All VLAN Configuration

[spetrillo]

Hello all,

Is it possible to have an all VLAN configuration on OPNsense? In the initial configuration the LAN interface is set to 192.168.1.1 on a physical NIC. How can I move this to a VLAN interface and free up the physical NIC to be part of an overall LAG.

Thanks,
Steve

[rainerle]

Hi,

just don't.

LAN and WAN are special interfaces and have automatic firewall rules attached to them.
In a multi-VLAN setup use LAN as your administrator interface - it will never allow to block yourself out.
Use WAN as your uplink interface. Suricata does not like to operate on VLANs for example.
If you ever need to reinstall/freshinstall it makes it easier to upload your configuration again.

Use devices with at least four network interfaces:
1: LAN (Admin Port)
2: WAN (Uplink Port)
3: Additonal VLANs
4: pfSync to HA partner

If you want your WAN and Admin Port in a VLAN - do it on the switch port.

[spetrillo]

Hi,

just don't.

LAN and WAN are special interfaces and have automatic firewall rules attached to them.
In a multi-VLAN setup use LAN as your administrator interface - it will never allow to block yourself out.
Use WAN as your uplink interface. Suricata does not like to operate on VLANs for example.
If you ever need to reinstall/freshinstall it makes it easier to upload your configuration again.

Use devices with at least four network interfaces:
1: LAN (Admin Port)
2: WAN (Uplink Port)
3: Additonal VLANs
4: pfSync to HA partner

If you want your WAN and Admin Port in a VLAN - do it on the switch port.

Ok what do you use your LAN NIC for, other than admin? Is 192.168.1.0 a part of your overall local network topology? I hear ya on the Suricata side, and I have learned never to vlan the WAN side.

[rainerle]

Ok what do you use your LAN NIC for, other than admin? Is 192.168.1.0 a part of your overall local network topology?

The LAN NIC is only for admin, I have our users, servers, dmz in the additional VLANs.

You can get Hardware with 2 1G and 2 10G NICs.
1G   LAN
10G WAN
10G additional NIC
1G   pfSync

4 Port 10G SFP+ LOMs are not expensive, power usage of a DAC cable is lower than with 10G RJ45 Ethernet... .

I always look at running costs - but I live in a country where the public subsidizes high demand electricity companies by abusing a formerly well designed sustainable energy development law - might be different from where you are...

[marjohn56]

Wrong thread!

[sorano]

Hello all,

Is it possible to have an all VLAN configuration on OPNsense? In the initial configuration the LAN interface is set to 192.168.1.1 on a physical NIC. How can I move this to a VLAN interface and free up the physical NIC to be part of an overall LAG.

Thanks,
Steve

Hello Steve from customer service. https://www.youtube.com/watch?v=Zr0xwgqw-BE

I just wanted to add that I run two OPNsense VM's in a "router on a stick" fashion, everything on VLANS (including WAN) along with HA(pfsync) and it's all working perfectly.

Each OPNsense VM has a single vmnic in a portgroup which has all vlans tagged.

Obviously if you've got 1Gbit NIC you risk bottlenecking pretty fast depending on usage but if you got 10Gbit it's actually pretty neat.

With that said, it's worth mentioning that it's my home setup after all

[marjohn56]

It is the wrong thread... oops!

[spetrillo]

Wrong thread!

So my config is as follows:

Onboard NIC(EM0) - WAN interface
4 Port PCI NIC1(IGB0) - LAN interface
4 Port PCI NIC2-4(IGB1-IGB3) - 3 Port LAG to Core Switch

The 3 port LAG carries the vlans for my local networks. I am fine keeping IGB0 as the LAN interface but it seems like a waste of a physical NIC. Could 192.168.1.0 become my mgmt network, so it would make some use of that port?

[rainerle]

The question is rather how many devices you have behind that LACP (lagg). LACP does not double bandwidth, only if your are lucky you get two busy devices separating their traffic over to the two links. Unlucky and both devices use the same link of your LACP.
If you are bandwidth-sensitive rather upgrade to 10G.

I am wasting a 10G SFP+ for management LAN. 4 Port 10G SFP+ LOM cards are cheap, DAC cables are cheap compared to fiber and the electricity costs in the data center are high... . 10G Ethernet uses more power than 10G SFP+...

[spetrillo]

I probably have about 100 or so devices. How would you configure this, knowing I want vlans to logically separate my traffic?

[rainerle]

So in total 5 NICs on a single OPNsense.

LAN
WAN
additional VLANs with a three legged lagg(LACP).

Regarding the separation of Devices:
If you do not want your Xiaomi Roborock see your Philips Hue hub, with OPNsense you need to create separate VLANs. There is no such thing as device isolation.
I separate Users from Services and even use VPN internally to authenticate for a VLAN which contains devices without personalized access.
You can have over 4000 VLANs, so make a plan first and then execute the plan.

[spetrillo]

Yes I have my vlans deployed to separate my traffic. The question was if I have to keep the default LAN interface around what do ppl use it for? The majority of my local traffic will be vlan'ed traffic across the LAG. If a three legged LAG is not going to provide a performance boost then can I run vlans across the physical interfaces, and thus separate them that way?

[sorano]

The question was if I have to keep the default LAN interface around what do ppl use it for?

No you dont have to keep the default LAN interface.

The majority of my local traffic will be vlan'ed traffic across the LAG. If a three legged LAG is not going to provide a performance boost then can I run vlans across the physical interfaces, and thus separate them that way?

Well, obviously 3x1Gbit LAG will have higher available bandwidth and that's how I would run it.

With that said, you could put XY vlans on a single interface and ZV on another.

[spetrillo]

Ideally I would like the LAG interfaces to be used independently, so as to spread the load across but it does not sound like this will happen.

My new plan is to put my wired streaming traffic over one of the LAG interfaces, my wireless over another LAG interface, and the last interface will pickup the remainder.

[spetrillo]

The question was if I have to keep the default LAN interface around what do ppl use it for?

No you dont have to keep the default LAN interface.

The majority of my local traffic will be vlan'ed traffic across the LAG. If a three legged LAG is not going to provide a performance boost then can I run vlans across the physical interfaces, and thus separate them that way?

I get that...but do ppl cable up the LAN interface? I am trying to understand what this is used for? I do not understand why this could not be a VLAN interface on the same physical interface.

Well, obviously 3x1Gbit LAG will have higher available bandwidth and that's how I would run it.

With that said, you could put XY vlans on a single interface and ZV on another.