What is the correct VLAN mode on a managed switch?

Started by cmonty14, July 21, 2021, 08:07:01 AM

July 21, 2021, 08:07:01 AM Last Edit: July 21, 2021, 08:11:14 AM by cmonty14
Hello,

My ISP (Vodafone cable) provides two internet access points:
- standard (like any ISP offers)
- static IP

The router (here: AVM Fritz!Box 6490 cable) basically works like any other Fritz!Box with only one exception:
one port is configured to use the static IP.
I guess one could call this passthrough.

Anyway, this means that I have the following port configuration with this Fritz!Box:
Port 1 - LAN
Port 2 - LAN
Port 3 - static IP passthrough
Port 4 - Guest LAN

The other network device is a managed switch (here: D-Link DGS-1100).

The use case for OPNsense is this.
On a Proxmox VE host I set up a VM with OPNsense as a router and firewall.
The Proxmox VE host has 5 Ethernet ports; the OPNsense VM will use 2 of them via PCI passthrough: eth0 for WAN (= static IP) and eth1 for LAN.

In addition I want to set up different VLANs, e.g. for a Smarthome network, a DMZ and a PVE Guest network.
I also consider a VLAN for Fritzbox LAN and Fritzbox Guest LAN.

As a result the following interface configuration is available in OPNsense:
[screenshot of the Interfaces page]
1 - Default
2 - Management network
10 - Fritzbox LAN
179 - Fritzbox Guest LAN
161 - DMZ
162 - Smarthome network
100 - PVE Guest network
110 - PVE Migration network
120 - PVE Corosync network

In my understanding the OPNsense LAN interface is untagged, because I don't know how to tag it when creating the interface.
All other interfaces are VLANs, and this means they are tagged.
Should the OPNsense LAN interface be tagged, too?
In order to avoid collisions with the Fritzbox LAN?
Or is it recommended that any LAN be untagged?

And how should the VLANs be configured on the managed switch?
That is, what VLAN should be used?
My current understanding is that 802.1Q is the preferred mode when using multiple VLANs on a single port.
And with 802.1Q there are different VLAN modes: Access Port, Trunk Port and Hybrid Port.

In my understanding the OPNsense LAN interface is logically a switch.
If this is true, the VLAN mode of the connected managed switch port must be trunk.
But then the untagged LAN won't work, right?

Can you please advise what is the recommended configuration on the managed switch, in particular the recommended VLAN mode?
What should be tagged? What should be untagged?

THX

My understanding (correct me if wrong) is that normally a trunk is for the switch interfaces where there is another switch behind that is pushing up different tagged clients.
E.g. switch 1 port 1 might be a trunk, and underneath port 1 is another switch (switch 2) with VLANs 100, 101, 102 across different interfaces connecting to client PCs. In this case you would have access ports tagged with a specific VLAN on each switch 2 interface as appropriate, and a trunk port of 100-102 for port 1 on switch 1.

For OPNsense the ports work similar to a PC, as you are creating a VLAN with an IP address and then assigning it an interface. So these are access ports. On the switch above you would set a trunk port.

One thing I don't understand from your screenshot is VLAN 10 and VLAN 179, as they both look identical, and there is no way I can see how the firewall would know what packets to tag or how to differentiate between them. I could be wrong on that though. Maybe you can explain?

Hello,

I assumed that the OPNsense LAN port is a switch, as there are multiple VLANs assigned to the same port.
And the difference between VLAN 10 and VLAN 179 is that there are 2 different connections to the Fritzbox router providing the relevant networks (Fritzbox LAN and Fritzbox Guest LAN). I have defined DHCP for both VLANs because the Fritzbox is offering a DHCP service.

THX

OPNsense is a router and not a switch. A port that supports tagging (i.e. multiple VLANs) does not make the device a switch.
In your example, OPNsense configured with tagging (i.e. a trunk interface) carries multiple VLANs, VLAN 10 and VLAN 179. OPNsense then would need to be configured with gateways for each VLAN. OPNsense can also act as a DHCP server for multiple VLANs.

As for the term switch: a switch is a device that has the ability to keep track of MAC addresses to reduce the ARP requests. Generally these devices (switches) have an ASIC chip that gives them this ability.

You can set up any router with a trunk interface (tagged interface, dot1q) with multiple VLANs.


Thanks for your reply.

Is my understanding correct that the Managed Switch port connected with OPNsense LAN interface must be defined as 802.1Q VLAN mode trunk?

I reviewed my VLAN settings and decided to go with VLAN 1 for the Fritzbox LAN; thereby I should reduce the risk of complications.

But then I need to define a VLAN ID for OPNsense LAN interface to avoid collision with Fritzbox LAN (e.g. VLAN20).

If this is correct, how should I proceed with OPNsense interface configuration?
Would this mean that I create the interface LAN without enabling it and add all VLANs to this interface, including VLAN 20?

THX

OPNsense can be connected directly to a switch (managed or unmanaged) without needing dot1q. However, the good design is to enable the link as dot1q, because in the future you then only have to add additional VLANs without reconfiguring the ports and taking down the link.

The direct port between the Fritz and OPNsense has nothing to do with all other ports.

OPNsense (2,10,179,etc) ---- (2,10,179,etc) Managed Switch --- Fritz

VLAN1 is dedicated for everything else, i.e. -- IP with no VLAN associated. I would not try to use VLAN1.

Thanks for your reply.

With regards to VLAN1...
The issue is that the Fritzbox cannot do VLANs; this function is not implemented.

Considering this, is it still reasonable to define a VLAN for the Fritzbox LAN network?
If yes, what is the setting for the relevant port of the managed switch?
Access tagged VLAN<ID> or
Access untagged VLAN<ID> or
Access admit all or
anything else?

Just like your PC, you are not sure which VLAN you are on. What it means is that you configure the switch port connected to the Fritz and place it in a VLAN that carries the IP subnet. :)

The interface itself is not tagged but is in VLAN Z.
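The design that the replies converge on (a dot1q trunk towards OPNsense, the Fritzbox ports placed untagged in their VLAN, VLAN 1 left alone) traced as an added example. This is not code from the thread, from OPNsense or from D-Link; it is a small Python model of 802.1Q port membership on a managed switch. The port names, the choice of VLAN 20 as the untagged (native) OPNsense LAN, VLAN 10 / 179 for the Fritzbox LAN / Guest LAN ports and the PC port are assumptions for illustration; the tagged VLAN IDs are the ones listed on the Interfaces screenshot. It shows why an untagged frame from the Fritzbox arrives at OPNsense tagged with VLAN 10, why a frame from a plain LAN PC arrives untagged on the parent LAN interface, and why "Access tagged VLAN 10" on the Fritzbox port is the wrong setting for a device that cannot tag.

```python
"""802.1Q port-membership model for the switch in this thread (added example).

Not OPNsense or D-Link code. Port names, VLAN 20 as the untagged OPNsense LAN,
and the VLAN-to-port assignment are assumptions made for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    pvid: int                                   # VLAN that untagged ingress frames land in
    untagged: set = field(default_factory=set)  # VLANs this port sends out without a tag
    tagged: set = field(default_factory=set)    # VLANs this port sends out with an 802.1Q tag

    @property
    def mode(self):
        # Access = only one untagged VLAN; trunk = tagged VLANs plus optional native VLAN
        return "trunk" if self.tagged else "access"


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def classify(self, in_port, wire_vid):
        """Ingress: untagged frame -> PVID; tagged frame -> its VID only if the
        port carries that VLAN tagged (ingress filtering), otherwise dropped."""
        port = self.ports[in_port]
        if wire_vid is None:
            return port.pvid
        return wire_vid if wire_vid in port.tagged else None

    def forward(self, in_port, wire_vid):
        """Flood a frame of unknown destination within its VLAN.
        Returns {egress_port: VID on the wire, or None for untagged}."""
        vlan = self.classify(in_port, wire_vid)
        if vlan is None:
            return {}
        out = {}
        for name, p in self.ports.items():
            if name == in_port:
                continue
            if vlan in p.untagged:
                out[name] = None       # leaves untagged (what a PC or the Fritzbox sees)
            elif vlan in p.tagged:
                out[name] = vlan       # leaves tagged (what the OPNsense VLAN interface sees)
        return out


def check_plan(switch, opnsense_port, opnsense_vlan_ifaces, cannot_tag=()):
    """Checks a practitioner wants before committing the VLAN plan to the switch."""
    issues = []
    up = switch.ports[opnsense_port]
    for p in switch.ports.values():
        if 1 in p.untagged | p.tagged:
            issues.append(f"{p.name}: VLAN 1 in use; leave the default VLAN unused")
        if p.untagged & p.tagged:
            issues.append(f"{p.name}: same VLAN both tagged and untagged")
        if len(p.untagged) > 1:
            issues.append(f"{p.name}: more than one untagged VLAN on one port")
        if p.pvid not in p.untagged:
            issues.append(f"{p.name}: PVID {p.pvid} is not the port's untagged VLAN")
        if p.name in cannot_tag and p.tagged:
            issues.append(f"{p.name}: tagged VLANs on a port whose device cannot tag")
        for v in p.untagged - up.tagged - up.untagged:
            issues.append(f"{p.name}: VLAN {v} is not carried on the OPNsense trunk")
    if up.tagged != set(opnsense_vlan_ifaces):
        issues.append(f"{up.name}: tagged VLANs {sorted(up.tagged)} differ from "
                      f"OPNsense VLAN interfaces {sorted(opnsense_vlan_ifaces)}")
    return issues


OPNSENSE_VLANS = {2, 10, 179, 161, 162, 100, 110, 120}   # from the Interfaces screenshot
LAN_NATIVE = 20                                          # assumed untagged OPNsense LAN
FRITZ_PORTS = {"p5_fritz_lan", "p6_fritz_guest"}        # the Fritzbox cannot tag

# Constructed plan following the thread's advice (port numbers are assumptions).
GOOD = Switch([
    Port("p1_opnsense", pvid=LAN_NATIVE, untagged={LAN_NATIVE}, tagged=set(OPNSENSE_VLANS)),
    Port("p5_fritz_lan", pvid=10, untagged={10}),
    Port("p6_fritz_guest", pvid=179, untagged={179}),
    Port("p7_pc", pvid=LAN_NATIVE, untagged={LAN_NATIVE}),
])

# Constructed misconfiguration: Fritzbox port set to "Access tagged VLAN 10".
BAD = Switch([
    Port("p1_opnsense", pvid=LAN_NATIVE, untagged={LAN_NATIVE}, tagged=set(OPNSENSE_VLANS)),
    Port("p5_fritz_lan", pvid=10, tagged={10}),
])

if __name__ == "__main__":
    print("good plan issues:", check_plan(GOOD, "p1_opnsense", OPNSENSE_VLANS, FRITZ_PORTS))
    print("bad plan issues:", check_plan(BAD, "p1_opnsense", OPNSENSE_VLANS, FRITZ_PORTS))
    print("Fritz LAN -> ", GOOD.forward("p5_fritz_lan", None))   # tagged 10 towards OPNsense
    print("LAN PC    -> ", GOOD.forward("p7_pc", None))          # untagged towards OPNsense
    print("OPNsense vlan179 -> ", GOOD.forward("p1_opnsense", 179))  # untagged to Fritz guest
```

Read the `forward` results as the answer to "what should be tagged": the port facing OPNsense is the only trunk (tagged 2,10,179,... plus the untagged native LAN), every other port is an access port in exactly one VLAN, and the Fritzbox ports are "Access untagged" because the Fritzbox never sees a tag.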