VLAN and untagged traffic primer

Started by Inxsible, June 29, 2025, 08:04:24 PM

Can someone please explain to me the concept of untagged traffic in OpnSense?

Currently I have the following setup:
Interfaces: Assignments
Interface   Identifier   Device
[CCTV]      opt3         igb2_vlan10  CCTV VLAN (Parent: igb2, Tag: 10)
[GUEST]     opt6         igb1_vlan20  Guest VLAN (Parent: igb1, Tag: 20)
[IOT]       opt4         igb2_vlan30  IOT VLAN (Parent: igb2, Tag: 30)
[LAN]       lan          igb1
[LAN2]      opt1         igb2
[WAN]       wan          igb0
[WGVPN]     opt2         wg1 (WireGuard - wireguard)


The LAN interface is set up with subnet 192.168.40.0, and all the devices on my main network are assigned IPs from that subnet. However, does that mean all the traffic on this subnet is untagged, since it is using the physical interface (igb1) rather than a VLAN interface?

If yes, is there a way to move the same subnet (192.168.40.0) to a VLAN interface (igb1_vlan40) and change the subnet on the physical interface (igb1) to, say, 192.168.50.0?

Should I update the LAN subnet first to 192.168.50.0, or set up igb1_vlan40 with some random subnet, move the devices over, then go back and change the IP subnet in LAN and then again in igb1_vlan40?

I hope my question makes sense...

The bottom line is that I want my main network devices to be tagged to 40, so I can move them off in my Cisco switch from the default vlan1 to vlan40 and then shut down vlan1 on the switch.

On the switch side, I am already allowing vlan 40 on the trunk ports, but the native vlan on those trunks is vlan1, which I need to change to 50. But when I do this, I lose all access to opnsense, presumably because I am on a different vlan and can't access opnsense anymore. So I want to make sure I do this in the correct order and not lose access to any device on my network.

You are correct in your assessment. With 192.168.40.0 assigned to the physical interface (seen as "lan" under your assignments), that traffic is untagged and will match to whatever your default vlan is on your switchport. Easiest way to change this would be to have console access to your Opnsense server. If that is not possible, put a PC in the same vlan as Opnsense, which sounds like that is already the case. Change the IP on Opnsense interface (assuming 192.168.50.1), then manually set your PC to something in that same subnet (192.168.50.2). You'll be able to reach your firewall now and then complete the vlan 40 setup. Just make sure your switches have an IP in the new vlan 50 and have that vlan 50 set to the default vlan between uplinks.

Quote from: zakaron on June 29, 2025, 09:04:04 PM
    Easiest way to change this would be to have console access to your Opnsense server.
I do have access to the console. What would be the steps to change the LAN to 192.168.50.1 and then use vlan40 as 192.168.40.1?

Should I reconfigure igb1 and provide it a new IP of 192.168.50.1 first, and then proceed to create the vlan 40 in the Opnsense console? What is the command to create a vlan in the console?
Finally, can I copy all the DHCP reservations from my current LAN to this new VLAN40 interface?

Current main network (192.168.40.1) is on LAN(igb1) and therefore untagged. I want my main network (192.168.40.1) to be on vlan40 (tagged) and I want igb1 to use 192.168.50.1 so .50.1 will be untagged. I created a vlan40 but gave the IP of 192.168.99.1 temporarily.

Can I do the following by editing the XML config and re-uploading it?
  • Under <interfaces><lan> - Change the <ipaddr> from 192.168.40.1 to 192.168.50.1
  • Under <interfaces><opt5> - Change the <ipaddr> of vlan40 from 192.168.99.1 to 192.168.40.1
  • Under <dhcpd><lan> - Change the <range> to be 192.168.50.x and 192.168.50.y
  • Under <dhcpd><lan> - Change the <dnsserver> to 192.168.50.1
  • Under <dhcpd><lan> - Cut the static maps from <lan> and copy it under <dhcpd><opt5>
  • Under <dhcpd><opt5> - Change the <range> to be 192.168.40.x and 192.168.40.y
  • Under <dhcpd><opt5> - Change the <dnsserver> to 192.168.40.1

After saving the file and re-uploading this configuration, will my PC, opnSense firewall, switch and other devices (APs, servers, etc.) still be accessible, as they will all be in the same subnet?

Thanks in advance
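As an added illustration of the config.xml edit list in the post above (this is not code from the thread or from OPNsense), here is a Python script that applies those edits to a constructed config.xml excerpt and then checks that every DHCP range, DNS server and static mapping still falls inside its interface's subnet. The element names (interfaces/lan/ipaddr, dhcpd/lan/range, staticmap) follow the shape of OPNsense's config.xml; the addresses, MACs, hostnames and the opt5 identifier are made up for the example. The check is the part worth keeping: if the static maps are left under <dhcpd><lan> after the subnet swap, they end up outside 192.168.50.0/24, and the script reports exactly that.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed excerpt in the shape of an OPNsense config.xml (not a real export).
# "lan" is the physical igb1, "opt5" is the igb1_vlan40 interface from the thread.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <interfaces>
    <lan><if>igb1</if><ipaddr>192.168.40.1</ipaddr><subnet>24</subnet></lan>
    <opt5><if>igb1_vlan40</if><ipaddr>192.168.99.1</ipaddr><subnet>24</subnet></opt5>
  </interfaces>
  <dhcpd>
    <lan>
      <enable>1</enable>
      <range><from>192.168.40.100</from><to>192.168.40.199</to></range>
      <dnsserver>192.168.40.1</dnsserver>
      <staticmap><mac>00:11:22:33:44:55</mac><ipaddr>192.168.40.10</ipaddr><hostname>nas</hostname></staticmap>
      <staticmap><mac>00:11:22:33:44:66</mac><ipaddr>192.168.40.11</ipaddr><hostname>ap1</hostname></staticmap>
    </lan>
    <opt5>
      <enable>1</enable>
      <range><from>192.168.99.100</from><to>192.168.99.199</to></range>
      <dnsserver>192.168.99.1</dnsserver>
    </opt5>
  </dhcpd>
</opnsense>
"""


def _renumber(ip: str, new_prefix: str) -> str:
    """Swap the /24 network part of an address, keeping the host octet."""
    return new_prefix + "." + ip.rsplit(".", 1)[1]


def swap_subnets(xml_text: str, phys: str = "lan", vlan: str = "opt5",
                 phys_prefix: str = "192.168.50", vlan_prefix: str = "192.168.40",
                 move_reservations: bool = True):
    """Apply the edit list from the thread: renumber the physical interface and its
    DHCP scope to phys_prefix, the VLAN interface and its scope to vlan_prefix, and
    cut the static maps from the physical scope into the VLAN scope.
    Returns (new_xml, number_of_reservations_moved)."""
    root = ET.fromstring(xml_text)
    ifaces, dhcp = root.find("interfaces"), root.find("dhcpd")
    for name, prefix in ((phys, phys_prefix), (vlan, vlan_prefix)):
        addr = ifaces.find(f"{name}/ipaddr")
        addr.text = _renumber(addr.text, prefix)          # <interfaces><name><ipaddr>
        scope = dhcp.find(name)
        for tag in ("range/from", "range/to", "dnsserver"):  # <dhcpd><name>...
            el = scope.find(tag)
            if el is not None:
                el.text = _renumber(el.text, prefix)
    moved = 0
    if move_reservations:
        # The reservations belong to the hosts that stay on 192.168.40.x, which is
        # now the VLAN scope, so they move as-is instead of being renumbered.
        src, dst = dhcp.find(phys), dhcp.find(vlan)
        for sm in list(src.findall("staticmap")):
            src.remove(sm)
            dst.append(sm)
            moved += 1
    return ET.tostring(root, encoding="unicode"), moved


def check_config(xml_text: str) -> list:
    """Report every DHCP range bound, DNS server or static map that lies outside the
    subnet of the interface its scope belongs to. Empty list means consistent."""
    root = ET.fromstring(xml_text)
    problems = []
    for scope in root.find("dhcpd"):
        name = scope.tag
        ip = root.findtext(f"interfaces/{name}/ipaddr")
        bits = root.findtext(f"interfaces/{name}/subnet")
        if ip is None or bits is None:
            problems.append(f"{name}: DHCP scope without an interface address")
            continue
        net = ipaddress.ip_interface(f"{ip}/{bits}").network
        candidates = [(t, scope.findtext(t)) for t in ("range/from", "range/to", "dnsserver")]
        candidates += [("staticmap", sm.findtext("ipaddr")) for sm in scope.findall("staticmap")]
        for what, value in candidates:
            if value and ipaddress.ip_address(value) not in net:
                problems.append(f"{name}: {what} {value} is outside {net}")
    return problems


def reservations(xml_text: str, scope: str) -> list:
    """Static-map addresses under <dhcpd><scope>, in document order."""
    root = ET.fromstring(xml_text)
    return [sm.findtext("ipaddr") for sm in root.find("dhcpd").find(scope).findall("staticmap")]


if __name__ == "__main__":
    fixed, moved = swap_subnets(SAMPLE_CONFIG)
    print(f"moved {moved} reservations; problems: {check_config(fixed)}")
    forgot, _ = swap_subnets(SAMPLE_CONFIG, move_reservations=False)
    print("reservations left under <lan>:", check_config(forgot))
```

Run it against a real config.xml by replacing SAMPLE_CONFIG with the file contents and the opt5 identifier with whatever the VLAN interface got at assignment time; keep the original export untouched so the console can be used to restore it if the import does not come up as expected.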
I was going to say "Running tagged and untagged traffic on an interface will be a disappointing experience", but I can't say that with certainty unless there's a bridge involved. Still, it's not recommended - it appears that some of the interface hooks (in the FreeBSD kernel) were poorly designed/placed, and you'll get packets showing up where they shouldn't. Documentation link: VLAN and LAGG setup (the "Attention" sections).

I'd recommend tagging all traffic on trunk ports simply out of an abundance of paranoia.

pfry, thank you for that link. I must have skipped over that part when going through the documentation. Most networks I set up I do just use a network management vlan as the untagged vlan between switches and firewalls, but I have seen others use vlan 1 as their untagged and then just disable vlan 1 on all the switches. I have not noticed any ill side effects yet. I have my Opnsense server connected to an Alcatel switch. I have just learned to live with the statistics showing ALL traffic combined for every vlan on the management untagged vlan, but I may now go back and redo this based on that recommendation.

Inxsible, that seems reasonable to just modify the XML file and reimport, but I would check to make sure you have your System -> Settings -> Administration "listen on interfaces" set to the appropriate interface / vlan you want to access it from. Also, make sure your firewall policy allows you to access the webUI, though the built-in anti-lockout policies may have you covered.
When I mentioned having access to the console, it was more for just updating the IP of your main interface; just in case you do lose access, you can easily change it back. As long as your PC is on the same vlan as your listening interface, you can always set your PC IP manually to match something in the same subnet as that interface.