Messages

1

General Discussion / Re: [Unsolved] VLAN Trunk with VLAN Access Ports on Spare NICs

« on: February 02, 2022, 06:04:20 am »

So I got too focused on VLANs and forgot that I could just bridge any of the VLANs on igb1 to the physical igb2 port.  I didn't need to create a VLAN on igb2 and then bridge it to the VLAN on igb1.  That answers question #2 and works around the issue of untagged traffic on igb2.

For clarification, the untagged traffic on the trunk port, igb1, is from the WAP's management interface.  It looks like some Unifi WAPs do this also.

To catch the untagged traffic, I tried adding an interface to the physical igb1 port.  That did get the traffic labeled with that interface in the firewall logs, so it seemed like it was working.  As soon as I tried bridging it to a VLAN on the same port, though, all the VLAN traffic through that port stopped working.  It looks like that's a FreeBSD limitation, per this thread:
https://forum.opnsense.org/index.php?topic=22660.0

Which links to this issue:
https://redmine.pfsense.org/issues/11139

I haven't been able to find any other ways to get OPNsense to tag/route the untagged traffic from the WAP.

As far as I can tell from all the yelling in this thread, tagging is just not a feature in pfSense.  It's an older thread so that may have changed.
https://forum.netgate.com/topic/114329/vlan-how-do-you-assign-use-the-native-untagged-vlan/3

I also found a more recent unanswered thread similar to this one.
https://forum.opnsense.org/index.php?topic=26100.0

I did find a workaround for question #1, though - the WAP supports giving its management traffic a VLAN tag.  I changed it to match one of my VLANs and it immediately started working.

So, solved!

2

General Discussion / [Solved] VLAN Trunk with VLAN Access Ports on Spare NICs

« on: January 31, 2022, 03:41:29 am »

Hey all,

I'm trying to get a home network set up with three VLANs for trusted devices, IoT devices, and guest devices.  I have an EAP245 WAP that supports VLAN tagging each unique SSID.  All the devices on the WAP are working properly in their respective VLANS, and the firewall rules I've assigned seem to be working properly also.

What I need help with is (I think) getting untagged traffic on igb1 and igb2 flowing into the proper VLANs.

In the firewall logs I can see traffic on the VLAN_Trusted, VLAN_Guest, etc interfaces getting blocked or passed as the rules dictate.  I can also see the igb1 and igb2 interfaces with all traffic getting blocked by the default deny rule.  I haven't tried passing that traffic yet since I'm not sure it will get to the proper VLANs.  If it were making it onto the VLANs, it would be handled by the VLAN interface firewall rules, right?  Or does it need to be passed by the firewall first?

The WAP connected to igb1 seems to leave its own management traffic untagged since I can see it getting blocked under the igb1 interface logs.  I can see traffic from the device on igb2 getting blocked also.

I have VLAN_Trusted (vlan10) bridged across igb1 and igb2.  My intention is for the Trusted SSID from the WAP on igb1 and the device/switch on igb2 to be on the same VLAN.  Eventually when I have the config stable I'll delete the LAN_Mgmt assignment on igb3 and bridge VLAN_IOT (vlan20) across igb1 and igb3.

I think this all boils down to two questions:
1. How do I turn a spare NIC into a VLAN access port so untagged traffic makes it onto the assigned native VLAN?
2. How do I combine (bridge?) a VLAN from the WAP and the VLAN from question 1 together?

I have a network diagram and screenshots of the interface assignment page, VLAN page, and bridge page attached.

Thanks in advance.