OPNsense Forum

English Forums => General Discussion => Topic started by: Cheezio on November 15, 2024, 04:58:57 PM

Title: VLAN Trunk Help
Post by: Cheezio on November 15, 2024, 04:58:57 PM
Quick Description:
I have a DEC740 on which I have set up two trunk ports. This setup works fine.
I am trying to add another firewall for an HA setup. It is virtual via Proxmox. I am having issues getting traffic to pass the trunk here.

Details:
Each firewall will have 3 connections, Outside, Inside, and Opt1.
I will use Opt1 here for the rest of the descriptions.
The layout is pretty flat.  Outside ----  Firewalls --- L2 Switch
No fancy routing on any of the firewalls, except for Outside.
Opt1 on both firewalls is physically connected to a UniFi Layer 2 switch. (Virtual connected to E0/8, DEC740 connected to e0/9)
Both are using the same port profile that allows vlan 28, 29, 35, and 38.  No untagged vlan is defined.
VLAN 28 example: On the DEC, I have vlan28 (Interfaces, Other, VLAN, named vlan0.2.28 and attached to the igb1 interface).
This works. IP is set to 192.168.28.2 (and has a CARP address of .1).

Beautiful

For the virtual, the interface is defined in Proxmox at the host level as enp2s0f0np0. I have a bridge (vmbr2) that has "VLAN aware" checked. I attached vmbr2 to the guest as "net2/vtnet2", VirtIO, no VLAN tag, and I edited the interface to be "trunks=28;29;35;38".
I have vlan28 (Interfaces, Other, VLAN, named vlan0.2.28 and attached to the vtnet2 interface).
IP is set to 192.168.28.3, and I have not defined CARP yet.

In the firewall ruleset for the interface for vlan 28, I have IP Any Any > Pass defined.

I cannot get ARP across the interface. Can anyone tell me what I am missing?
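Added example (not from this thread): a small Python checker for the Proxmox side of the trunk described above. It parses a host `/etc/network/interfaces` stanza and a guest `netN:` line from a `qm` VM config and reports the mismatches that silently drop tagged frames (bridge not VLAN aware, trunked VLANs outside `bridge-vids`). The interfaces stanza and the NIC line are constructed samples using the post's names (vmbr2, enp2s0f0np0, VLANs 28/29/35/38); the MAC is made up.

```python
import re

# Constructed host stanza for the VLAN-aware bridge the post describes.
INTERFACES = """\
auto enp2s0f0np0
iface enp2s0f0np0 inet manual

auto vmbr2
iface vmbr2 inet manual
    bridge-ports enp2s0f0np0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094
"""

# Constructed guest NIC line as found in /etc/pve/qemu-server/<vmid>.conf.
NET_LINE = "net2: virtio=BC:24:11:00:00:02,bridge=vmbr2,trunks=28;29;35;38"


def parse_bridges(text):
    """Return {iface_name: {option: value}} for every 'iface' stanza."""
    stanzas, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"iface\s+(\S+)", line)
        if m:
            cur = m.group(1)
            stanzas[cur] = {}
        elif cur and line.strip() and not line.startswith(("auto", "allow-")):
            key, _, val = line.strip().partition(" ")
            stanzas[cur][key] = val.strip()
    return stanzas


def expand_vids(spec):
    """Expand an ifupdown2 VID list such as '2-4094 100' into a set of ints."""
    vids = set()
    for part in spec.split():
        lo, _, hi = part.partition("-")
        vids.update(range(int(lo), int(hi or lo) + 1))
    return vids


def parse_net(line):
    """Return (bridge, set_of_trunk_vids) from a Proxmox 'netN: ...' line."""
    body = line.split(":", 1)[1].strip()
    opts = dict(kv.split("=", 1) for kv in body.split(",") if "=" in kv)
    trunks = {int(v) for v in opts.get("trunks", "").split(";") if v}
    return opts.get("bridge"), trunks


def check_trunk(interfaces_text, net_line):
    """List host-side problems that would keep tagged frames off the guest NIC."""
    bridge, trunks = parse_net(net_line)
    br = parse_bridges(interfaces_text).get(bridge)
    if br is None:
        return [f"{bridge}: no iface stanza on the host"]
    issues = []
    if br.get("bridge-vlan-aware") != "yes":
        issues.append(f"{bridge}: bridge-vlan-aware is not 'yes'; tagged frames are not forwarded")
    if "bridge-vids" not in br:
        issues.append(f"{bridge}: bridge-vids not set; list the trunked VLANs explicitly")
    else:
        missing = sorted(trunks - expand_vids(br["bridge-vids"]))
        if missing:
            issues.append(f"{bridge}: trunked VLANs {missing} are outside bridge-vids")
    return issues
```

Run `check_trunk(INTERFACES, NET_LINE)` on the real files; an empty list means the bridge side matches the trunk list, so the remaining suspects are the switch port profile and the guest's VLAN parent assignment.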
Title: Re: VLAN Trunk Help
Post by: Patrick M. Hausen on November 15, 2024, 05:04:12 PM
If you need VLANs in OPNsense instead of a virtual interface per VLAN, I recommend PCIe pass through of a dedicated interface for that trunk. Should work splendidly with HA.
Title: Re: VLAN Trunk Help
Post by: Cheezio on November 15, 2024, 05:06:23 PM
Passthrough doesn't work with migration which is a key component of what I am trying to accomplish.
This seems straightforward. I have watched hours and hours of videos on this; it seems like I am missing something really dumb.

I do know that I can stop the trunk at Proxmox and make an interface per VLAN, which I have done many times before.... But this seems like it should work, and has challenged me to a duel.

Edit: Oh wait, does OPNsense have to see native VLAN 1 for the trunk to come up? I did try to set native VLAN 999, but saw no provision for defining a native VLAN on OPNsense. I assumed it didn't matter, but... WHAT IF... the native VLAN is static and not able to be changed....
Title: Re: VLAN Trunk Help
Post by: Patrick M. Hausen on November 15, 2024, 05:18:07 PM
For HA you need identical interface names on both master and backup. Just saying ...
Title: Re: VLAN Trunk Help
Post by: Cheezio on November 15, 2024, 05:20:13 PM
Correct, I have very carefully made sure that both firewalls are mapped opt1 to opt1, opt2 to opt2, and so on.
I ran into that in the config iteration before this one. HA started mapping VLANs all over the place. It was a mess.
Title: Re: VLAN Trunk Help
Post by: Patrick M. Hausen on November 15, 2024, 05:24:33 PM
No, no - the physical device names must match, too ...

Which is a bit easier with VLANs, because you can name them vlan01, vlan02, ... or whatever. But these names and the assignments to OPT1, ... must be 100% identical.
Title: Re: VLAN Trunk Help
Post by: Cheezio on November 15, 2024, 05:31:22 PM
The interface names are already identical, as they need to be to make the rest of the HA look clean.
The VLAN names will be identical too before I start down HA, because I am OCD like that anyway.
Thanks for the input!

I just want to get this trunk to work.  I am very close.
Title: Re: VLAN Trunk Help
Post by: Cheezio on December 08, 2024, 02:01:38 AM
So I am learning about OVS... It appears that OVS is the way to go if one wishes to trunk properly in Proxmox.