLAN tag on them. Most hypervisors are VLAN aware, but need the NIC on the host to be VLAN capable.
Proxmox as one example has various options: https://pve.proxmox.com/wiki/Network_Configuration . Read from section "VLAN 802.1Q". Since you seem to want a VM to be in more than one VLAN, I'd be tempted to suggest _not_ using the trunk method described there, to save you having to configure VLAN awareness inside the guest. Instead, enable VLAN awareness on the Linux bridge of Proxmox, then add multiple virtual NICs to the VMs and make each a member of a VLAN, if that works for you.
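The access-versus-trunk behaviour cookiemonster describes, and the "reset, access ports, trunk carries all three" recipe earlier in the thread, can be modelled frame by frame. The following is an added example, not code from the thread, OPNsense or any switch vendor. It serialises 802.1Q tags the way a NIC sees them and simulates a switch with the port roles from the 8+1 port lab above. Assumptions: port 4's untagged (PVID/native) VLAN is set to 103, which is one configuration that reproduces the "always VLAN01.103" symptom; tagged frames arriving on an access port, or carrying a VID a trunk does not allow, are dropped (real switches differ in this corner).

```python
"""Access vs trunk ports, modelled frame by frame (IEEE 802.1Q).

Added example, not from the thread. It shows why a PC with an ordinary,
non-VLAN-aware NIC on a trunk port ends up in exactly one network: it only
sees the frames the switch sends untagged, i.e. the port's PVID/native VLAN.
Port 4's PVID of 103 is an assumption made to reproduce the observed behaviour.
"""
import struct
from dataclasses import dataclass, replace
from typing import Dict, Optional

TPID = 0x8100  # 802.1Q Tag Protocol Identifier


@dataclass
class Frame:
    dst: str
    src: str
    ethertype: int = 0x0800
    payload: bytes = b""
    vid: Optional[int] = None  # None means no tag on the wire


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def encode(frame: Frame, pcp: int = 0) -> bytes:
    """Serialise as a NIC would: the 4-byte tag sits between source MAC and EtherType."""
    tag = b"" if frame.vid is None else struct.pack("!HH", TPID, (pcp << 13) | frame.vid)
    return _mac(frame.dst) + _mac(frame.src) + tag + struct.pack("!H", frame.ethertype) + frame.payload


def wire_vid(raw: bytes) -> Optional[int]:
    """VID a VLAN-aware receiver reads from a raw frame; None if it is untagged."""
    if struct.unpack("!H", raw[12:14])[0] != TPID:
        return None
    return struct.unpack("!H", raw[14:16])[0] & 0x0FFF  # low 12 bits of the TCI


@dataclass
class Port:
    mode: str                         # "access" or "trunk"
    pvid: int                         # access VLAN, or the trunk's native (untagged) VLAN
    allowed: frozenset = frozenset()  # VLANs a trunk carries tagged


class Switch:
    def __init__(self, ports: Dict[str, Port]):
        self.ports = ports

    def classify(self, port: str, frame: Frame) -> Optional[int]:
        """Ingress: which VLAN does this frame belong to? None means the switch drops it."""
        p = self.ports[port]
        if frame.vid is None:
            return p.pvid  # untagged: PVID (access VLAN, or native VLAN on a trunk)
        if p.mode == "trunk" and frame.vid in p.allowed:
            return frame.vid
        return None  # tagged on an access port, or VID not allowed on this trunk (assumed dropped)

    def egress(self, port: str, vid: int, frame: Frame) -> Optional[Frame]:
        """Egress: the frame as it leaves `port` in VLAN `vid`, or None if the port is not in it."""
        p = self.ports[port]
        if vid == p.pvid:
            return replace(frame, vid=None)  # access VLAN and native VLAN leave untagged
        if p.mode == "trunk" and vid in p.allowed:
            return replace(frame, vid=vid)   # everything else leaves a trunk tagged
        return None

    def forward(self, ingress: str, frame: Frame) -> Dict[str, Frame]:
        """Flood within the VLAN (no MAC learning); returns {port: frame as seen on that wire}."""
        vid = self.classify(ingress, frame)
        if vid is None:
            return {}
        out = {}
        for name in self.ports:
            if name != ingress:
                f = self.egress(name, vid, frame)
                if f is not None:
                    out[name] = f
        return out


# The 8+1 port lab from the thread (constructed; port 4's PVID of 103 is the assumption).
LAB = Switch({
    "p2": Port("access", 101),                           # PC, LAN-Work only
    "p3": Port("trunk", 1, frozenset({101, 103, 109})),  # uplink to OPNsense; native 1 carries nothing
    "p4": Port("trunk", 103, frozenset({101, 109})),     # PC on a trunk whose untagged VLAN is 103
    "p7": Port("trunk", 1, frozenset({101, 103, 109})),  # future access point
})


def pc_receives(switch: Switch, ingress: str, frame: Frame, pc_port: str,
                vlan_aware: bool = False) -> Optional[Frame]:
    """What the PC on `pc_port` actually gets: a plain NIC ignores tagged frames."""
    out = switch.forward(ingress, frame).get(pc_port)
    if out is None or (out.vid is not None and not vlan_aware):
        return None
    return out


if __name__ == "__main__":
    for vid in (101, 103, 109):
        offer = Frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", payload=b"DHCP OFFER", vid=vid)
        seen = {port: pc_receives(LAB, "p3", offer, port) is not None for port in ("p2", "p4")}
        print(f"OPNsense sends in VLAN {vid}: plain PC sees it on {seen}")
```

Running it shows the symptom from the thread: the PC on access port 2 only ever sees VLAN 101 frames, untagged, and its own untagged frames reach OPNsense tagged 101. The PC on trunk port 4 receives VLAN 101 and 109 frames tagged, which a plain NIC discards, and VLAN 103 frames untagged, so that is the DHCP lease it takes. The same model shows why the parent NIC on OPNsense should not carry an address of its own: untagged frames it sends land in whatever VLAN the uplink port uses as PVID. Only a VLAN-aware host (the hypervisor bridge cookiemonster suggests) can make use of the tagged frames on port 4.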
Title: Re: VLAN ID. Clarifications and suggestions for a newbie.
Post by: DarkCorner on December 13, 2023, 07:47:28 AM
Obviously, life has less flavor if we don't know how to complicate it more than necessary.  ;)
For example, I have a Win11 PC and VMware Workstation, but I have to create the virtual switches in Hyper-V.
:-[  >:(  :-X

This is now becoming a VMware problem rather than an OPNsense problem. I will look for a solution in their forums.

Thanks everyone for the help.

P.S.: I have two Proxmox servers gathering dust somewhere. Maybe it's time to restore them.
Title: Re: VLAN ID. Clarifications and suggestions for a newbie.
Post by: cookiemonster on December 13, 2023, 03:49:19 PM
If Proxmox can do it, ESXi will do it and more. I'm sure you'll get good advice there.
Title: Re: VLAN ID. Clarifications and suggestions for a newbie.
Post by: DarkCorner on December 27, 2023, 07:06:35 PM
Sorry, but I will have two more questions.

There is a 24 port managed switch and on this I have to create VLANs for LAN, DMZ, Guests, Home and VoIP.

With 5 interfaces, em0 is for WAN and em4 is for WAN2.
I still have 3 NICs (em1/2/3).
What do you recommend me to do?
Do I create 5 VLANs distributed across the 3 NICs? For example em1 with LAN and DMZ; em2 with Guests and Home; em3 for VoIP.
Or do I aggregate the 3 NICs into one and associate all 5 VLANs on this one?

The second question is, when I configure a VLAN to an interface, for example VoIP on OPT2=em3, should the OPT2 interface be enabled or disabled?