OPNsense Forum

English Forums => General Discussion => Topic started by: andyman1222 on August 16, 2024, 06:58:12 AM

Title: VLAN traffic shows up in firewall under LAN interface
Post by: andyman1222 on August 16, 2024, 06:58:12 AM
I've been trying to get some VLANs working. The VLAN setup in question is bridged with two tagged interfaces (eno1.vlan1222 and eno2.vlan1222 for example, members of bridge br2, both tagged 1222). The bridge is assigned interface say VLAN1222_INF with a static IP 10.252.0.1/16.

One of the issues I've been having is getting traffic working thru the VLAN. For example, if I try to ping (or nslookup, etc.) 1.1.1.1 or 10.252.0.1 on eno1 or eno2 thru their VLAN interfaces, I see on the firewall a request and reply logged and passed (see attached image), however the interfaces do not receive anything.

However, what I'm more specifically asking about is that the firewall capture is reported on the LAN interface, which is an untagged bridge with IP 10.0.0.1/9; the source and destination IPs aren't even in that subnet. Because of this, the rules I've been making to get VLANs working have been floating on all interfaces (sometimes traffic is reported on the VLAN interface, typically broadcast).

Why is the traffic showing up on the LAN interface and not the VLAN? Is there some fix for this, like some tunable to configure? Could this be a hint to the underlying issue why packets aren't being received by the VLAN members (perhaps it's routing thru the LAN interface, though the routing tables show 10.252.0.0/16->VLAN1222_INF)?
Title: Re: VLAN traffic shows up in firewall under LAN interface
Post by: dseven on August 18, 2024, 11:06:01 AM
I assume that these "eno" interfaces are on some Linux box that's separate from whatever you're running opnsense on? Is there a switch in between? I'm not sure what's the purpose of your bridge, but it sounds convoluted - maybe you could get VLANs working without the bridge first, then maybe add it to the mix again later (if it really has some purpose).
Title: Re: VLAN traffic shows up in firewall under LAN interface
Post by: doktornotor on August 18, 2024, 11:44:48 AM
+1 on the above. Bridging sucks.

Otherwise, as I vaguely recall, getting the "expected" behaviour required flipping these defaults:

net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0

the other way round, and that is even without the VLANs in the picture (say, bridging LAN and WLAN, or two physical ports).
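As an added example, not part of the thread: a small POSIX sh helper that reads the two net.link.bridge tunables from the post, reports whether pf is evaluating rules on the member interfaces or on the bridge interface (the one that carries the IP and that the OPNsense rules are written against), and prints the sysctl(8) arguments for the flipped setting. The input is a constructed copy of the FreeBSD defaults so it runs anywhere; on the firewall itself you would feed it the output of `sysctl net.link.bridge.pfil_member net.link.bridge.pfil_bridge`.

```shell
#!/bin/sh
# Added example (not from the forum thread). Decide where pf filters
# bridged traffic from the net.link.bridge pfil_* tunables.

# Constructed sample: the FreeBSD defaults quoted in the post.
SAMPLE_DEFAULTS="net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0"

# tunable_value NAME SYSCTL_OUTPUT -> prints the integer value of NAME
# (empty if NAME is not present in the output)
tunable_value() {
    printf '%s\n' "$2" | awk -v key="$1:" '$1 == key { print $2; exit }'
}

# bridge_filter_mode SYSCTL_OUTPUT -> prints one of:
#   member : rules are evaluated on the member interfaces only
#   bridge : rules are evaluated on the bridge interface only
#   both   : evaluated on the members and again on the bridge
#   none   : bridged traffic is not passed through pf at all
bridge_filter_mode() {
    member=$(tunable_value net.link.bridge.pfil_member "$1")
    bridge=$(tunable_value net.link.bridge.pfil_bridge "$1")
    case "${member:-0}${bridge:-0}" in
        10) echo member ;;
        01) echo bridge ;;
        11) echo both ;;
        *)  echo none ;;
    esac
}

# recommended_sysctl_args MODE -> sysctl(8) arguments that flip the
# defaults the way the post describes (filter on the bridge interface,
# not on its members); empty when that is already the active mode.
recommended_sysctl_args() {
    case "$1" in
        bridge) echo "" ;;
        *) echo "net.link.bridge.pfil_member=0 net.link.bridge.pfil_bridge=1" ;;
    esac
}

mode=$(bridge_filter_mode "$SAMPLE_DEFAULTS")
echo "filtering mode with the FreeBSD defaults: $mode"
args=$(recommended_sysctl_args "$mode")
if [ -n "$args" ]; then
    # On OPNsense these are persisted under System > Settings > Tunables.
    echo "to flip, as root: sysctl $args"
fi
```

With the defaults it reports `member`, which matches the post: rules attached to the bridge-assigned interface never see the traffic until the tunables are swapped.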