Untagged Traffic ceased on LAN after 24.7.9

Started by tops4u, December 09, 2024, 08:04:59 AM

Meanwhile there is 24.7.12 out... did anybody try?

Unfortunately the problem still exists in the current version. a rollback to version 24.7.9_1 works. However, that is not a solution either.

January 20, 2025, 10:40:28 AM #17 Last Edit: January 20, 2025, 11:55:04 AM by cookiemonster

Quote from: tsense on January 20, 2025, 09:59:19 AM
Unfortunately the problem still exists in the current version. a rollback to version 24.7.9_1 works. However, that is not a solution either.
And repeating...
Quote from: cookiemonster on January 07, 2025, 11:59:54 AM
Quote from: JL on January 06, 2025, 09:41:50 PM
Quote from: vigeland on January 04, 2025, 05:42:08 PM
I have no deny rule on the Lan interface. There are only the standard 2 "allow all" rules ( IPV4 , IPV6 ).
And why does it work for X years with the rules only with the update not. Additionally others have similar problems ?
I've wondered for some time about OPNSense and if it is reliable to work with in all environments.

I'm using it primarily as a VM firewall. In that it seems to be 'not great but works'.

One culprit is now using an OPNSense VM with a hypervisor bridge which has a physical interface with multiple vlan assigned.

The hypervisor sets the PVID egress as untagged on the bridge and tagged for the vlans, which is as it is. However, the tagged VLANs are visible as untagged inside the OPNSense VM. And that's that. No docu pointing out what to do or not to do.

When using multiple vlan-id on a single bridge the only solution seems to be to create a bridge per vlan, which doesn't really make sense, but works.


Quote from: vigeland on January 04, 2025, 05:42:08 PM
I have no deny rule on the Lan interface. There are only the standard 2 "allow all" rules ( IPV4 , IPV6 ).
And why does it work for X years with the rules only with the update not. Additionally others have similar problems ?

Ermm. https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html
The manual for VLANs takes you to this URL which explains not to mix tagged and untagged traffic.
From this thread what I gather is that we have users who have not heeded the advice and have mixed traffic anyways. So far it has "worked" but not after an update. What might have happened is that the update has exposed the misconfiguration only.
p.s. I was one of those users for some time and it was also not giving me any trouble. Until I realised that one day (like with this update - if that is what it is) it was bound to catch me. So I fixed it, by reconfiguring to the recommended setup.

So the ideal course of action is to correct any remaining installations with mixed tagged and untagged traffic in an interface used with OPN, and then move to diagnose any other problems and thinking OPN is "reliable to work with in all environments."
The TLD. Mixing tagged and untagged has never been a supported configuration. Some setups will expose it in form of problems, others won't.
Expecting new versions to make it go away is an exercise in futility.
Correct your setup.
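The advice above is to find every interface on which OPNsense carries an untagged (L3-addressed) network while also serving as the parent of VLAN children, and to fix those. The following is an added example, not code from the thread or from the OPNsense project: it parses FreeBSD-style `ifconfig` output and reports parent interfaces that are in that mixed state. The sample `ifconfig` text is constructed for the example (interface names, MACs and addresses are invented); the interface name `igc0` and the `vlan:` / `parent interface:` line format are the FreeBSD 14 `ifconfig` conventions OPNsense 24.7 uses.

```python
import re
import subprocess
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of FreeBSD/OPNsense `ifconfig` output (invented for this
# example). igc0 carries an untagged address AND is the parent of vlan01, which
# is the "mixed" case the thread warns about. igc1 is tagged-only.
SAMPLE_IFCONFIG = """\
igc0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:11:22:33:44:55
\tinet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
\tinet6 fe80::211:22ff:fe33:4455%igc0 prefixlen 64 scopeid 0x1
\tmedia: Ethernet autoselect (2500Base-T <full-duplex>)
\tstatus: active
igc1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:11:22:33:44:56
\tinet6 fe80::211:22ff:fe33:4456%igc1 prefixlen 64 scopeid 0x2
\tmedia: Ethernet autoselect (2500Base-T <full-duplex>)
\tstatus: active
vlan01: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:11:22:33:44:55
\tinet 10.0.10.1 netmask 0xffffff00 broadcast 10.0.10.255
\tgroups: vlan
\tvlan: 10 vlanproto: 802.1q vlanpcp: 0 parent interface: igc0
\tstatus: active
vlan02: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:11:22:33:44:56
\tinet 10.0.20.1 netmask 0xffffff00 broadcast 10.0.20.255
\tgroups: vlan
\tvlan: 20 vlanproto: 802.1q vlanpcp: 0 parent interface: igc1
\tstatus: active
"""

IFACE_HDR = re.compile(r"^(\S+): flags=")
ADDR_LINE = re.compile(r"^\s+inet6? (\S+)")
VLAN_LINE = re.compile(r"^\s+vlan: (\d+) .*parent interface: (\S+)")


@dataclass
class Iface:
    name: str
    addrs: List[str] = field(default_factory=list)   # non-link-local addresses
    vlan_id: Optional[int] = None
    parent: Optional[str] = None


def parse_ifconfig(text: str) -> Dict[str, Iface]:
    """Turn `ifconfig` output into a name -> Iface map."""
    ifaces: Dict[str, Iface] = {}
    cur: Optional[Iface] = None
    for line in text.splitlines():
        m = IFACE_HDR.match(line)
        if m:
            cur = Iface(m.group(1))
            ifaces[cur.name] = cur
            continue
        if cur is None:
            continue
        m = ADDR_LINE.match(line)
        if m:
            addr = m.group(1)
            # fe80:: link-locals appear on any IPv6-enabled interface and do
            # not indicate a configured untagged network, so skip them.
            if not addr.lower().startswith("fe80:"):
                cur.addrs.append(addr)
            continue
        m = VLAN_LINE.match(line)
        if m:
            cur.vlan_id = int(m.group(1))
            cur.parent = m.group(2)
    return ifaces


def find_mixed_parents(ifaces: Dict[str, Iface]) -> Dict[str, List[int]]:
    """Return {parent: [vlan ids]} for every parent interface that carries
    VLAN children AND has its own (untagged) address, i.e. the mixed setup."""
    children: Dict[str, List[int]] = {}
    for i in ifaces.values():
        if i.parent is not None and i.vlan_id is not None:
            children.setdefault(i.parent, []).append(i.vlan_id)
    mixed: Dict[str, List[int]] = {}
    for parent, ids in children.items():
        p = ifaces.get(parent)
        if p is not None and p.addrs:
            mixed[parent] = sorted(ids)
    return mixed


if __name__ == "__main__":
    # `--live` reads the real ifconfig on the box; default uses the sample.
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        text = subprocess.run(["ifconfig"], capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_IFCONFIG
    findings = find_mixed_parents(parse_ifconfig(text))
    if not findings:
        print("no parent interface mixes untagged and tagged traffic")
    for parent, ids in findings.items():
        print(f"{parent}: untagged address plus VLAN children {ids} -> move the untagged network to its own VLAN or interface")
```

The check only sees addresses that are actually configured: a parent assigned in OPNsense but currently without an address (DHCP not yet leased, or an interface used purely for bridging) will not be flagged, so treat a clean result as a starting point, not proof. On the sample, only `igc0` is reported, with VLAN 10 as its child.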


I don't have any mixed vlan traffic in my setup. But I also noticed that I no longer have internet connectivity when I update to a newer version. My setup is a CARP HA cluster with two machines. The backup machine has internet connectivity. However, the master node is not. When I roll back to version 24.7.9 it works without any problems

Currently running OPNsense 24.7.12 (amd64) at Mon Jan 20 11:08:24 CET 2025
Fetching changelog information, please wait... fetch: https://pkg.opnsense.org/FreeBSD:14:amd64/24.7/sets/changelog.txz: Permission denied
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/24.7/latest/meta.txz: Network is unreachable
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/24.7/latest/packagesite.pkg: Network is unreachable
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/24.7/latest/packagesite.txz: Network is unreachable
Unable to update repository OPNsense
Error updating repositories!
Checking integrity... done (0 conflicting)
Your packages are up to date.

Quote from: tsense on January 20, 2025, 11:13:41 AM
I don't have any mixed vlan traffic in my setup. But I also noticed that I no longer have internet connectivity when I update to a newer version. My setup is a CARP HA cluster with two machines. The backup machine has internet connectivity. However, the master node is not. When I roll back to version 24.7.9 it works without any problems

Currently running OPNsense 24.7.12 (amd64) at Mon Jan 20 11:08:24 CET 2025
Fetching changelog information, please wait... fetch: https://pkg.opnsense.org/FreeBSD:14:amd64/24.7/sets/changelog.txz: Permission denied
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/24.7/latest/meta.txz: Network is unreachable
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/24.7/latest/packagesite.pkg: Network is unreachable
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/24.7/latest/packagesite.txz: Network is unreachable
Unable to update repository OPNsense
Error updating repositories!
Checking integrity... done (0 conflicting)
Your packages are up to date.
So why are you posting on this thread that is/was about tagged/untagged traffic?

I saw that there were several problems starting with the subsequent versions 24.7.9. I have a similar problem in that I no longer have internet connectivity... Although the WAN traffic is not tagged. Internet access works permanently on the slave node. So it can't be a misconfiguration. Do you have an idea what I can check?

Quote from: tsense on January 20, 2025, 12:02:20 PM
I saw that there were several problems starting with the subsequent versions 24.7.9. I have a similar problem in that I no longer have internet connectivity... Although the WAN traffic is not tagged. Internet access works permanently on the slave node. So it can't be a misconfiguration. Do you have an idea what I can check?
Instead of latching to any thread with a reported problem, do a search and for your symptoms in case it has been posted already. If nothing found, create your own new thread with your setup, hardware, current version, what worked before, what changed and what is now not working. Add your diagnostics so far.
Try to avoid problem statements lacking any technical detail. "internet is not working" is an example of what not to do as it just delays the time to resolve whatever problem exists.

I have now opened an issue on Github to get a fix or a statement on this Problem: GitHub

Until then I will currently not upgrade my System.

February 25, 2025, 06:41:45 PM #23 Last Edit: February 25, 2025, 06:43:16 PM by tops4u
After it was recommended on GitHub that having tagged and untagged traffic on an interface is not recommended, I tried various things: tagging upstream traffic from the switch that was untagged, moving to another physical interface with the tagged traffic, etc. However, no improvement could be observed.

So I assume there is something else that causes the Problems. Maybe due to the age of my configuration and subsequent migrations of the configuration even from other HW.

Some things I noted, some I already fixed (hopefully) others not yet.
- My old VLAN names are starting with the interface name, i.e. igc0_vlan01; however at least 24.7.x enforces that names start with vlan0...
- All my interfaces, physical or VLAN, are identified as opt<x> except two, WAN and LAN - not sure if this is a problem (currently LAN has all tagged and untagged traffic).

Next I'll try to figure out if this is a kernel or a distribution issue. However, I'll fix the VLAN names beforehand.

This thread started with an unclear problem and a setup with mixed tagged and untagged traffic on the same interface. You were advised to rectify that as a general starting point.
Now the latest post is unclear to me what the problem is and whether you have set up tagged only on the trunk.

February 26, 2025, 11:30:34 AM #25 Last Edit: February 26, 2025, 12:29:54 PM by tops4u
@cookiemonster

I'll try to explain my setup. As noted it has a certain age and the Hardware has been exchanged and the configuration copied over. So it might have "age" issues.

I have a Cable Modem connected to the WAN interface in transparent mode, I have a DMZ with a Webserver and there is a LAN Interface for the internal Network. Over time I wanted to segment my internal Network and started creating VLANs for this reason. Some on WLAN AP (Ubiquiti directly issuing the needed Tags) some Port Based on a Netgear Switch. All are routed to OPNSense for Firewall rules defining which traffic may pass to what other networks. Tagging is enforced and checked on the Switch.

As such the "trusted" Traffic remained untagged on the LAN Interface, while all other (more specialized) Traffic get a VLAN (for example IoT Traffic that is not allowed Internet but Access to one IP on the LAN where IOBroker IoT Integration is running).

This all ran fine up until 24.7.10 where the trusted untagged LAN Traffic ceased to work correctly.

So this week I thought I'll try to clean up and migrate the until now untagged Traffic to a VLAN. But for some unknown reason it behaved identical to the update before when I used mixed traffic on the interface. So I suspect some other Problem with my config.

The Problem is clearly on the IP Layer as some Clients were able to get a DHCP IP but then were not pingable from OPNsense. As far as I understood there is no egress on this network from OPNsense anymore.

As noted above I have observed some issues, for example with vlan naming, where older vlans obviously violate naming conventions - however I don't know if this is a problem. I was thinking to check if it is a kernel or opnsense core related issue next. As not many people reported similar problems I assume it is bound to my setup/config.

PS: Config File available on request

February 26, 2025, 12:41:05 PM #26 Last Edit: February 26, 2025, 12:42:37 PM by meyergru
The new naming scheme applies only to newly created VLANs, existing ones work fine with old names. I have that, too, so this should be out of the question.

Although it is advisable to avoid mixing tagged and untagged traffic on the same interface, it usually works fine, too. It seems to be depending on network hardware, because some hardware has idiosyncrasies with that.

I have mixed traffic, too, probably for the same reasons as you: Ubiquiti equipment could handle tagged-VLANs-only, but adopting a new device would become a nightmare with this kind of setup.

That being said, I have not seen any problems with OPNsense 24.7.10 and above, so I would assume that there is no principal new problem.

It could be driver or hardware-dependent, as 24.7.10 had a new kernel (at least after a hotfix) or a configuration issue.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Exactly. @tops4u as I refer you back to my earlier post #17 on this thread https://forum.opnsense.org/index.php?msg=226441 .
TLD: mixed traffic works until it doesn't, due to as meyergru says a variety of reasons. Usually hardware and configuration & the combination. Hence it is not advised to be done. You were told the same thing on github.
If however you say you want to move to the not mixed scenario and that is not working for you, then that is something that you could be advised on.
You then need to explain that new setup in detail and explain the problem. Don't expect anyone to go back to the beginning and figure out what the "same behaviour" is. Treat it as a brand new setup and problem statement, as that is what that is.

Thanks for your fast reply. I have probably a similar HW as you. N100 from Aliexpress equipped with 4 Intel I226-V Ports. I have disabled all HW Support in OPNsense for the NICs.

@cookiemonster: Yes I'll try to cleanup my config first then I'll try to go to a new Version and see how it behaves. Maybe I'll first try it out on my old HW.