Simple VLAN doesn't work.

[sparticle]

I really need some help with this.

I have now a very simple setup.

The main OPNSense config is as it was with the addition of a single VLAN config. I restored the config from a previous point before I started messing with VLANS to ensure I was back at my base config for the network. I followed this guide https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-vlan-on-opnsense and setup the VLAN exactly as the LAN is configured but with a new subnet with the LAN interface as the parent. The new VLAN 50 interface OFFICE has DHCP services configured exactly the same as the LAN interface in the new subnet. e.g. 10.0.50.0/24 with an interface address of 10.0.50.254. I have cloned the firewall any rule from the LAN to the OFFICE net. Everything appears to be setup correctly. As I have an any rule on the LAN I can ping the OFFICE interface from outside the OPNSense server from my PC on the main switch.

On the HP Switch that OPNSense is connected to I have configured VLAN50 and the ACCESS and TRUNK ports to connect to OPNSense and the other switches. See attached image of the setup. This is a very simple setup to get one VLAN working. It doesn't work and I cannot get DHCP from OPNSense or even if I config a static IP in the OFFICE subnet I cannot ping the OPNSense OFFICE interface.

I am completely at a loss as to why this is not working. The VLAN config on the switch looks right. The OPNSense VLAN config looks right I have FW rules and DHCP and DNS services on the OFFICE VLAN.

In words the switch is configured as follows. See image for detail.

Port 1 TRUNK Untagged 1 Tagged 50 PVID 1 (LINK TO OPNSENSE)
Ports 11 and 12 ACCESS Untagged 50 PVID 50 (LAPTOP TEST PORTS)
Port 17 TRUNK Untagged 1 Tagged 50 PVID 1 (WAP with 2 wif networks 1 on the default VLAN and 1 on VLAN 50)
Port 25 TRUNK Untagged 1 Tagged 50 PVID 1 (LINK TO REST OF NETWORK)

This should work but it doesn't, OPNSense shows no packets on the OFFICE interface.

Can anyone please put me out of my misery and help me to get VLANS working.

Just to add I know the switch is working as I can config an admin address in the switch on the VLAN 50 subnet and I can ping it from the Laptop on the VLAN 50 network. So I know the switch ports as working as expected within the switch. I also know the switch VLAN config is working between switches. I can ping the HP on its VLAN50 address from the Netgear connected via a TRUNK to TRUNK connection to the HP oort 25 using the laptop manually configured with a VLAN50 ip.

BUT, I get the destination host unreachable and no route to host if I try to ping the OPNSense VLAN50 interface on 10.0.50.254. No packets are received on the OPNSense OFFICE (VLAN50) interface. Also the WAP on the HP TRUNK port 17 gets no DHCP service either. I can configure a static IP on the wifi connection and connect to the VLAN 50 wifi network but can't get anywhere.

It is like any VLAN subnet on the LAN interface is blocked and I suspect that pinging the VLAN 50 address from the default network is simply getting a response from the parent interface as stats show no packets on the VLAN 50 interface.

What is going on here?

Cheers

[cookiemonster]

Hi. I am certainly not expert but from this it seems your interface to OPN is mixed with tagged and untagged traffic. I have it from good authority that that is not the supported configuration.
The trunk i.e. the port with all the VLANs in it coming into OPN should be set to tagged traffic only.
So, on the switch is tagged on trunk to OPN, the rest of ports as access.

That said maybe that's how you have it setup and I just don't understand your switch's nomenclature.

[sparticle]

Hi. I am certainly not expert but from this it seems your interface to OPN is mixed with tagged and untagged traffic. I have it from good authority that that is not the supported configuration.
The trunk i.e. the port with all the VLANs in it coming into OPN should be set to tagged traffic only.
So, on the switch is tagged on trunk to OPN, the rest of ports as access.

That said maybe that's how you have it setup and I just don't understand your switch's nomenclature.

Are you saying that the trunk port cannot carry the default VLAN 1 untagged?

Currently PORT1 the trunk port to OPNSense has VLAN1 (default) untagged and VLAN50 Tagged. I can't see anyway of setting VLAN1 as tagged on the TRUNK port! The default VLAN1 is always untagged AFAIK.

Many thanks for taking the time to reply.

Cheers

[bimbar]

You should, if possible, not use VLAN 1.

[Patrick M. Hausen]

You should, if possible, not use VLAN 1.

Why not? There is nothing special about it.

[cookiemonster]

Hi. I am certainly not expert but from this it seems your interface to OPN is mixed with tagged and untagged traffic. I have it from good authority that that is not the supported configuration.
The trunk i.e. the port with all the VLANs in it coming into OPN should be set to tagged traffic only.
So, on the switch is tagged on trunk to OPN, the rest of ports as access.

That said maybe that's how you have it setup and I just don't understand your switch's nomenclature.

Are you saying that the trunk port cannot carry the default VLAN 1 untagged?

Currently PORT1 the trunk port to OPNSense has VLAN1 (default) untagged and VLAN50 Tagged. I can't see anyway of setting VLAN1 as tagged on the TRUNK port! The default VLAN1 is always untagged AFAIK.

Many thanks for taking the time to reply.

Cheers

I imagine then that having the default and a tagged VLAN on the PORT1 is OK because the default tag is not actually added by the switch, so you can carry on as you were.
I say I imagine is because I don't know the implementation of your switch. I use mikrotik and they allow to change the default

[bimbar]

You should, if possible, not use VLAN 1.

Why not? There is nothing special about it.

On the switch side, it's usually the trunk native vlan, and as such untagged. Sure you can do all that but it's kind of asking for trouble.

[Patrick M. Hausen]

On the switch side, it's usually the trunk native vlan, and as such untagged. Sure you can do all that but it's kind of asking for trouble.

Of course you need to know what you are doing. I set the native VLAN to 99 which is never used anywhere on all trunk ports in my infrastructure. With Linux/BSD systems it's even easier - just don't configure the untagged interface at all.

Repeating myself: the "native VLAN" was a very bad idea. It breaks symmetry and that always leads to "surprises" 

[sparticle]

Many thanks to all for replying. As this is part of migrating from a single flat network that has many services running I need to be able to be comfortable with the configuration and operation of VLANS on both the devices and network infrastructure.

Current status is that I upgraded my OPNSense to the latest 4.1 and started from scratch with a clean config. Recreated my old LAN and rules etc.

Then setup one VLAN exactly as before. I now have one VLAN working across both switches and can get appropriate DHCP DNS etc. services. Reading a lot on the ESXI side there have been challenges with more than one VLAN. I had to set the PG VLAN ID in ESXI that the OPNSense LAN NIC sits on to 4095 to allow the tagged VLAN packets in and out.

There is no granularity on the PG config to set untags or tags. It is either 0 (default) or a specific VLAN tag or 4095 (all).