How to configure VLANs over Bridges

Started by Whaley, August 24, 2025, 10:40:28 PM

I cannot find much about it:

https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html

Gemini says we need to create the VLAN and add it to the bridge, but when you define the VLAN's physical interface as the bridge as well, won't that be a problem? :S

So basically here is my setup: I'm using the OPNsense appliance as a regular switch, splitting some ports into 2 separate networks by using 2 bridges.

This works just fine; I can even define NAT rules so the 2 segments can reach each other and vice versa.


bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   inet 10.1.0.1 netmask 0xffffff00 broadcast 10.1.0.255
   nd6 options=1<PERFORMNUD>
   groups: bridge
   member: em7 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
           ifmaxaddr 0 port 8 priority 128 path cost 2000000
   member: em5 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
           ifmaxaddr 0 port 6 priority 128 path cost 55
   member: em4 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
           ifmaxaddr 0 port 5 priority 128 path cost 55
   member: em3 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
           ifmaxaddr 0 port 4 priority 128 path cost 55
   member: em2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
           ifmaxaddr 0 port 3 priority 128 path cost 55

bridge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
   nd6 options=1<PERFORMNUD>
   groups: bridge
   maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
   member: em6 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
           ifmaxaddr 0 port 7 priority 128 path cost 55


I would like to add an external managed switch to this configuration to extend these 2 VLANs into another room.

It is not obvious how to configure this on OPNsense, and I also have no idea how to define a specific TRUNK port which will transport my VLANs to the switch.


Quote from: Whaley on August 24, 2025, 10:40:28 PM
[...] won't that be a problem [...]

Yep. Either leave the main unconfigured or unassigned. Ideally you'll configure your switch (or other device) to send only tagged packets on that port.

Quote
[...] It is not obvious how to configure this on OPNsense, and I also have no idea how to define a specific TRUNK port which will transport my VLANs to the switch.

Nothing to it, it's just like your other interfaces:

root@fw:/home/user # ifconfig bridge1
bridge1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: TRUST (lan)
        options=0
        ether 58:9c:fc:10:ff:c9
        inet 10.101.11.1 netmask 0xffffff00 broadcast 10.101.11.255
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: vlan0.109 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 19 priority 128 path cost 2000
        member: vlan0.107 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 17 priority 128 path cost 2000
        member: vlan0.105 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 15 priority 128 path cost 2000
        member: re0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 6 priority 128 path cost 800
        groups: bridge
        nd6 options=9<PERFORMNUD,IFDISABLED>
root@fw:/home/user #

(I have three more bridges as well.) Nothing defines a trunk port on OPNsense other than configuring VLANs on it.
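As an added example (not code from either poster or from OPNsense), here is a small Python decoder for checking what actually arrives on the trunk cable, which is what the advice to have the switch send only tagged frames on that port comes down to: it walks the 802.1Q/802.1ad tag stack of each frame and reports frames that are untagged (those land on the parent NIC itself, not on any VLAN interface), double-tagged, or carrying a VLAN ID the trunk is not supposed to carry. The frames are constructed inline; in practice you would feed it the raw bytes of frames captured on the trunk.

```python
"""Classify frames seen on the trunk cable as tagged or untagged.

Added example, not code from the thread or from OPNsense. The sample frames
are constructed by hand; a real run would pass in raw frame bytes from a
capture taken on the trunk port."""
import struct

ETHERTYPE_VLAN = 0x8100  # 802.1Q customer tag
ETHERTYPE_QINQ = 0x88A8  # 802.1ad service tag (outer tag of a Q-in-Q frame)
TAG_ETHERTYPES = (ETHERTYPE_VLAN, ETHERTYPE_QINQ)


def parse_frame(frame: bytes) -> dict:
    """Return MACs, the stack of VLAN IDs (outer first) and the payload ethertype."""
    if len(frame) < 14:
        raise ValueError("runt frame: %d bytes" % len(frame))
    dst, src = frame[:6], frame[6:12]
    offset, vids = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated inside the header")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in TAG_ETHERTYPES:
            break
        if len(frame) < offset + 4:
            raise ValueError("frame truncated inside a VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)  # PCP = bits 15-13, DEI = bit 12, VID = bits 11-0
        offset += 4
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vids": vids, "ethertype": ethertype}


def audit_trunk(frames, allowed_vids):
    """List (index, problem, parsed) for frames a clean trunk should not carry."""
    findings = []
    for i, raw in enumerate(frames):
        p = parse_frame(raw)
        vids = p["vids"]
        if not vids or vids[0] == 0:
            # No tag, or a priority tag with VID 0: the frame is delivered to the
            # parent NIC (em7 in the thread) itself, not to any VLAN interface.
            findings.append((i, "untagged", p))
        elif len(vids) > 1:
            # Stacked tags on a link that should carry single-tagged frames:
            # the classic double-tagging VLAN-hopping pattern, flagged even when
            # the outer tag is an allowed VID.
            findings.append((i, "double-tagged", p))
        elif vids[0] not in allowed_vids:
            findings.append((i, "unexpected vlan %d" % vids[0], p))
    return findings


def make_frame(dst, src, vids, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a constructed Ethernet frame with zero or more 802.1Q tags."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vid)  # PCP 0, DEI 0
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed frames: two that belong on the trunk, then one of each problem kind.
SAMPLE_FRAMES = [
    make_frame("01:00:5e:00:00:fb", "00:11:22:33:44:55", [10]),                    # OFFICE, IPv4
    make_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:66", [20], ethertype=0x0806),  # PHONE, ARP
    make_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:77", []),                      # untagged
    make_frame("00:11:22:33:44:88", "00:11:22:33:44:99", [99]),                    # unknown VID
    make_frame("00:11:22:33:44:88", "00:11:22:33:44:aa", [10, 20]),                # double tag
]

if __name__ == "__main__":
    for index, problem, parsed in audit_trunk(SAMPLE_FRAMES, {10, 20}):
        print("frame %d: %s (%s -> %s)" % (index, problem, parsed["src"], parsed["dst"]))
```

The allowed set is the list of VLAN IDs you configured on the switch's trunk port; anything else in the report means either the switch is still sending untagged frames on that port or a VLAN is tagged on the trunk that was never meant to leave the switch.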

OK, I figured it out, so I'll leave the answer here for everyone's convenience :D

Use this logic to set this up:

1) Log in to the switch and set up your VLANs: leave the 2 trunk ports UNTAGGED

2) When creating the VLANs (for example an OFFICE VLAN and a PHONE VLAN), add the regular (UNTAGGED) ports into the VLAN group and ONLY TAG THE TRUNK PORT

3) Once this is all good, the best thing is to take your TRUNK cable coming out of the OPNsense box and plug it into a laptop running Wireshark so you can see what the port is spitting out


So on the OPNsense box, use the reverse logic:

4) Find the trunk port you want, e.g. EM7 (make sure this port is not a member of any BRIDGE groups; if it is, remove it)

5) Go to Interfaces > Other types > VLAN

6) Add all the VLANs one by one using your trunk EM7 as parent (make sure you use the exact same VLAN numbers as on the switch)

7) At this point none of these dummy VLAN interfaces are active; go back to Interfaces > Assignments and add them one by one

8) Once this is done they will show up in the LEFT menu among the other interfaces. No need to assign any IP to them; just Enable them and save (initially they will get names like OPT12, OPT13; use this time to rename them to user-friendly names)

9) Go into Firewall > Rules, go through all of these new interfaces one by one and add 2 rules (PASS all IN and PASS all OUT), then save and apply the firewall rules

10) As the last step, go back to Interfaces > Other types > BRIDGE and add the corresponding new VLAN interfaces you created into the BRIDGE you like. The bridge is like a port group on a regular switch, e.g. if BRIDGE0 is the first 4 ports and that is the WORK VLAN, add the new WORK VLAN interface into that bridge

It is true that you will NOT be able to add two VLANs into the same bridge interface. In my case this is more than enough; hope it will help somebody some day.
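As an added example (not the poster's code or OPNsense's), here is a Python check for steps 4 and 10 of the write-up above. It parses FreeBSD `ifconfig` output, the same format as the bridge listings in this thread, tells you whether the NIC you picked as the trunk is still a member of a bridge, reports VLAN children of the trunk that have not been bridged yet, and shows which VLAN IDs each bridge will receive over that trunk. The sample text is trimmed from the first post's bridge listing; the vlan0.10/vlan0.20 stanzas and vlan0.10's membership in bridge1 are constructed to exercise the checks, and the `vlan: … parent interface:` line is the form FreeBSD's ifconfig prints for vlan(4) interfaces.

```python
"""Sanity-check `ifconfig` output around a VLAN trunk on an OPNsense/FreeBSD box.

Added example, not code from the thread or from OPNsense. The bridge stanzas are
trimmed from the first post; the vlan0.10/vlan0.20 stanzas and the vlan0.10
bridge membership are constructed so that every check below has something to find."""
import re

SAMPLE_IFCONFIG = """\
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   inet 10.1.0.1 netmask 0xffffff00 broadcast 10.1.0.255
   groups: bridge
   member: em7 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
           ifmaxaddr 0 port 8 priority 128 path cost 2000000
   member: em5 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
           ifmaxaddr 0 port 6 priority 128 path cost 55
bridge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
   groups: bridge
   member: em6 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
           ifmaxaddr 0 port 7 priority 128 path cost 55
   member: vlan0.10 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
           ifmaxaddr 0 port 9 priority 128 path cost 2000
vlan0.10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   groups: vlan
   vlan: 10 vlanproto: 802.1q vlanpcp: 0 parent interface: em7
vlan0.20: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   groups: vlan
   vlan: 20 vlanproto: 802.1q vlanpcp: 0 parent interface: em7
"""

STANZA_RE = re.compile(r"^(\S+): flags=")                 # start of an interface block
MEMBER_RE = re.compile(r"^\s+member: (\S+)")              # bridge member line
VLAN_RE = re.compile(r"^\s+vlan: (\d+) .*parent interface: (\S+)")  # vlan(4) detail line


def parse_ifconfig(text):
    """Return (bridges, vlans): bridge -> [member names], vlan iface -> (vid, parent)."""
    bridges, vlans, current = {}, {}, None
    for line in text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            if current.startswith("bridge"):  # OPNsense names bridges bridgeN
                bridges[current] = []
            continue
        if current is None:
            continue
        m = MEMBER_RE.match(line)
        if m and current in bridges:
            bridges[current].append(m.group(1))
            continue
        m = VLAN_RE.match(line)
        if m:
            vlans[current] = (int(m.group(1)), m.group(2))
    return bridges, vlans


def bridges_containing(bridges, iface):
    """Names of the bridges that list `iface` as a member."""
    return sorted(b for b, members in bridges.items() if iface in members)


def trunk_findings(text, trunk):
    """Things to fix before/after making `trunk` the tagged uplink to the switch."""
    bridges, vlans = parse_ifconfig(text)
    findings = []
    owners = bridges_containing(bridges, trunk)
    if owners:
        # Step 4 of the write-up: take the trunk NIC out of its bridge before
        # hanging VLAN children off it.
        findings.append("%s is a member of %s; remove it first" % (trunk, ", ".join(owners)))
    for name, (vid, parent) in vlans.items():
        if parent != trunk:
            continue
        if not bridges_containing(bridges, name):
            # Step 10 not done yet: this VID's frames arrive but join no port group.
            findings.append("%s (vid %d) is not a member of any bridge yet" % (name, vid))
    return findings


def vlan_map(text, trunk):
    """bridge -> [VIDs] it receives over `trunk`: the view the switch admin needs."""
    bridges, vlans = parse_ifconfig(text)
    result = {b: [] for b in bridges}
    for name, (vid, parent) in vlans.items():
        if parent == trunk:
            for b in bridges_containing(bridges, name):
                result[b].append(vid)
    return result


if __name__ == "__main__":
    for finding in trunk_findings(SAMPLE_IFCONFIG, "em7"):
        print("-", finding)
    print(vlan_map(SAMPLE_IFCONFIG, "em7"))
```

Run it against output copied from the OPNsense shell (`ifconfig > dump.txt`, then `trunk_findings(open("dump.txt").read(), "em7")`). An empty findings list means the trunk NIC is out of every bridge and every VLAN child on it has been placed in a bridge; `vlan_map` then gives you the VID-per-bridge list to compare against the tagged VLANs on the switch's trunk port.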