OPNsense Forum

English Forums => General Discussion => Topic started by: Whaley on August 24, 2025, 10:40:28 PM

Title: How to configure VLANs over Bridges
Post by: Whaley on August 24, 2025, 10:40:28 PM
I cannot find much about it:

https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html

Gemini says we need to create the VLAN and add it to the bridge, but when you define the VLAN's physical interface as the bridge as well, won't that be a problem? :S

So basically here is my setup: I'm using the OPNsense appliance as a regular switch, splitting some ports into 2 separate networks by using 2 bridges.

This works just fine; I can even define NAT rules so the 2 segments can reach each other and vice versa.


bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   inet 10.1.0.1 netmask 0xffffff00 broadcast 10.1.0.255
   nd6 options=1<PERFORMNUD>
   groups: bridge
   member: em7 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
           ifmaxaddr 0 port 8 priority 128 path cost 2000000
   member: em5 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
           ifmaxaddr 0 port 6 priority 128 path cost 55
   member: em4 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
           ifmaxaddr 0 port 5 priority 128 path cost 55
   member: em3 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
           ifmaxaddr 0 port 4 priority 128 path cost 55
   member: em2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
           ifmaxaddr 0 port 3 priority 128 path cost 55

bridge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
   nd6 options=1<PERFORMNUD>
   groups: bridge
   maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
   member: em6 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
           ifmaxaddr 0 port 7 priority 128 path cost 55


I would like to add an external manageable switch to this configuration to extend these 2 VLANs into another room.

It is not obvious how to configure this on OPNsense, and I also have no idea how to define a specific TRUNK port which will transport my VLANs to the switch.

Title: Re: How to configure VLANs over Bridges
Post by: pfry on August 24, 2025, 11:31:39 PM
Quote from: Whaley on August 24, 2025, 10:40:28 PM
[...]won't that be a problem[...]

Yep. Either leave the main unconfigured or unassigned. Ideally you'll configure your switch (or other device) to send only tagged packets on that port.

Quote:
[...]
This is not obvious how to configure it on OpenSense, also no idea how to define a specific TRUNK port which will transport my VLANs to the switch.

Nothing to it; it's just like your other interfaces:

root@fw:/home/user # ifconfig bridge1
bridge1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: TRUST (lan)
        options=0
        ether 58:9c:fc:10:ff:c9
        inet 10.101.11.1 netmask 0xffffff00 broadcast 10.101.11.255
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: vlan0.109 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 19 priority 128 path cost 2000
        member: vlan0.107 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 17 priority 128 path cost 2000
        member: vlan0.105 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 15 priority 128 path cost 2000
        member: re0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 6 priority 128 path cost 800
        groups: bridge
        nd6 options=9<PERFORMNUD,IFDISABLED>
root@fw:/home/user #

(I have three more bridges as well.) Nothing defines a trunk port on OPNsense other than configuring VLANs on it.

Title: Re: How to configure VLANs over Bridges
Post by: Whaley on August 25, 2025, 10:43:28 AM
So then I do something horribly wrong here with these:

bridge0_vlan10: flags=8003<UP,BROADCAST,MULTICAST> metric 0 mtu 1500
        ether 00:00:00:00:00:00
        inet6 fe80::200:24ff:fecf:ed84%bridge0_vlan10 prefixlen 64 tentative scopeid 0xd
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        vlan: 0 vlanpcp: 0 parent interface: <none>
        groups: vlan
bridge1_vlan20: flags=8003<UP,BROADCAST,MULTICAST> metric 0 mtu 1500
        ether 00:00:00:00:00:00
        inet6 fe80::200:24ff:fecf:ed84%bridge1_vlan20 prefixlen 64 tentative scopeid 0xe
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        vlan: 0 vlanpcp: 0 parent interface: <none>
        groups: vlan

When you define the VLAN, what do you set as the parent interface? You must choose something.

Title: Re: How to configure VLANs over Bridges
Post by: Whaley on August 25, 2025, 10:53:38 AM
So basically you suggest the same thing Gemini said: that you create those VLANs somehow, enslave them under the bridges, and it should work, with the bridge having the IP address.

So my question then is: how will you make your TRUNK port part of both bridges?

A port is only allowed to be part of one bridge.

Here is something I tried, but it is also not good for the same reason:

1) I created two VLANs using the TRUNK PORT (em7) as parent

2) I activated them but do not specify any IP

3) I can add this as part of one of the bridges (one network)

4) It cannot be added to the other bridge

bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   inet 10.1.0.1 netmask 0xffffff00 broadcast 10.1.0.255
   nd6 options=1<PERFORMNUD>
   groups: bridge
   id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
   maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
   root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
   member: em7_vlan20 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
           ifmaxaddr 0 port 14 priority 128 path cost 2000000
   member: em7_vlan10 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
           ifmaxaddr 0 port 13 priority 128 path cost 2000000
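As an added illustration (not code from either poster or from OPNsense), here is a small audit script that reads ifconfig output and flags the two layout problems that appear in this thread: a VLAN interface whose parent is `<none>` (or a bridge, as in the first post's question), and a bridge that carries two VLAN sub-interfaces off the same trunk port, which joins the two tagged networks into a single L2 domain on the firewall and so removes the separation the VLANs were meant to provide. It also reports any interface that shows up as a member of two bridges. The `BROKEN` sample is constructed from the outputs quoted above; the `em7_vlan10`/`em7_vlan20` entries and the `FIXED` layout (one tagged sub-interface of em7 per bridge) are assumptions, not output shown on the page.

```python
import re

# Regexes for the ifconfig(8) lines the audit needs (FreeBSD/OPNsense format).
IFACE_RE = re.compile(r"^(\S+): flags=")
MEMBER_RE = re.compile(r"^\s*member: (\S+)")
VLAN_RE = re.compile(r"^\s*vlan: (\d+) .*parent interface: (\S+)")
GROUPS_RE = re.compile(r"^\s*groups: (.+)$")
NO_PARENT = (None, "<none>")


def parse_ifconfig(text):
    """Parse ifconfig output into {name: {groups, members, vlan, parent}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        if m := IFACE_RE.match(line):
            cur = {"groups": [], "members": [], "vlan": None, "parent": None}
            ifaces[m.group(1)] = cur
        elif cur is None:
            continue
        elif m := MEMBER_RE.match(line):
            cur["members"].append(m.group(1))
        elif m := VLAN_RE.match(line):
            cur["vlan"], cur["parent"] = int(m.group(1)), m.group(2)
        elif m := GROUPS_RE.match(line):
            cur["groups"] = m.group(1).split()
    return ifaces


def audit(text):
    """Return human-readable findings for VLAN-over-bridge layout problems."""
    ifaces = parse_ifconfig(text)
    bridges = {n for n, i in ifaces.items() if "bridge" in i["groups"]}
    vlans = {n: i for n, i in ifaces.items() if "vlan" in i["groups"]}
    findings = []
    # A VLAN needs a physical trunk port as parent: neither <none> nor a bridge.
    for name, v in vlans.items():
        if v["parent"] in NO_PARENT:
            findings.append(f"{name}: VLAN has no parent interface and carries no traffic")
        elif v["parent"] in bridges:
            findings.append(f"{name}: parent {v['parent']} is a bridge, not a trunk port")
    owner = {}  # member -> bridge, to catch an interface claimed by two bridges
    for b in sorted(bridges):
        by_parent = {}  # trunk port -> [(tag, vlan iface)] among this bridge's members
        for member in ifaces[b]["members"]:
            if member in owner:
                findings.append(f"{member}: member of both {owner[member]} and {b}")
            owner[member] = b
            v = vlans.get(member)
            if v and v["parent"] not in NO_PARENT:
                by_parent.setdefault(v["parent"], []).append((v["vlan"], member))
        # Two tags from the same trunk in one bridge merge two VLANs into one L2 domain.
        for parent, tagged in by_parent.items():
            if len(tagged) > 1:
                tags = ", ".join(f"VLAN {t} ({m})" for t, m in sorted(tagged))
                findings.append(f"{b}: joins {tags} from trunk {parent} into one L2 domain")
    return findings


# Constructed sample condensed from the thread: bridge0 carries both em7 VLANs,
# and bridge0_vlan10 was created without a parent (the em7_vlan* blocks are assumed).
BROKEN = """\
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.1.0.1 netmask 0xffffff00 broadcast 10.1.0.255
        groups: bridge
        member: em7_vlan20 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: em7_vlan10 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: em2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
bridge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        groups: bridge
        member: em6 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
bridge0_vlan10: flags=8003<UP,BROADCAST,MULTICAST> metric 0 mtu 1500
        vlan: 0 vlanpcp: 0 parent interface: <none>
        groups: vlan
em7_vlan10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        vlan: 10 vlanpcp: 0 parent interface: em7
        groups: vlan
em7_vlan20: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        vlan: 20 vlanpcp: 0 parent interface: em7
        groups: vlan
"""

# Assumed intended layout: each tagged sub-interface of the trunk em7 joins exactly one bridge.
FIXED = """\
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        groups: bridge
        member: em7_vlan10 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: em2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
bridge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        groups: bridge
        member: em7_vlan20 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: em6 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
em7_vlan10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        vlan: 10 vlanpcp: 0 parent interface: em7
        groups: vlan
em7_vlan20: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        vlan: 20 vlanpcp: 0 parent interface: em7
        groups: vlan
"""

if __name__ == "__main__":
    for finding in audit(BROKEN):
        print("BROKEN:", finding)
    print("FIXED:", audit(FIXED) or "no findings")
```

On a live box the same check runs over `ifconfig` output piped in (`ifconfig | python3 audit.py` with a `sys.stdin.read()` in place of the sample); the parser keys only on the `member:`, `vlan:`/`parent interface:` and `groups:` lines, so the extra `inet`, `nd6` and `ifmaxaddr` lines in real output are ignored.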