I've decided to separate the clients in my network by making VLANs, because I have a decoder made by Shenzhen SDMC Technology CO.,Ltd.
I've got a VLAN named "television" and put a static lease in the DHCP setup by MAC address. I've turned on these options:
- If this is checked, only the clients defined below will get DHCP leases from this server.
- By default, the same MAC can get multiple leases if the requests are sent using different UIDs. To avoid this behavior, check this box and client UIDs will be ignored.
I've set rules in the firewall for the television VLAN to separate the networks: IPv4 * * * ! LAN net, mama net * * *
So the decoder is jailed.
But this decoder is breaking into my LAN net, leasing an address from the LAN net DHCP even with the same options set for LAN net. The IPTV decoder's MAC address is not on the LAN net list.
I don't know what to do about this. This is weird behavior. The same thing happened with my Wi-Fi access point. It "leaks" into my LAN net, where my main PC is connected.
Leases for the IPTV decoder are doubled:
LAN        192.168.1.107  xx:xx:xx:xx:xx:xx  Shenzhen SDMC Technology CO.,Ltd.  2025/04/29 04:45:54  2025/04/29 06:45:54  active  dynamic
telewizja  192.168.2.2    xx:xx:xx:xx:xx:xx  Shenzhen SDMC Technology CO.,Ltd.  telewizja  active  static
I'm using OPNsense 25.4-amd64.
Sorry, my bad, bad googling. I found the solution. Go to ISC DHCPv4 >> [LAN] >> MAC Address Control >> use this option: "Enter a list of partial MAC addresses to deny access, comma-separated, no spaces, such as 00:00:00,01:E5:FF". I've set a MAC blacklist for LAN and for every VLAN that I have. This should be easier than copying each MAC from every unwanted device for every subnet/LAN/VLAN. This should be a clickable solution, a selection from the leases: "select this device to access only vlan1". Too many devices, too many MACs, and setting this in every VLAN.
Are you sure you really understood the concept of VLANs? What you seem to describe is different subnets on the same interface and forcing a specific device to obtain an IP from a predefined subnet range.
VLANs are a different beast: they separate out logical networks on the same physical interface by adding VLAN tags. Usually, you would strip those tags and specify only one VLAN to use on a switch port, such that a device connected to that port will only see that specific VLAN/subnet, thereby assuring that it cannot "break out" of it. Only devices connected to "trunk" ports can actually see all the VLAN tags and decide for themselves which ones to use. That would typically be used for OpnSense, APs carrying multiple SSIDs or VM hosts having VMs on different VLANs.
I've got different subnets on different VLANs. I've got static leases set on the ISC DHCP servers assigned to the VLAN devices (set by MAC). And my clients are leaking from my VLANs to the LAN. I've got VLAN tags set. But the devices don't use the DHCP server I want. They take IPs from LAN net even when they have static leases set on the VLAN. I don't know how to assign clients to VLANs in another way. Probably I'm doing something wrong.
You need a managed switch for that. The switch has a tagged connection to OPNsense with, say, VLAN 10 and VLAN 20. Then you assign switch ports to the VLANs untagged and static. E.g. Ports 1-5 VLAN 10, ports 6-10 VLAN 20. Now you plug the clients into the ports matching the VLANs they belong to according to your policy.
You cannot run VLANs without a managed, VLAN-capable switch if you have physical wired clients that you need to separate.
Blocked access to LAN net by blacklisting MACs. So I have a few subnets, a different one on each VLAN. I created firewall rules. And the devices don't see each other. They can't even be reached by ping. Currently I have no managed switch. But I will buy one. No videos on YouTube said that I need a manageable switch. EVERYONE just says how to create VLANs, so I created them :D
You may think they are not seeing one another. They do. Just assign one of them an IP from the other "VLAN" and you will see it. If by "blacklisting MACs" you mean in DHCP, you are out of luck. If you really block them via specific firewall rules, you are still out of luck once you fake another MAC on your client.
Ok, so they are separated now by firewall rules and subnets but not by VLANs. Ok, I understand now. They can switch between VLANs only when a device spoofs its MAC. I'm buying a managed switch now.
I'm a network newbie :D
Quote from: Siarap on April 29, 2025, 07:39:11 PM
"They can switch between VLANs only when a device spoofs its MAC."
No, they can switch your non-VLANs when they configure their IP address statically instead of relying on DHCP.
Quote from: Siarap on April 29, 2025, 07:39:11 PM
"I'm a network newbie :D"
VLANs are advanced enterprise technology. Probably the YT video authors assumed a managed switch a given.
Don't go cheap on that switch you intend to buy. I'd recommend a Mikrotik product with Switch OS.
Thanks a lot for explanation.
From an isolation perspective, you have 2 main options:
* Physical. Interface assigned to a physical device (network port and all wiring and networking equipment attached to it).
* Logical. Interface assigned to a VLAN device (created on OPN, plus the logical wiring and logical networking equipment attached to it).
You essentially overlay logical networks within the physical network. Traffic on logical networks is tagged.
The configuration of the logical network is done by declaring which tags are allowed on every switch port within the physical network.
If you don't define VLAN devices in OPN, you're not using VLANs.
Edit: you obviously need managed switches for the wired hosts.
You also need VLAN aware APs for Wi-Fi hosts (Or a physical AP per VLAN with Wi-Fi hosts).
Two more things to complete this:
1. If you assign the ports statically, someone with physical access to the switch could use a privileged port (i.e. a trunk port or one with a higher confidence VLAN). Using a standard called 802.1x, you can choose the VLAN on the port dynamically by using an LDAP directory which maps MACs to VLANs. That has the advantage that you could plug in your device into any port of a 802.1x-capable switch and it will automatically be assigned its predefined VLAN. Only some manageable switches can use 802.1x.
2. Because you can also fake MACs, that MAC-based 802.1x port security can also be circumvented. The only safe way to identify a specific device is by using certificate-based 802.1x, which is mostly used in enterprise environments. It can only work securely on devices which can do certificate-based 802.1x and if you can also control those devices not to leak their certificates, thus needing a tightly controlled client infrastructure. Any non-802.1x-capable devices are then confined to VLANs with less credibility, like IoT, printer or guest VLANs.
Ah, that's how it is supposed to work. Thanks!
I had looked a bit at 802.1x support in my gear (Omada) and was underwhelmed/confused.
Fortunately, since physical access is not a concern for me, I didn't dig further.
I got a managed switch. I've set properly tagged 802.1Q VLANs assigned to ports on the switch. Tagged ports. I'm still getting dual leases from the LAN net + VLAN net DHCP for each VLANed device. What am I doing wrong?
Did you follow this guide (https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html)?
Did you heed all the advice given therein, including the one not to mix tagged and untagged VLANs?
Ok, now I've set it up properly. VLAN devices have proper leases. BUT now there's no internet on the VLANs. I've created an allow-all rule on the VLAN side. It's not DNS's fault, I cannot even ping 1.1.1.1. Any advice?
Read some info somewhere on the internet that OPNsense allows only VLANs with tag number 10 to access the internet by default. I don't know what to do. I've got VLAN tags 10, 20, 30, 40 on different VLANs. Same configuration everywhere except for the VLAN interface names. Only the VLAN tagged with 10 has no problem with internet access. The other tags have no access to the internet.
Please show your rules.
I use this set on my test VLAN:
(screenshot attached: OPN Test rules)
RFC1918_networks is an alias that contains the private network IP ranges.
You don't have to add them. At least the ones you use.
Edited my previous post. Read it. I've got firewall rules on every VLAN that allow access to everything. Only the VLAN with tag 10 has access to the internet.
Little update: Connected a PC to the VLAN tag 10 network. No internet access at all. At the same time my MikroTik hAP ac2 router has access in parallel from the same subnet. I don't know what is happening here. MTU errors or something?
BIG update 2: Maybe it's operating system dependent. The MikroTik and a Windows 11 machine have access to the internet over the VLAN. Same VLAN, same settings. Two PCs with Debian and MX Linux, and the Android-based IPTV decoder, have no access to the internet. Is something wrong with the OS, or is it OPNsense?
That's not a very efficient way to communicate...
Anyway, all interfaces added after LAN only get the auto-generated rules, which don't allow much (essentially just DHCP and out traffic).
If a machine on the VLAN gets an IP via DHCP, it's a good sign that the switches are set up properly.
Past that, rules are needed.
IP ranges can NOT overlap with any other interfaces. You can share your 'Interfaces > Overview' for us to check if you want.
Either you share your rules (something might be obvious) or share screenshots of the FW live view filtered to the VLAN.
We don't have crystal balls as to what is going on...
It's OS/device dependent. Updated the previous post. One configuration on OPNsense. Switching between networks by switching the device. Linux has no access over the VLAN, but Windows and the access point have.
My reply still applies. I do not have enough information.
It's not the rule's fault. This is my firewall rule for the VLAN: IPv4 * * * * * * *
One device has a connection (Win 11) but the other doesn't connect, even when leasing an IP from the same VLAN (Linux). Same rule, same VLAN. Same IP pool.
EDIT: I must add that OPNsense has something broken with displaying DHCP leases. The invisible device has access to the internet. The visible one has no access. Sometimes the leases take very long to refresh (over 30 minutes or more).
EDIT 2: Tried on my PC with dual boot Windows 11/Fedora Linux. On Win 11 the network works. Rebooted into Fedora and no connection to the internet. SAME settings on the switch/OPNsense, even the same machine. Why is this happening to me? hahaha :D
EDIT 3: Read some info on the internet. These errors with VLANs are the fault of network-manager for Linux (GUI). Replacing network-manager may help. But I just built my network in another way, and stopped using Linux on my machine.
Most machines you connect should be blissfully unaware they are in a VLAN.
While you can in theory tag the network all the way, it can be a little tricky.
And many devices just don't have that capability.
VM hosts are an obvious exception if they deal with guests belonging to multiple VLANs.
But most devices/machines should be hooked to a switch port configured as an access port (VLAN ID untagged, PVID = VLAN ID, all other VLANs not members).
Can anyone provide info on how to connect a Debian/Debian-based distro to the internet through a VLAN?
Quote from: Siarap on May 03, 2025, 03:41:18 AM
"It's OS/device dependent. Updated the previous post. One configuration on OPNsense. Switching between networks by switching the device. Linux has no access over the VLAN, but Windows and the access point have."
Quote from: Siarap on May 03, 2025, 01:38:29 PM
"Can anyone provide info on how to connect a Debian/Debian-based distro to the internet through a VLAN?"
You must still be getting something wrong here. If you do it as designed (tm), then you would connect any normal network client to a port assigned to a VLAN.
This means that if you assign a switch port to VLAN X, only those packets arriving on VLAN X will be sent out over the port, stripping it of the VLAN tag on egress. On ingress, only untagged packets will be used and tagged with VLAN X - but by the switch, not the client. Thus, it is not up to the client to decide which VLANs it receives or sends - it sees untagged packets only and it can only send such packets.
That in turn means: had you correctly configured your ports, it MUST work independent of what OS the client machines are using. That is what @EricPerl meant by "blissfully unaware". Period.
The only exceptions are machines that are connected to "trunk" ports, which do not filter any VLAN tags on either egress or ingress. In such cases, the connected machine can decide for itself which VLANs it sends and receives packets on. This would normally be true only for:
- VM hosts (because they probably host VMs on different VLANs)
- OpnSense or other routers (because they need to feed all the VLANs)
- Uplink ports connecting VLAN-aware switches with one another
- Access points (because they associate SSIDs with VLANs)
So, your second question does not apply for normal Debian clients, because they do not need any VLAN config. If you wanted to do this anyway, it depends on the type of configuration (/etc/network/interfaces vs. /etc/netplan/...) and is explained here (https://wiki.debian.org/NetworkConfiguration).
Any random networked device can be made to use a VLAN, even when you can't configure the VLAN (or most aspects of networking) on the device itself.
That's done via the switch config for wired devices, by connecting to the proper SSID for Wi-Fi devices.
The added benefit is that you don't need to trust the device, which is critical for most IoT devices.
Whatever works for untrusted devices works just fine for your PCs, whatever OS they run, because it does not matter. They don't know they are in a VLAN.
I've set up everything properly. I've got a tagged VLAN assigned to port 8 on my managed switch. Only this port connects to the assigned VLAN, and the devices on other ports have different VLANs / connect to LAN net. I get the address pool from the DHCP assigned to the VLAN device. Windows 11 and the MikroTik device have a connection this way. My Linux machines cannot connect; they only pull IP addresses from the VLAN DHCP. Could it be an MTU problem? On my Windows machine I get a lower MSS value on test sites when I'm connecting via the VLAN; that's a normal situation and indicates that I'm connecting via a tagged VLAN.
By default, only the LAN interface has an "allow any to any" rule. For any additional interface (including VLANs), you have to manually create a rule.
I realize there could be a language barrier (English not being the primary language of any of the people on this thread) but this is quite confusing.
MachineX1 connected to a port configured as an access port for VLAN X (VLAN X untagged on egress, PVID=VLAN X for ingress) should absolutely receive an IP for the DHCP pool associated with the interface assigned to VLAN X.
Quote: "they only pull IP addresses from the VLAN DHCP"
is expected.
Yes. My English is limited. It's not my native language. I know it's expected. Read on Reddit that one person had an identical problem to mine. The problem was solved by setting an untagged VLAN. How do I set an untagged VLAN on OPNsense?
Maybe it would help if you clarify what your "problem" exactly is. You said that the Linux machine connected to port 8 gets the expected DHCP IPs.
By looking at the client you can try: Is that true? Is the network mask correct and the gateway is within that subnet (and identical to the VLAN interface IP of the OpnSense)? Is the DNS server IP the same? Can you resolve DNS names? Can you ping OpnSense's VLAN IP? Can you ping 8.8.8.8?
What are your OpnSense interface settings?
Please show the IPs and ranges - since they are RFC1918, none of this information is confidential. Do not assume everything is correct as it obviously isn't.
Quote from: Siarap on May 03, 2025, 10:56:40 PM
"Yes. My English is limited. It's not my native language. I know it's expected. Read on Reddit that one person had an identical problem to mine. The problem was solved by setting an untagged VLAN. How do I set an untagged VLAN on OPNsense?"
Port configuration is done on the switches (or controllers for the switches). Allowed tags on trunk ports, untagging & tagging on access ports.
Tagging in OPN is done at the interface level.
* Interface assigned to physical device => untagged
* Interface assigned to VLAN device => tagged
On the wire used by OPN, the traffic is usually a mix of tagged frames (based on the vlan devices parented to that physical device).
Untagged traffic should not be mixed (recommended, although it may work).
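To make the egress/ingress rules from the two explanations above concrete (an access port strips the tag on egress and assigns its PVID to untagged ingress, a trunk keeps tags and only carries the VLANs it is a member of, and untagged traffic on the OPNsense trunk is not mixed in), here is a small simulation of an 802.1Q switch. This is an added example for this thread, not OPNsense or switch-vendor code; the port layout (ports 1-5 in VLAN 10, 6-10 in VLAN 20, port 24 as the trunk to OPNsense), the MAC addresses and the frame payloads are made up for illustration. It also parses and builds the real 4-byte 802.1Q header (TPID 0x8100 followed by the TCI with the 12-bit VID), so you can see why a client on an access port cannot hop VLANs by tagging its own frames.

```python
"""Model of 802.1Q access vs. trunk port handling. Added example for this
thread, not OPNsense or switch-vendor code; port numbers, VLAN IDs, MAC
addresses and payloads are made up."""
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100          # EtherType value announcing an inserted VLAN tag
ETH_IPV4 = 0x0800


@dataclass(frozen=True)
class Frame:
    dst: bytes
    src: bytes
    vid: Optional[int]        # None means the frame carries no tag
    ethertype: int
    payload: bytes


def encode(f: Frame) -> bytes:
    """Serialise to Ethernet bytes; insert the 4-byte 802.1Q tag if vid is set."""
    raw = f.dst + f.src
    if f.vid is not None:
        # TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits); PCP and DEI stay zero here
        raw += struct.pack("!HH", TPID_8021Q, f.vid & 0x0FFF)
    return raw + struct.pack("!H", f.ethertype) + f.payload


def decode(raw: bytes) -> Frame:
    """Parse Ethernet bytes; a tag is present iff the EtherType slot holds 0x8100."""
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype != TPID_8021Q:
        return Frame(dst, src, None, ethertype, raw[14:])
    tci, inner = struct.unpack("!HH", raw[14:18])
    return Frame(dst, src, tci & 0x0FFF, inner, raw[18:])


@dataclass(frozen=True)
class Port:
    pvid: Optional[int]       # VLAN assigned to untagged ingress (None: drop untagged)
    tagged: frozenset         # VLANs carried with their tag (trunk membership)


def access(vid: int) -> Port:
    return Port(pvid=vid, tagged=frozenset())


def trunk(*vids: int) -> Port:
    # No PVID: untagged frames are dropped, so tagged and untagged never mix
    return Port(pvid=None, tagged=frozenset(vids))


class Switch:
    def __init__(self, ports: dict):
        self.ports = ports

    def classify(self, port_no: int, f: Frame) -> Optional[int]:
        """Ingress: the switch decides the VLAN; None means the frame is dropped."""
        p = self.ports[port_no]
        if f.vid is None:
            return p.pvid                                # switch, not client, picks the VLAN
        return f.vid if f.vid in p.tagged else None      # client tags honoured on trunks only

    def emit(self, port_no: int, vid: int, f: Frame) -> Optional[bytes]:
        """Egress: keep the tag on trunk members, strip it on the matching access port."""
        p = self.ports[port_no]
        if vid in p.tagged:
            return encode(Frame(f.dst, f.src, vid, f.ethertype, f.payload))
        if vid == p.pvid:
            return encode(Frame(f.dst, f.src, None, f.ethertype, f.payload))
        return None                                      # port is not in this VLAN

    def forward(self, in_port: int, raw: bytes) -> dict:
        """Flood within the VLAN (no MAC learning); returns {port: bytes sent}."""
        f = decode(raw)
        vid = self.classify(in_port, f)
        if vid is None:
            return {}
        out = {}
        for port_no in self.ports:
            if port_no != in_port:
                sent = self.emit(port_no, vid, f)
                if sent is not None:
                    out[port_no] = sent
        return out


# Layout from the thread: ports 1-5 in VLAN 10, 6-10 in VLAN 20, port 24 trunk to OPNsense
SWITCH = Switch({**{n: access(10) for n in range(1, 6)},
                 **{n: access(20) for n in range(6, 11)},
                 24: trunk(10, 20)})
BROADCAST = b"\xff" * 6
CLIENT_MAC = bytes.fromhex("0200c0ffee01")   # made-up locally administered addresses
OPN_MAC = bytes.fromhex("0200c0ffee24")


def client_untagged() -> bytes:
    """A normal client (any OS) sends plain frames; the switch files them under VLAN 10."""
    return encode(Frame(BROADCAST, CLIENT_MAC, None, ETH_IPV4, b"DHCPDISCOVER"))


def client_hop_attempt() -> bytes:
    """A client on an access port trying to tag itself into VLAN 20."""
    return encode(Frame(BROADCAST, CLIENT_MAC, 20, ETH_IPV4, b"DHCPDISCOVER"))


def opnsense_reply(vid: int) -> bytes:
    """OPNsense on the trunk always sends tagged frames for its VLAN interfaces."""
    return encode(Frame(BROADCAST, OPN_MAC, vid, ETH_IPV4, b"DHCPOFFER"))


if __name__ == "__main__":
    for name, port, raw in [("client untagged", 1, client_untagged()),
                            ("client tagged 20", 1, client_hop_attempt()),
                            ("OPNsense tagged 20", 24, opnsense_reply(20)),
                            ("OPNsense tagged 30", 24, opnsense_reply(30))]:
        out = SWITCH.forward(port, raw)
        print(f"{name:20s} -> ports {sorted(out)}", {p: decode(b).vid for p, b in out.items()})
```

Running it shows the untagged client frame leaving ports 2-5 untagged and port 24 tagged with VID 10, the client's self-tagged frame being dropped, OPNsense's VID 20 reply reaching ports 6-10 untagged only, and a VID 30 frame (not a member of the trunk) going nowhere. Nothing about the client's operating system enters into any of these decisions.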
I'm digging deeper. It's hardware/OS related.
- Windows on my 5-year-old computer connects to the internet through everything I can imagine (Realtek network card).
- Fedora and Debian on the same PC connect to the internet only through an untagged VLAN and LAN net. But the VLAN works on the 5-year-old PC with Linux (unfortunately untagged).
- On a PC about 10 years old or more there is no connection over anything related to VLANs.
UPDATE: Windows 11 connects you to everything you want through whatever you want. Linux sucks. Connected an 11-year-old PC with a 14-year-old network card and it works through a tagged VLAN. Linux has a problem with that with the default setup. I don't know how to connect Debian through a tagged VLAN.
So much wrong there:
1. It is not OS/hardware-related at all.
2. Linux does not suck. It can handle VLANs, I gave you the pointers on how to do it if need be.
3. That being said, you should not use VLANs on any client, because that is not how this is supposed to work. We explained that multiple times.
I give up here.
Quote from: meyergru on May 04, 2025, 09:48:47 AM
"So much wrong there:
1. It is not OS/hardware-related at all.
2. Linux does not suck. It can handle VLANs, I gave you the pointers on how to do it if need be.
3. That being said, you should not use VLANs on any client, because that is not how this is supposed to work. We explained that multiple times.
I give up here."
I'm not configuring VLANs on the clients. I'm configuring this on OPNsense and the managed switch. Linux connects only through an untagged VLAN. Windows connects through everything (even tagged). That's what I said.
I can say that the problem is solved. Achieved subnet separation with VLANs on Linux, but on untagged VLANs. :-)
Untrusted clients should never use tagged VLANs, only untagged switch ports. That's the point.