OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Archive »
  • 21.1 Legacy Series »
  • Questions About VLAN
« previous next »
  • Print
Pages: [1]

Author Topic: Questions About VLAN  (Read 2736 times)

PWCDC

  • Newbie
  • *
  • Posts: 17
  • Karma: 2
    • View Profile
Questions About VLAN
« on: March 24, 2021, 12:40:55 am »
Hello,

I have some questions about how OpnSense handles VLAN.

In the following example, I have a quad port device running OpenSense.
igb0 is WAN.
igb1 is trunk for all VLANS.

Lets assume the following VLANS configured:

VLAN 100 - Management - Parent: igb1
VLAN 200 - Workstations - Parent: igb1
VLAN 300 - IoT Stuff - Parent: igb1

  • In this example, how can I select which VLAN is native to the trunk port (if someone physically plugs into the port). This is a theoretical question, since I would likely have a managed switch which would tag all packets on the trunck anyway, but I don't see an option for it in opnsense. Ideally, it would be the management LAN.
  • Is there a way to ensure all packets traveling to the trunk port (igb1) are tagged? Or at least a way to configure opnsense to react as though all untagged packets are in a particular VLAN? I assume this would be related to the question above.
  • Is there a way to configure the additional physical ports (igb2, igb3, etc) as access ports for VLANs defined above, which already have their parent port assigned to igb1. I don't see an option for this.

Thanks in advance.
Logged

Maurice

  • Hero Member
  • *****
  • Posts: 1194
  • Karma: 152
    • View Profile
    • GitHub
Re: Questions About VLAN
« Reply #1 on: March 24, 2021, 12:44:36 pm »
OPNsense is not a switch, so you shouldn't think in switch terms here.

- VLANs are always tagged. Untagged frames are handled by the parent. If you want the management LAN to be untagged, assign it to igb1 directly and don't create VLAN 100 at all.

- If you don't assign igb1, inbound untagged frames will be ignored and no untagged frames will be sent.

- You can e.g. create a bridge between VLAN 200 on igb1 and the igb2 parent. Since parents are always untagged, igb2 will then behave like an access port for VLAN 200. Bridges have performance limitations though, so you should only do this if you are low on switch ports.

Cheers

Maurice
Logged
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

kosta

  • Hero Member
  • *****
  • Posts: 540
  • Karma: 2
    • View Profile
Re: Questions About VLAN
« Reply #2 on: March 25, 2021, 09:39:00 am »
Since you do have 4 ports available, why bother with VLANs for firewall management at all? Just give it one port for firewall management only, isolate it and be done with it. I would say this is the most secure option.
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • Archive »
  • 21.1 Legacy Series »
  • Questions About VLAN
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2