OPNsense Forum

English Forums => General Discussion => Topic started by: Mombro on April 03, 2025, 08:31:35 PM

Title: VLAN for Beginners
Post by: Mombro on April 03, 2025, 08:31:35 PM
Hi guys,

I'm kinda familiar with the concept of VLANs and wanted to dive into this for my home setup.

I have two OPNsense on two small, low-power 4-port NUCs, working in high availability and quite smoothly for more than a year. My home lan is 192.168.0.0/21 and I intend to have my guest network via VLAN in something like 192.168.100.0/24.

So I read the OPNsense tutorial (https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html) and created another device/VLAN in OPNsense, set VLAN to 10, attached it to the 4th LAN port that is otherwise unused. (1 is LAN, 2 is CARP, 3 is internet)
I assigned the VLAN-device in "assignments" (not much else to do there, right?)
I also set the IP address of that device to 192.168.100.1/24 and all other settings similar to my current LAN interface (i.e. not configured anything).

I also, for troubleshooting purposes, added a firewall rule that allows anything inbound and outbound of that guest VLAN.

That was about it in the OPNsense.

Then I went to my Zyxel switch, a GS1900-24E (which I plan to upgrade to 48 ports, but not yet sure which brand), and I kinda tried everything, but nothing worked.
I attached my notebook to port 19, and the OPNsense VLAN port to port 2 on the Zyxel.
So what I now see in Wireshark is that the Zyxel sends some tree spanning protocol or something on VLAN10 to my notebook. So I know that incoming, the port uses VLAN tags.
I do not see any other traffic in Wireshark, so I am in fact isolated. I cannot even tell if outgoing traffic of the notebook will be tagged as VLAN10 (and not sure if that mattered).

When I manually set my IP to 192.168.100.2 on my notebook, I cannot ping 192.168.100.1.

All other, ordinary devices in 192.168.0.0/21 can ping that OPNsense VLAN interface IP 192.168.100.1.

I fumbled around a lot with the forbidden/tagged/untagged stuff and learnt a few things about VLANs and so, but I must admit I'm really a beginner who wants to learn something new here.

I would be really grateful if someone could provide some advice what I might be doing wrong here :-/

Thanks a lot in advance <3
Title: Re: VLAN for Beginners
Post by: EricPerl on April 03, 2025, 08:51:28 PM
On the OPN side, the recommendation is to not mix tagged and untagged on the same physical interface.
Let's assume it's called eth4. No interface should be assigned to that device.
The vlan device is parented to eth4. A VLAN interface is assigned to the vlan device.

For each VLAN parented to that physical interface, traffic is going to be tagged accordingly.
That means that your switch needs to allow TAGGED traffic for all VLANs on link (trunk).

Now for access ports for that VLAN (to connect a client associated with that VLAN), traffic needs to be untagged for that VLAN, and PVID needs to be the VLAN ID (tags traffic entering on that port).
Title: Re: VLAN for Beginners
Post by: Mombro on April 03, 2025, 09:28:16 PM
Hi Eric,

Thanks for the explanation. I think that is exactly what I had set up:

Eth4 is only used by vlan 10 (and in the future hopefully vlan 20). No other traffic there.

My Zyxel lists "trunk port" under the PVID category, so I set it to PVID 1 for OPNsense and set it to trunk.

The notebook port will be set to pvid 10.

As for vlans, I will set the opnsense port to "forbidden" for vlan 1, and "tagged" for vlan 10.

And the notebook will be "forbidden" for vlan 1 and "untagged" for vlan 10. Right?

I'm trying to be as explicit as I can while I'm trying to understand all these concepts and who is tagging and accepting what ;-)

I will try again with these settings tomorrow evening...
Title: Re: VLAN for Beginners
Post by: EricPerl on April 03, 2025, 10:27:15 PM
I'm not going to look at Zyxel's doc to try to understand their semantics...

On port 2 (connected to OPN), the PVID should probably be set to some random otherwise unused value (e.g. 999).
There should be no untagged traffic on that port so it's fine for whatever shows up to get lost.

VLAN 10 needs to be allowed tagged (different from your OP) on that port.
If forbidden is your switch's way to indicate which tags should be dropped, have at it. That's called "not a member" sometimes. Others just drop whatever is not allowed tagged or native/default untagged.
You probably can't forbid the default/native VLAN ID.
Title: Re: VLAN for Beginners
Post by: Mombro on April 04, 2025, 09:45:30 AM
Thanks for your help.

I'm wondering if there is anything I can do to break down the issue into smaller tasks, like... Can I perform a simple test if it works on the opnsense side? Attach my notebook directly to opnsense Eth4, and submit a ping on vlan 10 to test if the opnsense would even respond there? Maybe ping/icmp is blocked for some reason and the switch has been working all the time, but I made a mistake in opnsense?
Title: Re: VLAN for Beginners
Post by: dseven on April 04, 2025, 12:52:03 PM
If you connect the notebook directly to OPNsense, you'll have to configure it to handle the tagged VLAN, which is likely to cause you even more confusion.

Are you still having issues after configuring the OPNsense switch port to tag VLAN 10? Or maybe you haven't had a chance to try that yet?
Title: Re: VLAN for Beginners
Post by: Seimus on April 04, 2025, 03:02:37 PM
I have the same Zyxel switch, and even though I would slap Zyxel for their router products, they make very good switches.

From what I read you have a misconfiguration on the TRUNK port from the switch to the OPNsense.

PVID is basically an access port, for devices that don't send TAGGED frames.

You can control as well what kind of Frames are allowed:
Tagged - allows only tagged frames
UnTagged - allows only untagged frames
All - doesn't care

When you set an Access port, under VLAN > Port config:
- Set the PVID with which the Switch should TAG the ingress Frame

When you set a TRUNK port, per VLAN you have several options under VLAN > VLAN port:
Excluded - will join this VLAN group once it receives GVRP information (GARP).
Forbidden - will prohibit this port from joining this VLAN group.
Tagged - allows only tagged frames
UnTagged - allows only untagged frames

Here, per VLAN, you set which port is a member of the VLAN; if multiple VLANs are on the same port, it will become a TRUNK. Basically, here, towards OPNsense or any other switch that should be a TRUNK, set the VLAN to Tagged and the rest of the VLANs for the same port to Forbidden to manually prune them.

Also check this as well; Zyxel shows the basics.
https://www.youtube.com/watch?v=mmuuyZyaEBI
https://mysupport.zyxel.com/hc/en-us/articles/360008607580--Switch-How-to-configure-VLAN-on-GS1900-xx-switches-firmware-2-40-and-newer

Regards,
S.
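As an added example (not code from this thread, from OPNsense or from Zyxel), here is a small Python model of the port behaviour EricPerl and Seimus describe above: the PVID tags untagged frames on ingress, and per-VLAN membership (tagged / untagged / forbidden) decides whether, and with which tag, a frame leaves a port. Port numbers 2 and 19 come from the thread; the PVID 999, the zeroed MAC addresses and the frame contents are constructed assumptions.

```python
from collections import namedtuple

TPID = 0x8100  # EtherType value that marks an 802.1Q tag
# pvid: VLAN given to untagged ingress frames; members: vlan id -> "tagged" | "untagged" | "forbidden"
Port = namedtuple("Port", "pvid members")

def ingress(port, frame):
    """Classify a frame entering a port: (vlan_id, untagged_body), or None if the switch drops it."""
    if int.from_bytes(frame[12:14], "big") == TPID:        # tagged: the VID comes from the TCI
        vid = int.from_bytes(frame[14:16], "big") & 0x0FFF
        body = frame[:12] + frame[16:]
    else:                                                  # untagged: the port's PVID applies
        vid, body = port.pvid, frame
    if port.members.get(vid, "forbidden") == "forbidden":  # not a member of that VLAN: dropped
        return None
    return vid, body

def egress(port, vid, body):
    """Rebuild the frame as it leaves a port; only 'tagged' members get an 802.1Q tag."""
    mode = port.members.get(vid, "forbidden")
    if mode == "forbidden":
        return None
    if mode == "tagged":
        tci = vid & 0x0FFF                                 # priority 0, DEI 0, 12-bit VID
        return body[:12] + TPID.to_bytes(2, "big") + tci.to_bytes(2, "big") + body[12:]
    return body

# Constructed config following the advice in the thread: port 2 is the trunk to
# OPNsense eth4 (VLAN 10 tagged, otherwise unused PVID 999) and port 19 is the
# notebook's access port (PVID 10, VLAN 10 untagged). MACs are zeroed for brevity.
SWITCH = {
    2: Port(pvid=999, members={10: "tagged", 1: "forbidden"}),
    19: Port(pvid=10, members={10: "untagged", 1: "forbidden"}),
}
UNTAGGED_PING = bytes(12) + bytes([0x08, 0x00]) + b"echo to 192.168.100.1"            # constructed
TAGGED_REPLY = bytes(12) + bytes([0x81, 0x00, 0x00, 0x0A, 0x08, 0x00]) + b"reply"   # tag VID 10

def ping_exchange(switch=SWITCH):
    """Return (frame reaching OPNsense on port 2, frame reaching the notebook on port 19); None = dropped."""
    up = ingress(switch[19], UNTAGGED_PING)   # untagged notebook frame should leave port 2 tagged 10
    down = ingress(switch[2], TAGGED_REPLY)   # tagged reply should leave port 19 with the tag stripped
    return (None if up is None else egress(switch[2], *up),
            None if down is None else egress(switch[19], *down))

def vlan_of(frame):
    """VID carried by a frame, or None when it is untagged (what Wireshark would show)."""
    if int.from_bytes(frame[12:14], "big") != TPID:
        return None
    return int.from_bytes(frame[14:16], "big") & 0x0FFF
```

Running `ping_exchange` with port 19 set to PVID 1 and VLAN 10 "tagged" instead of "untagged" reproduces the symptom from the first post: the notebook's untagged frames are dropped, while frames from OPNsense arrive at the notebook still carrying a VLAN 10 tag.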