Trying to properly VLAN a guest network with OpnSense

Started by Cyb3rG1rlc0d3r, December 15, 2024, 08:54:44 PM

I have 2 WIFI networks, one I want to access my main network, and the other for IoT that just goes straight to the internet.

This is what I have so far:

VLAN 20 created for IoT traffic: (screenshot)

Port 6 goes to the AP: (screenshot)

For OpnSense I have the following:

Interface created: (screenshot)

Firewall rules for said network: (screenshot)

DHCP enabled on interface: (screenshot)

I have VLAN aware on the interface for Proxmox: (screenshot)

But my issue is, when I connect to said guest network, I don't get an IP from the DHCP server so I'm assuming that there is an issue with the VLAN.

Ideas of what I need or should try?

I don't see anything obvious wrong. I assume the switch port connected to Proxmox's enp4s0f1 also has the tagged VLAN allowed?

I'd probably start with a packet capture on the VLAN interface in OPNsense, while attempting DHCP, to see if the requests are arriving...
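When you take that capture, the thing to read off each frame is whether a DHCP Discover is present at all and, if you capture on the parent interface (vtnet1) rather than the VLAN sub-interface, whether it still carries an 802.1Q tag with VID 20. The following decoder is an added example, not code from the thread or from OPNsense or Proxmox; the two frames it builds are constructed by hand (a tagged Discover and an untagged one) so it runs offline, and `diagnose()` turns the decoded fields into the same verdict you would reach by eye in tcpdump output.

```python
"""Decode an Ethernet frame far enough to answer: is this a DHCP message, and
which VLAN tag (if any) did it arrive with?  Added example; frames are constructed."""
import struct
from typing import Optional

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
DHCP_MAGIC = b"\x63\x82\x53\x63"          # BOOTP magic cookie that precedes DHCP options
DHCP_MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_frame(frame: bytes) -> dict:
    """Return {'vlan': VID or None, 'dhcp': message-type name or None}."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:                 # 802.1Q tag present
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF                         # low 12 bits of the TCI are the VID
        offset = 18
    result = {"vlan": vlan, "dhcp": None}
    if ethertype != ETHERTYPE_IPV4:
        return result
    ihl = (frame[offset] & 0x0F) * 4                # IPv4 header length in bytes
    if frame[offset + 9] != 17:                     # protocol 17 = UDP
        return result
    udp = offset + ihl
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    if {sport, dport} != {67, 68}:                  # DHCP uses server port 67, client port 68
        return result
    bootp = udp + 8
    options = bootp + 240                           # 236-byte BOOTP header + 4-byte cookie
    if frame[bootp + 236:options] != DHCP_MAGIC:
        return result
    i = options
    while i < len(frame):                           # walk TLV options until option 53 or END
        code = frame[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        length = frame[i + 1]
        if code == 53 and length == 1:
            result["dhcp"] = DHCP_MSG_TYPES.get(frame[i + 2], f"type {frame[i + 2]}")
            break
        i += 2 + length
    return result


def build_dhcp_discover(client_mac: bytes, vlan: Optional[int]) -> bytes:
    """Construct a minimal broadcast DHCP Discover (checksums left zero; fine for parsing)."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, 0x12345678, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    bootp += client_mac + b"\0" * 10                # chaddr is 16 bytes
    bootp += b"\0" * 64 + b"\0" * 128               # sname, file
    dhcp = bootp + DHCP_MAGIC + bytes([53, 1, 1, 255])   # option 53 = DISCOVER, then END
    udp = struct.pack("!HHHH", 68, 67, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\0\0\0\0", b"\xff\xff\xff\xff") + udp
    eth = b"\xff" * 6 + client_mac
    if vlan is None:
        return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip
    return eth + struct.pack("!HHH", ETHERTYPE_VLAN, vlan & 0x0FFF, ETHERTYPE_IPV4) + ip


def diagnose(frame: bytes, expected_vlan: int) -> str:
    """Map the decoded fields onto the three outcomes that matter for the thread's problem."""
    info = parse_frame(frame)
    if info["dhcp"] is None:
        return "not DHCP"
    if info["vlan"] is None:
        return f"untagged {info['dhcp']}: AP or switch port is not tagging VLAN {expected_vlan}"
    if info["vlan"] != expected_vlan:
        return f"{info['dhcp']} tagged VLAN {info['vlan']}, expected {expected_vlan}: tag mismatch"
    return f"{info['dhcp']} tagged VLAN {expected_vlan}: tagging is correct, check DHCP and firewall on the interface"


if __name__ == "__main__":
    mac = bytes.fromhex("02aabbccdd01")             # constructed client MAC
    for vid in (20, 30, None):
        print(diagnose(build_dhcp_discover(mac, vid), expected_vlan=20))
```

On a real capture you would read the raw frames from the pcap file taken on vtnet1 (with `tcpdump -e` the tag is shown inline) and feed each one to `parse_frame()`; a capture taken on the VLAN sub-interface itself shows the frames untagged because the kernel has already stripped the tag, which is why the parent interface is the better place to check tagging.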

The proxmox bridge I use as LAN trunk is not "VLAN aware".
Per Proxmox docs:
Quote: "VLAN awareness on the Linux bridge: In this case, each guest's virtual network card is assigned to a VLAN tag, which is transparently supported by the Linux bridge. Trunk mode is also possible, but that makes configuration in the guest necessary."
Since I have not made the bridge VLAN aware, I never looked at what it takes to enable trunk mode.

The comment on vmbr2 is kinda odd. I ignored it assuming it's instead your LAN trunk (going to the switch).
The interface assignment page would help...

The uplink on the switch appears to be port 4. It's also a trunk port, right? Essentially same question as dseven.

I also noticed floating rules. They could get in the way. Check your FW logs...
AFAIK, the gateway setting in DHCP can be left blank to use the interface's IP (per inline help).

I'd recommend configuring the VLAN in Proxmox and presenting it to OPNsense as another virtual interface. That's how you would do it in ESXi, at least.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I started with passthrough NICs and did all the VLAN management in OPN (and my managed switches/AP obviously).
I converted to using proxmox bridges later (reco in the forum, and it should help with HA if I enable that later) and I kept all VLAN management in OPN.
I didn't even think twice about it.

Plain Proxmox vmbr2 assigned to OPN vtnet1. All VLANs with vtnet1 as parent (no interface assigned to vtnet1 directly, you know why 😉).
I'm not sure why I'd want to configure VLANs in yet another layer (e.g. proxmox) unless I had to.

Quote from: EricPerl on December 16, 2024, 08:24:52 PM: "I'm not sure why I'd want to configure VLANs in yet another layer (e.g. proxmox) unless I had to."
Because at least in ESXi the hypervisor vSwitch/VLAN/Port Group features are way superior and perform better compared to doing it in the guest. If you use PCIe passthrough for entire network interfaces, that's of course a different story.

I have been running virtualised firewalls for decades - not OPNsense, though - and the general consensus was "do the switching in the hypervisor".

Your mileage may vary.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

As mentioned in an earlier thread, I respect the experience, which is why I ask questions. Mine is measured in weeks so...
I obviously can't compare Proxmox and ESXi but for me, it was all about simplicity and minimizing configuration.
The first thing I had to do with OPN was converting from a physical prosumer router and migrating my VLAN incrementally. I'm pretty sure that would have been more complicated if that included steps on the host per VLAN. Having to reboot the guest OPN (to pick up the new interface) per migration step would also have been cumbersome, assuming it was necessary.

I'm still uneasy about VLAN management in Proxmox. That seemed more straightforward in OPN.
I don't know the OP's experience level. He can judge by himself.