Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
VLAN and untagged on same interface?
« previous
next »
Print
Pages: [
1
]
Author
Topic: VLAN and untagged on same interface? (Read 3954 times)
Chiefmas
Newbie
Posts: 6
Karma: 0
VLAN and untagged on same interface?
«
on:
May 10, 2022, 02:00:22 am »
Hello,
I want to make sure what I'm trying to do will work the way I'm trying it. I am currently running OpnSense 21.1.5 on a Protectli device with 4 ports. I only use it as a network appliance to host services, it is not my network edge router(the rest of my network is managed Ubiquiti if that ends up mattering).
So the goal is to have a virtual IP on a VLAN sharing the same interface that is configured currently as untagged. This is so I can migrate off 192.168.1.x (the untagged network) without disrupting everything(so hopefully the services will listen on all interfaces, but that's a different problem I haven't gotten to). So to summerize: I want 192.168.1.161 on em0 untagged, and 10.117.1.161 tagged with VLAN 117 also on em0.
I tried this a while back and when I turned the new virtual interface on, I lost connectivity to the entire device. I ended up just restoring to backup config to roll back quickly. I was able to do this under on a physical Windows machine without any issue, so I think I must have missed something in configuration in OpnSense, so I guess I'm looking for a quick check of what I did to make sure I didn't miss anything. So steps I took:
In interfaces>>Other Types>VLAN, created an interface on em0(the port I want to share) with the tag set to 117
In assignments, added a new interface, called VLAN117, set it the network port resulting from the previous step (vlan 117 on em0)
In the new interface, configured the static IP, left block private and bogons unchecked. Basically everything at defaults
The last step is the place I suspect maybe I went wrong, because I don't think I assigned a MAC address. I think I had assumed last time around it would auto-generate a unique MAC. But if that doesn't happen, I could see that being why I stopped being able to access things from the network maybe.
Anyway, I'm just trying to get to where I can successful access OpnSense from an IP in the VLAN, so I can start migrating clients over as well. I'm not using multiple physical interfaces because I am running a bit low on ports on the upstream switch, but if that's the only way I can get this to work, I'll make it work, at least in the short term. So, if there's something I missed, or some reason what I'm doing won't work, I could use the info!
Thank you
Logged
meyergru
Hero Member
Posts: 1691
Karma: 165
IT Aficionado
Re: VLAN and untagged on same interface?
«
Reply #1 on:
May 10, 2022, 12:07:12 pm »
Usually, all VLANs share the MAC address of the physical device, so if you leave the MAC unset, all should work fine by itself.
I had problems with assigned MACs on some occasions. In FreeBSD, there is a difference between hwaddr and ether. When you change the ether address, other network devices have to learn that for ARP, so there can be short outages. Also, there may be problems when you set the MAC during runtime for some specific NIC hardware,
Logged
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005
1100 down / 440 up
,
Bufferbloat A+
yourfriendarmando
Full Member
Posts: 103
Karma: 8
Re: VLAN and untagged on same interface?
«
Reply #2 on:
May 11, 2022, 10:17:50 am »
Don't forget to make sure your the switch port N is allowing untagged vlan X and is allowing the Tagged Vlan Y. On a Netgear style switch, for VLAN port N membership, you want VLAN Y tagged. For VLAN X you want it UnTagged and the main PVID for that port.
The PHYs on Protectli are the stablest thus far for the price. igb0 drives the work network untagged.
On igb1, I have a plain interface/network assigned, which to the switch is the untagged Vlan X and PVID. I added a VLAN Y on parent igb1, and subsequently created the interface/network on the newly created vlan interface pair. The switch should immediately trunk traffic on that VLAN/port combo.
After assigning static IPs and DHCP servers on both networks, add some rules. These drive one a network for IoT things, and another for the guest network. I figured to pile them on together so that they stay out of the way of the work network, and add some pipes with rules to fine tune that.
If you have more unused ports, you can make a sort of MGT port that's available to directly plug in, and debug your router if it becomes unreachable while flipping your networks onto VLANs.
Logged
Chiefmas
Newbie
Posts: 6
Karma: 0
Re: VLAN and untagged on same interface?
«
Reply #3 on:
May 11, 2022, 04:41:23 pm »
Thanks for the suggestions!
I do have it working now. It seems that there were two things that caused me the issue first time I tried it. In my case, it turns out the Flex-Mini switch I was connected to has an odd limitation, although you can tell it to be a trunk port, it doesn't like it if you don't have another switch plugged in. It wants to assign a VLAN to the port if you really are only using it as an access port but one with the extra MACs and IPs like I am trying to do. So I moved it up to my core switch which is a bit more flexible and that resolved that.
The other issue seemed to be that I had to explicitly set the MAC address on the untagged interface. It seemed like when I assigned the new MAC to the VLAN tagged interface, all packets coming out were getting ID'd as the new MAC (which was causing all the packets to get put into the tagged VLAN). I'm inferring this from what the Ubiquiti status screens were showing me, I didn't explicitly do a packet capture. But once I explicitly set the MAC address on the original interface to be it's actual MAC address so that both had MACs set, it started working as I wanted. It seems assuming the default MAC would stick was a bad assumption, or for whatever reason wasn't working out that way in my setup.
Still, I've got it working, thanks again for the input!
«
Last Edit: May 11, 2022, 04:43:17 pm by Chiefmas
»
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
VLAN and untagged on same interface?