23.1 Legacy Series / No connection to OPNSense over tagged VLAN interface
« on: April 03, 2023, 08:00:19 am »
A bit of a strange issue here that I fail to understand.
Client is a MacBook which I mainly use for all kinds of admin stuff.
Client is connected via a switch port that has untagged/native VLAN 10 and tagged VLAN 99 configured.
OPNsense admin web-gui and SSH are configured to listen on all interfaces and of course OPNsense has interfaces configured in VLAN 10 and in VLAN 99. Firewall rules allow the relevant connections.
Client can reach OPNsense on VLAN 10: no problem, web-gui and SSH access working fine.
Client fails to reach OPNsense on VLAN 99: no access to web-gui and SSH.
Client can however reach other devices on VLAN 99 perfectly fine, just not OPNsense, so generally VLAN 99 connectivity seems to be working.
Now I switch the client to a native/untagged VLAN 99 switch port for verification and the connection immediately works fine.
Client can reach OPNsense on VLAN 99: web-gui and SSH access working fine.
In the first scenario with VLAN 10 untagged and VLAN 99 tagged, a packet capture on the OPNsense side sees a lot of TCP retransmissions. It looks like there is some kind of connectivity between the devices (TLS handshake), but something seems to fail.
I have attached an image of the packet capture and the pcap file from the session, if that helps.
The VLAN 99 interface on the client side is a virtual interface on the adapter that also holds the VLAN 10 connection - so both will share the same MAC address. Would that be an issue? I'd think switches can tell that apart and shouldn't have an issue with same MAC addresses in different VLANs and as connections to other devices on VLAN 99 work fine, I'd not think that would be an issue here?
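One way to check the two things this post is asking about from a capture is to look at the raw frames: whether the client's MAC really shows up with an 802.1Q tag of VID 99 on the trunk port, and whether the same TCP segment (same 4-tuple and sequence number) is repeated, which is what the retransmissions in the capture are. The following is an added example, not code from the original post or from OPNsense; it parses Ethernet/802.1Q/IPv4/TCP headers with the standard library only and runs over constructed sample frames (the MAC and IP addresses, ports and sequence numbers are made up), so it can be run offline. To use it on a real capture you would feed it the frame bytes read from a pcap file.

```python
import struct
from collections import Counter, defaultdict

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag follows the source MAC
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def build_tcp_frame(src_mac, dst_mac, vid, src_ip, dst_ip, sport, dport, seq, flags=0x18):
    """Build a constructed Ethernet/[802.1Q]/IPv4/TCP frame carrying a 4-byte payload.
    vid=None produces an untagged frame. Checksums are left at zero because these
    are sample frames for the parser, not traffic to put on a wire."""
    payload = b"data"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac)
    if vid is None:
        eth += struct.pack("!H", ETHERTYPE_IPV4)
    else:
        # TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits); priority bits left at zero here
        eth += struct.pack("!HHH", ETHERTYPE_VLAN, vid & 0x0FFF, ETHERTYPE_IPV4)
    return eth + ip + tcp


def parse_frame(frame):
    """Return the MACs, the 802.1Q VID (None if untagged) and, for IPv4/TCP, the
    addresses, ports and sequence number of a raw Ethernet frame."""
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vid = 14, None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF
        offset = 18
    info = {"src_mac": src.hex(":"), "dst_mac": dst.hex(":"), "vid": vid, "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return info
    ip = frame[offset:]
    ihl = (ip[0] & 0x0F) * 4          # header length in bytes, options included
    if ip[9] != IPPROTO_TCP:
        return info
    info["src_ip"] = ".".join(map(str, ip[12:16]))
    info["dst_ip"] = ".".join(map(str, ip[16:20]))
    sport, dport, seq = struct.unpack("!HHI", ip[ihl:ihl + 8])
    info.update(sport=sport, dport=dport, seq=seq)
    return info


def analyse(frames):
    """Map each source MAC to the VLAN ids it was seen on and count repeated TCP
    segments (same 4-tuple and sequence number) per VLAN."""
    vlans_per_mac = defaultdict(set)
    seen = Counter()
    retransmissions = Counter()
    for raw in frames:
        f = parse_frame(raw)
        vlans_per_mac[f["src_mac"]].add(f["vid"])
        if "seq" not in f:
            continue
        key = (f["src_ip"], f["sport"], f["dst_ip"], f["dport"], f["seq"])
        if seen[key]:                  # already seen once: this copy is a retransmission
            retransmissions[f["vid"]] += 1
        seen[key] += 1
    return {"vlans_per_mac": dict(vlans_per_mac), "retransmissions": dict(retransmissions)}


# Constructed sample: one client MAC carrying VLAN 10 untagged and VLAN 99 tagged
CLIENT_MAC = "aa:bb:cc:00:00:01"
FIREWALL_MAC = "aa:bb:cc:00:00:fe"
SAMPLE_FRAMES = [
    # untagged (VLAN 10 on the port): two distinct segments, no repeats
    build_tcp_frame(CLIENT_MAC, FIREWALL_MAC, None, "10.0.10.50", "10.0.10.1", 50000, 443, 1000),
    build_tcp_frame(CLIENT_MAC, FIREWALL_MAC, None, "10.0.10.50", "10.0.10.1", 50000, 443, 1004),
    # tagged VLAN 99: the same segment three times, i.e. two retransmissions
    build_tcp_frame(CLIENT_MAC, FIREWALL_MAC, 99, "10.0.99.50", "10.0.99.1", 50001, 443, 2000),
    build_tcp_frame(CLIENT_MAC, FIREWALL_MAC, 99, "10.0.99.50", "10.0.99.1", 50001, 443, 2000),
    build_tcp_frame(CLIENT_MAC, FIREWALL_MAC, 99, "10.0.99.50", "10.0.99.1", 50001, 443, 2000),
]

if __name__ == "__main__":
    result = analyse(SAMPLE_FRAMES)
    for mac, vids in result["vlans_per_mac"].items():
        print(mac, "seen on VLANs", sorted(vids, key=lambda v: -1 if v is None else v))
    print("retransmissions per VLAN:", result["retransmissions"])
```

On the sample the client MAC is reported on both the untagged VLAN and VID 99, which is exactly what a VLAN sub-interface on one adapter looks like and is not a fault in itself; the repeated sequence numbers are confined to the tagged VLAN. Run against the real capture, a VID of None on frames that should carry tag 99 would point at the tag being stripped somewhere on the path, while correctly tagged frames with repeats on only one side would narrow the problem to what happens after the frame arrives.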