Hi everyone,
I'm experiencing a really strange issue with OPNsense 26.1.4 (I came from 25.7). I have several VLANs configured, some existing for a long time and working perfectly (both wired and Wi-Fi), but when I create a new VLAN:
- The VLAN interface is created correctly (Interface -> Assignments), with a static IP set (e.g., 10.10.50.1/24).
- DHCP (dnsmasq) is configured with a proper range.
- Firewall rules are enabled, like on the other VLANs that work.
- Even when setting a fixed IP on clients (VMs or PCs), I cannot ping the firewall and I cannot get an address from DHCP.
- Packet capture on the VLAN interface does not show any traffic, not even pings from LAN to VLAN.
I've verified:
- The VLAN parent is the same as other working VLANs.
- Omada APs and an unmanaged switch are configured correctly, tags are passing.
- Using an old VLAN (with tag 10 for example) works: DHCP and traffic are received properly.
- I've tried changing the VLAN tag, deleting and recreating the VLAN, rebooting OPNsense and switches: nothing works.
Main symptom: the new VLAN seems completely "blind" to traffic, even with a fixed IP. Other VLANs work normally.
I'm asking:
- Has anyone experienced the same behavior on OPNsense 26?
- Could this be a bug in OPNsense 26's kernel / VLAN stack?
Thanks in advance for any suggestions or similar experiences!
Quote from: abranca on March 27, 2026, 03:42:45 PM
[...] I'm asking: [...]
Can't help you there, but two things to look at, if you haven't already: "ifconfig -v" (I just throw in the -v to get optics info) and "netstat -r", to verify all (and I mean all, pedantically) config data.
Quote from: abranca on March 27, 2026, 03:42:45 PM
but when I create a new VLAN:
- Firewall rules are enabled, like on the other VLANs that work.
- Even when setting a fixed IP on clients (VMs or PCs), I cannot ping the firewall and I cannot get an address from DHCP.
- Packet capture on the VLAN interface does not show any traffic, not even pings from LAN to VLAN.
Maybe post your firewall rules then?
Or simply compare them to one of the LAN/VLANs that work?
Quote
I've verified:
- Omada APs and an unmanaged switch are configured correctly, tags are passing.
I am not a big fan of this: what happens when you test without the unmanaged switch?
Quote from: pfry on March 27, 2026, 05:21:55 PM
Quote from: abranca on March 27, 2026, 03:42:45 PM
[...] I'm asking: [...]
Can't help you there, but two things to look at, if you haven't already: "ifconfig -v" (I just throw in the -v to get optics info) and "netstat -r", to verify all (and I mean all, pedantically) config data.
Hi, thanks for your reply. Here are the details after redoing the VLAN from scratch.
VLAN setup:
- VLAN: vlan0.20
- Parent interface: igc1
- VLAN tag: 20
- OPNsense interface: opt4 assigned to vlan0.20
- IP: 10.10.20.1/24 (static)
- No DHCP configured, testing only with static IP
VM setup (Proxmox and physical machine):
- Connected to a NIC with VLAN tag 20
- IP: 10.10.20.2/24
- Gateway: 10.10.20.1
- DNS: 1.1.1.1
- VLAN-aware bridge enabled (vmbr1) (only for Proxmox VM)
Tests performed:
- Ping from VM to gateway: fails
- tcpdump on VM interface: no traffic observed
- Packet capture on OPNsense VLAN interface: no traffic observed
- Ping from LAN to VLAN gateway: works
Observations:
- DHCP is not involved — this is static IP testing.
- Firewall rules are not a factor — packets do not even reach OPNsense.
- Routing/NAT is irrelevant at this stage — traffic is blocked before Layer 3.
- Other VLANs (e.g., VLAN 10, 30, or 40) work normally on the same physical NIC.
- The issue appears only with new VLANs created after upgrading to OPNsense 26.x.
- Old VLANs created under 25.x continue to function normally.
The problem occurs at Layer 2, likely with VLAN tagging or the interaction between OPNsense 26.x and Proxmox, or even a physical machine. Everything worked correctly under OPNsense 25.x. The VM or physical machine cannot send packets through the new VLAN, even with a static IP.
ifconfig -v
igc0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,HWSTATS,MEXTPG>
    ether 00:d0:b4:03:bf:ae
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    drivername: igc0
igc1: flags=1028943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC,LOWER_UP> metric 0 mtu 1500
    description: vlan1_lan (lan)
    options=4902028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,NETMAP,HWSTATS,MEXTPG>
    ether 00:d0:b4:03:bf:af
    inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    drivername: igc1
igc2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,HWSTATS,MEXTPG>
    ether 00:d0:b4:03:bf:b0
    media: Ethernet autoselect
    status: no carrier
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    drivername: igc2
igc3: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: wan2_lte (opt7)
    options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,HWSTATS,MEXTPG>
    ether 00:d0:b4:03:bf:b1
    inet 192.168.10.2 netmask 0xffffff00 broadcast 192.168.10.255
    media: Ethernet autoselect (100baseTX <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    drivername: igc3
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    drivername: lo0
enc0: flags=0 metric 0 mtu 1536
    options=0
    groups: enc
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    drivername: enc0
pfsync0: flags=0 metric 0 mtu 1500
    options=0
    maxupd: 128 defer: off version: 1400
    syncok: 1
    groups: pfsync
    drivername: pfsync0
pflog0: flags=0 metric 0 mtu 33152
    options=0
    groups: pflog
    drivername: pflog0
vlan0.10: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: vlan10_iot (opt3)
    options=4000000<MEXTPG>
    ether 00:d0:b4:03:bf:af
    inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
    groups: vlan
    vlan: 10 vlanproto: 802.1q vlanpcp: 0 parent interface: igc1
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    drivername: vlan0
vlan0.30: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: vlan30_dmz (opt2)
    options=4000000<MEXTPG>
    ether 00:d0:b4:03:bf:af
    inet 172.16.10.1 netmask 0xffffff00 broadcast 172.16.10.255
    groups: vlan
    vlan: 30 vlanproto: 802.1q vlanpcp: 0 parent interface: igc1
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    drivername: vlan2
vlan0.40: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: vlan40_ipc (opt6)
    options=4000000<MEXTPG>
    ether 00:d0:b4:03:bf:af
    inet 10.10.40.1 netmask 0xffffff00 broadcast 10.10.40.255
    groups: vlan
    vlan: 40 vlanproto: 802.1q vlanpcp: 0 parent interface: igc1
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    drivername: vlan3
vlan0.835: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=4000000<MEXTPG>
    ether 00:d0:b4:03:bf:ae
    groups: vlan
    vlan: 835 vlanproto: 802.1q vlanpcp: 0 parent interface: igc0
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    drivername: vlan4
wg0: flags=10080c1<UP,RUNNING,NOARP,MULTICAST,LOWER_UP> metric 0 mtu 1420
    description: vpn_wg (opt5)
    options=80000<LINKSTATE>
    inet 10.10.30.1 netmask 0xffffff00
    groups: wg wireguard
    nd6 options=9<PERFORMNUD,IFDISABLED>
    drivername: wg0
pppoe0: flags=10088d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1492
    description: wan1_ftth (opt1)
    options=0
    inet xx.xx.xx.xx --> zz.zz.zz.zz netmask 0xffffffff
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    drivername: ng0
vlan0.20: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: vlan20_gst (opt4)
    options=4000000<MEXTPG>
    ether 00:d0:b4:03:bf:af
    inet 10.10.20.1 netmask 0xffffff00 broadcast 10.10.20.255
    groups: vlan
    vlan: 20 vlanproto: 802.1q vlanpcp: 0 parent interface: igc1
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    drivername: vlan1
netstat -r
Routing tables

Internet:
Destination          Gateway              Flags   Netif     Expire
default              static-zzz-zzz-zz-   UGS     pppoe0
one.one.one.one      192.168.10.1         UGHS    igc3
10.10.10.0/24        link#9               U       vlan0.10
10.10.10.1           link#5               UHS     lo0
10.10.20.0/24        link#10              U       vlan0.20
10.10.20.1           link#5               UHS     lo0
10.10.30.0/24        link#15              U       wg0
10.10.30.1           link#5               UHS     lo0
10.10.30.2           link#15              UHS     wg0
10.10.30.3           link#15              UHS     wg0
10.10.30.4           link#15              UHS     wg0
10.10.40.0/24        link#12              U       vlan0.40
10.10.40.1           link#5               UHS     lo0
posta                link#5               UHS     lo0
unfiltered.adguard   static-zzz-zzz-zz-   UGHS    pppoe0
unfiltered.adguard   192.168.10.1         UGHS    igc3
localhost            link#5               UH      lo0
172.16.10.0/24       link#11              U       vlan0.30
172.16.10.1          link#5               UHS     lo0
192.168.0.0/24       link#2               U       igc1
fw                   link#5               UHS     lo0
192.168.10.0/24      link#4               U       igc3
192.168.10.1         link#4               UHS     igc3
192.168.10.2         link#5               UHS     lo0
static-zzz-zzz-zz-   link#14              UH      pppoe0

Internet6:
Destination          Gateway              Flags   Netif     Expire
localhost            link#5               UHS     lo0
fe80::%lo0/64        link#5               U       lo0
fe80::1%lo0          link#5               UHS     lo0
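pfry's advice above, to go through ifconfig -v and netstat -r pedantically, can be turned into a script. The following is an added example written for this page, not code from the thread or from OPNsense: it parses FreeBSD-style ifconfig -v and netstat -r text, using trimmed copies of the output posted above as its sample input, and reports for every VLAN child whether its parent exists and is up, whether the child itself is UP/RUNNING with an active link, whether it has an IPv4 address, and whether a connected route for that network points at the child. The checks and the wording of the findings are this example's own.

```python
"""Cross-check VLAN children in `ifconfig -v` against `netstat -r` (FreeBSD/OPNsense).
Added example for this thread, not code from the thread or from OPNsense; the samples are
trimmed copies of the output posted above, the checks and wording are this example's own."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

IFCONFIG_SAMPLE = """\
igc0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    status: active
igc1: flags=1028943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC,LOWER_UP> metric 0 mtu 1500
    inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
    status: active
vlan0.10: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
    vlan: 10 vlanproto: 802.1q vlanpcp: 0 parent interface: igc1
    status: active
vlan0.835: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    vlan: 835 vlanproto: 802.1q vlanpcp: 0 parent interface: igc0
    status: active
vlan0.20: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    inet 10.10.20.1 netmask 0xffffff00 broadcast 10.10.20.255
    vlan: 20 vlanproto: 802.1q vlanpcp: 0 parent interface: igc1
    status: active
"""
NETSTAT_SAMPLE = """\
Internet:
Destination        Gateway            Flags   Netif
default            static-zzz-zzz-zz- UGS     pppoe0
10.10.10.0/24      link#9             U       vlan0.10
10.10.20.0/24      link#10            U       vlan0.20
192.168.0.0/24     link#2             U       igc1
"""

IFACE_RE = re.compile(r"^(\S+): flags=[0-9a-f]+<([^>]*)>")
VLAN_RE = re.compile(r"vlan: (\d+) vlanproto: \S+ vlanpcp: \d+ parent interface: (\S+)")
INET_RE = re.compile(r"inet (\d+\.\d+\.\d+\.\d+) netmask 0x([0-9a-f]{8})")
STATUS_RE = re.compile(r"^status: (.+)")


@dataclass
class Iface:
    name: str
    flags: set
    vlan_id: Optional[int] = None
    parent: Optional[str] = None
    inet: Optional[str] = None      # "10.10.20.1/24" once parsed
    status: Optional[str] = None


def parse_ifconfig(text: str) -> Dict[str, Iface]:
    """A '<name>: flags=...' line opens an interface; every following line belongs to it."""
    ifaces: Dict[str, Iface] = {}
    cur: Optional[Iface] = None
    for line in text.splitlines():
        head = IFACE_RE.match(line)
        if head:
            cur = ifaces[head.group(1)] = Iface(head.group(1), set(head.group(2).split(",")))
            continue
        body = line.strip()
        if cur is None:
            continue
        if m := VLAN_RE.search(body):
            cur.vlan_id, cur.parent = int(m.group(1)), m.group(2)
        elif m := INET_RE.search(body):
            cur.inet = f"{m.group(1)}/{bin(int(m.group(2), 16)).count('1')}"  # 0xffffff00 -> /24
        elif m := STATUS_RE.match(body):
            cur.status = m.group(1).strip()
    return ifaces


def connected_routes(text: str) -> set:
    """{(destination, netif)} for routes with flag U and no gateway flag G; headers skipped."""
    rows = [l.split() for l in text.splitlines()]
    return {(r[0], r[3]) for r in rows if len(r) >= 4 and r[0] != "Destination"
            and "U" in r[2] and "G" not in r[2]}


def check_vlans(ifaces: Dict[str, Iface], connected: set) -> List[str]:
    """One finding per problem a pedantic config review would raise."""
    findings: List[str] = []
    for name in sorted(ifaces):
        i = ifaces[name]
        if i.vlan_id is None:
            continue
        parent = ifaces.get(i.parent or "")
        if parent is None:
            findings.append(f"{name}: parent {i.parent} not found in ifconfig output")
        elif not {"UP", "RUNNING"} <= parent.flags or parent.status != "active":
            findings.append(f"{name}: parent {i.parent} is not UP/RUNNING/active")
        if not {"UP", "RUNNING"} <= i.flags or i.status != "active":
            findings.append(f"{name}: not UP/RUNNING/active (status={i.status})")
        if i.inet is None:
            findings.append(f"{name}: no IPv4 address assigned")
            continue
        network = str(ipaddress.ip_interface(i.inet).network)
        if (network, name) not in connected:
            findings.append(f"{name}: no connected route for {network} via {name}")
    return findings
```

Run against the posted output, the only finding is that vlan0.835 has no IPv4 address; whether that is intended (a VLAN that only carries a PPPoE session would look exactly like that) is for the operator to judge, which is the point of listing it rather than hiding it. On a live box, feed it `ifconfig -v` and `netstat -r` output directly instead of the embedded samples.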
Quote from: nero355 on March 27, 2026, 05:40:21 PM
Quote from: abranca on March 27, 2026, 03:42:45 PM
but when I create a new VLAN:
- Firewall rules are enabled, like on the other VLANs that work.
- Even when setting a fixed IP on clients (VMs or PCs), I cannot ping the firewall and I cannot get an address from DHCP.
- Packet capture on the VLAN interface does not show any traffic, not even pings from LAN to VLAN.
Maybe post your firewall rules then?
Or simply compare them to one of the LAN/VLANs that work?
Quote
I've verified:
- Omada APs and an unmanaged switch are configured correctly, tags are passing.
I am not a big fan of this: what happens when you test without the unmanaged switch?
Hi, thanks for the help!
I've already created a "pass any" rule on the vlan20_gst interface just for testing, so there are currently no filters that could block traffic. The rule is:
Interface: vlan20_gst
Type: IPv4
Source: *
Destination: *
Gateway: Failover_GW
Description: Pass any rule
It allows all traffic to any destination via the failover gateway, so it shouldn't be causing the issue.
At the moment, this VLAN isn't used on Omada — due to the problems, I've kept the setup at the bare minimum. I'm using an unmanaged switch between OPNsense and the VM/AP, which I know isn't ideal, but all other existing VLANs (10, 30, 40) work normally. The problem only appears on newly created VLANs after updating to OPNsense 26.x.
Even with a static IP on a VM or a physical machine, I cannot ping the gateway of the new VLAN, and packet captures on the interface show no traffic at all.
In short, this looks like a Layer 2 issue that doesn't seem to depend on firewall rules or DHCP.
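The "Layer 2 issue" conclusion can be tested against the bytes on the wire rather than inferred from a silent capture on vlan0.20. What follows is an added example for this page, not code from the thread, OPNsense or Proxmox: it builds the 802.1Q-tagged ARP request a client at 10.10.20.2 would broadcast for its gateway 10.10.20.1 in VLAN 20, and decodes captured frames back into VLAN ID, EtherType and ARP sender/target. The client MAC address and the three-frame sample capture are constructed. Reading a capture taken on the parent igc1 this way separates two cases the thread could not: tagged VID 20 frames arriving at the parent while the child stays silent points at the firewall, and no VID 20 frames at the parent at all points upstream.

```python
"""Build and decode 802.1Q-tagged ARP frames.
Added example for this thread, not code from the thread, OPNsense or Proxmox.
The MAC address and the sample capture are constructed for illustration."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

TPID_8021Q = 0x8100     # EtherType value announcing that a VLAN tag follows
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6
MIN_FRAME = 60          # minimum Ethernet frame length without the 4-byte FCS


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def ip_bytes(text: str) -> bytes:
    return bytes(int(o) for o in text.split("."))


def build_arp_request(src_mac: str, src_ip: str, target_ip: str,
                      vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Broadcast ARP 'who-has target_ip'; carries an 802.1Q tag when vid is given."""
    # htype=1 (Ethernet), ptype=IPv4, hlen=6, plen=4, op=1 (request)
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1)
    arp += mac_bytes(src_mac) + ip_bytes(src_ip) + b"\x00" * 6 + ip_bytes(target_ip)
    header = BROADCAST + mac_bytes(src_mac)
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VID must be 1..4094")
        tci = ((pcp & 0x7) << 13) | vid          # PCP(3) | DEI(1)=0 | VID(12)
        header += struct.pack("!HH", TPID_8021Q, tci)
    header += struct.pack("!H", ETHERTYPE_ARP)
    return (header + arp).ljust(MIN_FRAME, b"\x00")   # pad to minimum size like a NIC


@dataclass
class Frame:
    dst: str
    src: str
    vid: Optional[int]          # None means untagged
    pcp: Optional[int]
    ethertype: int
    arp_op: Optional[int] = None
    arp_sender_ip: Optional[str] = None
    arp_target_ip: Optional[str] = None


def decode_frame(raw: bytes) -> Frame:
    """Strip an optional 802.1Q tag; for ARP also pull out op and IP addresses."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    dst, src, off = raw[0:6].hex(":"), raw[6:12].hex(":"), 12
    (ethertype,) = struct.unpack_from("!H", raw, off)
    off += 2
    vid = pcp = None
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack_from("!H", raw, off)
        pcp, vid = tci >> 13, tci & 0x0FFF
        (ethertype,) = struct.unpack_from("!H", raw, off + 2)   # inner EtherType
        off += 4
    frame = Frame(dst, src, vid, pcp, ethertype)
    payload = raw[off:]
    if ethertype == ETHERTYPE_ARP and len(payload) >= 28:
        _, _, hlen, plen, frame.arp_op = struct.unpack_from("!HHBBH", payload, 0)
        s, t = 8 + hlen, 8 + 2 * hlen + plen          # sender IP and target IP offsets
        frame.arp_sender_ip = ".".join(map(str, payload[s:s + plen]))
        frame.arp_target_ip = ".".join(map(str, payload[t:t + plen]))
    return frame


def vlan_inventory(capture: List[bytes]) -> Dict[Optional[int], int]:
    """Frames per VID (None = untagged): the first thing to read off a trunk capture."""
    counts: Dict[Optional[int], int] = {}
    for raw in capture:
        vid = decode_frame(raw).vid
        counts[vid] = counts.get(vid, 0) + 1
    return counts


def frames_for_vlan(capture: List[bytes], vid: int) -> List[Frame]:
    """Equivalent of the `vlan <id>` capture filter, applied after the fact."""
    return [f for f in map(decode_frame, capture) if f.vid == vid]


CLIENT_MAC = "52:54:00:aa:bb:cc"   # constructed
SAMPLE_CAPTURE = [                 # constructed: what a capture on the trunk parent might hold
    build_arp_request(CLIENT_MAC, "10.10.10.5", "10.10.10.1", vid=10),
    build_arp_request(CLIENT_MAC, "10.10.20.2", "10.10.20.1", vid=20),
    build_arp_request(CLIENT_MAC, "192.168.0.50", "192.168.0.1"),   # untagged LAN frame
]
```

The live counterpart on OPNsense is a capture on the parent rather than the child: `tcpdump -nei igc1 vlan 20` prints the link-level header including the tag for VID 20 only, and `tcpdump -nei igc1 vlan` shows every tagged frame so the set of VIDs actually reaching the trunk port can be compared with what the switch and hypervisor are supposed to send.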
Quote from: abranca on March 28, 2026, 09:06:27 AM
[...] Parent interface: igc1 [...]
igc1: flags=1028943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC,LOWER_UP> metric 0 mtu 1500
    description: vlan1_lan (lan)
    [...]
    inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
    [...]
I do not configure the main interface that I use for VLANs, as it doesn't fly at all when using bridges. I can't say if it's your issue, though - too many differences in our setups.
Hi everyone,
I'd like to summarize my recent experience with VLANs on OPNsense, hoping it might help others.
Scenario:
- I have several VLANs configured: some older (created on 25.x) and some new (created on 26.x).
- The older VLANs work perfectly.
- The new VLANs did not pass any traffic, even with a static IP. I did not use DHCP for testing.
- Firewall rules and routing seem irrelevant: packets didn't reach the OPNsense interface at all.
- Packet captures on the VLAN interface and client NICs showed no traffic, even though pings from LAN to the VLAN gateway responded.
- Tested on both a Proxmox VM and a physical machine.
Actions taken:
- Migrated DHCP from ISC to dnsmasq (already working for about 20 days).
- Transferred firewall rules from the old format to the new one (a few days ago).
- Upgraded OPNsense from 26.1.4 to 26.1.5.
- After each migration and upgrade, I always rebooted, but the new VLANs still didn't work.
- Created a new VLAN: completely non-functional.
- Tried restoring a previous backup (26.1.3): VLAN still not working.
- Restored the latest backup (26.1.5) and rebooted OPNsense: the new VLANs started working.
Observations:
- The issue affects only new VLANs created after the 26.x upgrade.
- Older VLANs continue to work normally on the same NIC.
- No clear logical explanation: it could be some internal state or cache that gets cleared by a full reboot.
- The setup uses unmanaged switches; VLANs are handled by OPNsense/Proxmox/Omada controller.
- The fact that previous reboots didn't solve the issue suggests some anomalous internal condition in OPNsense was interfering with the new VLANs.
If you encounter new VLANs not passing traffic, try doing a full reboot of OPNsense after restoring the latest working configuration.
No changes to firewall rules or switches were necessary.