Hello,
I'm using OPNsense in my homelab and a little while back I upgraded from version 24.7.12_2 to the newest version of 25.1.something. Back then one of my VLANs didn't work, so I restored a backup and moved on. Now I updated to the newest version (25.1.4_1) again, but the VLAN still doesn't work. To be precise, after a system reboot it seems to not allow any traffic to pass unless I manually disable and re-enable the interface; then it goes back to normal. I can ping OPNsense and the VLAN gateway but not the machine on the VLAN. The interface is a VLAN with LAN as parent. Weirdly, all other VLANs work perfectly, even after a reboot. I've tried removing the interface and the VLAN and reconfiguring them, but this did not help.
I'd greatly appreciate your input!
Quote from: butterfly0600 on April 06, 2025, 02:02:01 PM
i can ping opnsense and the vlan gateway
From where are you pinging?
Quote from: butterfly0600 on April 06, 2025, 02:02:01 PM
but not the machine on the vlan
Quote from: butterfly0600 on April 06, 2025, 02:02:01 PM
it seems to not allow any traffic to pass
What does the live log say?
How exactly is your VLAN configured?
Is your LAN interface assigned as well and has an IP, e.g. is untagged?
It wouldn't hurt to attach screenshots of relevant configuration pages. Interfaces assignments, interface settings.
Sorry for the lack of details, here goes.
I'm pinging through Tailscale, which pings from 10.108.1.100 to 10.108.1.1 (OPNsense), 10.108.50.1 (VLAN gateway), 10.108.50.10 (service).
Nothing comes up in the live log really; I can't see anything related to the specific IPs.
Setup is as follows: LAN interface connected to WAN ofc, and a number of VLANs with LAN as parent.
Quote from: Seimus on April 06, 2025, 05:52:44 PM
Is your LAN interface as well assigned and an IP e.h is untagged?
I'm not quite sure what you mean with this, could you elaborate?
Quote from: butterfly0600 on April 07, 2025, 11:51:02 AM
im not quite sure what you mean with this, could you elaborate?
It means exactly what it says: is your parent port (LAN) assigned and does it have an IP?
Per your pictures, yes it has, meaning you are mixing tagged and untagged VLANs. This is not supported by the vendor >
https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html
Quote
Attention
Do not mix tagged and untagged VLANs on the trunk connecting the OPNsense Appliance and the Managed Switch. Side effects include leaking Router Advertisements, DHCP, CARP and other broadcasts between tagged and untagged VLANs. This depends on the brand of the deployed switch, so avoiding untagged frames for trunk ports is the safest method. Additionally, the interface statistics of the untagged VLAN would show all traffic, which can be confusing.
Quote from: butterfly0600 on April 07, 2025, 11:51:02 AM
nothing comes up in live log really, i cant see anything related to the specific ip's
What are your rules on the interface/VLAN you have a problem with?
The live log will only show a rule being hit if logging is enabled for that rule.
Quote from: butterfly0600 on April 07, 2025, 11:51:02 AM
LAN interface connected to WAN ofc
What do you mean by this?
Regards,
S.
Ah yes, I am indeed using LAN. The interface only has one rule, which is allowing all traffic out to the internet.
So in the previous version things were just working by chance? How would I go about fixing things? I'm unsure how to proceed.
Quote from: Seimus on April 07, 2025, 12:00:22 PM
Quote from: butterfly0600 on April 07, 2025, 11:51:02 AM
LAN interface connected to WAN ofc
What do you mean by this?
Forget it haha, that was just me wording things weirdly.
Please show us that rule, make a pic?
Does the host that cannot ping have a proper IP/mask from the proper range as the GW it cannot ping?
Is something between that particular host and your OPNsense GW?
The untagged and tagged mixture works as well now as it did before. The problem is it can cause some weird behavior. It's not 100% sure that's causing your problem, but it's a good start to fix and follow vendor guidance. So either migrate that LAN to another VLAN, or to a different port.
Rule of thumb = the parent port of VLANs should not have any IP assigned and should not even be assigned in the system (there are exclusions to this), e.g. it should not be an L3 carrier.
Regards,
S.
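As an added illustration of the rule of thumb above (not code from the thread or from OPNsense), here is a small audit that reads a config.xml-style backup and flags any physical port that carries tagged VLANs while also being assigned as an interface with an IP. The element names (<interfaces>/<name>/<if>,<ipaddr> and <vlans>/<vlan>/<if>,<tag>) are assumed from the OPNsense backup format, and the sample config is constructed to mirror the thread's LAN-as-parent setup.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an OPNsense config.xml backup (assumption:
# <interfaces>/<name>/<if>,<ipaddr> and <vlans>/<vlan>/<if>,<tag> elements).
SAMPLE_CONFIG = """<opnsense>
  <interfaces>
    <lan><if>igc1</if><descr>LAN</descr><ipaddr>10.108.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><if>vlan0.50</if><descr>MediaServer</descr><ipaddr>10.108.50.1</ipaddr><subnet>24</subnet></opt1>
    <opt2><if>vlan0.60</if><descr>Storage</descr><ipaddr>10.108.60.1</ipaddr><subnet>24</subnet></opt2>
  </interfaces>
  <vlans>
    <vlan><if>igc1</if><tag>50</tag><vlanif>vlan0.50</vlanif></vlan>
    <vlan><if>igc1</if><tag>60</tag><vlanif>vlan0.60</vlanif></vlan>
  </vlans>
</opnsense>
"""

def find_l3_vlan_parents(config_xml):
    """Return one finding per assigned interface whose underlying device is also
    the parent of tagged VLANs (the tagged/untagged mix the docs warn about)."""
    root = ET.fromstring(config_xml)
    # Map physical device -> set of VLAN tags carried on it.
    parents = {}
    for vlan in root.iterfind("./vlans/vlan"):
        dev = (vlan.findtext("if") or "").strip()
        tag = (vlan.findtext("tag") or "").strip()
        if dev:
            parents.setdefault(dev, set()).add(tag)
    findings = []
    for iface in root.find("interfaces"):
        dev = (iface.findtext("if") or "").strip()
        if dev not in parents:
            continue  # a VLAN child or a plain port: nothing to flag
        ip = (iface.findtext("ipaddr") or "").strip()  # may also be "dhcp"
        findings.append({
            "assigned_as": iface.tag,
            "device": dev,
            "ipaddr": ip or None,
            "tags": sorted(parents[dev], key=lambda t: int(t) if t.isdigit() else 0),
        })
    return findings

if __name__ == "__main__":
    for f in find_l3_vlan_parents(SAMPLE_CONFIG):
        print(f"{f['device']} carries VLAN {','.join(f['tags'])} but is also assigned "
              f"as '{f['assigned_as']}' with IP {f['ipaddr']}: untagged L3 on a trunk")
```

Run it against an exported backup to see at a glance which parent ports would need to be moved to their own VLAN or a separate port.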
It would help if the OP was a little explicit about how the vlan "does not work".
Screenshots were added but no clear indication of which VLAN is causing trouble...
There are mentions of attempting inter-vlan communication from LAN to VLAN50, but it's not even clear what the outcome was.
Personally, I'd start by establishing that the hosts in VLAN50 have basic connectivity.
We don't have crystal balls. We only know what is indicated in the thread.
This is the rule, and it is the mediaserver interface that is encountering issues. It is configured in the exact same way as storage, testing and all the others, yet it is the only one encountering issues.
The host that I can't ping has the proper IP, that's the thing. It worked before the update, and I checked but there seems to be nothing wrong with IP allocation; going into the console on the device reveals it has the intended IP (10.108.50.10), and no, there is nothing else in between.
And yes, services on VLAN 50 are unreachable; they have no access to the internet after a reboot of the system with the newest firmware. Before this it worked, and no configurations were changed. If I disable and re-enable the interface of VLAN 50 (mediaserver) it works again.
Couple remarks on this FW rule:
* Logging is not enabled. If you want to troubleshoot, this would be useful (e.g. live view).
* Give a description to the rule while you're at it. It will appear in the logs.
* Functionally equivalent but more resilient to updates, I'd use 'MediaServer net' instead of the explicit CIDR.
That should indeed take care of all traffic initiated from that VLAN (but is irrelevant to LAN -> MediaServer comm).
After a reboot (while the VLAN is malfunctioning), I would start looking at the FW logs live view for that interface to see if anything goes through.
That's assuming the relevant FW rules are set to log (the above one, the out rule, for traffic from MediaServer).
Ping VLAN GW, Ping internet, DNS, ...
I also have to ask if any secondary security package is running (IDS/IPS, crowdsec, Zenarmor, ...).
Sorry to jump on this thread. I can't really help the OP with their issue but I have a similar setup and do not seem to have an issue - but I would like to optimise my setup.
I'm quite new to opnsense and vlans generally but was hoping to understand a bit more about the issue mixing untagged and tagged traffic.
I have a LAN interface - set up with IP and DHCP for my main network (untagged / not a VLAN). In addition, I have 2 tagged VLANs. See pic below.
According to the docs/best practice - do I understand correctly that mixing untagged lan with tagged vlans is potentially an issue? And is the solution to move my lan network to a vlan with the parent interface without a network/ip etc?
Quote from: jata on April 08, 2025, 11:41:16 PM
Sorry to jump on this thread. I can't really help the OP with their issue but I have a similar setup and do not seem to have an issue - but I would like to optimise my setup.
Please do not hijack a topic, especially when this one is for troubleshooting. Open a new one.
And the answer to your question is yes and yes, follow the docs.
Regards,
S.
Will do. Sorry for hijacking and thanks for your answers :-)