Help with vlan and untagged on 1 interface. Kind of works :(

[allebone]

Hi there,

I would like to create a vlan and have this run over the same physical cable as my current untagged LAN.
I have configured what I imagine to be an acceptable configuration but it does not work 100%.

The config is as follows:

Physical:
An RJ45 from port em1 (LAN) to a unifi switch.

Configuration OPNsense
Create under interfaces - other types - vlans - VLAN5 on interface em1.
Under assignments create VLAN5 on em1 so it appears as an interface.
Configuring interface vlan5 I set static ip of 192.168.5.1 (Lan is set to 192.168.2.x already).

Create a rule to allow all traffic anywhere to anywhere on vlan5 firewall rules for testing.

Save config.

At this point I can no longer log into the web interface of my opnsense box, although it appears like everything is working.

So to try resolve logging into opnsense I configured other types - bridge - and added vlan5 and LAN as a bridge.

Once saving, this means I can access the web interface again. However the web interface is very slow, and takes about 30 seconds to load up a page when clicking from page to page, as opposed to immediate when I had no vlan5 config at all.

Can someone assist me in explaining where I am going wrong in understanding what I should do and how to achieve 1 physical interface to run both LAN and a VLAN on top of it? Reason for this requirement is I have no other ports available because I have another VLAN thats on a separate cable and dont have this problem with it.

Kind regards
Pete

[bartjsmit]

Hi Pete,

Well done getting it kind of working - I wouldn't have thought you'd get anywhere.

Untagged VLAN's are assigned to access ports. The device plugged into that port has no gumption about VLAN tags and is blissfully unaware that it is segregated in a VLAN.

Tagged VLAN's are assigned to trunk ports. The device plugged in is part of the VLAN infrastructure and usually has some internal networking setup that needs multiple networks. E.g. a hypervisor with a virtual switch.

Firewalls definitely fall into the second category and you should pick a LAN VLAN number if you want to share with VLAN number 5. You can create untagged ports on the switch for the LAN devices in the LAN VLAN.

Unifi makes things a bit more spicy still, since it's an SDN stack where you create networks in the controller, not the switch.

Welcome to VLAN's 

Bart...

[allebone]

What I meant to say is that the LAN has no vlan assigned to it at this time. It was just setup as a physical interface before attempting to do this and I am now attempting to add this VLAN5 along with what is already there. Is that possible? Or an alternative question is why does the current setup make the web interface run slowly?

P

[pilotboy72]

See if you can access the web interface via IP address only and see if that makes it go faster.  What I've found is that DNS replies with two IP addresses and sometimes the VLAN IP address comes first.  If the web interface isn't bound to the IP address on your VLAN then it will definitely be slow to respond since it will try that IP address first and then fall to the LAN IP address.

[lilsense]

I think first off, you would need to explain a bit more of what are trying to set up and how things are plugged in.

Both Opnsense and Unifi use VLAN1 as native vlans, you would need to create another IP subnet for that. I have not figured out how to change the native on OPNSense.

[allebone]

Im actually unsure what else to tell you. Its as simple as it sounds.

The unifi switch has the default out the box 'LAN' set as native on the port connected to the LAN on the firewall. I have also set vlan 5 to be allowed to be tagged on that same interface.

The opnsense setup is described as above.

Everything works but the web interface becomes very slow... thats all I can see not working so unsure what to do to fix that.

Im accessing Opnsense via IP so its not dns etc...

P

[allebone]

I think I might have worked out how to do this but will post back later once I do some more testing. I just had to change how things were setup to accommodate it.

[lilsense]

I have mine configured on the unifi as a dot1q VLAN tagged connected to the OPNSense, so I am not sure what you are attempting to do.

[allebone]

Its ok I worked out how Opnsense wants it. Basically you dont need a bridge and instead of using a physical interface as with an IP on it the way Opnsense wants it is you setup 2 vlans and attach then to the unconfigured interface. Then one of the virtual vlan interfaces is vlan 1 or whatever and the second is vlan 5 or whatever you need and it all works normally. The physical interface ends up not being used at all, no firewall rules etc, and just acts as the place you plug the cable in but the moment you set an ip on the physical interface it all starts going wrong but once I saw you just create multiple vlans on an unconfigured interface then it was easy. All is working great now with the unifi switch and access points etc.