VLANs and bridges - 3 NICs for LAN and multiple VLANs

Started by chho, November 19, 2021, 03:31:54 PM

So I started to configure my OPNsense device last week and am currently stuck on some core principles regarding VLANs and bridges. My physical layout looks like the attached image: 1 router with 4 NICs, 1 WAN port, and the other three ports go to different switches/AP.

My initial idea was to create one bridge over the three physical ports and then add the different VLANs I want on top of the bridge. This didn't work; no tagged frames are picked up by the router. After searching the forum, I found it mentioned several times that FreeBSD does not support VLANs on top of bridges. For example:

Quote from: pmhausen on March 15, 2021, 11:45:10 AM
Physical --> Lagg --> VLAN --> Bridge

The FreeBSD network stack works only this way.

So to my questions:

  • If I want VLAN 10 to be accessible on all 3 LAN ports, do I need to add VLAN 10 to the three physical ports and then bridge the three VLAN interfaces (3 interfaces for the physical ports, 3 interfaces for VLAN 10, one on each physical port, and 1 bridge interface), or do I bridge one VLAN 10 interface with two other physical interfaces?
  • Is it enough to just add VLAN 10 interface for each physical port without the bridge?

You need to create three VLAN interfaces, e.g. vlan10, vlan110, vlan210 - one for each port - if you want to have VLAN 10 tagged on each port. And then create a bridge with these vlan interfaces as members. And if the OPNsense is supposed to have an IP address in vlan 10, then configure that on the bridge interface.

But ... be aware that FreeBSD is not a switch. Performance will definitely be worse compared to connecting your switches and the AP directly and using only one interface to connect OPNsense.

Why don't you want to let switches do the switching and turn OPNsense into your "core switch" instead?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
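The layout from the answer above, Physical -> VLAN -> Bridge with the address on the bridge, written out as the FreeBSD `ifconfig` sequence. This is an added example, not code from the thread or from OPNsense (on OPNsense itself the same objects are created in the GUI); the interface names igb1/igb2/igb3, the bridge name bridge0 and the address 192.168.10.1/24 are assumptions. The script only emits the commands unless run with `--apply` on a FreeBSD host.

```shell
#!/bin/sh
# Added example (not from the thread): emit the ifconfig sequence for
# Physical -> VLAN -> Bridge, one tagged sub-interface per physical port and
# the IP address on the bridge. Interface names and address are assumptions.
#
# usage: vlan_bridge_commands VLANID ADDR/PREFIX PARENT PARENT [PARENT ...]
vlan_bridge_commands() {
    vid="$1"; addr="$2"; shift 2
    # Bridging needs at least two members; a single port needs no bridge at all.
    [ $# -ge 2 ] || { echo "need at least two parent interfaces" >&2; return 1; }
    members=""
    for parent in "$@"; do
        # The physical port must be up for its VLAN child to pass frames.
        printf 'ifconfig %s up\n' "$parent"
        # One VLAN interface per port (igb1.10, igb2.10, ...); the VLAN sits
        # on the physical port, never on top of the bridge.
        printf 'ifconfig %s.%s create vlan %s vlandev %s\n' "$parent" "$vid" "$vid" "$parent"
        members="$members addm $parent.$vid"
    done
    printf 'ifconfig bridge0 create\n'
    # The bridge joins the three VLAN 10 interfaces into one broadcast domain.
    printf 'ifconfig bridge0%s up\n' "$members"
    # The layer-3 address goes on the bridge, not on any member interface.
    printf 'ifconfig bridge0 inet %s\n' "$addr"
}

# Run the emitted commands; only meaningful as root on FreeBSD/OPNsense.
vlan_bridge_apply() {
    [ "$(uname -s)" = "FreeBSD" ] || { echo "FreeBSD only" >&2; return 1; }
    vlan_bridge_commands "$@" | sh -e
}

case "${1:-}" in
    --show)  shift; vlan_bridge_commands "$@" ;;
    --apply) shift; vlan_bridge_apply "$@" ;;
esac
```

`sh thisfile.sh --show 10 192.168.10.1/24 igb1 igb2 igb3` prints the sequence for review; the three `igb*.10` interfaces are the "three VLAN interfaces" of the answer and `bridge0` is the one that carries the address.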

Quote from: pmhausen on November 19, 2021, 03:43:34 PM
Why don't you want to let switches do the switching and turn OPNsense into your "core switch" instead?

Thanks for the quick response.

I thought the overhead wouldn't be that big of an issue and it looked neater, physically, instead of chaining it together. Although, thinking about it one more time I could have realized that performance in dedicated switches must be a lot better. I will change the physical layout so I only use one physical LAN port. It will make the configuration a lot easier as well.

Should you want to further expand your network - the classic "router on a stick" configuration does work perfectly well. So e.g. a lagg interface built from two ports connected to a managed switch (2x1G or 2x10G) and n VLANs on top of that. Then assign ports of that switch to the individual VLANs as needed. It's just the bridge that is not that great - although it is going to be vastly improved in OPNsense 22.1/FreeBSD 13.
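The "router on a stick" layout recommended above, Physical -> Lagg -> VLAN, as the matching FreeBSD `ifconfig` sequence. Again an added example rather than code from the thread or from OPNsense: two ports in an LACP lagg, one VLAN sub-interface per network on top of the lagg, each with its own routed address and no bridge anywhere. igb1/igb2, lagg0, the VLAN ids and the addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): emit the ifconfig sequence for
# Physical -> Lagg -> VLAN. Interface names and addresses are assumptions.
#
# usage: lagg_vlan_commands LAGG "PORT PORT ..." VID=ADDR/PREFIX [VID=ADDR/PREFIX ...]
lagg_vlan_commands() {
    lagg="$1"; ports="$2"; shift 2
    [ $# -ge 1 ] || { echo "need at least one VID=ADDR/PREFIX spec" >&2; return 1; }
    laggports=""
    for p in $ports; do
        printf 'ifconfig %s up\n' "$p"
        laggports="$laggports laggport $p"
    done
    printf 'ifconfig %s create\n' "$lagg"
    # LACP requires the switch side to be configured as an LACP trunk as well;
    # the switch ports carry every VLAN tagged, and access ports are then
    # assigned to single VLANs on the switch.
    printf 'ifconfig %s laggproto lacp%s up\n' "$lagg" "$laggports"
    for spec in "$@"; do
        vid="${spec%%=*}"; addr="${spec#*=}"
        # Reject anything that is not a valid 802.1Q VLAN id (1-4094).
        case "$vid" in
            ''|*[!0-9]*) echo "bad VLAN id: $vid" >&2; return 1 ;;
        esac
        [ "$vid" -ge 1 ] && [ "$vid" -le 4094 ] || { echo "VLAN id out of range: $vid" >&2; return 1; }
        # Each VLAN is its own routed interface on top of the lagg, so the
        # address sits directly on lagg0.<vid>; there is no bridge to add it to.
        printf 'ifconfig %s.%s create vlan %s vlandev %s\n' "$lagg" "$vid" "$vid" "$lagg"
        printf 'ifconfig %s.%s inet %s\n' "$lagg" "$vid" "$addr"
    done
}

case "${1:-}" in
    --show) shift; lagg_vlan_commands "$@" ;;
esac
```

`sh thisfile.sh --show lagg0 "igb1 igb2" 10=192.168.10.1/24 20=192.168.20.1/24` prints the sequence; adding a network is one more `VID=ADDR` argument, no extra physical port and no bridge.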

I had a similar issue almost a year back, so I am struggling to recall the actual details, but I did the following, which solved the problem:

1. The OPNsense device has 6 ports, so leaving one for WAN, I was able to create 5 VLANs on the remaining ports (no untagged port on the OPNsense device in my network)
2. Connected each VLAN port from OPNSense to an unmanaged switch ==> use this switch to connect to the hard wiring topology in my house.
3. In each room I added a managed switch connected to the wall port and configured its port for VLANs as needed

There has been no glitch or congestion for me; in fact I only needed a managed switch in two rooms, as the rest of the devices are able to work off WiFi, which is also on a separate VLAN.