HyperV Trunk VLAN and VLAN over Opnsense is not working

Started by fox-octi, February 21, 2025, 08:19:36 PM

Hi,
I want to use one virtual interface on the VM and use the VLAN configuration from OPNsense to create multiple VLANs.

Scenario:
vlan 90: Mgm VLAN for Wlan Controller
vlan 96: Guest VLAN for AP usage


on HyperV:
$adapters=get-vm ifi-fw01 | Get-VMNetworkAdapter
#$adapters |?{$_.MacAddress -like "*A077"} |get-VMNetworkAdapterVlan
$adapters |?{$_.MacAddress -like "*A077"} | Set-VMNetworkAdapterVlan -Trunk -AllowedVlanIdList 96-99 -NativeVlanId 90

on opnsense:
vlan0.96: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: WlanGuestVlan96 (opt10)
        options=80000<LINKSTATE>
        ether 00:15:5d:3f:a0:77
        inet 192.168.92.1 netmask 0xffffff00 broadcast 192.168.92.255
        groups: vlan
        vlan: 96 vlanproto: 802.1q vlanpcp: 7 parent interface: hn6
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

hn6: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: WlanMgmVlan90 (opt9)
        options=80018<VLAN_MTU,VLAN_HWTAGGING,LINKSTATE>
        ether 00:15:5d:3f:a0:77
        inet 192.168.90.1 netmask 0xffffff00 broadcast 192.168.90.255
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>


The VLAN on OPNsense is not working. If I do the same PowerShell command on a Windows VM and set the VLAN on the network adapter, it is working, so I think this should be an issue with OPNsense.

Configuring an interface for each VLAN is not working, because I use HyperV 2k16 and this is limited to 8 interfaces.

Hopefully someone can help, because I found no solution; I think it depends on HyperV <-> OPNsense.


best regards

Chris


I have no experience with Hyper-V but the general recommendation when running on a hypervisor and you cannot PCIe pass through an entire network adapter, is to use the hypervisor's vSwitch to create the tagged interfaces ("port groups" in VMware) and assign one virtual interface per VLAN to the VM.

This is how I have been running virtualised firewalls for decades. YMMV.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

No experience with Hyper-V either.
I typically reserve specifying VLAN on the host to cases where the VM can't really be trusted, or maybe to replicate "access port" functionality on the host's bridge.

When dealing with an OPN VM (under Proxmox), to reduce the management burden to one system only, I've passed the entire bridge down to the VM.
Then, from the VM's perspective, it looks similar to PCIe pass-through...
In any case, pick which side is going to do the tagging!

In your case, the parent interface of vlan0.96 is hn6. Isn't hn6 a tagged interface?

Hi,

I found the problem: the parent interface hn6 was not active in the OPNsense interface configuration. After enabling it, it was working :(
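
An added example (not code from any poster in this thread): a Python check that cross-references `ifconfig` output from the firewall with the Hyper-V trunk settings, flagging a VLAN child whose parent is not up, whose tag equals the native VLAN, or whose tag is outside the allowed list. The function names and the sample text are constructed, and it assumes a parent that is not enabled shows up in `ifconfig` without the `UP` flag.

```python
import re

# Constructed sample: ifconfig output trimmed to the lines the check reads,
# with parent hn6 lacking the UP flag (assumed "not enabled" state).
SAMPLE = """\
vlan0.96: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        vlan: 96 vlanproto: 802.1q vlanpcp: 7 parent interface: hn6
hn6: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80018<VLAN_MTU,VLAN_HWTAGGING,LINKSTATE>
"""

def parse_allowed(spec):
    """Expand an AllowedVlanIdList string such as '96-99,120' into a set."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def parse_ifconfig(text):
    """Return {ifname: {'up': bool, 'vlan': int or None, 'parent': str or None}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"(\S+): flags=\w+<([^>]*)>", line)
        if head:
            # Exact flag match, so LOWER_UP is not mistaken for UP.
            up = "UP" in head.group(2).split(",")
            cur = ifaces[head.group(1)] = {"up": up, "vlan": None, "parent": None}
            continue
        tag = re.search(r"vlan: (\d+) .*parent interface: (\S+)", line)
        if tag and cur is not None:
            cur["vlan"], cur["parent"] = int(tag.group(1)), tag.group(2)
    return ifaces

def check(ifaces, allowed, native):
    """List mismatches between the VLAN children and the trunk settings."""
    problems = []
    for name, i in ifaces.items():
        if i["vlan"] is None:
            continue
        parent = ifaces.get(i["parent"])
        if parent is None or not parent["up"]:
            problems.append(f"{name}: parent {i['parent']} is not up")
        if i["vlan"] == native:
            problems.append(f"{name}: VLAN {i['vlan']} is the native VLAN, untagged on the parent")
        elif i["vlan"] not in allowed:
            problems.append(f"{name}: VLAN {i['vlan']} not in allowed list")
    return problems

if __name__ == "__main__":
    print("\n".join(check(parse_ifconfig(SAMPLE), parse_allowed("96-99"), 90)))
```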