VLAN not working on LAN but works on any other physical interface

[Daves_nt_here]

Hey everyone, been pulling my hair out most of the day now. This is driving me nuts!

I have a 4 port Protectli Vault. igc0=WAN, igc1=LAN and the other 2 (igc3 & igc4) are assigned interfaces.

I can not get a vlan to work on the LAN port but will work on either of the other 2 interfaces.
The VLAN interface will not give out an IP address from DHCP but I can ping it from the LAN IP.
If I setup vlans on either of the other 2 interfaces, they give out IP's, ping and have full access to internal and external networks with proper rules applied.

Testing with a WiFi AP that supports vlan and with my Proxmox server.

[doktornotor]

Your LAN DHCP will not give out IPs for any of your VLANs indeed. Unfortunately no relevant info here.

[Daves_nt_here]

I have DHCP configured for the vlan.

[doktornotor]

Maybe post relevant screenshots then.

[dseven]

By "I can ping it from the LAN IP", do you mean you can ping 192.168.100.1 from some host on your LAN? or...?

I don't see anything obviously wrong from your screenshots. Is there a switch between OPNsense and the DHCP clients / WiFi AP? Could you temporarily connect the AP directly to igc1 and see if it works?

You could also try `tcpdump -nnei igc1 vlan` to see if there's any tagged traffic arriving there (while attempting DHCP)

[Patrick M. Hausen]

Are you trying to use the LAN interface untagged and put a tagged VLAN on that port at the same time? Don't. Do not mix tagged and untagged interfaces on a single port in FreeBSD. Unsuspected and hard to debug failure modes are prone to happen.

[dseven]

Are you trying to use the LAN interface untagged and put a tagged VLAN on that port at the same time? Don't. Do not mix tagged and untagged interfaces on a single port in FreeBSD. Unsuspected and hard to debug failure modes are prone to happen.

Examples? Unresolved bug references? I'm doing this. It works well, and is a useful configuration for a home setting.

[Patrick M. Hausen]

DHCP on the parent interface might interfere with the child VLANs. Bridging is impossible. Stuff like that. It's a general recommendation for FreeBSD to run either untagged or only tagged VLANs.

[dseven]

How would DHCP interfere? I don't need bridging.

Need specifics here - otherwise it sounds like FUD. Is this general recommendation officially documented somewhere?

[Patrick M. Hausen]

Clients on VLANs being served by the DHCP server on the parent interface has been observed. I do not know if this has been fixed, since.

Having managed data centers for almost 30 years I have developed the habit of never using the "native VLAN" on a trunk port. Always set it to something unused throughout the layer 2 domain like 999 or something.

Trunk ports are trunk ports and access ports are access ports. Statically set by an administrator. Never allow the configuration of a switch port to be changed by whatever is plugged in. Same for LACP. Always static.

[dseven]

I haven't had any issues with DHCP between my tagged and untagged networks.

I wouldn't do it in a corporate setting, but there's nothing wrong with it as far as 802.1Q goes, and it's very useful in a typical home scenario, where most people want to implement Guest and IoT WiFi networks, along with a few "wired" devices (like desktop PCs) on a LAN without needing managed switches.

[Patrick M. Hausen]

See for example: https://forum.opnsense.org/index.php?topic=42452.msg209934#msg209934