I'm running OPNsense with a UniFi managed switch, the parent interface (igc2) is configured as an untagged LAN network (10.2.0.1/24), and multiple VLANs (42, 50, 66, 99) are configured as subinterfaces on the same physical NIC. Each VLAN has its own subnet (e.g., VLAN 42 = 10.2.42.1/24), DHCP is enabled on all networks, and firewall rules are temporarily wide open for testing. The switch uplink to OPNsense is configured as a trunk with LAN as native and the VLANs tagged.
(https://i.postimg.cc/xjvT07dW/Clean-Shot-2026-02-20-at-15-49-29-2x.png)
Inter-VLAN routing works correctly: from a client in VLAN 42 (10.2.42.x), I can ping 10.2.42.1 and also other VLAN gateways like 10.2.50.1. However, I cannot ping nor reach in any way 10.2.0.1 or even any host in the 10.2.0.0/24 network from VLAN 42. From a device physically in 10.2.0.0/24, everything works normally.
When I open the firewall live view and try to ping from 10.2.42.x to 10.2.0.x I don't see anything coming in, so I'm thinking that I've set up something incorrectly on the switch?
Maybe I just shouldn't be mixing LAN and VLANs on the same port, but I'm not sure how to solve that without locking myself out of both OPNsense and UniFi OS Server (I've already tried making LAN a VLAN!), and also I can't assign a VLAN ID to the Default network in UniFi.
Here's my UniFi configuration:
(https://i.postimg.cc/cLVVtx9z/Clean-Shot-2026-02-20-at-15-51-24-2x.png)
Uplink port:
(https://i.postimg.cc/J4FFS7WF/Clean-Shot-2026-02-20-at-15-52-00-2x.png)
Port for VLAN 42 testing:
(https://i.postimg.cc/R05DVPqB/Clean-Shot-2026-02-20-at-15-51-43-2x.png)
Let me know if there is any other info I can provide, I don't know how to solve this one!
I think you need to add a Profile and add your port profile into it (your VLAN).
Quote from: SenseX on February 20, 2026, 04:19:15 PM
I think you need to add a Profile and add your port profile into it (your VLAN).
What do you mean? Where do I add a profile? I can't see an option in OPNsense or UniFi OS Server 🤔
Under Settings - NETWORK in your UniFi, at the bottom: Global Switch Settings. There you will find Ethernet Port Profiles.
Create New (image 2) and add your VLANs into Tagged VLANs, like in image 2.
Quote from: mercxry on February 20, 2026, 03:57:25 PM
[...] Maybe I just shouldn't be mixing LAN and VLANs on the same port [...]
You're right, there. I found that out when I initially fired up OPNsense. The behavior is a bit odd - you should be able to observe it in the live log (assuming you have appropriate logging enabled).
If you don't have additional physical interfaces handy, I'd make the firewall accessible (at least locally) through the WAN port, then use it to configure the tagged port fully. Ideally, of course, you just have lots of physical ports.
Quote from: mercxry on February 20, 2026, 03:57:25 PM
Maybe I just shouldn't be mixing LAN and VLANs on the same port
It's not recommended, but IMHO it should work just fine in most cases.
However...
Since I am using OPNsense in combination with a UniFi "Core Switch" (the old 16-port 150 PoE+/PoE model), I suggest you do the following:
On your OPNsense router:
- Keep the default LAN OPNsense network Untagged directly on the first NIC after the NIC that you are using as WAN. So if igc0 is WAN then use igc1 just for LAN.
- Then use igc2 for your Main Home Network the same way as LAN: directly Untagged on the NIC itself.
- Now you have just igc3 left for everything else like IoT and Guest networks. On this NIC don't use anything Untagged. However, do assign all your remaining VLANs to this NIC as Tagged.
On your UniFi switch:
- Create a Switch Port Profile with just VLAN 1 as the Native VLAN, which will make it Untagged traffic. REMOVE any other VLANs from this Switch Port Profile!!
- Assign this Switch Port Profile to the port where you will connect the igc1 NIC of your OPNsense router.
- Create a Switch Port Profile with just the VLAN that is your Main Home Network as the Native VLAN, which will make it Untagged traffic. REMOVE any other VLANs from this Switch Port Profile!!
- Assign this Switch Port Profile to the port where you will connect the igc2 NIC of your OPNsense router.
- Create a Switch Port Profile with all your remaining VLANs as Tagged VLANs, which will make them all Tagged VLAN traffic. REMOVE the Native VLAN from this Switch Port Profile!!
- Assign this Switch Port Profile to the port where you will connect the igc3 NIC of your OPNsense router.
And now everything should work without any issues! ;)
(Well... if your networks all have just the basic firewall rules allowing any-to-any traffic via IPv4 and IPv6, of course... basically the two Allow rules that are set up for the OPNsense LAN network by default... you know...)
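The layout in the reply above, as an added example that is not part of the thread and not from OPNsense or UniFi: a small Python checker that models each OPNsense NIC together with the UniFi port profile facing it and flags the conditions the replies warn about (an untagged network plus tagged VLANs on the same NIC, a native VLAN left on a tagged-only trunk, and VLAN IDs tagged on one side but not the other). It encodes both the original post's igc2 setup and the three-NIC layout suggested in the last reply. The data model, the profile names and VLAN 10 for the "Main Home Network" are my assumptions; the thread does not name that VLAN ID. Removing the native VLAN from the trunk profile, as the reply says, is also what takes away the precondition for double-tagged VLAN hopping through that port.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RouterNic:
    """One physical OPNsense NIC and what OPNsense expects to receive on it."""
    name: str
    untagged_network: Optional[str]   # network assigned to the parent interface itself, or None
    tagged_vlans: frozenset           # VLAN IDs of the VLAN subinterfaces on this NIC


@dataclass(frozen=True)
class SwitchPortProfile:
    """A UniFi Ethernet port profile as applied to the switch port facing that NIC."""
    name: str
    native_vlan: Optional[int]        # VLAN the switch sends untagged, or None for no native VLAN
    tagged_vlans: frozenset           # VLAN IDs the switch sends 802.1Q-tagged


def check_port(nic: RouterNic, profile: SwitchPortProfile) -> list:
    """Return a list of findings; an empty list means the pairing follows the thread's layout."""
    findings = []
    router_untagged = nic.untagged_network is not None
    switch_untagged = profile.native_vlan is not None

    # Rule from the thread: each NIC is either an untagged access link or a pure tagged trunk.
    if router_untagged and nic.tagged_vlans:
        findings.append(f"{nic.name}: '{nic.untagged_network}' is assigned untagged on the parent "
                        f"interface while VLANs {sorted(nic.tagged_vlans)} are tagged on the same NIC")
    if switch_untagged and profile.tagged_vlans:
        findings.append(f"{profile.name}: native VLAN {profile.native_vlan} combined with tagged "
                        f"VLANs {sorted(profile.tagged_vlans)} in one port profile")

    # Both ends must agree on whether untagged frames are expected at all.
    if router_untagged and not switch_untagged:
        findings.append(f"{nic.name}/{profile.name}: OPNsense expects untagged frames for "
                        f"'{nic.untagged_network}' but the profile has no native VLAN")
    if switch_untagged and not router_untagged:
        findings.append(f"{nic.name}/{profile.name}: switch sends VLAN {profile.native_vlan} untagged "
                        f"but no network is assigned to the parent interface (a native VLAN on a "
                        f"trunk is also the precondition for double-tag VLAN hopping)")

    # Every VLAN subinterface needs the switch to tag that VLAN on this port, and vice versa.
    missing = nic.tagged_vlans - profile.tagged_vlans
    extra = profile.tagged_vlans - nic.tagged_vlans
    if missing:
        findings.append(f"{nic.name}: subinterfaces for VLANs {sorted(missing)} exist but "
                        f"{profile.name} does not tag them, so those networks never reach OPNsense")
    if extra:
        findings.append(f"{profile.name}: tags VLANs {sorted(extra)} that have no subinterface on "
                        f"{nic.name}, so OPNsense has no interface to receive them")
    return findings


VLANS = frozenset({42, 50, 66, 99})

# Constructed model of the original post: LAN untagged on igc2 plus all VLANs tagged on the
# same NIC, facing a switch port whose profile has the Default network native and the VLANs tagged.
ORIGINAL = (
    RouterNic("igc2", "LAN", VLANS),
    SwitchPortProfile("uplink: Default native + VLANs tagged", 1, VLANS),
)

# Constructed model of the layout suggested in the last reply.
# VLAN 10 for the "Main Home Network" is an assumption; the thread does not give that VLAN ID.
RECOMMENDED = [
    (RouterNic("igc1", "LAN", frozenset()),
     SwitchPortProfile("LAN access: VLAN 1 native only", 1, frozenset())),
    (RouterNic("igc2", "Main Home Network", frozenset()),
     SwitchPortProfile("Home access: VLAN 10 native only", 10, frozenset())),
    (RouterNic("igc3", None, VLANS),
     SwitchPortProfile("IoT/Guest trunk: tagged only, no native", None, VLANS)),
]


def audit(pairs) -> dict:
    """Run check_port over (nic, profile) pairs and return {nic name: findings}."""
    return {nic.name: check_port(nic, profile) for nic, profile in pairs}


if __name__ == "__main__":
    for label, pairs in (("original", [ORIGINAL]), ("recommended", RECOMMENDED)):
        for name, findings in audit(pairs).items():
            print(f"[{label}] {name}: {'OK' if not findings else ''}")
            for finding in findings:
                print("   -", finding)
```

Running it reports two findings for the original igc2 pairing (untagged plus tagged on both the NIC and the profile) and nothing for the three recommended pairings. Feed it your own NIC and profile definitions to confirm every subinterface has a matching tagged VLAN on the switch side before you rely on firewall logs to debug reachability.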