Messages - jata

#1
OMG - I'm an idiot. All I had to do was reassign the interface(s) to the vlan device(s) and have the ports set correctly on my switch.

So easy and all done. I totally overcomplicated it for myself.

Thanks for the assistance
#2
Hi all - I am making progress and learning a bit about configuring the ports on my unifi switch and working with multiple trunk ports (igc1 and igc2) between opnsense and the unifi switch and wifi AP.

Both igc1 and igc2 are connected to my switch and I have set up the ports/wifi/vlans as follows:

1. igc1 = port 5 on switch - only used for LAN with VLANs blocked, Native VLAN=default(1)
2. igc2 = port 6 on switch - only used for VLANs, Native VLAN=none with 2 VLANs tagged
3. set up my wifi AP so that LAN is on SSID-1
4. set up my wifi AP so that VLANs are on SSID-2

See pic of my interface assignments below...

I have tested all of this and it is working. So I think now I am no longer mixing tagged and untagged on the same port! So this is progress.

However, I'd like to transition LAN (igc1 untagged) to a VLAN (igc2 tagged) - so everything is running tagged through 1 port. I'm still confused how to do this safely and without losing access and keeping the same IP address range etc.

Given where I have got to, can anyone help me with this last bit?
#3
Thanks everyone for the info and tips. I do have a few wifi APs (combo of Unifi and asus) and not sure if the asus APs will be able to handle the main network on VLAN=1 but that is another question.

I see now a way forward in the opnsense GUI plus some config of my unifi switch and APs.

I'm going to use one of my spare ports on opnsense and get all the vlans working with this. I think I will create a LAGG to do this. Once all my VLANs are working I will disable the LAN interface and then change the IP / dhcp subnet on VLAN1.

#4
Thanks. Sounds a bit tricky but worth another try.

I did do something similar in my testing using a spare port and created a LAGG but I lost the network and had to plug a monitor into the router and restore a backup from the console.

I'll see if anyone else has any thoughts on this. It's quite tricky to do this while keeping the LAN working. I think the trick could be to get it working on a new vlan, then switch over once I have the vlan working correctly.

#5
A little more info that might explain why everything is working...

I have a unifi managed switch that is connected to opnsense. This is configured with a native vlan/network that is tagging lan traffic with vlanid=1.

So does this mean that, as far as opnsense is aware, everything is tagged correctly?

#6
Hi all,

I recently read this opnsense guide https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html

And have realised that my setup is not 100% aligned/correct, as I am mixing untagged (lan) and tagged (vlan) traffic.

My setup is simple for a home network. I am really happy with opnsense and how everything is working. Current setup on a dedicated 4 port minipc:

wan - port0 (dhcp)
lan - port1 (static with dhcp via ISC)
vlan2 - lan as parent (static with dhcp via ISC)
vlan3 - lan as parent (static with dhcp via ISC)
I do not have a lagg and am not sure I need one - I see it is optional in the guide linked above.

So what I was hoping to do is the following but transitioning is tricky as I think I will lose connectivity as soon as I disable the lan interface.
1. create a new vlan for my main network (to replace the lan) but I know that I can't give this vlan the same ip as lan yet!
2. remove lan interface so that port1 is unassigned
3. link vlan1 to port1 and set ip and dhcp config to the same as lan (now removed)
4. link vlan2 and vlan3 to unassigned port1

This can't be done using the gui but maybe using the console?

Any assistance appreciated!

Given that everything seems to be fine currently and I rarely use my vlans - is it worth doing this at all?
#7
Will do. Sorry for hijacking and thanks for your answers :-)

#8
Sorry to jump on this thread. I can't really help the OP with their issue but I have a similar setup and do not seem to have an issue - but I would like to optimise my setup.

I'm quite new to opnsense and vlans generally but was hoping to understand a bit more about the issue mixing untagged and tagged traffic.

I have a lan interface - set up with ip and dhcp for my main network (untagged / not a vlan). In addition, I have 2 tagged vlans. See pic below.

According to the docs/best practice - do I understand correctly that mixing untagged lan with tagged vlans is potentially an issue? And is the solution to move my lan network to a vlan with the parent interface without a network/ip etc?
#9
I use the following online resource for icons for my home server 'home page' but it still has the old opnsense branding.

https://github.com/homarr-labs/dashboard-icons

Is it easy for me to get the new icons so they can update the project?

#10
This is your interface for the VLAN, so you generally need to give it a static IP on a different subnet to LAN.

Have a look at your LAN interface setup and do something similar but use a different subnet. e.g.

LAN Interface: 192.168.1.1/24
VLAN1 Interface: 192.168.2.1/24

Then you use services such as ISC DHCP to set up dhcp on this interface...
#11
Hi all

This was all working but not any longer, and I haven't made any changes to my config. I am using duckdns, Let's Encrypt and the DNS-01 challenge.

I can successfully renew the cert if I remove the alt name (so mydomain.duckdns.org renews fine).

If I add back the alt name (opnsense.mydomain.duckdns.org) then the renewal fails.

Has something changed with letsencrypt and support for alt names?

Any assistance or advice appreciated.

#12
Thanks for this info. I will give it a try and report back...

My understanding of what this can/should enable is a bit more flexibility around internal IP redirection so I can point *.rpi.mydns.duckdns.org to 192.168.1.3 and *.mpc.mydns.duckdns.org to 192.168.1.5 (for example)
I have adguard in my config so I think the setup for me is adguard (port 53) --> unbound (port 5335) --> BIND (port 8053)
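As an added illustration of the BIND half of that chain (this is not the poster's or paul_'s configuration): an internal zone for mydns.duckdns.org that answers the two wildcard names from the post with the LAN addresses given there. The SOA/NS names, TTLs and the 192.168.1.1 address for the BIND host are assumptions.

```zone
; Added example: internal (split-horizon) view of mydns.duckdns.org for BIND.
; Only LAN clients reach this zone via Unbound; the public duckdns record
; stays untouched. SOA/NS names and TTLs below are assumed values.
$ORIGIN mydns.duckdns.org.
$TTL 300
@       IN  SOA  ns1.mydns.duckdns.org. hostmaster.mydns.duckdns.org. (
                 2024010101 ; serial, increase on every edit
                 3600       ; refresh
                 900        ; retry
                 604800     ; expire
                 300 )      ; negative-cache TTL
        IN  NS   ns1.mydns.duckdns.org.
ns1     IN  A    192.168.1.1   ; assumed: the box running BIND on port 8053

; A wildcard only matches names *below* the label it sits on, so the bare
; "rpi" and "mpc" names need their own records or they would return NXDOMAIN.
rpi     IN  A    192.168.1.3
*.rpi   IN  A    192.168.1.3
mpc     IN  A    192.168.1.5
*.mpc   IN  A    192.168.1.5

; Caveat: because BIND is authoritative for the whole zone on the LAN, any
; other public name under mydns.duckdns.org that LAN clients still need
; (for instance the host name on the Let's Encrypt certificate) must be
; listed here too; otherwise internal lookups get NXDOMAIN instead of the
; duckdns answer.
```

For Unbound on port 5335 to hand this zone to BIND, it needs a `forward-zone:` with `name: "mydns.duckdns.org."` and `forward-addr: 127.0.0.1@8053`, plus `do-not-query-localhost: no` in its `server:` section, since Unbound refuses to forward to localhost by default.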

#13
Can you explain a little more about exactly how/what you did using BIND please @paul_?

I am not sure where to start...

#14
This is an interesting thread and I am trying to do something similar. Keen to see what is possible and how...

I currently have a reverse proxy running on 2 servers (that host end-user services) on my LAN (homelab) and use duckdns with wildcard for two domains to make it all work.

I'd like to be able to get it all to work using just one reverse proxy but I haven't found a way (yet).

#15
Right. Thanks for the clarification. Will delete my useless FW rules now. haha

I have now switched my docker hosts to use TLS authentication so I have some protection/security in place now.