OPNsense Forum

English Forums => 24.7, 24.10 Legacy Series => Topic started by: pmsrodrigues on February 01, 2025, 08:07:54 PM

Title: Weird issue with VLANs on a DEC3852
Post by: pmsrodrigues on February 01, 2025, 08:07:54 PM
Hello all! I have this weird issue with VLANs on a pair of DEC3852 in HA mode running OPNsense 24.10 Business Edition. These are only a few months old. The scenarios:

I create a new VLAN and configure it, but it doesn't seem to work. Other devices on the VLAN just created can't reach the firewall, and only the firewall. As soon as I create another VLAN, this one starts working. Of course the new one doesn't.

I create a new VLAN and configure it, but it doesn't seem to work. I delete one of the older VLANs, and this one starts working. But then another that was working now stops talking.

I can see all VLANs are configured using ifconfig. And I see nothing interesting in dmesg.

I am really puzzled. I come from running pfSense on Netgate hardware for 10 years, and have never seen this. I have a pfSense CE firewall connected to the same switches and it just works.

Any ideas? Thanks!

Title: Re: Weird issue with VLANs on a DEC3852
Post by: pmsrodrigues on February 02, 2025, 10:17:20 AM
After more testing: the VLANs' operational status survives reboots. So whatever VLAN is not working will still not be working after a reboot. I looked at the configuration file at /conf for a smoking gun, and the interfaces all look alike. 🤨 Can it be driver related?

Title: Re: Weird issue with VLANs on a DEC3852
Post by: EricPerl on February 02, 2025, 09:24:11 PM
The symptoms of "not working" are not particularly clear, in particular this:
Quote: Other devices on the VLAN just created can't reach the firewall, and only the firewall.

My understanding is that HA with a pair is a hack (no quorum).
Have you tried without (in case sync is introducing some weirdness)?

Title: Re: Weird issue with VLANs on a DEC3852
Post by: pmsrodrigues on February 03, 2025, 09:54:53 PM
Funny thing, yesterday I was a bit desperate since I have a deadline, and entered persistent CARP mode. And I could see the backup firewall was actually correctly handling the VLAN I couldn't get working. On a whim, I decided to reinstall and restore from backup. And lucky me, now everything is working.

I still suspect I will have issues again when I create a new VLAN. But this is very much in the future, and maybe a new version of OPNsense will fix it. One problem at a time, right?

Title: Re: Weird issue with VLANs on a DEC3852
Post by: pmsrodrigues on February 03, 2025, 10:26:49 PM
Quote from: EricPerl on February 02, 2025, 09:24:11 PM
The symptoms of "not working" are not particularly clear, in particular this:
Quote: Other devices on the VLAN just created can't reach the firewall, and only the firewall.

My understanding is that HA with a pair is a hack (no quorum).
Have you tried without (in case sync is introducing some weirdness)?

Hej Eric. Not working means not receiving an IP from the DHCP server on that interface. Or, if I set a static IP address, not reaching the firewall with a ping (and yes, the rule for ICMP is there).

Yes, I am aware HA is not perfect. You really need to know how to navigate the potential pitfalls. IPsec will only transfer after DPD kicks in, for example. But it does the job acceptably well. For me it is mostly to be able to apply updates with minimal disruption, and handle hardware breakdown. As I mentioned in my OP, I was a pfSense customer before, and was hit by the Intel Atom C2000 issue. It allowed me to keep business going, and replace the hardware at my convenience.