Moving from Draytek to OPNsense, trying to understand VLAN with DHCP

Started by waldorf, July 23, 2024, 05:33:24 PM

Since it is not possible with Draytek routers to have mDNS forwarding, which is required for Chromecast, I decided to give OPNsense a try.

With a Draytek background, at least one aspect is not clear to me. With Draytek you configure a "Network" with a DHCP server and assign a VLAN tag to it. You can assign this VLAN to a physical port as "untagged" as well. 
e.g. tagged to Port2 and untagged to Port3. The DHCP server serves both. 

I tried to accomplish the same with OPNsense.
I defined VLAN 4, assigned it to a logical interface with static IP 192.168.4.1/24 and enabled a DHCP server on this VLAN.

Now I want this VLAN to also be on a physical interface. I read somewhere to use a "bridge", so I created a bridge with both the logical interface from this VLAN and the physical port (I did not specify an IP address here, since the IP address/gateway is already on the logical I/F). I do not get any addresses via DHCP on the physical port.

Is this the correct way to accomplish this, or are there other options?



Almost there. OPNsense is not a switch, so there is no concept of untagged ports being part of a certain VLAN. We can emulate that with a bridge as you correctly found out.

So

- create tagged VLAN interface but don't put an IP address on it
- enable and assign the port that should be untagged in that VLAN and also don't assign an IP address
- create bridge interface, put untagged port and VLAN in it as members
- place assignment, IP address configuration, DHCP ... on the bridge interface, not any of the members

The last step is mandatory.

And at the very last set the two tunables as described in the documentation so your firewall operates on the bridge interface and not the members:

https://docs.opnsense.org/manual/how-tos/lan_bridge.html#step-six
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
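The four steps above, written out as the equivalent FreeBSD ifconfig/sysctl sequence that OPNsense performs behind the GUI (added example, not code from the thread or from OPNsense). Interface names igb0 (tagged trunk) and igb1 (untagged port), VLAN 4 and 192.168.4.1/24 are assumptions; with DRY_RUN=1 (the default) it only prints the plan, and a check confirms that no member interface gets an address.

```shell
#!/bin/sh
# Added example: FreeBSD equivalent of the OPNsense GUI steps (assumed names).
# DRY_RUN=1 prints the commands instead of running them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# build_vlan_bridge TRUNK_IF VLAN_ID UNTAGGED_IF CIDR
build_vlan_bridge() {
    trunk="$1"
    vid="$2"
    port="$3"
    cidr="$4"
    vif="vlan${vid}"
    # 1. tagged VLAN sub-interface on the trunk, no address on it
    run ifconfig "$vif" create vlan "$vid" vlandev "$trunk"
    run ifconfig "$vif" up
    # 2. untagged port enabled, also without an address
    run ifconfig "$port" up
    # 3. bridge with the VLAN and the untagged port as members
    run ifconfig bridge0 create
    run ifconfig bridge0 addm "$vif" addm "$port" up
    # 4. address (and, in the GUI, the DHCP server) on the bridge only
    run ifconfig bridge0 inet "$cidr"
    # tunables from the linked how-to: filter on the bridge, not the members
    run sysctl net.link.bridge.pfil_member=0
    run sysctl net.link.bridge.pfil_bridge=1
}

# members_have_no_address PLAN: succeeds only if no line other than a
# bridge0 line assigns an inet address (the mandatory last step).
members_have_no_address() {
    ! printf '%s\n' "$1" | grep -v '^ifconfig bridge0 ' | grep -q ' inet '
}
```

Run with DRY_RUN=0 as root on the firewall to apply the plan; the OPNsense GUI persists the same settings across reboots, a plain script does not.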

Thanks for your quick response. I did quite some reading and searching, but nothing pointed me
into this direction. I just tried it and it works like a charm  :)

The "switch emulation" is only for occasional testing purpose. The tagged VLAN goes to the actual switch/devices. 

FreeBSD handbook on VLANs, bridging, and a general understanding that VLANs in FreeBSD are just tagged sub-interfaces. Same for Linux, btw.  VLAN 4 on igb0 and VLAN 4 on igb1 are not connected by a switching fabric, because there isn't any.

Your Draytek probably has some switching silicon.