Vlan01: untagged or tagged

[Tjh3]

When I first ventured into vlans, obviously I didn't know much and was experimenting (I still am very new). I just created vlan03 for my iot stuff. It's worked fine so far. My question is, the switch and my WiFi AP expects vlan01 to be tagged as such but In opnsense, there is no vlan01. The port on the switch to opnsense just tags untagged incoming as vlan01, IE opnsense is on a hybrid access/trunk port. Two questions:

1. Should I change this. Is there any good reason to do so?
2. Regardless of the above answer, what's the best way if I wanted to anyway? The vlan01 IP addresses are already assigned to the parent interface, so I can't just put them on vlan01 and turn it on, so I'd have to connect via serial and then disable the DHCP on parent then turn on vlan01? Or assign another temp address etc.
3. Is there an easy way to copy all nat and firewall rules over from parent?

[Monviech (Cedrik)]

Create the tagged vlan first, assign it in interfaces, enable it, dont give it an IP yet.

You can export the configuration, then use notepad++ or some other txt editor to find all instances of your LAN interface name "lan" or "opt1".
 - Just make sure to replace only exact matches
- you can see that name in interfaces: assignements

Replace them all to the new opt name of your tagged vlan.

Then import the config, but choose firewall rules, and then Network Address Translation.

Then afterwards you can change the IP to the vlan interface and remove it from the lan interface, then apply.

[Maurice]

1. Yes. Using mixed tagged / untagged is not recommended because of FreeBSD limitations.
2. Create the VLAN, then switch the 'LAN' assignment from the parent to the new VLAN.
3. No need. Rules are bound to the lan / wan / optx names, not to the actual interfaces / VLANs.

Cheers
Maurice

[Tjh3]

1. Yes. Using mixed tagged / untagged is not recommended because of FreeBSD limitations.
2. Create the VLAN, then switch the 'LAN' assignment from the parent to the new VLAN.
3. No need. Rules are bound to the lan / wan / optx names, not to the actual interfaces / VLANs.

Cheers
Maurice

well i tried that, and vlan01 went completely down. THankfully i was able to restore previous config using console cable. That sounded like a good idea but there's clearly a step missing?

[Maurice]

Did you reconfigure the switch port OPNsense is connected to? It needs to tag VLAN 1.

[Tjh3]

The port to the router is configured as such: allows tagged (vlan01 and vlan03)&untagged traffic. and whatever this means:

Default VLAN ID [(Specified as vlan01)] must be specified for access ports since it will be used to tag ingress traffic and untag egress traffic for the certain port.

which should work, as it is working without the vlan01 tagging. (note: mikrotik switch)

[Maurice]

The switch has to tag all egress traffic on the port OPNsense is connected to, including VLAN 1. Untagged traffic will be ignored by OPNsense, that's why you lost connectivity. Remember, the point of this is not mixing tagged and untagged traffic on the same port.

Configuring the switch port as a trunk should allow you to do this. If not, you'll have to change the default VLAN.

[Patrick M. Hausen]

Whoever permitted untagged frames on a trunk port in the 802.1q standard deserves to be shot ...

[cookiemonster]

@Tjh3 are you sure your trunk is carrying both tagged and untagged?
I am using a mikrotik at home and I think my setup is like yours but trunk is only carrying tagged traffic.
From their documentation I am using the "Trunk and Access Ports" setup. It's a CSS326.
This is my setup and works flawlessly:
OPN: Interfaces > Other types > VLAN. Parent LAN; VLAN Tag 200
Then setup this interface with Ip address.

Then on the switch my trunk port is:
VLAN tab.
Trunk port VLAN mode is enabled, VLAN receive "any", Default VLAN ID "1", Force VLAN ID is disabled

Access ports VLAN mode is enabled, VLAN receive "any", Default VLAN ID "200", Force VLAN ID is disabled

VLANs tab.
VLAN ID = 200, Name "name I gave it", Port Isolation enabled, Learning enabled, Mirror disabled, IGMP Snooping enabled, members: trunk and access ports.

The way I read their documentation, this has my trunk port with both tagged 200 for the traffic from the access ones and tagged 1 for the traffic from all other access ports that have no tag set; but I am uncertain if this is a correct setup. Never had a problem but all the traffic is coming via this route.

[Tjh3]

so my mikrotik is setup like this:
Vlan Tab:
Trunk (to opnsense): Vlan Mode=Enable, Vlan Recv=Any, Default VLAN ID=1, Force Vlan ID=disable. Member of vlans: 1,3
Access (to computer): Vlan Mode=Enable, Vlan Recv=Any, Default VLAN ID=1, Force Vlan ID=disable [the computer should be on vlan1 as well]., member of vlans: 1 only.

I followed their guide for this, and there seems to be no other way to actually label something as a "Trunk port" just make sure it's a member of all the relevant vlans.

Right now the trunk works, it carries both tagged vlan03 traffic and untagged traffic (that is intended for Subnet01).

The problem is, i think, this line from CRS's docs:  Default VLAN ID must be specified for access ports since it will be used to tag ingress traffic and untag egress traffic for the certain port.

How does the Switch know which is an access port and which is a trunk port? Is it just untagging "all egress traffic" for PVID (i.e. vlan1) for that port? there doesn't seem to be a way to tell the switch "this is a trunk port don't untag egress traffic". or shd i just assign a random PVID so it only untags that VLAN ID and leaves the vlan ID 1 alone?

[cookiemonster]

so my mikrotik is setup like this:
Vlan Tab:
Trunk (to opnsense): Vlan Mode=Enable, Vlan Recv=Any, Default VLAN ID=1, Force Vlan ID=disable. Member of vlans: 1,3
Access (to computer): Vlan Mode=Enable, Vlan Recv=Any, Default VLAN ID=1, Force Vlan ID=disable [the computer should be on vlan1 as well]., member of vlans: 1 only.

I followed their guide for this, and there seems to be no other way to actually label something as a "Trunk port" just make sure it's a member of all the relevant vlans.

Right now the trunk works, it carries both tagged vlan03 traffic and untagged traffic (that is intended for Subnet01).

The problem is, i think, this line from CRS's docs:  Default VLAN ID must be specified for access ports since it will be used to tag ingress traffic and untag egress traffic for the certain port.

How does the Switch know which is an access port and which is a trunk port? Is it just untagging "all egress traffic" for PVID (i.e. vlan1) for that port? there doesn't seem to be a way to tell the switch "this is a trunk port don't untag egress traffic". or shd i just assign a random PVID so it only untags that VLAN ID and leaves the vlan ID 1 alone?

That's my take too, that there seems to be no other way to actually label something as a "Trunk port" just make sure it's a member of all the relevant vlans.
And Indeed your question on how the switch knows and what it does on the uplink port is to me unclear from the documentation and whether it is tagging all or untagging all. I have always wondered and meant to ask. I have posted the question on the mikrotik forum.
p.s. I did a packet capture and I see no trace of VLAN info in the Ether header, all show Type 0x800 so I am leaning on thinking all traffic is stripped of tags. We'll see.

[cookiemonster]

After a few interactions with users of Mikrotik, now I seem to have some clarity. That clarity seems to say I've been doing it wrong by using mixed tagged and untagged packets on the OPN interface. Never had a problem and I'm a bit unclear on the OPN side before I embark on correcting it.
I posted this crude diagram of my setup.

My question:
I'm physically linking the CSS via Eth2 to my router. There on this router I have a VLAN 200 setup with the parent interface "LAN".
On the CSS I have the device on the port Eth9 and based on your explanation, port accepts untagged frames. Also on a workstation on Eth5 for instance, will have frames accepted and will tag default VID.
[quote from earlier answer]
    In your particular case this would mean that ether2 will not allow any untagged frame on egress (because it's set to allow only tagged frames on ingress) and thus traffic from ether9 won't flow through ether2. However, traffic fro mether9 could egress through ether1, ether3, ether4 and ether5 because they are set to pass untagged frames and their default VLAN ID is set to 1.
[\quote from earlier answer]

My next question:
From Eth9 through Eth1, Eth3 ..." part makes sense as cross-access-ports behaviour. From here is where I get lost, apologies i.e. trunking.
How do I then setup a trunk port in CSS, that is one that will carry both traffic originating and destined for both Eth8 that is in a VLAN and say port Eth5 that is not?

Their answer:
Terminology slightly varies between vendors. Generally there are 3 types of ports (when it comes to VLANs) and in MT dialect they are called:

    access port
    Port which only accepts untagged frames on ingress and only transmits untagged frames on egress. It has set "default VLAN ID" or PVID which defines which VLAN this port belongs to.
    trunk port
    Port which only allows tagged frames on ingress and egress. It can be member of one or more VLAN, membership is configured in some sort of list or table (e.g. "members" portion of first screenshot in your post #5 above).
    hybrid port
    (some vendors call it "trunk with native VLAN")
    Port which accepts bot tagged and untagged frames on ingress, also transmirs both tagged and untagged frames on egress. It has "default VLAN ID" or PVID set. It is also member of one or more VLANs.


So if your main router is configured to work with untagged frames (parent device) and with tagged frames (vlan interface gor VLAN 200, configured off parent interface), this would mean it works as hybrid interface and ether2 on CSS needs to be configured as hybrid as well.

Note: when frame leaves switch untagged, it looses all information about which VLAN it belonged before egressing switch. You can thus use different ID for marking untagged frames on connected switches (in other words: you don't have to care about how main router works with untagged frames internally when configuring CSS).
So to avoid ambiguity about VID 1 (which is often treated in a special way in their configuration by many vendors), you could use different VLAN ID for your main LAN. You would then set default VLAN ID to that value (e.g. 666) on all access ports intended to link LAN devices and on ether2 (untagged part of hybrid port towards main router). You would also explicitly set all access and hybrid ports as members of that VLAN. For the VoIP VLAN (VLAN 200) access ports you'd set default VLAN ID to 200 and set all those ports as members of said VLAN. You'd also set ether2 as member of VLAN 200 but since its default VLAN ID is different, this then makes switch to use ether2 as tagged port for that VLAN.

So I have been sending both tagged and untagged up my "trunk" port. It's unfortunate the documentation does not make this clearer and instead shows the trunk as all tagged.

So it seems I need to tag a forced default VID on all other (non VLAN) traffic and set it up as hybrid.
I'll have to make time to set and test.
Hope it helps Tjh3.

[bimbar]

Trunk ports generally have a so called native VLAN, which is an untagged vlan on this port. In default configurations, that usually is vlan 1, so that's an additional reason not ever to use vlan 1. Or you might set the native vlan to something else than 1, if you really do want to use vlan 1.
Additionally, mikrotik switches, while being cheap, sometimes only run routeros, which is a pita to configure switches in. Personally I switched all of my MT switches to SwOS, which can be configures fairly well.

[cookiemonster]

thanks for the input bimbar. Indeed this is a MT switch CSS326 that can only run SwOS.
Trouble here is that although their documentation seem to show this setup as sending all traffic tagged when there are a mixture of tagged access ports and untagged ones, the trunk might actually be sending a mixture. As you state and from their forum, unless I misunderstand it (quite possible), there's a need to use a default tag.
That said, I'm scratching my head. I reviewed the current -suppossedly incorrect- setup, and I still can't see any tags on a packet capture at OPN, including both parent and child interfaces.
How do you configure your trunk to OPN from MT please?

[cookiemonster]

Now with some settings changed as per suggestions on the switch I can see tags. Both tagged and untagged traffic.
Before there were no tags at all I could see. That was the way it was until now.

This has been so far a bit frustrating. I can't seem to find a way to get all traffic from the switch to be tagged, only the mixture, despite the explanations from MT users.
I'm debating whether to leave it mixed (discouraged) or as before, no tags.