Problems setting up DMZ VLAN

Started by Callahan, April 28, 2020, 02:50:50 AM

Hi there,

I was hoping I could get some help (as well as confirmation that I'm not missing anything obvious). I am setting up what is/should be a relatively simple thing. I'm running OPNSense on a NUC with 2 ports (not USB, I'm using the mini PCI-e - https://blog.fosketts.net/2015/06/05/adding-a-second-ethernet-port-to-an-intel-nuc-via-mini-pcie if you're interested). This box has served me well enough so far and I've had no real issues with it.

I wanted to set up a DMZ by adding a VLAN, assigning its parent as em0 (the LAN port), adding the interface, enabling DHCP/DNS on the new interface with a range that isn't my main subnet (IP range for VLAN: 192.168.50.0/24), dropping in a quick rule to allow anything on the DMZ out (testing phase), and I should be done.

So I bought a 24 port switch that has VLAN capability (TPLink TL-SG1024DE - this may be the mistake here) and set it up with the most minimal of configs (see attached image). I then plugged the ESXi box I'm testing from into port 24 of the switch. The LAN port of OPNSense is plugged into port 1 of the switch. I then added a port group in my ESXi host to the only physical NIC in there and assigned the new Port Group the VLAN ID 50. I then assigned the virtual NIC on a new test Linux VM to the new Port Group (VLAN 50).

All pretty standard, straightforward stuff so far, and exactly how we use this at work.

I rebooted the VM after making the above changes, expecting to see it grab an IP address from the 192.168.50.0/24 range, but it gets nothing. I have seen it grab an IP from OPNSense once, during a reboot of either the switch or OPNSense while trying to resolve this issue, but never again. The DHCP logs suggest the request for an IP never reaches OPNSense's DMZ virtual interface:

2020-04-28T01:06:55 dhcpd: Server starting service.
2020-04-28T01:06:55 dhcpd: Sending on Socket/fallback/fallback-net
2020-04-28T01:06:55 dhcpd: Sending on BPF/em0_vlan50/c0:3f:d5:69:1b:93/192.168.50.0/24
2020-04-28T01:06:55 dhcpd: Listening on BPF/em0_vlan50/c0:3f:d5:69:1b:93/192.168.50.0/24
2020-04-28T01:06:55 dhcpd: Wrote 0 leases to leases file.
2020-04-28T01:06:55 dhcpd: lease 192.168.50.5: no subnet.
2020-04-28T01:06:55 dhcpd: For info, please visit https://www.isc.org/software/dhcp/
2020-04-28T01:06:55 dhcpd: All rights reserved.
2020-04-28T01:06:55 dhcpd: Copyright 2004-2020 Internet Systems Consortium.
2020-04-28T01:06:55 dhcpd: Internet Systems Consortium DHCP Server 4.4.2
2020-04-28T01:06:55 dhcpd: PID file: /var/run/dhcpd.pid
2020-04-28T01:06:55 dhcpd: Database file: /var/db/dhcpd.leases
2020-04-28T01:06:55 dhcpd: Config file: /etc/dhcpd.conf
2020-04-28T01:06:55 dhcpd: For info, please visit https://www.isc.org/software/dhcp/
2020-04-28T01:06:55 dhcpd: All rights reserved.
2020-04-28T01:06:55 dhcpd: Copyright 2004-2020 Internet Systems Consortium.
2020-04-28T01:06:55 dhcpd: Internet Systems Consortium DHCP Server 4.4.2


And there it sits, not answering anything. I want to point the finger at this switch. I bought cheap and I think I'm now paying for that in more ways than one.

I'd really appreciate any advice on anything you think I've missed, or equally, if you think this all looks as it should and that I shouldn't have cheaped out on a switch and that's my issue. I can swallow buying a better switch if I know it will resolve my issues. :-)

Thanks for your time.

And therein is why you shouldn't be testing this stuff at 2:30 am. I hadn't tagged the DMZ VLAN on the ports.

All working now....
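The failure in this thread is a switch-membership problem, not a firewall one: the ESXi port group emits frames tagged VLAN 50, but the port facing OPNSense was not a tagged member of VLAN 50, so the switch had nowhere to forward them and em0_vlan50 never saw a DHCPDISCOVER. The following is an added example (not code from the thread, OPNsense or TP-Link) that models 802.1Q frame tagging and a managed switch's per-port tagged/untagged/PVID membership in Python, then replays the thread's topology both ways. The frame layout (TPID 0x8100, 16-bit TCI with the VID in the low 12 bits) is the IEEE 802.1Q standard; the port numbers, the VM MAC 00:0c:29:aa:bb:cc, the DHCPDISCOVER placeholder payload and the function names (`build_switch`, `dhcp_discover_reaches_firewall`) are constructed for the example. The model floods every frame to all member ports and ignores MAC learning, which is enough to show the membership decision.

```python
"""Constructed model of 802.1Q tagging across a managed switch.

Shows why a VLAN-50 DHCPDISCOVER from an ESXi port group never reaches the
firewall's em0_vlan50 interface when the firewall-facing switch port is not
a tagged member of VLAN 50, and that it does once that membership is added.
"""
import struct
from dataclasses import dataclass, field
from typing import Optional

ETHERTYPE_VLAN = 0x8100   # 802.1Q TPID
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Ethernet II frame, with an 802.1Q tag inserted after the MACs if vid is given."""
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    if not 0 < vid < 4095:
        raise ValueError("VID must be 1..4094")
    tci = (pcp << 13) | vid                      # TCI = PCP(3) | DEI(1) | VID(12)
    return dst + src + struct.pack("!HH", ETHERTYPE_VLAN, tci) + struct.pack("!H", ethertype) + payload


def parse_vid(frame: bytes) -> Optional[int]:
    """VID carried by the frame's 802.1Q tag, or None if the frame is untagged/too short."""
    if len(frame) < 16 or frame[12:14] != struct.pack("!H", ETHERTYPE_VLAN):
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def strip_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]


def add_tag(frame: bytes, vid: int) -> bytes:
    return frame[:12] + struct.pack("!HH", ETHERTYPE_VLAN, vid) + frame[12:]


@dataclass
class Port:
    pvid: int = 1                                               # VLAN assigned to untagged ingress frames
    tagged: set = field(default_factory=set)                    # VLANs carried with the tag kept
    untagged: set = field(default_factory=lambda: {1})          # VLANs carried with the tag removed


class Switch:
    def __init__(self, ports: dict):
        self.ports = ports

    def forward(self, ingress: int, frame: bytes) -> dict:
        """Flood a frame arriving on `ingress`; returns {egress_port: frame_as_transmitted}."""
        port = self.ports[ingress]
        vid = parse_vid(frame)
        if vid is None:
            vid, inner = port.pvid, frame                   # untagged ingress: classify by PVID
        else:
            if vid not in port.tagged:
                return {}                                   # ingress filtering: not a member, drop
            inner = strip_tag(frame)
        out = {}
        for num, p in self.ports.items():
            if num == ingress:
                continue
            if vid in p.tagged:
                out[num] = add_tag(inner, vid)              # trunk-style member: tag stays on
            elif vid in p.untagged:
                out[num] = inner                            # access-style member: tag removed
            # ports that are members of neither never see the frame
        return out


OPNSENSE_PORT, ESXI_PORT, DMZ_VID = 1, 24, 50                  # topology from the thread


def build_switch(dmz_tagged_on_firewall_port: bool) -> Switch:
    """24-port switch: all ports untagged in VLAN 1; ESXi port tagged in VLAN 50."""
    ports = {n: Port() for n in range(1, 25)}
    ports[ESXI_PORT].tagged.add(DMZ_VID)
    if dmz_tagged_on_firewall_port:
        ports[OPNSENSE_PORT].tagged.add(DMZ_VID)           # the step the thread had missed
    return Switch(ports)


def dhcp_discover_reaches_firewall(dmz_tagged_on_firewall_port: bool) -> bool:
    """True if a VLAN-50 DHCPDISCOVER from the VM arrives on the firewall port still tagged 50."""
    vm_mac = bytes.fromhex("000c29aabbcc")                  # constructed VM MAC
    frame = build_frame(b"\xff" * 6, vm_mac, ETHERTYPE_IPV4, b"DHCPDISCOVER", vid=DMZ_VID)
    delivered = build_switch(dmz_tagged_on_firewall_port).forward(ESXI_PORT, frame)
    # em0_vlan50 only demultiplexes frames that reach em0 with VID 50 intact.
    return parse_vid(delivered.get(OPNSENSE_PORT, b"")) == DMZ_VID


if __name__ == "__main__":
    print("port 1 not tagged for VLAN 50:", dhcp_discover_reaches_firewall(False))
    print("port 1 tagged for VLAN 50:   ", dhcp_discover_reaches_firewall(True))
```

The model makes the two checks a practitioner should run on any VLAN-over-a-single-NIC setup explicit: the port toward the firewall must be a tagged member of the DMZ VLAN (the tag must survive to em0 for em0_vlan50 to exist as a receiver), and the hypervisor port must be a tagged member as well, or ingress filtering silently drops the VM's frames before any DHCP log entry is ever produced.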