Hey everyone, been pulling my hair out most of the day now. This is driving me nuts!
I have a 4 port Protectli Vault. igc0=WAN, igc1=LAN and the other 2 (igc3 & igc4) are assigned interfaces.
I cannot get a VLAN to work on the LAN port, but it will work on either of the other 2 interfaces.
The VLAN interface will not give out an IP address from DHCP, but I can ping it from the LAN IP.
If I set up VLANs on either of the other 2 interfaces, they give out IPs, ping and have full access to internal and external networks with proper rules applied.
Testing with a WiFi AP that supports VLANs and with my Proxmox server.
Your LAN DHCP will not give out IPs for any of your VLANs indeed. Unfortunately no relevant info here.
I have DHCP configured for the VLAN.
Maybe post relevant screenshots then.
By "I can ping it from the LAN IP", do you mean you can ping 192.168.100.1 from some host on your LAN? or...?
I don't see anything obviously wrong from your screenshots. Is there a switch between OPNsense and the DHCP clients / WiFi AP? Could you temporarily connect the AP directly to igc1 and see if it works?
You could also try `tcpdump -nnei igc1 vlan` to see if there's any tagged traffic arriving there (while attempting DHCP)
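The tcpdump check suggested above, turned into a small parser of its output: this is an added example, not code from the thread. It assumes the `-nne` line format shown in the constructed sample, that the capture was taken on igc1, and VLAN 100 as the tag under test.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -nne -i igc1 'vlan or port 67 or port 68'` output
# (not captured from the poster's box); two tagged requests, one untagged exchange.
SAMPLE = """\
12:00:01.100000 aa:bb:cc:dd:ee:01 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 100, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from aa:bb:cc:dd:ee:01, length 300
12:00:02.100000 aa:bb:cc:dd:ee:01 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 100, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from aa:bb:cc:dd:ee:01, length 300
12:00:03.000000 aa:bb:cc:dd:ee:02 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from aa:bb:cc:dd:ee:02, length 300
12:00:03.050000 00:e0:67:00:00:01 > aa:bb:cc:dd:ee:02, ethertype IPv4 (0x0800), length 342: 192.168.1.1.67 > 192.168.1.50.68: BOOTP/DHCP, Reply, length 300
"""

VLAN_RE = re.compile(r"\bvlan (\d+),")          # 802.1Q tag printed by -e
DHCP_RE = re.compile(r"BOOTP/DHCP, (Request|Reply)")

def tally_dhcp(text):
    """Count DHCP Requests/Replies per 802.1Q tag ('untagged' when no tag)."""
    counts = defaultdict(lambda: {"Request": 0, "Reply": 0})
    for line in text.splitlines():
        m = DHCP_RE.search(line)
        if not m:
            continue
        v = VLAN_RE.search(line)
        tag = int(v.group(1)) if v else "untagged"
        counts[tag][m.group(1)] += 1
    return dict(counts)

def diagnose(counts, expected_vlan):
    """Turn the tally into a hint about which side of the link to look at."""
    tagged = {k: v for k, v in counts.items() if k != "untagged"}
    if not tagged:
        return "no tagged frames seen on the parent: check the AP/switch trunk config"
    c = counts.get(expected_vlan)
    if c is None:
        return f"tagged traffic seen on {sorted(tagged)} but not VLAN {expected_vlan}: check the tag on the AP side"
    if c["Request"] and not c["Reply"]:
        return f"VLAN {expected_vlan} requests reach igc1 but get no reply: check DHCP on the VLAN interface"
    return f"VLAN {expected_vlan} DHCP exchange looks healthy"

if __name__ == "__main__":
    t = tally_dhcp(SAMPLE)
    print(t)
    print(diagnose(t, 100))
```

Pipe a live capture in with `tcpdump -nne -i igc1 vlan | python3 thisscript.py` after swapping `SAMPLE` for `sys.stdin.read()`.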
Are you trying to use the LAN interface untagged and put a tagged VLAN on that port at the same time? Don't. Do not mix tagged and untagged interfaces on a single port in FreeBSD. Unsuspected and hard to debug failure modes are prone to happen.
Quote from: Patrick M. Hausen on August 25, 2024, 12:46:39 PM
Are you trying to use the LAN interface untagged and put a tagged VLAN on that port at the same time? Don't. Do not mix tagged and untagged interfaces on a single port in FreeBSD. Unsuspected and hard to debug failure modes are prone to happen.
Examples? Unresolved bug references? I'm doing this. It works well, and is a useful configuration for a home setting.
DHCP on the parent interface might interfere with the child VLANs. Bridging is impossible. Stuff like that. It's a general recommendation for FreeBSD to run either untagged or only tagged VLANs.
How would DHCP interfere? I don't need bridging.
Need specifics here - otherwise it sounds like FUD. Is this general recommendation officially documented somewhere?
Clients on VLANs being served by the DHCP server on the parent interface has been observed. I do not know if this has been fixed since.
Having managed data centers for almost 30 years I have developed the habit of never using the "native VLAN" on a trunk port. Always set it to something unused throughout the layer 2 domain like 999 or something.
Trunk ports are trunk ports and access ports are access ports. Statically set by an administrator. Never allow the configuration of a switch port to be changed by whatever is plugged in. Same for LACP. Always static.
I haven't had any issues with DHCP between my tagged and untagged networks.
I wouldn't do it in a corporate setting, but there's nothing wrong with it as far as 802.1Q goes, and it's very useful in a typical home scenario, where most people want to implement Guest and IoT WiFi networks, along with a few "wired" devices (like desktop PCs) on a LAN without needing managed switches.
See for example: https://forum.opnsense.org/index.php?topic=42452.msg209934#msg209934