Happy New Year!
Searching the forum for VLANs on bridges results in a lot of information and configurations (e.g. link (https://forum.opnsense.org/index.php?topic=29886.msg144322#msg144322), link (https://forum.opnsense.org/index.php?topic=41209.msg202007#msg202007), link (https://forum.opnsense.org/index.php?topic=48601.msg245495#msg245495)) where the bottom line seems to be "bridge over VLANs" and not use (not possible in OPNsense config) VLANs on bridges.
Now I have been reading up on the matter and see that:
- in FreeBSD 14.x man for IF_BRIDGE(4) there is no VLAN support (link (https://man.freebsd.org/cgi/man.cgi?query=if_bridge&apropos=0&sektion=4&manpath=FreeBSD+14.3-RELEASE+and+Ports&arch=default&format=html))
- in FreeBSD 15.x man for IF_BRIDGE(4) there is VLAN support (see quote below, link (https://man.freebsd.org/cgi/man.cgi?query=if_bridge&apropos=0&sektion=4&manpath=FreeBSD+15.0-RELEASE+and+Ports&arch=default&format=html))
While I am aware that OPNsense is currently based on FreeBSD 14.3, I assume that OPNsense will move to 15.x at some point. This will offer VLAN support on bridges judging by the FreeBSD documentation.
Is this VLAN support on bridges also moving into OPNsense? Couldn't find it on the forum, but when is OPNsense moving to FreeBSD 15.x/16.x?
Arguably, having VLAN support on bridges could make multi-NIC box configurations (such as my trusty Qotom) a little easier with IPTV VLANs, WLAN VLANs, IOT VLANs etc. on top of a multi-NIC LAN_bridge with a single WAN interface. ;-)
From the FreeBSD 15.x man IF_BRIDGE(4)
Quote:
VLAN SUPPORT
The if_bridge driver has full support for virtual LANs (VLANs). The bridge implements independent VLAN learning, i.e. MAC addresses are learned on a per-VLAN basis, and the same MAC address may be learned on multiple interfaces on different VLANs. Incoming frames with an 802.1Q tag will be assigned to the appropriate VLAN.
Traffic sent to or from the host is not assigned to a VLAN by default. To allow the host to communicate on a VLAN, configure a vlan(4) interface on the bridge and (if necessary) assign IP addresses there.
By default no access control is enabled, so any interface may participate in any VLAN.
VLAN filtering may be enabled on a bridge using the ifconfig(8) vlanfilter option. When VLAN filtering is enabled, an interface may only send and receive frames based on its configured VLAN access list.
The interface's untagged VLAN ID may be configured using the ifconfig(8) untagged option. If an untagged VLAN ID is configured, incoming frames will be assigned to that VLAN, and the interface may receive outgoing untagged frames in that VLAN.
The tagged VLAN access list may be configured using the tagged, +tagged and -tagged options to ifconfig(8). An interface may send and receive tagged frames for any VLAN in its access list.
The bridge will automatically insert or remove 802.1q tags as needed, based on the interface configuration, when forwarding frames between interfaces. This tag processing is only done for interfaces with VLAN filtering enabled.
Quote from: Rene78 on January 01, 2026, 01:28:04 PM
Searching the forum for VLANs on bridges results in a lot of information and configurations [...] where the bottom line seems to be "bridge over VLANs" and not use (not possible in OPNsense config) VLANs on bridges. [...]
Are you suggesting that it's not possible to assign a VLAN interface to a bridge? It works fine. I use four bridges with nine VLAN interfaces (interfaces on a 10-port switch, broken out as a port expander) assigned among them.
Currently you can bridge VLAN interfaces but not the other way round.
E.g. with FreeBSD 14:
igc0.1 - VLAN 1 on igc0
igc0.2 - VLAN 2 on igc0
igc1.1 - VLAN 1 on igc1
igc1.2 - VLAN 2 on igc1
bridge1 - members igc0.1, igc1.1
bridge2 - members igc0.2, igc1.2
This works well but is complicated and error prone to set up.
With FreeBSD 15:
bridge0 - members igc0, igc1
bridge0.1 - VLAN 1 on all bridge ports
bridge0.2 - VLAN 2 on all bridge ports
HTH,
Patrick
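Patrick's FreeBSD 15 layout written out as ifconfig(8) commands, as an added example that is not from this thread nor from the OPNsense or FreeBSD projects. It assumes igc0 and igc1 are 802.1Q trunk ports, uses a constructed sample address, and the argument order of the bridge untagged/tagged options is my reading of the 15.0 ifconfig(8) syntax. The point it makes is the access-control step from the man page quote above: until vlanfilter is enabled, every member port may participate in every VLAN.

```shell
#!/bin/sh
# Added example (not from the thread): FreeBSD 15 if_bridge(4) with
# VLAN filtering, matching the "bridge0 / bridge0.1 / bridge0.2" layout.
# Assumptions: igc0 and igc1 are 802.1Q trunks carrying VLANs 1 and 2;
# the host talks on VLAN 1 via bridge0.1; the address is a constructed
# sample (TEST-NET-1). Option argument order ("tagged <list> <port>")
# is my reading of the 15.0 ifconfig(8) bridge syntax, not verified here.
# Usage: ./bridge-vlan.sh --apply   (runs ifconfig, needs root on FreeBSD)
#        ./bridge-vlan.sh --dry-run (prints the commands only)

BRIDGE=bridge0
PORTS="igc0 igc1"
VLANS="1,2"                  # tagged VLANs each trunk port may carry
HOST_VLAN=1                  # VLAN the firewall itself is reachable on
HOST_ADDR="192.0.2.1/24"     # constructed sample address

# Execute a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

configure_bridge_vlans() {
    run ifconfig "$BRIDGE" create
    for p in $PORTS; do
        run ifconfig "$BRIDGE" addm "$p"
    done
    # Enable VLAN filtering first: without it any member port may
    # participate in any VLAN (if_bridge(4), "VLAN SUPPORT").
    run ifconfig "$BRIDGE" vlanfilter
    # Restrict each trunk port to its tagged access list. A port facing
    # an access device would get "untagged <id> <port>" instead.
    for p in $PORTS; do
        run ifconfig "$BRIDGE" tagged "$VLANS" "$p"
        run ifconfig "$p" up
    done
    # Host-side access: a vlan(4) interface on the bridge itself
    # (bridge0.1), which is where the firewall's own address lives.
    run ifconfig "$BRIDGE.$HOST_VLAN" create vlan "$HOST_VLAN" vlandev "$BRIDGE"
    run ifconfig "$BRIDGE.$HOST_VLAN" inet "$HOST_ADDR"
    run ifconfig "$BRIDGE" up
}

case "${1:-}" in
    --apply)   configure_bridge_vlans ;;
    --dry-run) DRY_RUN=1; configure_bridge_vlans ;;
esac
```

Run with --dry-run first to review the exact command sequence before applying it on a box whose management path runs over the same bridge.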
Quote from: Patrick M. Hausen on January 01, 2026, 03:12:21 PM
Currently you can bridge VLAN interfaces but not the other way round.
E.g. with FreeBSD 14:
igc0.1 - VLAN 1 on igc0
igc0.2 - VLAN 2 on igc0
igc1.1 - VLAN 1 on igc1
igc1.2 - VLAN 2 on igc1
bridge1 - members igc0.1, igc1.1
bridge2 - members igc0.2, igc1.2
This works well but is complicated and error prone to set up.
With FreeBSD 15:
bridge0 - members igc0, igc1
bridge0.1 - VLAN 1 on all bridge ports
bridge0.2 - VLAN 2 on all bridge ports
HTH,
Patrick
Will this also be implemented in OPNsense? Not sure if all FreeBSD options are also implemented in OPNsense.
Quote from: Patrick M. Hausen on January 01, 2026, 03:12:21 PM
Currently you can bridge VLAN interfaces but not the other way round. [...]
Ah, I missed the intent. The original VLAN assignment scheme was not a limitation/inconvenience for me. The value added by the new scheme seems limited, as it only provides a more traditional bridge-like configuration with no (apparent) added functionality. Not that I can say much about that, as I treat my firewall like a bridge and my bridges like port expanders, but I could use either method with little modification. (I actually prefer the old method, as some of my equipment is only manageable from VLAN 1, so isolating it would be potentially inconvenient.)