Messages - abranca

#1
Hi everyone,

I'd like to summarize my recent experience with VLANs on OPNsense, hoping it might help others.

Scenario:

  • I have several VLANs configured: some older (created on 25.x) and some new (created on 26.x).
  • The older VLANs work perfectly.
  • The new VLANs did not pass any traffic, even with a static IP. I did not use DHCP for testing.
  • Firewall rules and routing seem irrelevant: packets didn't reach the OPNsense interface at all.
  • Packet captures on the VLAN interface and client NICs showed no traffic, even though pings from LAN to the VLAN gateway responded.
  • Tested on both a Proxmox VM and a physical machine.

Actions taken:

  • Migrated DHCP from ICS to dnsmasq (already working for about 20 days).
  • Transferred firewall rules from the old format to the new one (a few days ago).
  • Upgraded OPNsense from 26.1.4 to 26.1.5.
  • After each migration and upgrade, I always rebooted, but the new VLANs still didn't work.
  • Created a new VLAN: completely non-functional.
  • Tried restoring a previous backup (26.1.3): VLAN still not working.
  • Restored the latest backup (26.1.5) and rebooted OPNsense: the new VLANs started working.

Observations:

  • The issue affects only new VLANs created after the 26.x upgrade.
  • Older VLANs continue to work normally on the same NIC.
  • No clear logical explanation: it could be some internal state or cache that gets cleared by a full reboot.
  • The setup uses unmanaged switches; VLANs are handled by OPNsense/Proxmox/Omada controller.
  • The fact that previous reboots didn't solve the issue suggests some anomalous internal condition in OPNsense was interfering with the new VLANs.

If you encounter new VLANs not passing traffic, try doing a full reboot of OPNsense after restoring the latest working configuration.
No changes to firewall rules or switches were necessary.
#2
Quote from: nero355 on March 27, 2026, 05:40:21 PM
Quote from: abranca on March 27, 2026, 03:42:45 PM
but when I create a new VLAN:
  • Firewall rules are enabled, like the other VLANs that work.
  • Even when setting a fixed IP on clients (VMs or PCs), I cannot ping the firewall and I cannot get an address from DHCP.
  • Packet capture on the VLAN interface does not show any traffic, not even pings from LAN to VLAN.
Maybe post your Firewall Rules then ?

Or simply compare them to one of the LAN/VLANs that work ?

Quote
I've verified:

  • Omada APs and an unmanaged switch are configured correctly, tags are passing.
I am not a big fan of this: What happens when you test without the Unmanaged Switch ?


Hi, thanks for the help!
I've already created a "pass any" rule on the vlan20_gst interface just for testing, so there are currently no filters that could block traffic. The rule is:

Interface: vlan20_gst
Type: IPv4
Source: *
Destination: *
Gateway: Failover_GW
Description: Pass any rule

It allows all traffic to any destination via the failover gateway, so it shouldn't be causing the issue.

At the moment, this VLAN isn't used on Omada — due to the problems, I've kept the setup at the bare minimum. I'm using an unmanaged switch between OPNsense and the VM/AP, which I know isn't ideal, but all other existing VLANs (10, 30, 40) work normally. The problem only appears on newly created VLANs after updating to OPNsense 26.x.

Even with a static IP on a VM or a physical machine, I cannot ping the gateway of the new VLAN, and packet captures on the interface show no traffic at all.

In short, this looks like a Layer 2 issue that doesn't seem to depend on firewall rules or DHCP.
#3
Quote from: pfry on March 27, 2026, 05:21:55 PM
Quote from: abranca on March 27, 2026, 03:42:45 PM
[...]I'm asking:[...]

Can't help you there, but two things to look at, if you haven't already: "ifconfig -v" (I just throw in the -v to get optics info) and "netstat -r", to verify all (and I mean all, pedantically) config data.

Hi, thanks for your reply. Here are the details after redoing the VLAN from scratch.

VLAN setup:

  • VLAN: vlan0.20
  • Parent interface: igc1
  • VLAN tag: 20
  • OPNsense interface: opt4 assigned to vlan0.20
  • IP: 10.10.20.1/24 (static)
  • No DHCP configured, testing only with static IP

VM setup (Proxmox and physical machine):

  • Connected to a NIC with VLAN tag 20
  • IP: 10.10.20.2/24
  • Gateway: 10.10.20.1
  • DNS: 1.1.1.1
  • VLAN-aware bridge enabled (vmbr1) (only for Proxmox VM)

Tests performed:

  • Ping from VM to gateway: fails
  • tcpdump on VM interface: no traffic observed
  • Packet capture on OPNsense VLAN interface: no traffic observed
  • Ping from LAN to VLAN gateway: works

Observations:

  • DHCP is not involved — this is static IP testing.
  • Firewall rules are not a factor — packets do not even reach OPNsense.
  • Routing/NAT is irrelevant at this stage — traffic is blocked before Layer 3.
  • Other VLANs (e.g., VLAN 10, 30, or 40) work normally on the same physical NIC.
  • The issue appears only with new VLANs created after upgrading to OPNsense 26.x.
  • Old VLANs created under 25.x continue to function normally.

The problem occurs at Layer 2, likely with VLAN tagging or interaction between OPNsense 26.x and Proxmox or even a physical machine. Everything worked correctly under OPNsense 25.x. The VM or physical machine cannot send packets through the new VLAN, even with a static IP.

ifconfig -v
igc0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,HWSTATS,MEXTPG>
    ether 00:d0:b4:03:bf:ae
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    drivername: igc0
igc1: flags=1028943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC,LOWER_UP> metric 0 mtu 1500
    description: vlan1_lan (lan)
    options=4902028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,NETMAP,HWSTATS,MEXTPG>
    ether 00:d0:b4:03:bf:af
    inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    drivername: igc1
igc2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,HWSTATS,MEXTPG>
    ether 00:d0:b4:03:bf:b0
    media: Ethernet autoselect
    status: no carrier
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    drivername: igc2
igc3: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: wan2_lte (opt7)
    options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,HWSTATS,MEXTPG>
    ether 00:d0:b4:03:bf:b1
    inet 192.168.10.2 netmask 0xffffff00 broadcast 192.168.10.255
    media: Ethernet autoselect (100baseTX <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    drivername: igc3
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    drivername: lo0
enc0: flags=0 metric 0 mtu 1536
    options=0
    groups: enc
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    drivername: enc0
pfsync0: flags=0 metric 0 mtu 1500
    options=0
    maxupd: 128 defer: off version: 1400
    syncok: 1
    groups: pfsync
    drivername: pfsync0
pflog0: flags=0 metric 0 mtu 33152
    options=0
    groups: pflog
    drivername: pflog0
vlan0.10: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: vlan10_iot (opt3)
    options=4000000<MEXTPG>
    ether 00:d0:b4:03:bf:af
    inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
    groups: vlan
    vlan: 10 vlanproto: 802.1q vlanpcp: 0 parent interface: igc1
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    drivername: vlan0
vlan0.30: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: vlan30_dmz (opt2)
    options=4000000<MEXTPG>
    ether 00:d0:b4:03:bf:af
    inet 172.16.10.1 netmask 0xffffff00 broadcast 172.16.10.255
    groups: vlan
    vlan: 30 vlanproto: 802.1q vlanpcp: 0 parent interface: igc1
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    drivername: vlan2
vlan0.40: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: vlan40_ipc (opt6)
    options=4000000<MEXTPG>
    ether 00:d0:b4:03:bf:af
    inet 10.10.40.1 netmask 0xffffff00 broadcast 10.10.40.255
    groups: vlan
    vlan: 40 vlanproto: 802.1q vlanpcp: 0 parent interface: igc1
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    drivername: vlan3
vlan0.835: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=4000000<MEXTPG>
    ether 00:d0:b4:03:bf:ae
    groups: vlan
    vlan: 835 vlanproto: 802.1q vlanpcp: 0 parent interface: igc0
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    drivername: vlan4
wg0: flags=10080c1<UP,RUNNING,NOARP,MULTICAST,LOWER_UP> metric 0 mtu 1420
    description: vpn_wg (opt5)
    options=80000<LINKSTATE>
    inet 10.10.30.1 netmask 0xffffff00
    groups: wg wireguard
    nd6 options=9<PERFORMNUD,IFDISABLED>
    drivername: wg0
pppoe0: flags=10088d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1492
    description: wan1_ftth (opt1)
    options=0
    inet xx.xx.xx.xx --> zz.zz.zz.zz netmask 0xffffffff
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    drivername: ng0
vlan0.20: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: vlan20_gst (opt4)
    options=4000000<MEXTPG>
    ether 00:d0:b4:03:bf:af
    inet 10.10.20.1 netmask 0xffffff00 broadcast 10.10.20.255
    groups: vlan
    vlan: 20 vlanproto: 802.1q vlanpcp: 0 parent interface: igc1
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    drivername: vlan1
netstat -r
Routing tables

Internet:
Destination        Gateway            Flags         Netif Expire
default            static-zzz-zzz-zz- UGS          pppoe0
one.one.one.one    192.168.10.1       UGHS           igc3
10.10.10.0/24      link#9             U          vlan0.10
10.10.10.1         link#5             UHS             lo0
10.10.20.0/24      link#10            U          vlan0.20
10.10.20.1         link#5             UHS             lo0
10.10.30.0/24      link#15            U               wg0
10.10.30.1         link#5             UHS             lo0
10.10.30.2         link#15            UHS             wg0
10.10.30.3         link#15            UHS             wg0
10.10.30.4         link#15            UHS             wg0
10.10.40.0/24      link#12            U          vlan0.40
10.10.40.1         link#5             UHS             lo0
posta              link#5             UHS             lo0
unfiltered.adguard static-zzz-zzz-zz- UGHS         pppoe0
unfiltered.adguard 192.168.10.1       UGHS           igc3
localhost          link#5             UH              lo0
172.16.10.0/24     link#11            U          vlan0.30
172.16.10.1        link#5             UHS             lo0
192.168.0.0/24     link#2             U              igc1
fw                 link#5             UHS             lo0
192.168.10.0/24    link#4             U              igc3
192.168.10.1       link#4             UHS            igc3
192.168.10.2       link#5             UHS             lo0
static-zzz-zzz-zz- link#14            UH           pppoe0

Internet6:
Destination        Gateway            Flags         Netif Expire
localhost          link#5             UHS             lo0
fe80::%lo0/64      link#5             U               lo0
fe80::1%lo0        link#5             UHS             lo0

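The advice in the reply above is to verify every piece of interface configuration pedantically. The following Python checker is an added example, not code from the thread or from OPNsense: it parses FreeBSD-style `ifconfig -v` output into per-interface records and checks each 802.1Q vlan(4) interface against its parent (parent present, UP and RUNNING with an active link, VLAN_MTU offered, MAC inherited from the parent, no duplicate tag on the same parent). The sample output embedded below is constructed and modelled on the output posted in the thread; the `vlan0.50`/`igc2` block is an invented failure case (parent with no carrier) added to show what a finding looks like.

```python
"""Sanity-check 802.1Q VLAN interfaces from FreeBSD/OPNsense `ifconfig -v` output.

Added example, not from the forum thread. Run it as
    ifconfig -v | python3 vlan_check.py
on the firewall, or with no stdin to use the constructed sample below.
"""
import re
import sys
from typing import Dict, List

# Constructed sample, modelled on the thread's output. vlan0.50 on igc2 is an
# invented broken case: the parent port has no carrier, so the VLAN is dead.
SAMPLE_IFCONFIG = """\
igc1: flags=1028943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC,LOWER_UP> metric 0 mtu 1500
    options=4902028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,NETMAP,HWSTATS,MEXTPG>
    ether 00:d0:b4:03:bf:af
    status: active
igc2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,HWSTATS,MEXTPG>
    ether 00:d0:b4:03:bf:b0
    status: no carrier
vlan0.20: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: vlan20_gst (opt4)
    ether 00:d0:b4:03:bf:af
    inet 10.10.20.1 netmask 0xffffff00 broadcast 10.10.20.255
    groups: vlan
    vlan: 20 vlanproto: 802.1q vlanpcp: 0 parent interface: igc1
    status: active
vlan0.50: flags=8843<UP,BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
    description: vlan50_test (opt8)
    ether 00:d0:b4:03:bf:b0
    inet 10.10.50.1 netmask 0xffffff00 broadcast 10.10.50.255
    groups: vlan
    vlan: 50 vlanproto: 802.1q vlanpcp: 0 parent interface: igc2
    status: no carrier
"""

# "name: flags=hex<A,B,C> ..." ; the <...> part is absent when flags=0
HEAD_RE = re.compile(r"^(\S+): flags=[0-9a-f]+(?:<([^>]*)>)?")
OPTS_RE = re.compile(r"^options=[0-9a-f]+(?:<([^>]*)>)?")
VLAN_RE = re.compile(r"^vlan: (\d+) .*parent interface: (\S+)")


def parse_ifconfig(text: str) -> Dict[str, dict]:
    """Return {ifname: {flags, options, ether, status, vlan, parent}}."""
    ifaces: Dict[str, dict] = {}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():              # new interface header
            m = HEAD_RE.match(line)
            if not m:
                continue
            cur = {"flags": set(m.group(2).split(",")) if m.group(2) else set(),
                   "options": set(), "ether": None, "status": None,
                   "vlan": None, "parent": None}
            ifaces[m.group(1)] = cur
            continue
        if cur is None:
            continue
        if line.startswith("options="):
            m = OPTS_RE.match(line)
            cur["options"] = set(m.group(1).split(",")) if m and m.group(1) else set()
        elif line.startswith("ether "):
            cur["ether"] = line.split()[1].lower()
        elif line.startswith("status: "):
            cur["status"] = line[len("status: "):]
        else:
            m = VLAN_RE.match(line)
            if m:
                cur["vlan"], cur["parent"] = int(m.group(1)), m.group(2)
    return ifaces


def check_vlans(ifaces: Dict[str, dict]) -> List[str]:
    """Return human-readable findings; an empty list means every VLAN looks sane."""
    findings: List[str] = []
    seen: Dict[tuple, str] = {}
    for name, info in ifaces.items():
        if info["vlan"] is None:
            continue
        tag, parent = info["vlan"], info["parent"]
        if (parent, tag) in seen:
            findings.append(f"{name}: tag {tag} on {parent} already used by {seen[(parent, tag)]}")
        seen.setdefault((parent, tag), name)
        p = ifaces.get(parent)
        if p is None:
            findings.append(f"{name}: parent {parent} not present in ifconfig output")
            continue
        for flag in ("UP", "RUNNING"):          # link must be up on both ends
            if flag not in p["flags"]:
                findings.append(f"{name}: parent {parent} is not {flag}")
            if flag not in info["flags"]:
                findings.append(f"{name}: interface is not {flag}")
        if p["status"] != "active":
            findings.append(f"{name}: parent {parent} status is {p['status']!r}, not 'active'")
        if info["status"] != "active":
            findings.append(f"{name}: status is {info['status']!r}, not 'active'")
        if "VLAN_MTU" not in p["options"]:      # tagged frames need 4 extra bytes
            findings.append(f"{name}: parent {parent} lacks VLAN_MTU")
        if info["ether"] and p["ether"] and info["ether"] != p["ether"]:
            findings.append(f"{name}: MAC {info['ether']} differs from parent {parent} MAC {p['ether']}")
    return findings


def audit(text: str) -> List[str]:
    return check_vlans(parse_ifconfig(text))


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IFCONFIG
    for f in audit(data) or ["all VLAN interfaces look consistent"]:
        print(f)
```

A clean result from this checker only tells you the OPNsense side of Layer 2 is configured coherently; it says nothing about whether the tagged frames survive the path through the switch and hypervisor bridge, which is where the packet captures in the thread come in.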
#4
Hi everyone,

I'm experiencing a really strange issue with OPNsense 26.1.4 (I came from 25.7). I have several VLANs configured, some existing for a long time and working perfectly (both wired and Wi-Fi), but when I create a new VLAN:
  • The VLAN interface is created correctly (Interface -> Assignments), with a static IP set (e.g., 10.10.50.1/24).
  • DHCP (dnsmasq) is configured with a proper range.
  • Firewall rules are enabled, like the other VLANs that work.
  • Even when setting a fixed IP on clients (VMs or PCs), I cannot ping the firewall and I cannot get an address from DHCP.
  • Packet capture on the VLAN interface does not show any traffic, not even pings from LAN to VLAN.
I've verified:

  • The VLAN parent is the same as other working VLANs.
  • Omada APs and an unmanaged switch are configured correctly, tags are passing.
  • Using an old VLAN (with tag 10 for example) works: DHCP and traffic are received properly.
  • I've tried changing the VLAN tag, deleting and recreating the VLAN, rebooting OPNsense and switches: nothing works.

Main symptom: the new VLAN seems completely "blind" to traffic, even with a fixed IP. Other VLANs work normally.

I'm asking:

  • Has anyone experienced the same behavior on OPNsense 26?
  • Could this be a bug in OPNsense 26's kernel / VLAN stack?

Thanks in advance for any suggestions or similar experiences!
#5
Solved. It's Suricata. I added a second line (LTE/4G) for backup and included it in Suricata for testing. I haven't removed it from the interfaces.
#7
I have the same problem. I wrote at the end of this post.
I had the problem after upgrading from 25.1, thinking an update had gone wrong. So, having to leave for vacation, I installed everything from scratch (a clean installation from a thumb drive), but now that I am on vacation I can't take action. I realized the problem.
I used default partitioning; I did not make any changes. Is this then a problem with 25.7?
#8
I have the same problem.
Fresh setup. Disk full.

root@fwl:/var/log # df -h
Filesystem            Size    Used   Avail Capacity  Mounted on
zroot/ROOT/default    1.5G    1.5G      0B   100%    /
devfs                 1.0K      0B    1.0K     0%    /dev
/dev/gpt/efiboot0     260M    1.3M    259M     1%    /boot/efi
zroot/home             96K     96K      0B   100%    /home
zroot/var/mail         96K     96K      0B   100%    /var/mail
zroot                  96K     96K      0B   100%    /zroot
zroot/usr/ports        96K     96K      0B   100%    /usr/ports
zroot/tmp             416K    416K      0B   100%    /tmp
zroot/var/audit        96K     96K      0B   100%    /var/audit
zroot/var/crash        96K     96K      0B   100%    /var/crash
zroot/usr/src          96K     96K      0B   100%    /usr/src
zroot/var/log         105G    105G      0B   100%    /var/log
zroot/var/tmp          96K     96K      0B   100%    /var/tmp
devfs                 1.0K      0B    1.0K     0%    /var/dhcpd/dev

The problem is in the /usr folder. The biggest folders are:
9.0M    /usr/local/share/locale
 10M    /usr/local/share/GeoIP
 16M    /usr/local/opnsense/www
 16M    /usr/local/share/man
 18M    /usr/local/share/icu
 23M    /usr/local/sbin
 25M    /usr/local/bin
 28M    /usr/local/opnsense
 41M    /usr/local/lib/perl5
 45M    /usr/local/etc/suricata
 48M    /usr/local/etc
 65M    /usr/local/share
 99M    /usr/local/include/boost
120M    /usr/local/include
294M    /usr/local/lib/python3.11
459M    /usr/local/lib
772M    /usr/local

I haven't touched the partition schema; I set up OPNsense from the official ISO and restored a previous config backup.

#9
Hi, I'm linking to this discussion to ask for clarification.
I have OPNsense virtualized on Proxmox with a network card with 2 dedicated ports (one for WAN and one for LAN).
I have created VLANs on my LAN; in the interface settings I have Hardware CRC, Hardware TSO, Hardware LRO checked (so all disabled) and VLAN Hardware Filtering disabled.

In IPS I have Promiscuous mode enabled but I am not clear on the Interfaces part. Do I have to select LAN because the VLANs are on this physical interface? Why not select the interface assigned to the VLAN?

Thanks for the clarification
#10
Do you happen to have Suricata active? I had the same problem, but stopping and restarting the service freed the memory.
#11
Hi, I am adding to this post.
I also have the same problem, and I have created the rule following what is stated in this post, but the machine still browses.

I am attaching two screenshots.
#12
Hi guys,
I have a problem for a couple of days.
I can no longer access my pc remotely with anydesk or teamviewer.
The firewall rules have not changed.
I have a rule for remote desktop on non-standard port and it works perfectly, while all other connections with anydesk and teamviewer are rejected by the "Default deny rule", but until two days ago everything worked perfectly.

I have GeoIP and IDS blocking active with automatic rule update, not IPS because I have a PPPoE connection.

I enclose a screenshot.
Thank you all for your help.
#13
20.7 Legacy Series / Re: info ids rules and action
November 28, 2020, 02:32:06 PM
Thank you for the clarification
#14
20.7 Legacy Series / info ids rules and action
November 25, 2020, 05:28:03 PM
hello everyone,
I have a question about the IDS system.

I have activated IDS, not IPS because I am on PPPoE, and enabled ET xxxx rules, all in drop mode. I receive alerts for these rules, but instead of being blocked they are accepted.

I took a sample of which I enclose screenshots:
rule ET COMPROMISED Known Compromised or Hostile Host Traffic group 218 set in drop mode and in the alert the action is "allowed".

Shouldn't it be "blocked"?

Thanks to all