Hello,
We are a long-time user of OPNsense. The time has come, I feel, for us to be a little more security conscious and start to logically segment the network.
VLANs seem to be the answer. But I am a little confused on the practicalities. It seems it's like a magic trick: someone who knows the trick makes it seem simple. You can sort of understand it, it makes sense, but the practical implementation eludes us.
We can create VLANs in OPNsense and configure DHCP on the VLAN, but we are missing knowledge of the detail. For instance: we have OPNsense with a WAN with a /29 and a LAN /24. The LAN is 10.0.0.0/24; we have firewall rules and port forwards to various servers and all is well.
OPNsense is connected to our main network switch, which has a number of servers for virtualisation, NAS etc. It also has security cameras, office PCs, WAPs, a wireless link to another building which also has a WAP and security cameras, and a link to another building which has 5 WAPs, security cameras, smart TVs and a number of internet-connected devices. All on the same /24 network.
Ideally in future world we would want to segment some of these devices.
When configuring a VLAN it asks for the DNS server and gateway. If I put the DNS server address as the OPNsense LAN address, it can't see that as it is on a different network.
As a simple example to get started. We have a VLAN capable WAP in the office.
It would be good to configure two networks on it: the default network called Office_Wifi and a Guest network on a different network.
Office_Wifi
Default 10.0.0.0/24
Guest_Wifi 10.0.10.0/24
I can configure the Guest_WiFi network in the WAP with VLAN ID 10 and set its address as 10.0.10.1.
DHCP would come from the OPNsense DHCP service.
So the WAP would have two networks: 10.0.0.0/24 and 10.0.10.0/24.
At the OPNsense end I can configure a VLAN with an ID of 10 and set up the network as 10.0.10.0/24. But what DNS do I specify and what gateway address? The address of the OPNsense LAN, 10.0.0.1, for both?
Then at the network switch I would need to setup VLAN 10 and add the port that the WAP is connected to? Would it need to be set as a trunk port as it could be carrying traffic from either of the 2 wifi domains and networks?
Do I need to configure the port that the OPNsense LAN is connected to as a trunk port? Do I need to add that port to VLAN 10 also?
As a basic starter, I would love someone to assist with setting up this first VLAN to get the WAP serving the 2 groups; office staff and guests. With connected office staff being able to see the default network 10.0.0.0/24 and Guests being served a DHCP address by OPNsense and only able to access the internet.
Any help is appreciated. And apologies for the ramble just trying to get this stuff out of my head.
Cheers
You need to start on your 'main network switch'. That is where you define the VLANs and assign them to ports. It sits in the middle of all your traffic flows.
Since both your user groups need access to the internet, your office and guest VLANs need to be trunked to OPNsense. This gives you the layer-2 separation. On top of that, you set up separate subnets. The IP address of the OPNsense interface on each subnet will be the gateway for that subnet, so that they can reach the internet.
DNS and potentially DHCP are separate services. You can provide them on OPNsense, but also on a pi-hole, Windows Server or a multitude of other platforms.
Bart...
P.S. an old but good article on El Reg gives a good intro into the practicalities https://www.theregister.com/2017/06/30/vlans_at_20/
Bart,
Many thanks. I am a little stuck at present.
I have configured OPNsense to have VLAN 10 with the parent interface on the LAN, copied the same firewall rules that the LAN has to VLAN 10, and set up DHCP for VLAN 10.
On the WAP I have configured two networks, one on the default VLAN 1 and one on VLAN 10.
On the switch I have configured the port the WAP is connected to as belonging to VLAN 10, and the port is marked as a hybrid port. I also configured the switch with an additional address on the VLAN 10 network.
The port connected to the OPNsense LAN is also configured as hybrid.
I can connect to the office_wifi and all is well and I have internet access as well as lan access to the main network and all is well on that network.
If I connect to the Guest network I do not get a DHCP address. However, if I configure a static IP on the connection from my phone, I can connect to the switch on its VLAN 10 address. But I cannot get to the OPNsense VLAN 10 address or the internet.
I am sure I am missing something fundamental but can't see it.
The switch is an HP A5120, fully managed.
Cheers
You haven't made things easy for yourself - that's a layer-2/layer-3 switch ;)
You have the firewall and WAP on hybrid ports, so far so good. If you have a spare port, configure it as an access port on VLAN 10 and plug a laptop into it. Phones over WiFi are a bit limited for troubleshooting.
If you have a toy laptop without ethernet, use a desktop or a USB/Thunderbolt ethernet adapter.
Set a static on the laptop ethernet (e.g. 10.0.10.101) and set the VLAN 10 interface on OPNsense with a static of 10.0.10.254. Confirm you can ping both the laptop and the WAP from OPNsense. If not, add a temporary floating rule for all v4 ICMP anywhere.
Now that your cabled VLAN is working, connect the laptop to the guest WiFi with a static of 10.0.10.102, disconnect its network cable and ping from OPNsense. This confirms your layer-3 connections.
DHCP and DNS are next but see if you can get basic connectivity sorted first.
Bart...
Bart,
Thank you for this.
I can confirm that everything in OPNsense looks good. I can see the VLAN 10 interface and it is configured correctly. The DHCP service and DNS services are all set to include the VLAN 10 interface etc.
Worth mentioning is that OPNsense runs in an ESXi VM. The PG connected to the VM on the LAN interface is set to VLAN ID 4095 (meaning all) and works perfectly for the rest of the main network.
I set up a basic VM and gave it an address in the VLAN 10 network, 10.0.10.40, on a new PG with VLAN 10. I can ping the OPNsense VLAN 10 LAN from it and it gets DNS services from OPNsense. I can also ping out to the OPNsense LAN network, 10.0.0.0/24, and all devices are accessible! I am sure this should not be possible.
So inside the ESXI VM environment, all seems fine.
I set up two laptops configured with VLAN 10 static addresses, 10.0.10.120 and 10.0.10.130, and also set up ports 9 and 10 on the physical switch as Untagged 1,10 and PVID 10. It is not possible to configure them as access ports: as soon as you tag a port, it changes to a hybrid port.
Port 1 on the switch is configured as untagged 1 (default) and tagged 10 with a PVID of 1 and is automatically made a hybrid port.
port 17 is where the office WAP is connected and that is configured as untagged 1 tagged 10 PVID 1
I can connect to the WAP OFFICE and all is well. All services are accessible and I can talk to anything on the main (default) network and get to the internet.
If I connect to the WAP Guest network I can also get a DHCP address from the VLAN 10 network and connect to the internet. But I can also access all of the resources on the OPNsense LAN network 10.0.0.0/24.
If I connect via either laptop I can ping the other and all network resources on both the OPNsense LAN and OPNsense VLAN 10 networks. But I cannot ping into the VM 10.0.10.40 from outside of the VM environment, even though from the VM I can ping everywhere.
It is working, sort of, but with no network separation, and really I don't know why it is working. If I change the two laptop ports to be Untagged 1, Tagged 10, PVID 10 I can get nowhere from them.
Also I can connect to both the OPNsense LAN (main network) and the VLAN 10 network from any PC connected to the switch and ping all resources.
ESXi actually makes things simpler. Add another vNIC to the firewall VM connected to the VLAN 10 port group.
I have OPNsense on VMware with six such interfaces 8)
Quote from: bartjsmit on September 04, 2024, 07:02:47 PM
ESXi actually makes things simpler. Add another vNIC to the firewall VM connected to the VLAN 10 port group.
I have OPNsense on VMware with six such interfaces 8)
Hello Bart,
Did you have any comment on the above? I am still a little baffled as to why it is sort of working.
Setting the PG in ESXi for the main network servers to 4095 was probably a mistake. Once you have set it to anything other than the 0 it has by default you cannot set it back to 0.
Quote from: sparticle on September 05, 2024, 01:44:38 PM
Setting the PG in ESXI for the main network servers to 4095 was probably a mistake.
Back up any VMs you want to keep (Veeam have a good free CE tier) and wipe the host to start fresh. If you have an external datastore, just unregister the VMs and register them after the rebuild.
I do have a default 'VM Network' PG without a VLAN tag which connects to the LAN
Quote from: bartjsmit on September 05, 2024, 09:59:35 PM
Quote from: sparticle on September 05, 2024, 01:44:38 PM
Setting the PG in ESXI for the main network servers to 4095 was probably a mistake.
Back up any VM's you want to keep (Veeam have a good free CE tier) and wipe the host to start fresh. If you have an external datastore, just unregister the VM's and register them after the rebuild.
I do have a default 'VM Network' PG without a VLAN tag which connects to the LAN
I am just trying to get one vlan working. I do not want to break the existing network at this time.
My instinct is it is something to do with the port config on the HP.
Untagged vs tagged and PVID is confusing. I think it means if the traffic is untagged then default to the VLAN equal to PVID.
I suppose the test VM I set up with an address in the VLAN 10 network would be sending untagged traffic to the PG it is connected to, which is set as VLAN 10. Is this the same as a physical switch port being set as an access port on VLAN 10?
So in theory all traffic from this VM would be tagged as VLAN 10 by the PG. But why then can I ping the OPNsense LAN interface on the default untagged network? Is it also allowing the default traffic which is untagged? I can't see any way of being more specific; there is no option to set an untagged VLAN number, just the VLAN number.
In fact from one of the office pc's on the LAN network 10.0.0.0/24 I can ping the test VM on the VLAN10 network!
The PG on VLAN 10 that the test VM is connected to should not be pingable from a pc on the LAN network surely...right? I can ssh into it so it is like both networks are the same.
VLANs should be consistent throughout your network. Since your hypervisor(s) have an internal virtual switch, they need to have the same VLANs as on your physical switch(es). You may get away with configuring your vSwitch with just the VLANs used on your VMs, but it's bad practice.
That means that you need to configure the switch to send the VLAN tags to the hypervisor since it is a VLAN-aware device. The same would be true if you run OPNsense on bare metal. You only use untagged traffic on access ports which connect to 'dumb' devices from a VLAN perspective - e.g. laptops running Windows.
To get connectivity on VLAN 10 for a VM (OPNsense or otherwise) you need to trunk VLAN 10 to ESXi and have other devices on VLAN 10 hanging off the switch, either access ports for laptops or trunk ports to WiFi access points.
To avoid having to run a default VLAN with hundreds of devices, you can normally mix tagged and untagged frames on the same port - that will be the hybrid port in HP parlance. That allows a big old LAN network with pockets of a handful devices that need to be separate (guests, DMZ servers, etc.)
If you have a VM on VLAN 10 and only VLAN 10, it should not connect to devices on the LAN, only to devices on VLAN 10.
Bart...
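Added example, not from Bart's post or anything else in this thread: a small Python model of how an 802.1Q switch port classifies an incoming frame (by its tag, or by the PVID when it has none) and how it sends frames out of another port, tagged, untagged or not at all. The port table mirrors the HP A5120 configuration described later in the thread (port 1 trunk to the firewall, port 11 access on VLAN 50, port 17 hybrid to the WAP) plus the two laptop-port variants tried earlier, moved to VLAN 50 for consistency. The port names, the Comware commands in the comments and the membership semantics are assumptions for illustration, not checked against the poster's switch.

```python
# Added example: model of 802.1Q ingress/egress behaviour on a switch port.
# Ports, Comware commands in comments and the VLAN numbers are assumptions
# modelled on the thread's HP A5120 port table; they were not taken from the
# poster's running configuration.
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Port:
    name: str
    untagged: set = field(default_factory=set)  # VLANs that leave this port without a tag
    tagged: set = field(default_factory=set)    # VLANs that leave this port with an 802.1Q tag
    pvid: int = 1                               # VLAN assigned to frames that arrive untagged

    def members(self) -> set:
        return self.untagged | self.tagged

    def ingress(self, vid: Optional[int]) -> Optional[int]:
        """Classify an arriving frame; vid=None means it carried no tag.

        Returns the VLAN the frame is placed in, or None if the port drops it."""
        if vid is None:
            # untagged frame: it belongs to the PVID, if the port is a member of it
            return self.pvid if self.pvid in self.members() else None
        # tagged frame: accepted only if the port is a member of that VLAN
        return vid if vid in self.members() else None

    def egress(self, vid: int) -> Optional[str]:
        """How a frame in VLAN vid leaves this port: 'tagged', 'untagged' or None."""
        if vid in self.untagged:
            return "untagged"
        if vid in self.tagged:
            return "tagged"
        return None


def forward(ports: dict, src: str, dst: str, vid: Optional[int]) -> Optional[Tuple[int, str]]:
    """Broadcast frame entering src (tag vid, or None) and leaving dst."""
    vlan = ports[src].ingress(vid)
    if vlan is None:
        return None
    how = ports[dst].egress(vlan)
    return None if how is None else (vlan, how)


# Port table mirroring the thread's description (assumed Comware commands in comments).
SWITCH = {
    # port link-type trunk / port trunk permit vlan 1 50 / port trunk pvid vlan 1
    "GE1/0/1":  Port("GE1/0/1",  untagged={1}, tagged={50}, pvid=1),      # link to OPNsense
    # port link-type access / port access vlan 50
    "GE1/0/11": Port("GE1/0/11", untagged={50}, pvid=50),                # laptop test port
    # port link-type hybrid / port hybrid vlan 1 untagged / port hybrid vlan 50 tagged
    "GE1/0/17": Port("GE1/0/17", untagged={1}, tagged={50}, pvid=1),     # WAP with two SSIDs
    # earlier experiment: untagged 1 and 50, PVID 50 (hybrid, both VLANs untagged)
    "GE1/0/9":  Port("GE1/0/9",  untagged={1, 50}, pvid=50),
    # earlier experiment: untagged 1, tagged 50, PVID 50
    "GE1/0/10": Port("GE1/0/10", untagged={1}, tagged={50}, pvid=50),
}


def trace_examples() -> dict:
    """Walk the cases from the thread through the model."""
    return {
        # laptop on the VLAN 50 access port: leaves the firewall trunk TAGGED 50,
        # so the tag must survive all the way to the OPNsense parent interface
        "laptop->fw": forward(SWITCH, "GE1/0/11", "GE1/0/1", None),
        # guest SSID: the WAP tags 50 itself; the trunk forwards it tagged
        "wap_guest->fw": forward(SWITCH, "GE1/0/17", "GE1/0/1", 50),
        # office SSID: untagged -> PVID 1 -> leaves untagged, i.e. the plain LAN
        "wap_office->fw": forward(SWITCH, "GE1/0/17", "GE1/0/1", None),
        # a LAN (VLAN 1) broadcast never reaches an access port that is only in VLAN 50
        "lan->laptop": forward(SWITCH, "GE1/0/1", "GE1/0/11", None),
        # a port untagged in BOTH 1 and 50 still emits LAN broadcasts, hence no separation
        "lan->mixed_port": forward(SWITCH, "GE1/0/1", "GE1/0/9", None),
        # a port that is tagged 50 with PVID 50 answers the laptop with TAGGED frames,
        # which a laptop NIC without VLAN support silently drops
        "fw->tagged_laptop_port": forward(SWITCH, "GE1/0/1", "GE1/0/10", 50),
    }


if __name__ == "__main__":
    for case, result in trace_examples().items():
        print(f"{case:24s} -> {result}")
```

The two experimental ports explain the two symptoms from earlier in the thread: a port that is untagged in both VLANs sees both networks, and a port that is tagged in the laptop's VLAN sends the replies with a tag the laptop cannot read. The only frame that helps the firewall is the one leaving GE1/0/1 tagged 50, which is why the next thing to check is whether that tag actually arrives at the OPNsense parent interface.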
Bart,
Many thanks for your additional insights. I think I need a brain reset on this.
I will digest this and other notes and see if I can work out a way forward. At this stage I can't redo the entire network.
I was hoping it would be simple-ish to introduce a number of VLANs to start to learn more.
I think it might be a long journey :)
Cheers
If you are going to muck about with the switch, you may want to do (automated) config backups.
Rancid was my go-to project for this before I joined the Ubiquiti cult. There is an HP Comware plugin:
https://shrubbery.net/rancid/
https://sites.google.com/site/jrbinks/code/rancid/cmwrancid
This seems like a bit of overkill. You don't need to redo your network. This can be migrated fairly seamlessly. In fact, I'm doing such a migration right now for a customer where we have a parallel tagged/untagged setup that needs to go in the long run.
I imagine you have one cable running from the firewall to the main switch at the moment. On that connection there is untagged VLAN 1 and your new VLAN 10. I have found that this does not work: you can't really mix tagged and untagged traffic with OPNsense, neither can you use VLAN 1 tagged; it just doesn't seem to work well.
So connect a second interface for the new tagged stuff; you can do the same for the ESXi. The new interface should be a pure trunk port; use the old port untagged for VLAN 1, you can migrate that later. If it's a Cisco, or Cisco-like, the port should look like this:
interface <name>
switchport mode trunk
description firewall
same on the new port for the esxi. On untagged ports, you would do
interface <name>
switchport mode access
switchport access vlan 10
OR, in case it's the pvid thing
interface <name>
switchport mode general
switchport general allowed vlan add 10 untagged
switchport general pvid 10
OR with the unfortunate WAP, we usually need to do
interface <name>
switchport mode general
switchport general allowed vlan add 10 tagged
switchport general allowed vlan add 1 untagged
switchport general pvid 1
I would advise you to try to migrate away from vlan 1, because it tends to cause trouble.
You do not need to reinstall the ESXi; you can reconfigure the network stuff, and you can change the VLANs on it. I would even tell you how, but I don't have one anymore, having switched to Proxmox.
The gist is, you have a vswitch, which connects to the physical port. It doesn't know about vlans. On this, you create networks, which can have a vlan tag, then you don't need to untag on the vm level. You would create one of those for each of your vlans and then connect the vm to it.
Alternatively you can use vlan 4095 for trunking, but I don't imagine you would need that, except if your opnsense itself is virtualized. In that case, do the above, only with virtual connections.
Can't think of anything else right now, hope that helps.
Bart and Bimbar,
Many thanks for this. Yes, I had concluded that part of my issue was the VLAN 1 thing. I have started separating my VMs onto their own PG in ESXi so I can add VLANs at some point.
You are right I have a port on the primary network switch that is connected to the OPNSense LAN. That is currently set as Hybrid Untagged 1 Tagged 10 PVID 1
I will persevere for a while and learn some more basics.
Thank you for your help and support.
Cheers
Best make that into 2 ports.
Quote from: bimbar on September 09, 2024, 11:53:26 AM
Best make that into 2 ports.
Make 2 LAN ports in OPNSense?
Or make 2 physical connections to the main network switch?
Cheers
Both, one interface for vlan 1 untagged, and a second one for the vlan trunk (with dedicated cables to the main switch).
I did think I was getting somewhere. But alas not it seems.
I have set up a laptop on a different, empty switch, a Netgear GS724Tv4. This has a fibre uplink to the main HP switch.
I set up a new interface in OPNsense and created a VLAN 50 with DHCP service enabled, following this tutorial: https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-vlan-on-opnsense
All seems well at the OPNsense end and I can ping the OPNsense server on the new subnet, 10.0.50.254, from the native LAN! Confused by this behaviour also.
At this point there is nothing configured on any switch; they are running as a single LAN.
I tried setting Port 2 on the Netgear to PVID 50 VLAN 50, removing the untagged VLAN 1 from port 2 and adding VLAN 50 to the uplink port link to the HP. Then also adding VLAN 50 to the HP TRUNK uplink port and the OPNSense trunk port. So in theory this is what I thought would happen.
Laptop connected to Netgear port 2: all packets are tagged with VLAN 50 by the switch. They are passed as tagged to the HP on its TRUNK uplink port, which is also in VLAN 50. Then it can get to the OPNsense server via the TRUNK connection to the ESXi, which is set to 4095 at the ESXi end so will pass all VLAN traffic. Then the 10.0.50.0/24 subnet and interface will get the traffic and respond with a DHCP lease. The laptop gets an IP and all is well.
That fiction didn't happen. I cannot ping the 10.0.50.0/24 network from the laptop. There are firewall rules on the VLAN 50 interface copied from the LAN interface to allow DHCP etc., so it should work exactly like the LAN interface, which is the VLAN parent interface. Even if I configure a static IP in the VLAN 50 subnet on the laptop I cannot get to the OPNsense server on its IP 10.0.50.254.
I am still confused on the tagged and untagged configuration. I am obviously missing something fundamental. I have done so much reading on this I probably have some analysis paralysis!
As I understood it: if I want dumb equipment like a laptop to connect via a specific VLAN I need to set the port it is connected to as an access port. If it is a WAP that is VLAN aware it may need to be a TRUNK port with the VLAN tags set for the various wifi networks. But stick to a single laptop trying to connect to OPNsense VLAN 50 and getting network services like DHCP and DNS. Do I set the Netgear port as tagged 50? What do I set on the uplink ports between the switches? There is nowhere to set the port as a TRUNK port in the Netgear, and a ton of less than clear, conflicting info on the web. I can either TAG the uplink port into a VLAN or have the port included in the VLAN config as untagged. On the HP end I can set port 1 (OPNsense connection) and port 25 (uplink port) as TRUNK ports and I can again set the TAG for VLAN 1 and 50 or include these ports in both VLAN 1 and 50 untagged.
If I can get just one VLAN working properly I am sure I can use that to learn about intervlan traffic etc. which is something I will need to properly migrate from a single subnet to a fully segregated VLAN based network.
The plan is to have the following.
MANAGEMENT VLAN able to access anything across all VLANS
NETWORK SERVICES VLAN to provide email, NAS, Streaming services etc.
HOUSE AP VLAN(s) for the 6 APs in the main house with multiple networks for IoT devices, adults, kids, guests.
OFFICE VLAN(s): 2 APs with multiple networks for IoT devices, employees, visitors.
OUTSIDE VLAN(s): 5 APs with multiple networks for IoT devices, us, visitors and guests.
Multiple of the above would need to be able to communicate with each other for provision of services. e.g. The NETWORK SERVICES and IOT Devices would need to be able to talk to each other to stream content to phones/tv's etc.
But right now this is a dream as I can't even get a single simple VLAN to work. It feels like I am missing a critical piece somewhere that has just not clicked into my consciousness.
Advice, encouragement, and guidance appreciated.
Cheers
I really need some help with this.
I have now a very simple setup.
The main OPNsense config is as it was, with the addition of a single VLAN config. I restored the config from a previous point before I started messing with VLANs to ensure I was back at my base config for the network. I followed this guide https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-vlan-on-opnsense and set up the VLAN exactly as the LAN is configured but with a new subnet, with the LAN interface as the parent. The new VLAN 50 interface OFFICE has DHCP services configured exactly the same as the LAN interface in the new subnet, e.g. 10.0.50.0/24 with an interface address of 10.0.50.254. I have cloned the firewall any rule from the LAN to the OFFICE net. Everything appears to be set up correctly. As I have an any rule on the LAN I can ping the OFFICE interface from outside the OPNsense server from my PC on the main switch.
On the HP switch that OPNsense is connected to I have configured VLAN 50 and the ACCESS and TRUNK ports to connect to OPNsense and the other switches. See attached image of the setup. This is a very simple setup to get one VLAN working. It doesn't work: I cannot get DHCP from OPNsense, and even if I configure a static IP in the OFFICE subnet I cannot ping the OPNsense OFFICE interface.
I am completely at a loss as to why this is not working. The VLAN config on the switch looks right. The OPNsense VLAN config looks right; I have FW rules and DHCP and DNS services on the OFFICE VLAN.
In words the switch is configured as follows. See image for detail.
Port 1 TRUNK Untagged 1 Tagged 50 PVID 1 (LINK TO OPNSENSE)
Ports 11 and 12 ACCESS Untagged 50 PVID 50 (LAPTOP TEST PORTS)
Port 17 TRUNK Untagged 1 Tagged 50 PVID 1 (WAP with two wifi networks, one on the default VLAN and one on VLAN 50)
Port 25 TRUNK Untagged 1 Tagged 50 PVID 1 (LINK TO REST OF NETWORK)
This should work but it doesn't; OPNsense shows no packets on the OFFICE interface.
Can anyone please put me out of my misery and help me to get VLANS working.
Just to add: I know the switch is working, as I can configure an admin address in the switch on the VLAN 50 subnet and I can ping it from the laptop on the VLAN 50 network. So I know the switch ports are working as expected within the switch. I also know the switch VLAN config is working between switches: I can ping the HP on its VLAN 50 address from the Netgear, connected via a TRUNK to TRUNK connection to HP port 25, using the laptop manually configured with a VLAN 50 IP.
BUT, I get destination host unreachable and no route to host if I try to ping the OPNsense VLAN 50 interface on 10.0.50.254. No packets are received on the OPNsense OFFICE (VLAN 50) interface. Also the WAP on the HP TRUNK port 17 gets no DHCP service either. I can configure a static IP on the wifi connection and connect to the VLAN 50 wifi network but can't get anywhere.
It is like any VLAN subnet on the LAN interface is blocked, and I suspect that pinging the VLAN 50 address from the default network is simply getting a response from the parent interface, as stats show no packets on the VLAN 50 interface.
What is going on here?
Cheers
Seems fine to me. Probably something simple and stupid, but those are the ones that are hardest to find.
Quote from: bimbar on October 20, 2024, 03:36:32 PM
Seems fine to me. Probably something simple and stupid, but those are the ones that are hardest to find.
Thank you for replying, but like what? What simple checkbox or config item can stop all VLANs from working on a parent interface? This is a simple single VLAN config attached to the parent LAN interface. It is like OPNsense is ignoring any VLAN tagging coming into the parent.
Make sure the tag is coming into the parent. Do packet traces on the switch side (mirror port?) and the firewall side; Interfaces: Diagnostics: Packet Capture. Wireshark is your friend.
Try with a different switch. Five port managed switches likely cost less than the time you've spent on this already if you paid yourself minimum wage ;)
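Added example, not from Bart's post or from OPNsense itself: a Python helper that reads the text output of a `tcpdump -e` capture taken on the OPNsense parent interface and reports which VLAN tags, and which DHCP requests, actually arrived there. This is the "make sure the tag is coming into the parent" check in script form. The interface name vmx0, the capture command and the sample capture lines are constructed assumptions for illustration.

```python
# Added example: summarise `tcpdump -e` output from the OPNsense parent interface
# to see whether 802.1Q-tagged frames (and DHCP requests inside them) arrive.
# Assumed capture command on OPNsense (vmx0 is an assumed interface name):
#   tcpdump -eni vmx0 -c 50 'vlan or port 67'
# The -e flag is what makes tcpdump print the 802.1Q header.
import re
from collections import Counter

# Constructed sample, not a real capture: two tagged DHCP requests on VLAN 50,
# one untagged DHCP request, one tagged LLDP frame on VLAN 1, one untagged ICMP reply.
SAMPLE_CAPTURE = """\
12:00:01.000001 aa:bb:cc:00:00:11 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 50, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from aa:bb:cc:00:00:11, length 300
12:00:01.200000 aa:bb:cc:00:00:22 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from aa:bb:cc:00:00:22, length 300
12:00:02.000000 aa:bb:cc:00:00:33 > 01:80:c2:00:00:0e, ethertype 802.1Q (0x8100), length 150: vlan 1, p 7, ethertype LLDP (0x88cc), LLDP, length 132
12:00:02.500000 aa:bb:cc:00:00:11 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 50, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from aa:bb:cc:00:00:11, length 300
12:00:03.000000 00:0c:29:aa:bb:cc > aa:bb:cc:00:00:22, ethertype IPv4 (0x0800), length 98: 10.0.0.1 > 10.0.0.50: ICMP echo reply, id 1, seq 1, length 64
"""

# With -e, a tagged frame is printed as "... ethertype 802.1Q (0x8100), length N: vlan <id>, ..."
TAG_RE = re.compile(r"ethertype 802\.1Q \(0x8100\), length \d+: vlan (\d+),")


def parse_line(line: str):
    """Return (vlan_id or None when untagged, True if the frame is DHCP/BOOTP)."""
    m = TAG_RE.search(line)
    vid = int(m.group(1)) if m else None
    return vid, "BOOTP/DHCP" in line


def summarise(capture_text: str) -> dict:
    """Count frames and DHCP frames per VLAN id (the key 'untagged' for no tag)."""
    frames, dhcp = Counter(), Counter()
    for line in capture_text.splitlines():
        if not line.strip():
            continue
        vid, is_dhcp = parse_line(line)
        key = "untagged" if vid is None else vid
        frames[key] += 1
        if is_dhcp:
            dhcp[key] += 1
    return {"frames": dict(frames), "dhcp": dict(dhcp)}


def diagnose(capture_text: str, expected_vlan: int) -> str:
    """Point at the next thing to check, depending on what reached the parent."""
    s = summarise(capture_text)
    if expected_vlan not in s["frames"]:
        return (f"no frames tagged vlan {expected_vlan} reached the parent: "
                "check the switch trunk / ESXi port group before anything in OPNsense")
    if expected_vlan not in s["dhcp"]:
        return (f"vlan {expected_vlan} tag arrives but carries no DHCP requests: "
                "check the client or WAP side")
    return (f"vlan {expected_vlan} DHCP requests reach the parent: "
            "look at the OPNsense vlan interface assignment, DHCP service and firewall rules")


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CAPTURE
    vlan = int(sys.argv[1]) if len(sys.argv) > 1 else 50
    print(summarise(text))
    print(diagnose(text, vlan))
```

Capture on the parent interface, not on the VLAN child interface: the child only ever shows frames with the tag already stripped, so a capture there cannot distinguish "tag never arrived" from "tag arrived and was ignored". The same applies one layer down in the ESXi case: a port group set to a specific VLAN ID (VST) strips the tag before the guest sees it, and only a port group on VLAN 4095 (VGT) passes tagged frames through to a guest that does its own VLAN interfaces.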
I already have two perfectly good managed switches I am working with. As my OPNsense is virtualised in an ESXi VM, there seems to be a lot of stuff out there about VLANs not working correctly with 6.7 vSwitches and port groups with the VMXNET3 adaptor.
Timed out on this for a while whilst I make some more of that minimum wage ;)
if you are running virtualised you should create all VLANs in ESXi/vSphere and map each to an individual interface in OPNsense. Also E1000 is preferred over VMXNET3.
So you seem to be saying I need to create a PG per VLAN attached to the vSwitch, then in order to use that create a new vNIC in the OPNsense VM for each VLAN and attach it to the VLAN PG.
Then in OPNsense create the VLAN and assign it to the new VM vNIC?
Quote from: sparticle on October 21, 2024, 01:37:17 PM
So you seem to be saying I need to create a PG per VLAN attached to the vSwitch, then in order to use that create a new vNIC in the OPNsense VM for each VLAN and attach it to the VLAN PG.
That is the recommended way, yes.
Quote from: sparticle on October 21, 2024, 01:37:17 PM
Then in OPNsense create the VLAN and assign it to the new VM vNIC?
Not a VLAN; from the guest OS' point of view that is just a regular untagged interface. So you assign an interface and then create rules, DHCP, etc. as you would with VLANs. But all the switching fabric things happen in the vSwitch.
Quote
Not a VLAN; from the guest OS' point of view that is just a regular untagged interface. So you assign an interface and then create rules, DHCP, etc. as you would with VLANs. But all the switching fabric things happen in the vSwitch.
AH OK, I think I am starting to get it. You are saying that the new VM-provided vNIC is just another NIC in OPNsense that I can assign to a network I create called Guest, for instance, with an address and subnet configured for the VLAN like 10.0.50.254/24, then add DHCP, DNS etc. to that interface and rules as before. At this point it is just a subnet. I would have connected that vNIC to the PG for VLAN 50 in the VM settings in ESXi. All traffic in/out of the Guest NIC in OPNsense would be untagged until it gets to the PG, which would tag it as VLAN 50(?). Is this correct? I thought that PGs only allowed tagged VLAN traffic matching the VLAN ID set on the PG config: 0 default, or VLAN ID, or 4095 for all?
Currently, the one working VLAN 50 is configured in OPNsense as per the guide and assigned to the LAN parent interface as VLAN 50. The PG that OPNsense talks to is set as 4095 and it works. Although I am now questioning that, as I believe setting 4095 on the PG means it matches all VLANs.
I need to completely rethink this if your guidance is the right way to do this. As this is the start of a journey and I am keen to get to the destination the right way.
You're correct about the virtual NIC.
One might argue that the "best" way to configure all of this would be PCIe passthrough of an entire interface to OPNsense, then configure VLANs there.
You get better performance and can add/remove VLANs without shutting down the VM. Also adding of interfaces might reorder the existing ones, I read on this forum.
All traffic will move through your switch, though.
Quote from: Patrick M. Hausen on October 21, 2024, 03:53:36 PM
You're correct about the virtual NIC.
As I wrote multiple thoughts on the vNIC, which bit of what I wrote is correct?
Quote
AH OK, I think I am starting to get it. You are saying that the new VM-provided vNIC is just another NIC in OPNsense that I can assign to a network I create called Guest, for instance, with an address and subnet configured for the VLAN like 10.0.50.254/24, then add DHCP, DNS etc. to that interface and rules as before. At this point it is just a subnet. I would have connected that vNIC to the PG for VLAN 50 in the VM settings in ESXi. All traffic in/out of the Guest NIC in OPNsense would be untagged until it gets to the PG, which would tag it as VLAN 50(?). Is this correct?
This?
Yes, that part. OPNsense will not know about VLANs, only logical interfaces, networks, addresses ... the tagging and switching is left to the system that is far better at layer 2.
But with virtual NICs you will always have performance issues *if* you need to reach wire speed, i.e. at least a Gbit/s of throughput. In that case a passthrough NIC is best, IMHO. If your hypervisor host has got an unused NIC or two ...
Interesting. This second method, of attaching a new vNIC to the OPNsense VM and configuring a new network to provide services for VLAN 30, for instance, then creating a PG for VLAN 30 and attaching the new VM NIC to it, does not work outside of the ESXi server! Inside (VM to VM) I can spin up another VM, attach it to the same PG and get a DHCP lease in the correct VLAN 30 subnet. Outside, on the HP switch, if I connect my laptop to a VLAN 30 access port (VLAN ID 30, PVID 30) and pass the tagged VLAN 30 traffic via the TRUNK port, I get no lease and cannot connect to the VLAN 30 subnet.
And I thought I might have been getting somewhere......
You need a trunk port carrying all your tagged VLANs/portgroups from ESXi to your switch. This definitely works. How do you think large enterprises with dozens/hundreds of VLANs on VMware do it?
Quote from: Patrick M. Hausen on October 21, 2024, 04:32:29 PM
You need a trunk port carrying all your tagged VLANs/portgroups from ESXi to your switch. This definitely works. How do you think large enterprises with dozens/hundreds of VLANs on VMware do it?
I already have this in place.
Port       Untagged  Tagged  Link type  PVID
GE1/0/9    30        -       Access     30
GE1/0/11   50        -       Access     50
GE1/0/1    1         30, 50  Trunk      1
Port 1 is the TRUNK, working perfectly on VLAN 50 and I suspect on VLAN 30, but no lease on port 9.
And the portgroup is connected to the vSwitch and the vSwitch is connected to the physical trunk ports?
Yes, exactly like the VLAN 50 setup on the HP switch. If I plug into port 11 or 12 I get a correct lease in the VLAN 50 network. If I plug into port 9 I get no lease.
Inside ESXi the vSwitch has a PG for the OPNsense LAN connection and another PG for VLAN 30, which has the OPNsense Guest network connected (10.0.30.0/24, providing DHCP and DNS) and also a test VM connected. The test VM gets a correct lease in the Guest network VLAN 30.
I also configured a new wifi network on VLAN 30 and that also cannot provide leases to connected devices.
Confused! The only thing I can think of is that the OPNsense LAN PG is operating in VGT mode (VLAN ID 4095) and the new PG for VLAN 30 is operating in VST mode (VLAN ID 30).
Any further thoughts?