Hi everyone,
I'm experiencing a really strange issue with OPNsense 26.1.4 (I came from 25.7). I have several VLANs configured, some existing for a long time and working perfectly (both wired and Wi-Fi), but when I create a new VLAN:
- The VLAN interface is created correctly (Interface -> Assignments), with a static IP set (e.g., 10.10.50.1/24).
- DHCP (dnsmasq) is configured with a proper range.
- Firewall rules are enabled, like the other VLANs that work.
- Even when setting a fixed IP on clients (VMs or PCs), I cannot ping the firewall and I cannot get an address from DHCP.
- Packet capture on the VLAN interface does not show any traffic, not even pings from LAN to VLAN.
I've verified:
- The VLAN parent is the same as other working VLANs.
- Omada APs and an unmanaged switch are configured correctly, tags are passing.
- Using an old VLAN (with tag 10 for example) works: DHCP and traffic are received properly.
- I've tried changing the VLAN tag, deleting and recreating the VLAN, rebooting OPNsense and switches: nothing works.
Main symptom: the new VLAN seems completely "blind" to traffic, even with a fixed IP. Other VLANs work normally.
I'm asking:
- Has anyone experienced the same behavior on OPNsense 26?
- Could this be a bug in OPNsense 26's kernel / VLAN stack?
Thanks in advance for any suggestions or similar experiences!
Quote from: abranca on March 27, 2026, 03:42:45 PM
[...] I'm asking: [...]
Can't help you there, but two things to look at, if you haven't already: "ifconfig -v" (I just throw in the -v to get optics info) and "netstat -r", to verify all (and I mean all, pedantically) config data.
Quote from: abranca on March 27, 2026, 03:42:45 PM
but when I create a new VLAN:
- Firewall rules are enabled, like the other VLANs that work.
- Even when setting a fixed IP on clients (VMs or PCs), I cannot ping the firewall and I cannot get an address from DHCP.
- Packet capture on the VLAN interface does not show any traffic, not even pings from LAN to VLAN.
Maybe post your firewall rules then?
Or simply compare them to one of the LAN/VLANs that work?
Quote
I've verified:
- Omada APs and an unmanaged switch are configured correctly, tags are passing.
I am not a big fan of this: what happens when you test without the unmanaged switch?
Quote from: pfry on March 27, 2026, 05:21:55 PM
Quote from: abranca on March 27, 2026, 03:42:45 PM
[...] I'm asking: [...]
Can't help you there, but two things to look at, if you haven't already: "ifconfig -v" (I just throw in the -v to get optics info) and "netstat -r", to verify all (and I mean all, pedantically) config data.
Hi, thanks for your reply. Here are the details after redoing the VLAN from scratch.
VLAN setup:
- VLAN: vlan0.20
- Parent interface: igc1
- VLAN tag: 20
- OPNsense interface: opt4 assigned to vlan0.20
- IP: 10.10.20.1/24 (static)
- No DHCP configured, testing only with static IP
VM setup (Proxmox and physical machine):
- Connected to a NIC with VLAN tag 20
- IP: 10.10.20.2/24
- Gateway: 10.10.20.1
- DNS: 1.1.1.1
- VLAN-aware bridge enabled (vmbr1) (only for Proxmox VM)
Tests performed:
- Ping from VM to gateway: fails
- tcpdump on VM interface: no traffic observed
- Packet capture on OPNsense VLAN interface: no traffic observed
- Ping from LAN to VLAN gateway: works
Observations:
- DHCP is not involved — this is static IP testing.
- Firewall rules are not a factor — packets do not even reach OPNsense.
- Routing/NAT is irrelevant at this stage — traffic is blocked before Layer 3.
- Other VLANs (e.g., VLAN 10, 30, or 40) work normally on the same physical NIC.
- The issue appears only with new VLANs created after upgrading to OPNsense 26.x.
- Old VLANs created under 25.x continue to function normally.
The problem occurs at Layer 2, likely with VLAN tagging or interaction between OPNsense 26.x and Proxmox or even a physical machine. Everything worked correctly under OPNsense 25.x. The VM or physical machine cannot send packets through the new VLAN, even with a static IP.
ifconfig -v
igc0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,HWSTATS,MEXTPG>
ether 00:d0:b4:03:bf:ae
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
drivername: igc0
igc1: flags=1028943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC,LOWER_UP> metric 0 mtu 1500
description: vlan1_lan (lan)
options=4902028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,NETMAP,HWSTATS,MEXTPG>
ether 00:d0:b4:03:bf:af
inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
drivername: igc1
igc2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,HWSTATS,MEXTPG>
ether 00:d0:b4:03:bf:b0
media: Ethernet autoselect
status: no carrier
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
drivername: igc2
igc3: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: wan2_lte (opt7)
options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,HWSTATS,MEXTPG>
ether 00:d0:b4:03:bf:b1
inet 192.168.10.2 netmask 0xffffff00 broadcast 192.168.10.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
drivername: igc3
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
drivername: lo0
enc0: flags=0 metric 0 mtu 1536
options=0
groups: enc
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
drivername: enc0
pfsync0: flags=0 metric 0 mtu 1500
options=0
maxupd: 128 defer: off version: 1400
syncok: 1
groups: pfsync
drivername: pfsync0
pflog0: flags=0 metric 0 mtu 33152
options=0
groups: pflog
drivername: pflog0
vlan0.10: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: vlan10_iot (opt3)
options=4000000<MEXTPG>
ether 00:d0:b4:03:bf:af
inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
groups: vlan
vlan: 10 vlanproto: 802.1q vlanpcp: 0 parent interface: igc1
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
drivername: vlan0
vlan0.30: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: vlan30_dmz (opt2)
options=4000000<MEXTPG>
ether 00:d0:b4:03:bf:af
inet 172.16.10.1 netmask 0xffffff00 broadcast 172.16.10.255
groups: vlan
vlan: 30 vlanproto: 802.1q vlanpcp: 0 parent interface: igc1
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
drivername: vlan2
vlan0.40: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: vlan40_ipc (opt6)
options=4000000<MEXTPG>
ether 00:d0:b4:03:bf:af
inet 10.10.40.1 netmask 0xffffff00 broadcast 10.10.40.255
groups: vlan
vlan: 40 vlanproto: 802.1q vlanpcp: 0 parent interface: igc1
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
drivername: vlan3
vlan0.835: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
options=4000000<MEXTPG>
ether 00:d0:b4:03:bf:ae
groups: vlan
vlan: 835 vlanproto: 802.1q vlanpcp: 0 parent interface: igc0
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
drivername: vlan4
wg0: flags=10080c1<UP,RUNNING,NOARP,MULTICAST,LOWER_UP> metric 0 mtu 1420
description: vpn_wg (opt5)
options=80000<LINKSTATE>
inet 10.10.30.1 netmask 0xffffff00
groups: wg wireguard
nd6 options=9<PERFORMNUD,IFDISABLED>
drivername: wg0
pppoe0: flags=10088d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1492
description: wan1_ftth (opt1)
options=0
inet xx.xx.xx.xx --> zz.zz.zz.zz netmask 0xffffffff
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
drivername: ng0
vlan0.20: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: vlan20_gst (opt4)
options=4000000<MEXTPG>
ether 00:d0:b4:03:bf:af
inet 10.10.20.1 netmask 0xffffff00 broadcast 10.10.20.255
groups: vlan
vlan: 20 vlanproto: 802.1q vlanpcp: 0 parent interface: igc1
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
drivername: vlan1
netstat -r
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default static-zzz-zzz-zz- UGS pppoe0
one.one.one.one 192.168.10.1 UGHS igc3
10.10.10.0/24 link#9 U vlan0.10
10.10.10.1 link#5 UHS lo0
10.10.20.0/24 link#10 U vlan0.20
10.10.20.1 link#5 UHS lo0
10.10.30.0/24 link#15 U wg0
10.10.30.1 link#5 UHS lo0
10.10.30.2 link#15 UHS wg0
10.10.30.3 link#15 UHS wg0
10.10.30.4 link#15 UHS wg0
10.10.40.0/24 link#12 U vlan0.40
10.10.40.1 link#5 UHS lo0
posta link#5 UHS lo0
unfiltered.adguard static-zzz-zzz-zz- UGHS pppoe0
unfiltered.adguard 192.168.10.1 UGHS igc3
localhost link#5 UH lo0
172.16.10.0/24 link#11 U vlan0.30
172.16.10.1 link#5 UHS lo0
192.168.0.0/24 link#2 U igc1
fw link#5 UHS lo0
192.168.10.0/24 link#4 U igc3
192.168.10.1 link#4 UHS igc3
192.168.10.2 link#5 UHS lo0
static-zzz-zzz-zz- link#14 UH pppoe0
Internet6:
Destination Gateway Flags Netif Expire
localhost link#5 UHS lo0
fe80::%lo0/64 link#5 U lo0
fe80::1%lo0 link#5 UHS lo0
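An added example (an editor's addition, not code from this thread or from OPNsense): a small Python script that parses `ifconfig -v` output in the form posted above and checks every 802.1Q child against its parent, namely that the parent exists and is UP/RUNNING/active, that the tag is unique on that parent, that the child itself is UP/RUNNING/active with an IPv4 address and an MTU no larger than the parent's, and which VLAN_HW* offloads the parent currently advertises. The sample text embedded in it is a trimmed copy of the output in this post; the file name `vlan_audit.py` and the set of checks are assumptions of the example. A clean report only says the kernel-side VLAN configuration is consistent; it does not show that tagged frames are actually arriving on the parent, which a capture on `igc1` itself would have to confirm.

```python
"""Audit 802.1Q child interfaces in FreeBSD/OPNsense `ifconfig -v` output.
Added example for this thread, not OPNsense code: checks each vlan child against
its parent and reports which VLAN offloads the parent advertises."""
import ipaddress
import re
import sys
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the `ifconfig -v` output posted above.
IFCONFIG_SAMPLE = """\
igc0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        ether 00:d0:b4:03:bf:ae
        status: active
igc1: flags=1028943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC,LOWER_UP> metric 0 mtu 1500
        options=4902028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,NETMAP,HWSTATS,MEXTPG>
        ether 00:d0:b4:03:bf:af
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        status: active
vlan0.835: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        ether 00:d0:b4:03:bf:ae
        vlan: 835 vlanproto: 802.1q vlanpcp: 0 parent interface: igc0
        status: active
vlan0.20: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: vlan20_gst (opt4)
        ether 00:d0:b4:03:bf:af
        inet 10.10.20.1 netmask 0xffffff00 broadcast 10.10.20.255
        vlan: 20 vlanproto: 802.1q vlanpcp: 0 parent interface: igc1
        status: active
"""
HEADER_RE = re.compile(r"^(?P<name>[\w.]+): flags=[0-9a-f]+(?:<(?P<flags>[^>]*)>)?.*\bmtu (?P<mtu>\d+)")
OPTIONS_RE = re.compile(r"^options=[0-9a-f]+<(?P<opts>[^>]*)>")
INET_RE = re.compile(r"^inet (?P<addr>\d+\.\d+\.\d+\.\d+) netmask (?P<mask>0x[0-9a-f]{8})")
VLAN_RE = re.compile(r"^vlan: (?P<tag>\d+) vlanproto: \S+ .*parent interface: (?P<parent>\S+)")
STATUS_RE = re.compile(r"^status: (?P<status>.+)$")

@dataclass
class Iface:
    name: str
    flags: set
    mtu: int
    options: set = field(default_factory=set)
    inet: list = field(default_factory=list)   # ipaddress.IPv4Interface objects
    status: str = ""
    vlan_tag: int = 0                          # 0 = not an 802.1Q child
    vlan_parent: str = ""

def parse_ifconfig(text):
    """A `name: flags=...` line opens an interface; any other non-empty line
    (indented, or flush left as in a forum paste) belongs to the current one."""
    ifaces, cur = {}, None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if (m := HEADER_RE.match(line)):
            cur = Iface(m["name"], set(filter(None, (m["flags"] or "").split(","))), int(m["mtu"]))
            ifaces[cur.name] = cur
        elif cur is None:
            continue
        elif (m := OPTIONS_RE.match(line)):
            cur.options = set(filter(None, m["opts"].split(",")))
        elif (m := INET_RE.match(line)):
            mask = ipaddress.IPv4Address(int(m["mask"], 16))        # 0xffffff00 -> 255.255.255.0
            cur.inet.append(ipaddress.IPv4Interface(f"{m['addr']}/{mask}"))
        elif (m := VLAN_RE.match(line)):
            cur.vlan_tag, cur.vlan_parent = int(m["tag"]), m["parent"]
        elif (m := STATUS_RE.match(line)):
            cur.status = m["status"]
    return ifaces

def audit_vlans(ifaces):
    """Return (interface, severity, message) findings for every vlan child."""
    findings, seen, up = [], {}, {"UP", "RUNNING"}   # seen: (parent, tag) -> first child
    for name, i in sorted(ifaces.items()):
        if not i.vlan_parent:
            continue
        parent = ifaces.get(i.vlan_parent)
        if parent is None:
            findings.append((name, "ERROR", f"parent {i.vlan_parent} not present in ifconfig output"))
            continue
        key = (parent.name, i.vlan_tag)
        if key in seen:
            findings.append((name, "ERROR", f"tag {i.vlan_tag} on {parent.name} already used by {seen[key]}"))
        seen.setdefault(key, name)
        if not up <= parent.flags or parent.status != "active":
            findings.append((name, "ERROR", f"parent {parent.name} is not UP/RUNNING/active"))
        if not up <= i.flags or i.status != "active":
            findings.append((name, "ERROR", "child is not UP/RUNNING/active"))
        if i.mtu > parent.mtu:
            findings.append((name, "ERROR", f"mtu {i.mtu} exceeds parent mtu {parent.mtu}"))
        if not i.inet:
            findings.append((name, "WARN", "no IPv4 address configured"))
        offloads = sorted(o for o in parent.options if o.startswith("VLAN_HW"))
        findings.append((name, "INFO", f"parent {parent.name} VLAN offloads: {', '.join(offloads) or 'none'}"))
    return findings

if __name__ == "__main__":
    text = IFCONFIG_SAMPLE if sys.stdin.isatty() else sys.stdin.read()   # ifconfig -v | python3 vlan_audit.py
    for name, sev, msg in audit_vlans(parse_ifconfig(text)):
        print(f"{sev:5} {name}: {msg}")
```

Pipe live output into it with `ifconfig -v | python3 vlan_audit.py`. On the output posted above the INFO line for every child on `igc1` reports no VLAN_HW* offloads, because the parent's options list carries neither VLAN_HWTAGGING nor VLAN_HWFILTER, so tag insertion and stripping are done in software by vlan(4) for all of those children, the working ones included.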
Quote from: nero355 on March 27, 2026, 05:40:21 PM
Quote from: abranca on March 27, 2026, 03:42:45 PM
but when I create a new VLAN:
- Firewall rules are enabled, like the other VLANs that work.
- Even when setting a fixed IP on clients (VMs or PCs), I cannot ping the firewall and I cannot get an address from DHCP.
- Packet capture on the VLAN interface does not show any traffic, not even pings from LAN to VLAN.
Maybe post your firewall rules then?
Or simply compare them to one of the LAN/VLANs that work?
Quote
I've verified:
- Omada APs and an unmanaged switch are configured correctly, tags are passing.
I am not a big fan of this: what happens when you test without the unmanaged switch?
Hi, thanks for the help!
I've already created a "pass any" rule on the vlan20_gst interface just for testing, so there are currently no filters that could block traffic. The rule is:
Interface: vlan20_gst
Type: IPv4
Source: *
Destination: *
Gateway: Failover_GW
Description: Pass any rule
It allows all traffic to any destination via the failover gateway, so it shouldn't be causing the issue.
At the moment, this VLAN isn't used on Omada — due to the problems, I've kept the setup at the bare minimum. I'm using an unmanaged switch between OPNsense and the VM/AP, which I know isn't ideal, but all other existing VLANs (10, 30, 40) work normally. The problem only appears on newly created VLANs after updating to OPNsense 26.x.
Even with a static IP on a VM or a physical machine, I cannot ping the gateway of the new VLAN, and packet captures on the interface show no traffic at all.
In short, this looks like a Layer 2 issue that doesn't seem to depend on firewall rules or DHCP.
Quote from: abranca on Today at 09:06:27 AM
[...] Parent interface: igc1 [...]
igc1: flags=1028943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC,LOWER_UP> metric 0 mtu 1500
description: vlan1_lan (lan)
[...]
inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
[...]
I do not configure the main interface that I use for VLANs, as it doesn't fly at all when using bridges. I can't say if it's your issue, though - too many differences in our setups.