
Messages - sparticle

#1
Many thanks.

Your workaround worked using Archive Manager. I also managed to extract it using 7z on the command line, but not via the GUI.

Cheers
#2
Yes, checked the shasum. This was via my Ubuntu 24.04 desktop.

Cheers
#3
Tried downloading the latest DVD ISO from a few mirrors. Once downloaded, I cannot get it to extract the ISO.

See attached image.

Does anyone else have this issue?

Cheers
#4
Any further thoughts?
#5
Yes, exactly like the VLAN 50 setup on the HP switch. If I plug into port 11 or 12 I get a correct lease in the VLAN 50 network. If I plug into port 9 I get no lease.

Inside ESXi the vSwitch has a PG for the OPNsense LAN connection and another PG for VLAN 30, which has the OPNsense Guest network (10.0.30.0/24, providing DHCP and DNS) connected and also a test VM. The test VM gets a correct lease in the Guest network VLAN 30.

I also configured a new wifi network on VLAN 30 and that also cannot provide leases to connected devices.

Confused! The only thing I can think of is that the OPNsense LAN PG is operating in VGT mode (VLAN ID 4095) and the new PG for VLAN 30 is operating in VST mode (VLAN ID 30).

#6
Quote from: Patrick M. Hausen on October 21, 2024, 04:32:29 PM
You need a trunk port carrying all your tagged VLANs/portgroups from ESXi to your switch. This definitely works. How do you think large enterprises with dozens/hundreds of VLANs on VMware do it?

I already have this in place.

Port       U    T        Link Type   PVID
GE1/0/9    30            Access      30
GE1/0/11   50            Access      50
GE1/0/1    1    30, 50   Trunk       1

Port 1 is the TRUNK, working perfectly on VLAN 50 and I suspect on VLAN 30, but no lease on port 9.
#7
Interesting. This second method, attaching a new vNIC to the OPNsense VM and configuring a new network to provide services for VLAN 30 for instance, then creating a PG for VLAN 30 and attaching the new VM NIC to it, does not work outside of the ESXi server! Inside (VM to VM) I can spin up another VM, attach it to the same PG and get a DHCP lease in the correct VLAN 30 subnet. Outside, on the HP switch, if I connect my laptop to a VLAN 30 access port (VLAN ID 30, PVID 30) and pass the tagged VLAN 30 traffic via the TRUNK port, I get no lease and cannot connect to the VLAN 30 subnet.

And I thought I might have been getting somewhere......

#8
Quote from: Patrick M. Hausen on October 21, 2024, 03:53:36 PM
You're correct about the virtual NIC.

As I wrote multiple thoughts on the vNIC, which bit of what I wrote is correct?

Quote
AH OK, I think I am starting to get it. You are saying that the new VM-provided vNIC is just another NIC in OPNsense that I can assign to a network I create called Guest, for instance, with an address and subnet configured for the VLAN like 10.0.50.254/24, then add DHCP, DNS, etc. to that interface and rules as before. At this point it is just a subnet. I would have connected that vNIC to the PG for VLAN 50 in the VM settings in ESXi. All traffic in/out of the Guest NIC in OPNsense would be untagged until it gets to the PG, which would tag it as VLAN 50(?). Is this correct?
This?
#9
Quote
Not a VLAN - from the guest OS' point of view that is just a regular untagged interface. So you assign an interface and then create rules, DHCP, etc. as you would with VLANs. But all the switching fabric things happen in the vSwitch.

AH OK, I think I am starting to get it. You are saying that the new VM-provided vNIC is just another NIC in OPNsense that I can assign to a network I create called Guest, for instance, with an address and subnet configured for the VLAN like 10.0.50.254/24, then add DHCP, DNS, etc. to that interface and rules as before. At this point it is just a subnet. I would have connected that vNIC to the PG for VLAN 50 in the VM settings in ESXi. All traffic in/out of the Guest NIC in OPNsense would be untagged until it gets to the PG, which would tag it as VLAN 50(?). Is this correct? I thought that PGs only allowed tagged VLAN traffic matching the VLAN ID set on the PG config: 0 (default), or a VLAN ID, or 4095 for all?

Currently, the one working VLAN 50 is configured in OPNsense as per the guide and assigned to the LAN parent interface as VLAN 50. The PG that OPNsense talks to is set as 4095 and it works, although I am now questioning that, as I believe setting 4095 on the PG means it matches all VLANs.

I need to completely rethink this if your guidance is the right way to do this, as this is the start of a journey and I am keen to get to the destination the right way.

#10
So you seem to be saying I need to create a PG per VLAN attached to the vSwitch. Then, in order to use that, create a new vNIC in the OPNsense VM for each VLAN and attach it to the VLAN PG.

Then in OPNsense create the VLAN and assign it to the new VM vNIC?

#11
Many thanks to all for replying. As this is part of migrating from a single flat network that has many services running, I need to be comfortable with the configuration and operation of VLANs on both the devices and the network infrastructure.

Current status is that I upgraded my OPNsense to the latest 4.1 and started from scratch with a clean config. Recreated my old LAN and rules etc.

Then set up one VLAN exactly as before. I now have one VLAN working across both switches and can get appropriate DHCP, DNS, etc. services. Reading a lot on the ESXi side, there have been challenges with more than one VLAN. I had to set the PG VLAN ID in ESXi that the OPNsense LAN NIC sits on to 4095 to allow the tagged VLAN packets in and out.

There is no granularity on the PG config to set untagged or tagged. It is either 0 (default), a specific VLAN tag, or 4095 (all).

#12
I already have two perfectly good managed switches I am working with. As my OPNsense is virtualised in an ESXi VM, there seems to be a lot of stuff out there about VLANs not working correctly with 6.7 vSwitches and port groups with the VMXNET3 adaptor.

Timed out on this for a while whilst I make some more of that minimum wage ;)

#13
Quote from: cookiemonster on October 20, 2024, 10:53:46 PM
Hi. I am certainly not an expert, but from this it seems your interface to OPN is mixed with tagged and untagged traffic. I have it on good authority that that is not the supported configuration.
The trunk i.e. the port with all the VLANs in it coming into OPN should be set to tagged traffic only.
So, on the switch is tagged on trunk to OPN, the rest of ports as access.

That said maybe that's how you have it setup and I just don't understand your switch's nomenclature.

Are you saying that the trunk port cannot carry the default VLAN 1 untagged?

Currently PORT 1, the trunk port to OPNsense, has VLAN 1 (default) untagged and VLAN 50 tagged. I can't see any way of setting VLAN 1 as tagged on the TRUNK port! The default VLAN 1 is always untagged AFAIK.

Many thanks for taking the time to reply.

Cheers
#14
Quote from: bimbar on October 20, 2024, 03:36:32 PM
Seems fine to me. Probably something simple and stupid, but those are the ones that are hardest to find.

Thank you for replying, but like what? What simple checkbox or config item can stop all VLANs from working on a parent interface? This is a simple single-VLAN config attached to the parent LAN interface. It is like OPNsense is ignoring any VLAN tagging coming into the parent.

#15
24.1, 24.4 Legacy Series / Simple VLAN doesn't work.
October 20, 2024, 04:06:21 PM
I really need some help with this.

I have now a very simple setup.

The main OPNsense config is as it was, with the addition of a single VLAN config. I restored the config from a previous point before I started messing with VLANs to ensure I was back at my base config for the network. I followed this guide https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-vlan-on-opnsense and set up the VLAN exactly as the LAN is configured but with a new subnet, with the LAN interface as the parent. The new VLAN 50 interface OFFICE has DHCP services configured exactly the same as the LAN interface, in the new subnet, e.g. 10.0.50.0/24 with an interface address of 10.0.50.254. I have cloned the firewall "any" rule from the LAN to the OFFICE net. Everything appears to be set up correctly. As I have an any rule on the LAN, I can ping the OFFICE interface from outside the OPNsense server from my PC on the main switch.

On the HP switch that OPNsense is connected to I have configured VLAN 50 and the ACCESS and TRUNK ports to connect to OPNsense and the other switches. See attached image of the setup. This is a very simple setup to get one VLAN working. It doesn't work: I cannot get DHCP from OPNsense, and even if I configure a static IP in the OFFICE subnet I cannot ping the OPNsense OFFICE interface.

I am completely at a loss as to why this is not working. The VLAN config on the switch looks right. The OPNsense VLAN config looks right; I have FW rules and DHCP and DNS services on the OFFICE VLAN.

In words the switch is configured as follows. See image for detail.

Port 1 TRUNK Untagged 1 Tagged 50 PVID 1 (LINK TO OPNSENSE)
Ports 11 and 12 ACCESS Untagged 50 PVID 50 (LAPTOP TEST PORTS)
Port 17 TRUNK Untagged 1 Tagged 50 PVID 1 (WAP with 2 wifi networks, 1 on the default VLAN and 1 on VLAN 50)
Port 25 TRUNK Untagged 1 Tagged 50 PVID 1 (LINK TO REST OF NETWORK)

This should work but it doesn't; OPNsense shows no packets on the OFFICE interface.

Can anyone please put me out of my misery and help me get VLANs working.

Just to add, I know the switch is working as I can configure an admin address on the switch in the VLAN 50 subnet and I can ping it from the laptop on the VLAN 50 network. So I know the switch ports are working as expected within the switch. I also know the switch VLAN config is working between switches. I can ping the HP on its VLAN 50 address from the Netgear, connected via a TRUNK to TRUNK connection to the HP port 25, using the laptop manually configured with a VLAN 50 IP.

BUT, I get destination host unreachable and no route to host if I try to ping the OPNsense VLAN 50 interface on 10.0.50.254. No packets are received on the OPNsense OFFICE (VLAN 50) interface. Also the WAP on the HP TRUNK port 17 gets no DHCP service either. I can configure a static IP on the wifi connection and connect to the VLAN 50 wifi network but can't get anywhere.

It is like any VLAN subnet on the LAN interface is blocked, and I suspect that pinging the VLAN 50 address from the default network is simply getting a response from the parent interface, as stats show no packets on the VLAN 50 interface.

What is going on here?

Cheers
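
Added example (my code, not from this thread, OPNsense or VMware): a small Python model of the three port-group VLAN settings argued over in posts #5 to #11 (0, a specific VLAN ID, 4095) and, for post #15, of which OPNsense interface ends up counting a frame. The mode semantics (EST drops tagged frames, VST strips/adds one tag and drops the rest, VGT passes tags through) are an assumed simplification of the real vSwitch, and the MAC addresses and DHCP payloads are constructed. It does not diagnose the poster's fault; it shows what each combination should deliver to the guest, including the case where a tagged frame arrives on a parent that has no matching VLAN sub-interface and so is counted nowhere.

```python
"""
Simplified model of how an ESXi vSwitch port group (PG) treats 802.1Q tags,
and which OPNsense interface would see the result.

Assumed behaviour (simplified; not taken from VMware documentation):
  PG VLAN ID 0      -> EST: untagged frames only, tagged frames dropped
  PG VLAN ID 1-4094 -> VST: vSwitch strips the matching tag towards the VM
                       and adds it towards the uplink; other VLANs dropped
  PG VLAN ID 4095   -> VGT: frames pass through unchanged, the guest handles tags
"""
import struct
from typing import Dict, Optional, Set

ETHERTYPE_VLAN = 0x8100   # 802.1Q TPID
ETHERTYPE_IPV4 = 0x0800
VGT_ALL_VLANS = 4095

def build_frame(dst_mac: str, src_mac: str, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build an Ethernet II frame, inserting an 802.1Q tag when vlan_id is given."""
    hdr = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)          # PCP(3) DEI(1) VID(12)
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, tci)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload

def vlan_id_of(frame: bytes) -> Optional[int]:
    """Return the 802.1Q VID of a frame, or None if it is untagged."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_VLAN:
        return None
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF

def strip_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]                       # drop TPID + TCI

def add_tag(frame: bytes, vlan_id: int) -> bytes:
    return frame[:12] + struct.pack("!HH", ETHERTYPE_VLAN, vlan_id) + frame[12:]

def uplink_to_vm(pg_vlan: int, frame: bytes) -> Optional[bytes]:
    """Frame from the physical trunk towards a vNIC in the PG; None means dropped."""
    vid = vlan_id_of(frame)
    if pg_vlan == VGT_ALL_VLANS:
        return frame                                     # VGT: tag left for the guest
    if pg_vlan == 0:
        return frame if vid is None else None            # EST: untagged only
    return strip_tag(frame) if vid == pg_vlan else None  # VST: strip matching tag

def vm_to_uplink(pg_vlan: int, frame: bytes) -> Optional[bytes]:
    """Frame from a vNIC in the PG towards the physical trunk; None means dropped."""
    vid = vlan_id_of(frame)
    if pg_vlan == VGT_ALL_VLANS:
        return frame
    if pg_vlan == 0:
        return frame if vid is None else None
    if vid is None:
        return add_tag(frame, pg_vlan)                   # VST: vSwitch tags on the way out
    return None                                          # guest-tagged frame in a VST PG

def opnsense_interface(frame: Optional[bytes], vlan_subifs: Set[int]) -> Optional[str]:
    """Which guest interface counts the frame: the parent (untagged), a configured
    VLAN sub-interface (tagged, VID present in vlan_subifs), or nothing at all."""
    if frame is None:
        return None
    vid = vlan_id_of(frame)
    if vid is None:
        return "parent"
    return f"vlan{vid}" if vid in vlan_subifs else None

def scenarios() -> Dict[str, object]:
    """The combinations discussed in the thread, on constructed sample frames."""
    discover_50 = build_frame("ffffffffffff", "0a1b2c3d4e5f", b"DHCPDISCOVER", vlan_id=50)
    discover_30 = build_frame("ffffffffffff", "0a1b2c3d4e60", b"DHCPDISCOVER", vlan_id=30)
    offer_untagged = build_frame("0a1b2c3d4e60", "000c29aabbcc", b"DHCPOFFER")
    return {
        # LAN vNIC in a VGT (4095) PG, OPNsense has a VLAN 50 sub-interface on it
        "vgt_pg_vlan50_subif": opnsense_interface(uplink_to_vm(4095, discover_50), {50}),
        # same PG, but VLAN 30 has no sub-interface on that parent: counted nowhere
        "vgt_pg_no_vlan30_subif": opnsense_interface(uplink_to_vm(4095, discover_30), {50}),
        # Guest vNIC in a VST (30) PG, OPNsense treats the vNIC as a plain interface
        "vst30_pg_plain_if": opnsense_interface(uplink_to_vm(30, discover_30), set()),
        # a VLAN 50 frame never reaches a vNIC in the VST (30) PG
        "vst30_pg_vlan50_frame": opnsense_interface(uplink_to_vm(30, discover_50), {50}),
        # the VST PG adds the tag to an untagged reply from OPNsense on the way out
        "vst30_reply_tag": vlan_id_of(vm_to_uplink(30, offer_untagged)),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:28s} -> {result}")
```

Run it directly to print the five scenarios. The two cases a practitioner would compare against interface packet counters are `vgt_pg_no_vlan30_subif` (tag reaches the guest but no sub-interface claims it) and `vst30_pg_vlan50_frame` (the port group never delivers it); both show zero packets on the VLAN interface but for different reasons, so a `tcpdump -e` on the parent inside the guest is what separates them.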