hello,
I'm trying to set up my OPNsense with a D-Link DGS-1210-16 switch.
On the switch I set up:
- VLAN 4 (untagged ports: 1, 2 and 13, 14, 15, 16)
- VLAN 1 (untagged ports: 1, 2 and 13, 14, 15, 16)
- VLAN 5 (untagged ports: 1, 2 and 13, 14, 15, 16)
- VLAN 666 (untagged ports: 1, 2, 3 to 12)
Note: PVID 666 for all ports; 666 is the admin VLAN of this switch.
On the OPNsense I set up:
- LAGG0 with firewall ports P5 & P6, no hash
- and VLANs 4, 1, 5, 666 on top of lagg0, which became zones/interfaces with IP addresses.
I gave the DGS switch the IP address 192.168.44.44 (192.168.44.0/24, switch admin zone).
I can't ping the switch from my admin station, which is in another zone (192.168.11.0/24).
Do you have any tips for my config?
If you did not have a typo in what you wrote, that cannot work: how would you punch VLANs 4, 1 and 5 through untagged, all at the same time, to the same ports 1, 2, 13, 14, 15 and 16?
If there was any traffic on those VLANs, it would all get mixed up as untagged on those ports.
If you intended to use those ports as "trunk" ports, you would need to set them up for all of these VLANs as tagged, not untagged.
Also, you did not say how you configured ports 5 and 6 on the switch side as a LAGG. It gets a little complicated if you want to have VLANs over a LAGG on the switch side, too, and you most surely want that.
So: do not use LAGGs, they probably do not do what you expect anyway, see this, #21 (https://forum.opnsense.org/index.php?topic=42985).
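To make the tagged/untagged/PVID distinction from the reply above concrete, here is a small added simulation of 802.1Q port membership (example code, not the forum's or D-Link's or OPNsense's own). The port numbers, VLAN IDs and the two switch configurations are the ones from this thread; the class names, the frame representation and the flooding logic are assumptions made for illustration. It shows why the first configuration cannot work (VLANs 4, 1 and 5 leave port 13 indistinguishable, and untagged ingress on a port whose PVID is 666 can only ever land in VLAN 666) and what the tagged "trunk" version does instead.

```python
"""Toy model of 802.1Q port membership and PVID on a managed switch (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Frame:
    src_port: int
    vlan: Optional[int] = None      # None = frame arrives untagged on the wire


@dataclass
class Port:
    pvid: int                       # VLAN assigned to untagged ingress frames
    tagged: Set[int] = field(default_factory=set)
    untagged: Set[int] = field(default_factory=set)

    def members(self) -> Set[int]:
        return self.tagged | self.untagged


class Switch:
    def __init__(self, ports: Dict[int, Port]):
        self.ports = ports

    def classify(self, frame: Frame) -> Optional[int]:
        """Ingress: a tagged frame keeps its VID, an untagged frame gets the port's PVID.
        If the ingress port is not a member of that VLAN the frame is dropped."""
        port = self.ports[frame.src_port]
        vid = frame.vlan if frame.vlan is not None else port.pvid
        return vid if vid in port.members() else None

    def flood(self, frame: Frame) -> Dict[int, Optional[int]]:
        """Egress for a broadcast in the frame's VLAN: {port: VID on the wire, or None if untagged}."""
        vid = self.classify(frame)
        if vid is None:
            return {}
        out: Dict[int, Optional[int]] = {}
        for num, port in self.ports.items():
            if num == frame.src_port or vid not in port.members():
                continue
            out[num] = vid if vid in port.tagged else None
        return out


def broken_switch() -> Switch:
    """The first configuration from the thread: 4, 1, 5 untagged on 1, 2, 13-16; 666 untagged on 1-12; PVID 666 everywhere."""
    ports = {p: Port(pvid=666) for p in range(1, 17)}
    for p in (1, 2, 13, 14, 15, 16):
        ports[p].untagged |= {4, 1, 5}
    for p in range(1, 13):
        ports[p].untagged.add(666)
    return Switch(ports)


def fixed_switch() -> Switch:
    """The second configuration: port 1 (to OPNsense) and 13-16 carry all VLANs tagged; 2-12 are untagged access ports in 666."""
    ports = {p: Port(pvid=666) for p in range(1, 17)}
    for p in (1, 13, 14, 15, 16):
        ports[p].tagged |= {4, 1, 5, 666}
    for p in range(2, 13):
        ports[p].untagged.add(666)
    return Switch(ports)


if __name__ == "__main__":
    s = broken_switch()
    # VLAN 4 and VLAN 5 frames from the firewall leave port 13 with no tag at all: the device behind it cannot tell them apart.
    print("broken, VLAN 4 from port 1:", s.flood(Frame(1, 4)))
    print("broken, VLAN 5 from port 1:", s.flood(Frame(1, 5)))
    # An untagged frame entering port 13 is assigned PVID 666, but port 13 is not a member of 666: dropped.
    print("broken, untagged into port 13:", s.flood(Frame(13)))
    f = fixed_switch()
    print("fixed, VLAN 4 from port 1:", f.flood(Frame(1, 4)))
    print("fixed, untagged PC on port 5:", f.flood(Frame(5)))
```

In the fixed configuration an untagged frame from a PC on port 5 is classified into VLAN 666 by the PVID, leaves ports 2 to 12 untagged and leaves port 1 (towards OPNsense) with tag 666, which is exactly what a VLAN 666 interface on the firewall expects to see.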
hello, meyergru
you are right.
I removed the LAGG (on both sides, in order to simplify the configuration).
Then I set up the switch as follows (port 1 of the switch is connected to my OPNsense firewall port 6):
- VLAN 4 (tagged ports: 1 and 13, 14, 15, 16)
- VLAN 1 (tagged ports: 1 and 13, 14, 15, 16)
- VLAN 5 (tagged ports: 1 and 13, 14, 15, 16)
- VLAN 666 (untagged ports: 2 to 12; tagged ports: 1 and 13 to 16)
On OPNsense I created 4 VLANs (with the right IDs, all using the firewall's port 6 hardware NIC), then assigned them to interfaces, then set up an IP address on each pseudo-interface.
BUT perhaps I'm missing something on OPNsense?
Note: PVID 666 for all ports; 666 is the admin VLAN on this switch (by default it was ID 1). For me PVID is a strange concept; on a switch, what does it really mean?
But I still can't ping my switch on 192.168.44.44 from 192.168.11.0/24 (where I have my admin workstation).
Did you create firewall rules to allow inter-VLAN traffic? By default, there only is an "allow to any" rule for the initial LAN.
Also, does the VLAN 666 interface on OPNsense have an IPv4 with CIDR 192.168.44.1/24?
what, what... !!! ???
Quote from: meyergru on Today at 11:37:12 AM
Did you create firewall rules to allow inter-VLAN traffic? By default, there only is an "allow to any" rule for the initial LAN.
Also, does the VLAN 666 interface on OPNsense have an IPv4 with CIDR 192.168.44.1/24?
Inter-VLAN traffic? How do you make this possible? Where is the VLAN management? Is it VXLAN? (on OPNsense)
Yes, all my VLANs / interfaces have an IP address.
You need firewall rules on each of the VLAN interfaces permitting the traffic you want to allow. Without any rule everything is denied by default.
There is no VLAN management. Look at the firewall rules for the respective interfaces. By default, only the first LAN (which is probably still untagged) has a rule "allow to any", look it up.
Any new interface that you create initially has no rules at all, effectively blocking it from accessing anything because of the implicit "deny all" rule, which means no internet access either.
If you want all VLANs to be able to access the internet and all other VLANs, you first create "allow any" rules for each of them.
If you then want to block access to other VLANs, you would likely create an RFC1918 alias and block RFC1918 access before the "allow any" rule, so as to block access to any other local VLAN.
You will probably want to allow access on your main LAN, so you omit the block RFC1918 rule there.
Also note that it is best practice not to have tagged and untagged traffic on the same OPNsense interface. If you can, do not use the untagged (parent) interface for your VLANs, use only the latter.
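The rule logic described in the two replies above (implicit deny, an "allow any" rule per VLAN interface, and a "block RFC1918" rule placed before it where a VLAN should be isolated) can be checked with the following added model. It is example code written for this thread, not OPNsense's own rule engine; it assumes OPNsense's default first-match ("quick") evaluation per interface, and the interface names, rule names and sample destinations are constructed for illustration.

```python
"""Toy first-match firewall rule evaluation with an RFC1918 alias (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Alias "RFC1918" as a practitioner would define it in Firewall > Aliases.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALIASES = {"any": None, "RFC1918": RFC1918}


@dataclass
class Rule:
    action: str           # "pass" or "block"
    dst: str = "any"      # "any" or an alias name


def matches(rule: Rule, dst_ip: str) -> bool:
    nets = ALIASES[rule.dst]
    if nets is None:                       # destination "any"
        return True
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in n for n in nets)


def decide(rules: Sequence[Rule], dst_ip: str) -> str:
    """First matching rule wins; an interface with no matching rule falls through to the implicit deny."""
    for rule in rules:
        if matches(rule, dst_ip):
            return rule.action
    return "block"


def open_ruleset() -> List[Rule]:
    """What you put on the main/admin LAN: reach the internet and all other VLANs."""
    return [Rule("pass", "any")]


def isolated_ruleset() -> List[Rule]:
    """What you put on a VLAN that may reach the internet but no other local network."""
    return [Rule("block", "RFC1918"), Rule("pass", "any")]


def misordered_ruleset() -> List[Rule]:
    """Same two rules in the wrong order: the block rule is never reached."""
    return [Rule("pass", "any"), Rule("block", "RFC1918")]


if __name__ == "__main__":
    switch = "192.168.44.44"     # the switch's admin IP from the thread
    internet = "9.9.9.9"         # constructed sample public destination
    for name, rules in (("new VLAN, no rules", []), ("admin LAN", open_ruleset()),
                        ("isolated VLAN", isolated_ruleset()), ("misordered", misordered_ruleset())):
        print(f"{name:22} -> switch: {decide(rules, switch):5}  internet: {decide(rules, internet)}")
```

A freshly created VLAN interface with no rules blocks both destinations; the isolated ruleset allows the internet but not 192.168.44.44; and swapping the two rules silently disables the isolation, which is the ordering mistake to check for in Firewall > Rules when a VLAN reaches more than intended.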
Quote from: Patrick M. Hausen on Today at 11:47:18 AM
You need firewall rules on each of the VLAN interfaces permitting the traffic you want to allow. Without any rule everything is denied by default.
My admin station has an any/any/any rule...
And on my VLAN 666 (admin, where the switch is hosted), there is also an any/any rule....
And Live View does not show blocked or rejected packets.
Then do a packet trace on the interfaces involved to watch what happens.
Or, even better:
Show all of your interface definitions and all of your firewall rules for those interfaces, plus the "floating" rules. Which IP is the one for your admin workstation, to which switch port is it connected? What IP does your switch have (you said its admin VLAN is 666)?
You can add screenshots only if you use "reply", not "quick reply". Do not use an image hosting service, but the forum itself. If the number of attachments does not suffice, use multiple posts.
Quote from: Patrick M. Hausen on Today at 12:07:39 PM
Then do a packet trace on the interfaces involved to watch what happens.
When trying to ping my switch (192.168.44.44, from my IP 192.168.32.15), I'm having this result:
ethertype 802.1Q (0x8100), length 110: vlan 666, p 7, ethertype IPv4 (0x0800), (tos 0xc0, ttl 1, id 0, offset 0, flags [none], proto IGMP (2), length 92)
192.168.44.44 > 239.255.255.100: igmp v1 report 239.255.255.100 [len 72]
(and I got this for the 4 VLANs: 5, 1, 4, and as you see for 666)
First you should see an ICMP echo request coming in on the port that your PC is connected to. IGMP is completely unrelated "noise".
Then check if that echo request goes out the management VLAN, if it doesn't we can try to find out why.
Then if the switch sends back an echo reply.
Etc.
Quote from: Patrick M. Hausen on Today at 01:10:56 PM
First you should see an ICMP echo request coming in on the port that your PC is connected to. IGMP is completely unrelated "noise".
Then check if that echo request goes out the management VLAN, if it doesn't we can try to find out why.
Then if the switch sends back an echo reply.
Etc.
hi,
unfortunately no ICMP message. Only MAC multicast traffic, and just once, for each VLAN.
On the port to which your PC is connected the ICMP echo must be visible. Try tcpdump in an SSH session if the UI does not catch it.
You said you connected your OPNsense to port 6 of the switch, yet you did not say how you configured the VLANs for that port on the switch. Maybe it is not connected to tagged VLANs, because it only has an untagged configuration? It does not suffice to configure the VLANs on the OPNsense side only.
SHAME ON ME.
I already have a test VPN with WireGuard... and with the IP of the VLAN!!!!
Sorry for wasting your time, and thank you for your kindness.