VLAN untag on specific interface

[ultimeus]

Hi all,

I'm trying to acheive the following on my opnsense
ETH0 WAN
ETH1 Vlan 10 Untag pvid 10
ETH2 - ETH3 LAG LACP Vlan 3,4,10,20,30,99 Tagged

Vlan 10 is my management Vlan, so I would like to have ETH1 as my main MGMT port but still carry the VLAN 10 to other switches trough the LACP.

I fiddled with the vlans, assignments, bridges etc but I just managed to locked out myself of the system many times.

Could someone point me in the right direction?
As I have read freebsd cannot do pvid?

Thanks in advance

[Patrick M. Hausen]

You need to create a bridge interface with eth1 and VLAN 10 on eth3 as members.

Are you sure your interfaces are named eth0, eth1, etc.? I don't know of any network driver in FreeBSD that would create such device names. Looks like Linux to me.

Network interfaces in OPNsense are named e.g. ix0, ix1, ... or igb0, igb1, ...

[cookiemonster]

probably virtualised setup

[Patrick M. Hausen]

They would be named vtnet0, ... for VirtIO and em0, ... for E1000 in that case.

[cookiemonster]

right you are.

[ultimeus]

I'm just used to name physical interfaces ETH, but no they are name igc0, igc1,etc in my opnsense.
My setup is using a topton nuc, it's not virtualized.

Thanks Patrick, I will have a look and report.

[ultimeus]

I got it work, not the most intuitive for sure.
I mainly followed this https://docs.opnsense.org/manual/how-tos/lan_bridge.html and additional info is to set the network IP on the bridge and give a pass rule on the firewall.

[Patrick M. Hausen]

Don't forget the two tunables. It's more complicated than you probably expected, because FreeBSD is not a switch. So you have to "fake" that with a bridge interface.

[ultimeus]

Yes, I just checked the tunables and changed according values.
Coming from a Ubiquity EdgeOS it's more work but like you said it's more kind of a workaround to fake that.

[ultimeus]

Couple months later I finished redoing my network and servers.
Unfortunately the bridge is not working.
When I connect igc1 to my switch (untag vlan10) it's making a loop in the network.

I tried IPv4 configuration type to none and Static IP on interface Bridge_to_igc1 bot both where making a loop

See screenshots

[netnut]

From a quick look at your screenshots:

The Bridge Device is the only interface that should be numbered (including the tunables you did)

Bridge member interfaces should be unnumbered

Create VLAN10 on your LACP uplink and bridge that VLAN10 device under bridge0

The bridge interface ip will be the gateway interface for VLAN10

[ultimeus]

Hi netnut,

I don't get what you mean by unnumered.

Could explain a bit more in detail?

[netnut]

I don't get what you mean by unnumered.

If you create a bridge device with one or more members, the only device with an IP address (L3) is the bridge device itself (numbered). All member interfaces are being bridged (L2) so just need to be enabled and assigned the parent bridge device without any IP configuration (unnumbered)

Your screenshots shows a bridge device with 192.168.10.1 and a member with 192.168.10.99, that last one should be unnumbered.

If you're patching both the "management" interface (igb1) and your LACP trunk (igb2+igb3) to the same switch and next create a bridge on igb1 with a VLAN assigned to the LACP trunk, yes, a better loop isn't possible :).