Problems setting up VLANs

Started by Matt_K, July 20, 2022, 11:01:34 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
July 20, 2022, 11:01:34 PM
I'm trying to segment my network a bit. I'm trying to have 3 VLANs. VLAN 1, Vlan 100, and VLAN 200.
My Switch is a managed TP-Link. One Port 1, which is where the Firewall is connected. I have configured the port for VLAN 1 untagged, VLAN 100 Tagged, VLAN 200 Tagged. I created 2 other ports 7 & 8 to be untagged on VLAN 100 and 200 for testing.

In the firewall I created the 2 new VLANs. Attaching them to the LAN interface. I assigned each interface and gave them a static IP on a new subnet. I created new firewall rules on each interface. Basically allow all ip4. I also added DHCP for each interface.

I can't ping the ip's and the firewall can't ping my computer. I have nothing in the firewall logs from or to that interface ether. Any idea what I'm missing here?

July 21, 2022, 12:37:03 AM #1
a picture of your interfaces, interface assignments and firewall rules for each interface would be helpful.
July 21, 2022, 12:47:28 AM #2
I can do that.
July 21, 2022, 12:56:33 AM #3
So I spoke too soon. I don't know how to add pic inline.
So I am attaching them. Sorry.
July 21, 2022, 12:57:20 AM #4
and some more.
July 21, 2022, 01:27:16 AM #5
untagged vlans are unsupported if you are using tagged valns on the same interface.
July 21, 2022, 03:55:56 PM #6
Can you expand on that please?
I thought I could have, for example.
The native / default VLAN (which is untagged)
Then a tagged VLAN

If I can't do that. What is the proper way to setup OpnSense to have more than one VLAN on the LAN interface?
July 21, 2022, 04:06:10 PM #7
It is not entirely unsupported but discouraged because things that rely on promiscuous mode like DHCP tend to stumble over mixed tagged and untagged frames in the FreeBSD network stack. The general recommendation is not to use a native VLAN on FreeBSD.

If your switch on the other end insists on running one VLAN untagged/native, set it to one you don't use. I use 1001 for that in all my infrastructure.

Then simply assign LAN to e.g. VLAN 1 (tagged) ... or any other number, of course.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
July 21, 2022, 04:40:33 PM #8
I think I understand.
So if I want 3 VLANs make all of them including the base LAN tagged. I will try that.
July 21, 2022, 04:47:15 PM #9
So the base interface LAN doesn't appear to have a way to attach a VLAN ID. Do I just delete the IP address for this interface and give it to a VLAN interface that is attached to the physical interface LAN?

July 21, 2022, 06:13:53 PM #10
You go to Interfaces > Assignments and assign "LAN" to "VLAN-1" instead of igb0 - done, LAN is now tagged.

Since OS 22.1 you also need to assign the parent igb0 to a dummy interface and enable that. Architectural reasons, I hope they find a more intuitive solution in the future.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
July 22, 2022, 04:49:53 PM #11
Thank you. I'll give it a shot.
Print
Go Up Pages1
User actions