need a little Help with VLANs on OPN sense Interface

[+DS_DV+]

Hello lovely community (:


today i switched around my setup since i migrated my opnsense to a new box which fortunately has 4 instead of 2 interfaces.
i want to use this opportunity to put my access point directly into the opnsense to gain a free port on my switch (:
so basically my old and new setups look like this:



but i need help / am confused on the opnsense side of configurations.
before it looked like this:


for the new setup i tried to switch the parent to igc2 interface on the vlan device configuration but that did not work.
the wifi devices cant reach opnsense and therefore get no dhcp ip etc.

i feel like i am missing something and would greatly appreciate a little help on how to set this up correctly <3
(basically how to get my AP which tags VLANs to work directly plugged into opnsense)

[patient0]

Can you show the VLAN configuraton page of OPNsense? And is it what you wanted to do, VLAN 20 is tagged with VLAN ID 50 (2nd screenshot)?

[+DS_DV+]

VLAN 20 is tagged with VLAN ID 50 (2nd screenshot)?

good spot i corrected that (:

my VLAN Devices look like this: (Parent set to the Interface with the AP (igc2))


before that the Parent was set to the Laninterface (igc1) where a switch is attached which passes the VLANs from the AP.
From what i understand only the AP should Tag the vlan and the rest (switch / opnsense) is just accepting them on untagged interfaces (correct?)

[Patrick M. Hausen]

From what i understand only the AP should Tag the vlan and the rest (switch / opnsense) is just accepting them on untagged interfaces (correct?)

No. The AP tags the frame with a VLAN ID. For that the AP must be connected to a trunk port on the switch. A trunk is a port that carries tagged VLANs. So the switch must know about all the VLANs and the port to the AP must be configured to carry them tagged.

Similarly the connection from switch to OPNsense must be configured for tagged VLANs on the OPNsense and on the switch side.

[+DS_DV+]

i had a zyxel gs 1200 and a netgear gs108e
on both i just set the "trunk" to the opnsense to carry all VLANs and the port with the AP i set to carry the ones for the SSIDs

but i think i don't understand how to set this up in opnsense :/

i think igc2 (where the AP is connected) needs to accept the AP tagged VLANs (20 is the one i currently test with)
that's why i thought setting VLAN Device vlan020 to parent igc2 was enough 🙈

[+DS_DV+]

oh maybe its the DHCP.
I noticed that i set up the dhcp for LAN to give the AP its IP.
but now that the AP is not behind the Switch anymore maybe opnsense does not know that it should give it the same ip on another interface?

[patient0]

i think igc2 (where the AP is connected) needs to accept the AP tagged VLANs (20 is the one i currently test with)
that's why i thought setting VLAN Device vlan020 to parent igc2 was enough

Your thinking is correct, yes. The AP tags the traffic with VLAN tag 20 and OPNsense accepts it on the VLAN 20 tagged interface VLAN_20_WIFI.

oh maybe its the DHCP.
I noticed that i set up the dhcp for LAN to give the AP its IP

Now VLAN_20_WIFI is it's own interface, separated from LAN. And therefore needs a DHCP server and firewall rules for that interface.

[EricPerl]

Note that if you still use the switch and some VLANs span wired and wireless networks, then you'll need to bridge the ports on OPN (SW switch).
I'm not sure that's a good trade-off to gain one port...