Hello everyone.
I've spent quite some time searching on this forum and other sources ways to properly structure the equipment and systems I'll explain below, but I haven't been able to get it working. I'm convinced that some minor detail is missing, but it's preventing it from functioning correctly. This situation is frustrating.
That's why I'm asking for your help because I don't know what else to try.
We have a laptop with a single NIC, running Proxmox, with OPNsense as main router, in addition to other systems (Home Assistant, OpenMediaVault, and others on standby). The IoT devices at home have grown (now I got 23) and there are two Chinese IP cameras, so I wanted to isolate them from the rest of the network. I wanted to add a guest network too.
At this moment, the system is working like the first picture.
I obviously don't understand how it works (which is embarrassing), because if I set port 1 of the switch to UNTAGGED (as I believe it should be), there's no internet access.
The only thing I can think of is that the tags are being lost through Proxmox, and everything is truly untagged. The connection to the ISP works because it's via PPPoE. Is that correct?
What I'm trying to achieve is something like the second.
But it doesn't work.
HELP!!!!!
What? Is the pppoe on vtnet0 or vtnet1?
Can you post the Proxmox network and the switch configuration?
Thanks a lot for the replay.
I've added two pictures with the switch config and here the PROXMOX network config.
pppoe1 is on vnet0 in the config witch is working now.
On the new version (the one that doesn't work) I create one new vnet for every VLAN:
LAN: vnet0
WAN: vnet1
Guests: vnet2
IoT: vnet3
The name vnet0.24 is assigned by the system. When you try to create a new VLAN, a message says that the name has to begin with vlan0
I am running into the same problem as you, but I just read an article where it talks about creating a Linux bridge, assigning an IP, and that becomes the LAN side. My problem with that is that my network has a few vlans, so how do I get those in the OPNsense config also?
It seems there's not much activity here.
I've also read and watched quite a few articles on the subject, but nothing that I know how to make work in my case.
Quote from: elreyquerabio on December 16, 2025, 04:34:57 PMIt seems there's not much activity here.
Sadly you didn't provide the requested information. So it's hard to help.
Quote from: spetrillo on December 14, 2025, 06:20:56 PMI am running into the same problem as you, but I just read an article where it talks about creating a Linux bridge, assigning an IP, and that becomes the LAN side. My problem with that is that my network has a few vlans, so how do I get those in the OPNsense config also?
If you run OPNsense virtualized you can do the whole VLAN termination on the hypervisor, Proxmox in your case. So you don't need to create any VLAN inside OPNsense, just add a virtual interface to it for each.
Or you do the VLAN termination inside OPNsense. Both is possible.
In both cases you need to enable VLAN awareness on the Proxmox bridges.
I would prefer to use OPNsense for VLAN termination, so Proxmox is just another server in the server VLAN.
Right now I have these VLANs:
A) VLAN 2: this is my WAN interface and any network devices for mgmt purposes.
B) VLAN 3: this is my server VLAN.
C) VLAN 10: this is my wireless VLAN.
D) VLAN 12: this is my guest wireless VLAN.
E) VLAN 20: this is my streaming VLAN.
Ideally I want setup VLANs on OPNsense, as part of the VM install. I can pass to the OPNsense VLAN a Linux bridge that is VLAN aware and then carve up the needed VLAN interfaces within OPNsense. Does all of this make sense? I am going to build my Proxmox config and OPNsense VM config and will detail them here.
Thanks,
Steve
Quote from: viragomann on December 16, 2025, 07:35:43 PMQuote from: elreyquerabio on December 16, 2025, 04:34:57 PMIt seems there's not much activity here.
Sadly you didn't provide the requested information. So it's hard to help.
Quote from: viragomann on December 16, 2025, 07:35:43 PMQuote from: elreyquerabio on December 16, 2025, 04:34:57 PMIt seems there's not much activity here.
Sadly you didn't provide the requested information. So it's hard to help.
I provided all the info days ago.
Quote from: spetrillo on December 16, 2025, 10:21:27 PMI would prefer to use OPNsense for VLAN termination, so Proxmox is just another server in the server VLAN.
Right now I have these VLANs:
A) VLAN 2: this is my WAN interface and any network devices for mgmt purposes.
B) VLAN 3: this is my server VLAN.
C) VLAN 10: this is my wireless VLAN.
D) VLAN 12: this is my guest wireless VLAN.
E) VLAN 20: this is my streaming VLAN.
Ideally I want setup VLANs on OPNsense, as part of the VM install. I can pass to the OPNsense VLAN a Linux bridge that is VLAN aware and then carve up the needed VLAN interfaces within OPNsense. Does all of this make sense? I am going to build my Proxmox config and OPNsense VM config and will detail them here.
Thanks,
Steve
I'll appreciate that info because I can't reach any suitable exit to what I need.
Thanks in advance.
Quote from: viragomann on December 16, 2025, 07:41:22 PMQuote from: spetrillo on December 14, 2025, 06:20:56 PMI am running into the same problem as you, but I just read an article where it talks about creating a Linux bridge, assigning an IP, and that becomes the LAN side. My problem with that is that my network has a few vlans, so how do I get those in the OPNsense config also?
If you run OPNsense virtualized you can do the whole VLAN termination on the hypervisor, Proxmox in your case. So you don't need to create any VLAN inside OPNsense, just add a virtual interface to it for each.
Or you do the VLAN termination inside OPNsense. Both is possible.
In both cases you need to enable VLAN awareness on the Proxmox bridges.
I see! So, it would be enough to assign the corresponding VLANs to the interfaces created on the host and forget about that in the OPNsense section. Makes sense! I'll definitely test it tomorrow!
Thanks.
So here is the Proxmox network config and the OPNsense VM config. Once the VM starts and goes through the install process I will say Yes to the Configure VLANs section and then define my VLANs against the virtual bridges that were setup in Proxmox. Do you agree with this config?
And here is the config from OPNsense...
If you agree everything so far my next question is a matter of access. How do I get access to the OPNsense GUI? Do I just connect a cable from PC to the port that has the LAN interface(vtnet0_vlan2) and set an IP for the PC to be in the subnet as the LAN interface? Is it as simple as that?
If you don't have a VLAN-capable switch to terminate the VLANs, but connect a PC directly to Proxmox, you have to configure the proper VLAN (2) on it's network interface to access OPNsense.
I can add a VLAN capable switch but I figured a direct connect would be the simplest way to configure this firewall, before I put in on the main network.
Ok it worked as advertised. I was able to get to the OPNsense GUI and configure. More testing to do. I am going to add a network switch to the mix.
Ok I have a managed 1 gig switch I am using. The config is as follows:
1) PC connected to port 5, with the port set to vlan 2 untagged. I have also set the vlan to 2 on the PC NIC.
2) Server connected to port 6, with the port set to vlan 2/3/20 tagged.
3) Server connected to port 7, with the port set to vlan 10/12 tagged.
VLAN 2 is my LAN interface on OPNsense. I hard coded my PC NIC to 192.168.1.10/26. When I try to ping 192.168.1.1 I get nothing. I then re-configured the PC NIC and removed the vlan from the NIC. I try to ping 192.168.1.1 again and get nothing. Ok what am I doing wrong here?
If the port on the switch is VLAN 2 untagged, don't set a VLAN on the PC.
Still does not work...
My PC's port is set to both vlan 1 and vlan 2 untagged. Do I need to delete the vlan 1 reference from the switch port or just set the PVID to 2?
PVID 2 and no additional VLAN.
And away we go!
Got a connection to the GUI. DHCP gave me an IP, so I know that is working.
Right now I use vlan 1 as my mgmt vlan. In this new build I am moving it to vlan 2 and vlan 1 will no longer be used.
Now to see if I can get to the Proxmox GUI on vlan 3.
Ok so I was not able to get to the Proxmox GUI. Going to reboot and see if that helps.
Id like to think I am good...but sometimes you just gotta walk away from the problem and then come back to it later...which is what I did. I found that the Linux vlan for the Proxmox GUI IP was incorrect in my brave new vlan world. Modified it, rebooted, and yes the GUI is available. At this point its time to deploy the new firewall. If I can do this tomorrow morning I will try to get to it. I will need to reboot all devices using vlan 1, which is not many.
It's ALIVE!!!
I am live on the new firewall, with the new vlan structure. I am still working out a few wireless vlan kinks but nothing too onerous. Speaking of wireless I went to begin building my new Unifi VM. I had a problem getting IP from my dnsmasq DHCP server but figured out that since I turned off VLAN 1 I had to reset default to VLAN 2, including normal PVIDs. All good!
I finally got it!
Following viragomann's instructions led to the solution.
There are still some details to add.
1. Add the listening interfaces to the DNS (in my case, DNSMASQ).
2. Add the listening interfaces to AdGuard (which isn't trivial). You either have to modify AdGuardHome.yaml, or delete it and start over.
Now I'll add blocking rules between VLANs so it behaves the way I want.
I've added a new photo with the final settings into the first post, so newbies like me don't have to waste so much time.
THANKS EVERYONE!
Best, always have the services listen on all interfaces ("0.0.0.0"). This is by far the most stable configuration and the reason why in the UI the wording is "All (recommended)".
Firewall rules will take care of nobody accessing your services from the WAN side. No need to limit listen interfaces at all.
But...
"Interface IPs used to respond to queries from clients. If no interfaces are selected, Dnsmasq will listen on all available IPv4 and IPv6 addresses by default. However, DHCP related firewall rules will only be added for explicitly selected interfaces, never for all interfaces."
I would not enable DHCP on all interfaces, only DNS. Is this a single setting in DNSmasq? I'm using Kea and Unbound and so I can leave Unbound at the default and get a stable socket on 0.0.0.0.
Why not enable DHCP in all interfaces?
Yes, there is a single option in DNSmasq section. I already read that Kea is, perhaps, the best option. I'll check once I finish setting what is working now.
Apprecite!
Quote from: elreyquerabio on December 19, 2025, 02:20:22 PMWhy not enable DHCP in all interfaces?
Because of the automatic rules :-)
I think it's rather nice to have them where DHCP is active.