Messages - GWarrior5595

#1
Quote from: Patrick M. Hausen on January 06, 2025, 06:24:44 PM
No, you set it to the same parent you are using for the other VLANs, then switch the assignment of LAN from e.g. igc0 to e.g. vlan01. You will lose connectivity in that moment. Then reconfigure the switch and connectivity should return.

So after locking myself out of my OPN device trying to mess around with VLAN settings to get this to work and needing to factory reset OPN... I just want to confirm that this is what I need?



And then on the switch, I just need to make ether1 (which is what is connected to OPN) set to admit-only-vlan-tagged?

I didn't think RouterOS would be this difficult to work with. Seems like other managed switches are a lot easier to set up
#2
Quote from: Patrick M. Hausen on January 06, 2025, 06:24:44 PM
No, you set it to the same parent you are using for the other VLANs, then switch the assignment of LAN from e.g. igc0 to e.g. vlan01. You will lose connectivity in that moment. Then reconfigure the switch and connectivity should return.

Ahh dang, I just tried doing that and now I can't connect back, even after reconfiguring the switch to send vlan tagged only to ether1 or to admit all

Need to get access back to OPN and try again
#3
Quote from: Patrick M. Hausen on January 06, 2025, 05:58:32 PM
You need to create a tagged VLAN for LAN and assign it in OPNsense before you change the switch side to tagged only.

Hmm, other guides I've seen online haven't talked about that before. Do I just set the parent of that VLAN (id 1) to WAN then? Like in this screenshot?


#4
Quote from: cookiemonster on January 06, 2025, 05:31:54 PM
The only soft requirement is to remember that for FreeBSD which OPN is based on, mixing tagged and untagged traffic in the same interface is strongly recommended to avoid. Soft because the weird behaviours might not get exposed depending on the setup.
I'd like to swap them :) my switch for yours :) --joking--. I wanted to play with L3 stuff where my setup is limited.
Just see if you can find a way to have one port as trunk with all traffic tagged to OPN and the access ports on the switch as untagged. That is what the switchOS gives and how it will work with OPN without weirdness.

I appreciate the help! Thank you!

I thought this newer MikroTik would be fun to play with and a way of making sure I don't need to buy another managed switch in the future, but seems hard :) .

I am attempting to do what you're describing and every time I try to set the trunk port to admit only VLAN tagged, I lose all connections to OPN. Going to keep trying to play around with it and will report here what config ends up working. Here is what I have right now:

```
/interface bridge
add admin-mac=xxxxx auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface list
add name=BASE
/port
set 0 name=serial0
/interface bridge port
# adding frame-types=admit-only-vlan-tagged cuts connection to OPN
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether2
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether3
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether4 pvid=20
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether5
/interface bridge vlan
add bridge=bridge comment=UNTRUSTED tagged=ether1,ether2,bridge vlan-ids=20
add bridge=bridge comment=GUEST tagged=ether1,ether2,bridge vlan-ids=10
/ip dhcp-client
add interface=bridge
/ip route
# my OPN IP
add distance=1 gateway=192.168.2.1
/system clock
set time-zone-name=America/Chicago
/system note
set show-at-login=no
```
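
An added example, not part of the original post and not MikroTik or OPNsense tooling: a small Python check that parses the bridge sections of a RouterOS /export like the one above and flags ports whose frame-types setting conflicts with their tagged VLAN membership, which is where segmentation between networks such as GUEST and UNTRUSTED tends to break. The function names are this example's own; it relies on RouterOS defaulting omitted keys to frame-types=admit-all and pvid=1, and it handles only unquoted key=value pairs and plain VLAN ids.

```python
import re

# Bridge sections of the export posted above (other sections and ports dropped).
EXPORT = r"""
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether2
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether4 pvid=20
/interface bridge vlan
add bridge=bridge comment=UNTRUSTED tagged=ether1,ether2,bridge vlan-ids=20
add bridge=bridge comment=GUEST tagged=ether1,ether2,bridge vlan-ids=10
"""

UNTAGGED_ONLY = "admit-only-untagged-and-priority-tagged"

def parse_export(text):
    """Return ({port: {frame_types, pvid}}, {vlan_id: set of tagged members})."""
    text = re.sub(r"\\\s*\n\s*", "", text)  # join '\' line continuations
    ports, vlans, section = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            kv = dict(re.findall(r"([\w-]+)=(\S+)", line))
            if section == "/interface bridge port":
                ports[kv["interface"]] = {"frame_types": kv.get("frame-types", "admit-all"),
                                          "pvid": int(kv.get("pvid", 1))}
            elif section == "/interface bridge vlan":
                members = set(filter(None, kv.get("tagged", "").split(",")))
                for vid in kv["vlan-ids"].split(","):
                    vlans[int(vid)] = members
    return ports, vlans

def audit(ports, vlans):
    """Flag bridge ports whose ingress frame-types contradict their VLAN table role."""
    findings = []
    for name, p in sorted(ports.items()):
        tagged_in = sorted(v for v, members in vlans.items() if name in members)
        if not tagged_in:
            continue  # pure access port: nothing to cross-check
        if p["frame_types"] == UNTAGGED_ONLY:
            findings.append((name, f"tagged member of VLANs {tagged_in} but drops tagged ingress"))
        elif p["frame_types"] == "admit-all":
            findings.append((name, f"trunk for VLANs {tagged_in} also admits untagged into VLAN {p['pvid']}"))
    return findings

if __name__ == "__main__":
    print(*audit(*parse_export(EXPORT)), sep="\n")
```

On this export it reports ether1 (a trunk that still mixes untagged and tagged traffic) and ether2 (listed as tagged for VLANs 10 and 20 while set to accept only untagged frames); ether4 is a consistent access port and is not flagged.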
#5
So I just plugged the AP into the feed that normally feeds MikroTik and all my SSIDs are working now. Seems the issue is on MikroTik switch specifically. Guessing it may have to do with that vlan untagged stuff then... Been stuck on this for a few days now. Going to try and mess around with it more. If anyone has any more suggestions, I'd greatly appreciate that

My MikroTik is a CRS304-4XG and it's on RouterOS 7.16.2
#6
So I tried following the MikroTik guide doing the Router on a Stick configuration: https://forum.mikrotik.com/viewtopic.php?t=143620#p706997

but I run into the same issues plus once I set the port that's connected to OPNSense to `admit-only-vlan-tagged`, I completely lose connection to the internet. Even on the physical ports and on the wifi for the default that currently works... I tried asking for help on the MikroTik forum but they have not been as helpful as here
#7
I wish I could use SwitchOS, I spent a lot of time trying to get the Router OS settings working but I have a CRS304-4XG which doesn't support SwitchOS yet... I am going to try and play around with the MikroTik settings some more, which is really frustrating as it is being a newbie to this whole world
#8
Hello,

I have been setting up my new OPNSense setup and I have been running into issues with my Access Point not being able to pass in the DHCP server down to the SSIDs. I have been following multiple guides and the VLAN set up seems standard within OPNSense so I don't think I am missing any settings there... I am able to get the expected IP addresses on my MikroTik switch but when I connect my Unifi Access Point, I am not able to get an ip address for any of my other SSIDs other than the one assigned to the default (1).

I have the check box ticked for "Enable DHCP server on the UNTRUSTED/GUEST interface" and separate IP ranges for each network... I can verify these settings work through the physical ports on my MikroTik

Here's my setup:

ATT Gateway (IP Passthrough) -> MikroTik managed switch -> Unifi Access Point


Should be simple, right? But the access point has been frustrating me. I even bought a new one and I am still running into this issue...


Here's my MikroTik /export:

```
/interface bridge
add admin-mac=xxxxxxxxx auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether4 pvid=20
add bridge=bridge comment=defconf interface=ether5
/interface bridge vlan
add bridge=bridge comment=UNTRUSTED tagged=ether1,ether2,bridge vlan-ids=20
add bridge=bridge comment=GUEST tagged=ether1,ether2,bridge vlan-ids=10
/ip dhcp-client
add interface=bridge
/ip route
# OPNSense IP
add distance=1 gateway=192.168.2.1
/system clock
set time-zone-name=America/Chicago
/system note
set show-at-login=no
```

I have attached screenshots of my Access Point settings for VLAN as well.

Is there anything else that needs to be set on the MikroTik or on OPNSense itself? I am able to attach to the correct VLANs physically on my MikroTik... Just not through the Access Point...
#9
I appreciate the help! That was the issue. Thank you!
#10
hmm okay, I am able to connect with the physically connected PC now. All I did was unplug the ATT Gateway and then I was able to get the IP, did not move the connection from the computer. So when would I be able to connect the uplink then to avoid the issue after?
#11
Hello,

I am currently setting up OPNsense for the first time and I am having issues connecting to it through a physical ethernet connection. I currently have OPNSense installed on an Intel N100. My internet is provided through an ATT Gateway which has WIFI disabled and ip passthrough to the mac address of the OPNSense device

I have my ATT Gateway connected to the WAN interface and my computer connected to the LAN interface. The lights on the gateway and OPNsense port are both on. The lights on the computer port and OPNSense port are both on as well. But I am not able to connect to 198.168.1.1 or to the hostname. When I try to run ipconfig on my Windows computer with no other connections to it, I get no connections on anything. When I try to run a similar command on my Macbook, I get no connections either.

I enabled wifi on my gateway so I could check to see if my device is being detected and I notice this in the device list:

MAC Address   XXXXXXXXXXX
IPv4 Address / Name   192.168.1.1 / OPNsense
Last Activity   Fri Jan 3 15:36:27 2025
Status   on
Allocation   static
Connection Type    Ethernet LAN-1
Connection Speed    2500Mbps fullduplex
Mesh Client   No

I am able to connect to the OPNSense device when connected to the wifi of the ATT gateway by going to 198.168.1.1 but not on the computer connected through a physical ethernet connection. I verified that the ethernet connection works fine by directly connecting to the gateway and I am able to get an ip address + internet. I am also not able to connect through ethernet on the device where wifi worked when I only allow connections from ethernet

When I enable ssh on OPNSense through the wifi connected device, I can ssh and see these configs:

*** OPNsense.localdomain: OPNsense 24.7.11_2 (amd64) ***

 LAN (igc0)      -> v4: 192.168.1.1/24
 WAN (igc1)      ->

 HTTPS: sha256 xxxxxx
               xxxxxx
 SSH:   SHA256 xxxxxx(ECDSA)
 SSH:   SHA256 xxxxxx (ED25519)
 SSH:   SHA256 xxxxxx (RSA)

  0) Logout                              7) Ping host
  1) Assign interfaces                   8) Shell
  2) Set interface IP address            9) pfTop
  3) Reset the root password            10) Firewall log
  4) Reset to factory defaults          11) Reload all services
  5) Power off system                   12) Update from console
  6) Reboot system                      13) Restore a backup


So when I try to switch the ethernet connection from my gateway to the second port to try and fit to the WAN, I still cannot connect to the OPNSense device from the hard wired device AND I cannot connect to the device from my wifi (at the domain or 192.168.1.1 or the IP address listed under the ATT Gateway for the device). All the expected lights are on, the two ports on the OPNSense device, port on the ATT Gateway and port on the physically connected PC. I even updated the IP Passthrough from ATT Gateway to point to the OPNSense device but still have issues connecting.

Here is what I see in my ATT Gateway under devices:

MAC Address   xxxxxxx
IPv4 Address / Name   192.168.1.67 / OPNsense
Last Activity   Fri Jan 3 15:44:57 2025
Status   on
Allocation   dhcp
Connection Type    Ethernet LAN-1
Connection Speed    2500Mbps fullduplex
Mesh Client   No
IPv6 Address   xxxxxxxxx
Type   slaac
Valid Lifetime   3600s
Preferred Lifetime   3600s
IPv6 Address   fe80::62be:b4ff:fe1c:66f1
Type   slaac
Valid Lifetime   forever
Preferred Lifetime   forever

I still run into the same issue even when I reset OPNSense to factory defaults.