VLAN Trunk Help

[Cheezio]

Quick Description:
I have a DEC740 that I have set up two trunk ports.  This setup works fine.
I am trying to add another firewall for an HA setup.  It is virtual via Proxmox.  I am having issues getting traffic to pass the trunk here.

Details:
Each firewall will have 3 connections, Outside, Inside, and Opt1.
I will use Opt1 here for the rest of the descriptions.
The layout is pretty flat.  Outside ----  Firewalls --- L2 Switch
No fancy routing on any of the firewalls, except for Outside.
Opt1 on both firewalls is physically connected to a UniFi Layer 2 switch. (Virtual connected to E0/8, DEC740 connected to e0/9)
Both are using the same port profile that allows vlan 28, 29, 35, and 38.  No untagged vlan is defined.
VLAN 28 Example: On the DEC, I have vlan28 (Interfaces, Other, VLAN, named vlan0.2.28 and attached to igb1 interface)
This works  IP is set to 192.168.28.2 (And has a carp address of .1)

Beautiful

For the virtual, the interface is defined in proxmox at the host level enp2s0f0np0.  I have a bridge (vmbr2) that has vlan aware checked.  I attached vmbr2 to the guest, as "net2/vtnet2", VIRTIO, no vlan tag, and I edited the interface to be "trunks=28;29;35;38"
I have vlan28 (Interfaces, Other, VLAN, named vlan0.2.28 and attached to vtnet2 interface)
IP is set to 192.168.28.3, and I have not defined carp yet.

In the firewall ruleset for the interface for vlan 28, I have IP Any Any > Pass defined.

I cannot get arp across the interface.  Can anyone tell me what I am missing?

[Patrick M. Hausen]

If you need VLANs in OPNsense instead of a virtual interface per VLAN, I recommend PCIe pass through of a dedicated interface for that trunk. Should work splendidly with HA.

[Cheezio]

Passthrough doesn't work with migration which is a key component of what I am trying to accomplish.
This seems straight forward.  I have watched hours and hours of videos on this, it seems like I am missing something really dumb.

I do know that I can stop the trunk at proxmox, and make an interface per vlan.  Which I had done many times before....  But this seems like it should work, and has challenged me to a duel.

Edit: Oh wait, does OPNSense have to see native VLAN1 for the trunk to come up?  I did try to set native vlan 999, but saw no provision for defining a native vlan on OPNSense.  I assumed it didn't matter, but ...  WHAT IF...  The Native VLAN is static and not able to be changed....

[Patrick M. Hausen]

For HA you need identical interface names on both master and backup. Just saying ...

[Cheezio]

Correct, I have very carefully made sure that both firewalls are mapped opt1 to opt1, opt2 to opt 2 and so on.
I ran into that in the config iteration before this one.  HA started mapping vlans all over the place.  It was a mess.

[Patrick M. Hausen]

No, no - the physical device names must match, too ...

Which is a bit easier with VLANs, because you can name them vlan01, vlan02, ... or whatever. But these names and the assignments to OPT1, ... must be 100% identical.

[Cheezio]

The interface names are already identical, as they need to be to make the rest of the HA look clean.
The VLAN names will be identical too before I start down HA, because I am OCD like that anyway.
Thanks for the input!

I just want to get this trunk to work.  I am very close.