Messages

If Caddy(Main) and Caddy(Sub) are in a trusted network, you can reverse_proxy between these Caddies without using TLS.

TLS is only important on the way through untrusted networks, e.g. from Client on the Internet to your Caddy(Main).

Caddy(Main) will hold all certificates and terminate tls. The other Caddies would not need to issue any certificates.

So you do not really need an ACME Server or a ACME Challenge redirection. Just use Plaintext.

I understand. Perhaps a better qualification of one of my use-case is in order.

• Telegraf, Influx and Grafana stacks are employed for telemetry. Latter two are web-based interfaces which require explicit certificate configuration in order to use http(s). Telegraf client configurations need root_ca for http(s) and host-specific keys if TLS verification option is enabled.
• Now, first-order question I asked myself was: Do I really need to protect telemetry information from telegram clients to influx db server? Not really : is the honest answer. That said, telemetry information reveals plenty about topology. So, having telemetry data streamed using TLS protection does carry benefits
• The certs (for external domain) will now reside on Caddy(master). With ACME server enabled on Caddy, I can have certbot request the necessary certs and auto-provision (e.g. during cert renewal) certs onto appropriate roles

Reference telegraf client information required:

Code Select Expand

  ## Optional TLS Config for use on HTTP connections.
  # tls_ca = "/etc/telegraf/ca.pem"
  # tls_cert = "/etc/telegraf/cert.pem"
  # tls_key = "/etc/telegraf/key.pem"
  ## Use TLS but skip chain & host verification
  # insecure_skip_verify = false

Similar information is required for influx and Grafana.

Regarding the build:

https://caddyserver.com/docs/command-line#caddy-add-package

You can use this to add any package you want from the command line. It will not be persistent though. If the opnsense repo pushes an update at some point you must do it again.

Thank you for the reference. I understand.

The crowdsec usage I referred to earlier is as follows:

Code Select Expand


--> Global block of Caddyfile (info generated using cscli bouncer add
{
crowdsec {
api_url http://<Opnsense_fw>:8080
api_key <valid_key>
ticker_interval 15s
}
}

--> In the site-block of clients
{
route {
# crowdsec based filtering
crowdsec
                ... whatever logic is necessary ...
        }

}


Currently the plugin is rather finished and very specific or overly complicated things will most likely not be added to prevent feature creep.

Thank you for sharing the plugin status and roadmap. I only asked about crowdsec modules (which can be used like above) because a log-based integration of crowdsec is already implemented on your plugin for Opnsense. Addition of the few extra parameters required may increase the hardening posture.[/list]

You could use the HTTP01 challenge redirection on the Caddy Server of OPNsense to the cascaded other Caddy Servers.

I see. I was under the impression that the challenges on cascades servers would work because they get their certs (and therefore a hierarchy) from cascade master. Meaning, Caddy opnsense has, for a given external site, a valid cert. If acme challenge is sent to an internal (hosting an internal site) caddy instance, then the request would not have the same valid verification chain on client-side? Please grant me follow-ups in case I get stuck.


An other unrelated questions for your guidance:
GitHub code for this plugin indicates a custom caddy build (with DNS providers, L4 etc) is being used (120 standard modules, 80 or so optional modules). Would there be steps on how to add modules of interest eg crowdsec? I have used xcaddy in the past to generate custom images on Linux but not on freebsd. I can update this post with a working caddy config where crowdsec together with rate L5-7 rate limiters can take L4-7 information (not just L3 - which is what I think present crowdsec integration provides) to block unwanted behaviors.

[acme_server, tls_internal]

@Cedrik, First off, thank you so very much for creating this (and other) wonder plugins for OPNsense. You make our lives so convenient.

I've read through plugin configuration documentation and through this thread. But, an answer didn't jump out. So, I hope you could excuse me for bothering you with a little issue of mine. TLDR: If os-caddy plugin acts as an ACME server for a site, then a) what would be the ACME url? b) will the location of root ca be /var/db/caddy/data/caddy/certificates/local/<site>?

Presently, I use caddy cascaded in my internal network with a made-up domain name TLS'ed by Caddy. I did so prior to having an externally valid domain name - which I now do. Previously working caddy setup at a high-level was:

Code Select Expand

Caddy master instance (say on internal1.domain)
 {
   acme_server
   tls_internal
  }

Caddy slaves instances (say on internal2.domain)
 https://internal2.domain{
   tls {
     ca https://<internal1.domain>/acme/local/directory
     ca_root <path_to_caddy_master_ca>.pem
   }
  }

Caddy slaves instances (say on internal3.domain)
 https://internal3.domain{
   tls {
     ca https://<internal1.domain>/acme/local/directory
     ca_root <path_to_caddy_master_ca>.pem
   }
  }
... and so on


Now, with os-caddy on Opnsense being available, I'd like to rid of Caddy master on <instance1.domain> and utilize Opnsense caddy plug-in instead. GUI doesn't provide an option to declare acme_server, tls_internal. But inclusion of *.conf on a per-site basis is allowed. So, I added it like so: (reverse proxied external domain to internal2.domain running caddy slave1)

Code Select Expand

# Reverse Proxy Domain: "104d6421-2b1f-407e-af83-f087021ee1b1"
valid.domain {
log {
output file /var/log/caddy/access/104d6421-2b1f-407e-af83-f087021ee1b1.log {
roll_keep_for 10d
}
}
acme_server
tls internal


@08831d42-ad4c-40dc-a7d5-53af52ac6490_validdomain {
not client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
}
handle @08831d42-ad4c-40dc-a7d5-53af52ac6490_validdomain {
abort
}

handle {
reverse_proxy internal2.domain {
                     transport http {
tls_insecure_skip_verify
}
     header_up Host {http.reverse_proxy.upstream.hostport}
  }
}
}

Then Caddy slaves instances's (internal2.domain) config is changed as:

Code Select Expand

https://internal2.domain{
   tls {
     ca https://<external.domain>/acme/local/directory
     ca_root <path_to_caddy_master_ca copied from /var/db/caddy/data/caddy/certificates/local/internal1.domain>.crt
   }
  }


Unbound resolves external.domain to Opsense's address (192.168.0.1) via host overrides. This is to prevent local request for external domain being handled and served locally without having to go out into the interwebs.

Because Opnsense webGUI is running on 8443, I also tried https://<192.168.0.1>:8443/acme/local/directory but to no avail. ACME server's url appears invalid. I'm unsure how to proceed. Your guidance would be much appreciated.

There should be nothing in need of change or reconfiguration on the FreeBSD side. Are you sure the ports on the new switch are configured for LACP?

Thank you @Patrick. S2 has the same port-channel configuration as S1. Switch-side configuration can be found below. Initial post is updated w/ it as well.

Code Select Expand


interface port-channel9
  switchport mode trunk
  mtu 9216

interface Ethernet1/9/1
  switchport mode trunk
  mtu 9216
  channel-group 9 mode active

interface Ethernet1/9/2
  switchport mode trunk
  mtu 9216
  channel-group 9 mode active


For Cisco NX-OS series switches, mode active engages LACP protocol negotiation from the switch.

[Start status of lagg0]

Hello everyone,
Decisio DEC4040 with 2x25G SFP28 ports (ice0,1) are in a lagg (lagg0) with a switch (S1). Various VLAN subnets and derivative interfaces rules etc depend on lagg0. This lagg is the "main" LAN connection. 100G breakout DAC is used. I need to move the 2 physical connections to a different switch (S2) in the short-term and later in the medium-term split the connections across two switches (S2,3) which are in a vPC configuration. For the short-term move, I have tried the following steps neither of which have yielded a successful outcome:

• Move the 100G cable from S1 to S2. LACP isn't re-established. "No carrier" status is shown on OpnSense
• Move the 100G cable from S1 to S2 after "ifconfig lagg0 down". LACP isn't re-established. "No carrier" status is shown on OpnSense
• Move the 100G cable from S1 to S2 after bringing down all involved interfaces (lagg0,ice0,ice1).LACP isn't re-established. "No carrier" status is shown on OpnSense
• Put new 100G QSFP on S2 + 2x25G SFP28 on DEC4040 and connected with MTP-to-LC breakout cable. Repeat combination of the above steps wrt ifconfig up/down. LACP isn't re-established. "No carrier" status is shown on OpnSense

Start status of lagg0

Code Select Expand


ifconfig -v ice0
ice0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 9000
options=4800028<VLAN_MTU,JUMBO_MTU,HWSTATS,MEXTPG>
ether f4:90:ea:00:9f:72
inet6 fe80::f690:eaff:fe00:a206%ice0 prefixlen 64 scopeid 0x5
media: Ethernet autoselect (25G-AUI <full-duplex>)
status: active
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
drivername: ice0
plugged: SFP/SFP+/SFP28 25GBASE-CR CA-25G-S (Copper pigtail)
vendor: CISCO-LEONI PN: L45593-D278-B30 SN: LCC2506GADX-CH3 DATE: 2021-02-10
root@MorikCage:~ # ifconfig -v lagg0
lagg0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 9000
description: main_LAGG (opt1)
options=4800028<VLAN_MTU,JUMBO_MTU,HWSTATS,MEXTPG>
ether f4:90:ea:00:9f:72
hwaddr 00:00:00:00:00:00
inet 192.168.98.1 netmask 0xffffff00 broadcast 192.168.98.255
inet6 fe80::f690:eaff:fe00:9f72%lagg0 prefixlen 64 scopeid 0xd
laggproto lacp lagghash l2,l3,l4
lagg options:
flags=0<>
flowid_shift: 16
lagg statistics:
active ports: 2
flapping: 0
lag id: [(8000,F4-90-EA-00-9F-72,09A8,0000,0000),
(8000,E8-0A-B9-75-49-87,0001,0000,0000)]
laggport: ice0 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING> state=3d<ACTIVITY,AGGREGATION,SYNC,COLLECTING,DISTRIBUTING>
[(8000,F4-90-EA-00-9F-72,09A8,8000,0005),
(8000,E8-0A-B9-75-49-87,0001,8000,01C3)]
laggport: ice1 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING> state=3d<ACTIVITY,AGGREGATION,SYNC,COLLECTING,DISTRIBUTING>
[(8000,F4-90-EA-00-9F-72,09A8,8000,0006),
(8000,E8-0A-B9-75-49-87,0001,8000,01C4)]
groups: lagg FG_ALL_VLANs FG_CRITICAL_LAN
media: Ethernet autoselect
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
drivername: lagg0


S1 (and S2) configs

Code Select Expand


interface port-channel9
  switchport mode trunk
  mtu 9216

interface Ethernet1/9/1
  switchport mode trunk
  mtu 9216
  channel-group 9 mode active

interface Ethernet1/9/2
  switchport mode trunk
  mtu 9216
  channel-group 9 mode active


End status in each of the above cases for when moving lagg0 was

Code Select Expand


ifconfig -vv lagg0
lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 9000
description: main_LAGG (opt1)
options=4800028<VLAN_MTU,JUMBO_MTU,HWSTATS,MEXTPG>
ether f4:90:ea:00:9f:72
hwaddr 00:00:00:00:00:00
inet 192.168.98.1 netmask 0xffffff00 broadcast 192.168.98.255
inet6 fe80::f690:eaff:fe00:9f72%lagg0 prefixlen 64 scopeid 0xd
laggproto lacp lagghash l2,l3,l4
lagg options:
flags=0<>
flowid_shift: 16
lagg statistics:
active ports: 0
flapping: 0
lag id: [(0000,00-00-00-00-00-00,0000,0000,0000),
(0000,00-00-00-00-00-00,0000,0000,0000)]
laggport: ice0 flags=0<> state=41<ACTIVITY,DEFAULTED>
[(8000,F4-90-EA-00-9F-72,8005,8000,0005),
(FFFF,00-00-00-00-00-00,0000,FFFF,0000)]
laggport: ice1 flags=0<> state=41<ACTIVITY,DEFAULTED>
[(8000,F4-90-EA-00-9F-72,8006,8000,0006),
(FFFF,00-00-00-00-00-00,0000,FFFF,0000)]
groups: lagg FG_ALL_VLANs FG_CRITICAL_LAN
media: Ethernet autoselect
status: no carrier
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
drivername: lagg0


I think I may be missing something basic here. When changing lagg endpoints, does FreeBSD require removal and re-addition of the physical interfaces? Or perhaps some another subtlety I may be overlooking?

[gateway]

I have a similar setup. I too didn't see a need to execute the 'policy-based routing' section. Although, I have yet to thoroughly test the failover.

One question I did have on the following:

a question or check of my setup. i recently added a backup internet connection.

the only other adjustments i had to make were:

• any port forwards, i had to add both WAN interfaces to the forward definitions.
• forwarding 80/443 to public for caddy reverse proxy, so had to duplicate that rule on each WAN interface

in rule configuration there's a gateway option whose tooltip says eave as 'default' to use the system routing table. Or choose a gateway to utilize policy based routing. . So, in theory, additional rules definition shouldn't be required?

[OPNsense 24.10.1-amd64]

Hello,
Running ISC DHCPv4 on OPNsense 24.10.1-amd64 (business edition). KEA DHCPv4 server seems stable enough to considering moving over. For ISC, Opnsense GUI provided only 2 values for DNS servers per subnet. However, one could use Additional Options-->6 followed by hex string to add >2 DNS alternatives. I have 4 configured (adguard+pihole running on VMs + on Pi2 - for when server reboots are required).

Code Select Expand

c0:a8:64:24:c0:a8:64:22:c0:a8:64:23:c0:a8:64:24

I'd like to maintain this setup in KEA. Their https://downloads.isc.org/isc/kea/2.6.1/doc/html/arm/dhcp4-srv.html indicates that multiple values are possible. But, because I haven't migrated to KEA yet, I can't tell whether such multiple (more than 2) values in DNS options will be supported. Any guidance would be much appreciated.

Furthemore, in order to provide Ruckus/Cisco Wi-APs with controller information, i use Option 43 like so

Code Select Expand

type=string "hex 060c3139322e3136382e302e3431"

But, in the GUI, i'm unable to find a way to provide such additional custom options which survive reboot?

Hello all,
I'm sure many of you have implemented bsmithio's project https://github.com/bsmithio/OPNsense-Dashboard/tree/master for obtaining and rendering OPNSense telemetry data via TIG stack (Telegraf, InfluxDBv2, Grafana).

A recent change in OPNSense's filterlog data caused the filterlog processing in graylog to break. I forked (https://github.com/morikplay/OPNsense-Dashboard) the aforementioned project and fixed it for IPv4 packets (+ few enhancements). Not having enabled IPv6 in my home network, I am unable to complete the changes for others to potentially benefit from. I did look at this link https://github.com/opnsense/ports/blob/master/opnsense/filterlog/files/description.txt Franco sent in the one of the forum threads. But, I'd appreciate a few (5-10) sample filterlog traces for ipv6 packets with UDP, TCP and ICMP each, please. This will help me verify implementation and give back to the open-source community.

[What]

In need of the experts' advise once again.

What: os-crowdsec installed and works like a charm w/ local SQLite db. When switching it out to an (external) postgresql on the local network, all hell breaks loose.

System Info:

• Opnsense 24.4_8-amd64
• FreeBSD 13.2-RELEASE-p11
• os-sec 1.07

postgresql config in crowdsec config.yaml

Code Select Expand


db_config:
  type: pgx
  user: <user>
  password: <pwd>
  host: <host_ip>
  port: <host_port>
  db_name: crowdsec
  sslmode: prefer
  max_open_conns: 100
  decision_bulk_size: 2000
  flush:
    max_items: 10000
    max_age: 90d


Issue crowdsec service does not start after the change to config.yaml. It can't seem to connect to postgresql database. Database is verified to be up, and credentials work when using psql locally on db server and also remotely via another ubuntu machine.

Code Select Expand


[fbfdf7e6-bc7e-4543-b7bc-d7fadff59603] Script action stderr returned "b'{"level":"error","msg":"error while performing request: dial tcp <ip>:8080: i/o timeout; 4 retries left","time":"2024-06-19T01:39:21-07:00"}\n{"level":"error","msg":"error while performing request: dial tcp <ip>:8080: i/o timeout; 3 retries l'"


I have the same issue as well. Using caddy instead of nginx. Were you able to solve it? If so, how?

i gather that you're using aliases+pf rules to lock down traffic to the furthest extent possible on what reads like an iot vlan. if the devices only have access to manually-whitelisted endpoints and your vacuum wants to reach a mystery machine hosted on AWS for which you can't make a threat assessment, why not just allow access to any & all AWS ranges? the list is published & updated¹ but you'll either need to parse the json (e.g. with jq ) or find a reliable source of these same data in a format consumable by opnsense...i'm sure such a thing exists. you might also use that step to remove any ranges not associated with EC2 (your hostname resolves to an elastic load balancer host and all IPs it distributes, in your case, are EC2).

Thank you for the very well thought of response, and the pointers. To balance "convenience" viz-a-viz security but more importantly the wife-factor, for now, I ended up changing the firewall rule to allow

Code Select Expand

*:8083. I'm unfamiliar w/ jq but will look into parsing json via jq for integration w/ opnsense. 

add'l point... pihole-FTL shares enough code base with dnsmasq to describe it as being functionally similar, and as such it will parse and leverage config files in /etc/dnsmasq.d/. from a workflow perspective these options are considered before its forwarding mechanism (to resolvers defined via pihole UI) kicks in. ootb, nothing that can meet your desire for pf rules unless you leveraged it to generate a locally-hosted reference for alias lookup via url on opnsense (e.g. alias = http://192.168.69.69/this_shit_sucks).

I must apologize but i'm unable to understand the proposed solution here. Make some change to pihole which then influences firewall rule execution at opnsense? Please do elaborate at your convenience.

add'l point 2...if you insist upon addressing it with opnsense you should still be able to make it happen by:

• change dnsmasq listen port to something besides unbound's port 53, e.g. 53053
• add override for roborock.com at opnsense > domain overrides, specifying 127.0.0.1@53053 as authoritative nameserver
• figure out what cli voodoo is required to add/modify dnsmasq configs on opnsense (making sure they persist)
• cross fingers, pray to the networking gods regularly, and research alternatives in the interim

Ha ha. I'm considering replacing the aging pihole w/ adguard on Opnsense itself. So, introducing dnsmasq and the complications associated w/ changing network infrastructure (e.g. I have a shit time getting Active Directory to work in this setup as such) is not my preferred route at this point. But, beggars can't be choosers.

add'l point 3...subjectively, trying to do *more* with dns on opnsense vs. moving it elsewhere has led to more problems than solutions for me (e.g. host blocking via unbound DNSBL on opnsense will give you heartburn, not exploring the adguard community plugin is an exercise in sanity preservation, i could go on). i'm sure circumstances such as migrating to unbound as default, changing ddns clients, etc don't help matters much but i'm not in the business of making excuses for time wasted.

You don't recommend adguard plug-in on Opnsense? If not, what about clients-->adguard (e.g. as a vm) --> opnsense unbound --> interwebs? Opnsense blocklists are brilliant but troubleshooting why a particular website is getting blocked is worse (to me) than pulling my own tooth. I see folks recommending adguard on Opnsense to ease off this troubleshooting?

@firewall 100% agree. The only real solution to a problem like this is to isolate that damn device. If you are in the lucky situation to have WiFi infrastructure that can do multiple SSIDs mapped to VLANs, then give that vacuum its own VLAN and permit access to the whole Internet but not anything local. Case closed in my opinion.

Thank you for the suggestion. I did consider the possibility of introducing a VLAN dedicated for just one machine. For pre- 802.11ax devices (STAs), that'd imply a different BSSID for this VLAN i.e. it'll be a separate WLAN network. Which implies wastage  from an OA&M perspective (management) but more channel bandwidth wastage. Starting 802.11ax, the feature for MBSSID can be used; but most IoT devices don't support it.

folks, please allow me to apologize for the long delay in response. I had a family emergency to attend. Please allow me some time to look through the responses and revert with questions. Thank you for your continued support.

[how to enable dnsmasq with unbound just for those domains?]

Hello experts,
I have the following setup:
Internet<--DoT-->Unbound(also maintains DHCP mappings)<--(normal_DNS)-->Pihole<--(normal_DNS)-->clients
clients are configured w/ Pihole addresses. Pihole is configured with Unbound as upstream DNS. Unbound is configured with DNS over TLS for WAN resolution.

Recently, I purchased a roborock S8 vacuum cleaner. Created a firewall rule to allow VLAN_x traffic to certain FQDN (

Code Select Expand

mqtt-us.roborock.com)over 8883 port. It worked great for a day. App stopped working the next day. A quick dig revealed the issue. Destination IP addresses had changed. So, I manually updated the address in firewall rule. Great. Day#2 same issue. Same solution. Day#3 same issue. So on and so forth. A more elegant solution was required.

Code Select Expand


$ dig mqtt-us.roborock.com

; <<>> DiG 9.10.6 <<>> mqtt-us.roborock.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46538
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;mqtt-us.roborock.com. IN A

;; ANSWER SECTION:
mqtt-us.roborock.com. 583 IN CNAME mqtt-slb-1st-1913472363.us-east-1.elb.amazonaws.com.
mqtt-slb-1st-1913472363.us-east-1.elb.amazonaws.com. 60 IN A 44.209.56.31
mqtt-slb-1st-1913472363.us-east-1.elb.amazonaws.com. 60 IN A 52.7.27.196
mqtt-slb-1st-1913472363.us-east-1.elb.amazonaws.com. 60 IN A 54.235.188.250

;; Query time: 355 msec
;; SERVER: a.b.c.d#53
;; WHEN: Tue Nov 28 11:11:30 PST 2023
;; MSG SIZE  rcvd: 159


Their servers are hosted in AWS fronted via application loadbalancers. Therefore, A/AAAA addresses keep changing (not just rotating).

The answer to this problem seems to lie in https://forum.opnsense.org/index.php?topic=27650.0 thread. Meaning, use dnsmasq to resolve a wildcard / specific_domain, store result in an alias which is used in Opnsense firewall rule. Details of which points to https://github.com/opnsense/core/issues/4145. Great! I'd like to try it. But, my issue: how to enable dnsmasq with unbound just for those domains?

It took a long time to make end-to-end DNS flows in the home setup functional. How does one go about enabling dnsmasq to work together w/ unbound with minimal changes? Because unbound is running on 53, at minimum, i'll assume i can't run dnsmasq on the same port? If case be, how to configure dnsmasq and only have it respond to wildcard queries, from unbound, related to

Code Select Expand

mqtt*.roborock.com? google gods aren't showing mercy.

Help please.

In trying to configure new hardware (capable of 2x25G), I'm running into issues wrt importing configuration from old hardware. Specifically interested in link aggregation (IEEE 802.3ad, 802.1ax). Link aggregation is strictly an OSI Layer-2 concept. I have LACP appropriately configured on the switch side. But, in order to employ LAGG, opnsense seems to require enabling the LAGG interface; doing so requires it be given an IP address. So, this is a bit puzzling to me. Any particular reason for why opnsense designers and/or FreeBSD folks chose such an approach?

I have over 30 VLANs, 300+ devices, and a rather large number of firewall rules currently serving non-LAGG'ed interfaces. Trying to find the right way to design the opnsense rule system. A penny for your thoughts?

vlan3: IP range IPR1 (Main LAN)
Vlan2: IPR2 (opt2)
vlan100: IPR3 (opt3)
etc
IP Ranges are non-overlapping.
FW Rules are based on above lans; not directly on interfaces - to allow future portability.
Switch has default gw set on IP1 in IPR1.

Now to create a lag, opnsense adds the following to config.xml

Code Select Expand

<lagg>igb0, igb2, igb3 ... </lagg>

To enable LAGG, an IP address range seems mandatory.

Code Select Expand

<lan><if>lagg0</if><enable>1</enable></lagg>

I'd rather not change my existing VLAN setup else my fw rules will be wonky.

Would there be a way to directly achieve this via config.xml? Conceptually, if assign a new IP range to lagg0, will the range have to cover IP ranges of all VLANs? If so, then I won't be able to have granular per VLAN rules (which are per IP range based off vlan ids. If I select a new IP range then how will it carry traffic belonging to IP addresses not part of its range on trunk interface towards switch?