Archive > 21.7 Legacy Series

VLAN/Multiple OPNsense LAN Ports Question


Patrick M. Hausen:
You should never mix tagged and untagged frames on the same interface. Never. Seriously.

Superduke:
I'm nowhere near competent to understand why.....but if this is indeed true, and I have no reason at all to doubt you.....are all of the YouTube videos that exist on how to set up VLANs on OPN and pfSense wrong in their approach?

If yes....then can you point to a proper approach to separate church from state?


--- Quote from: pmhausen on October 13, 2021, 07:55:45 pm ---You should never mix tagged and untagged frames on the same interface. Never. Seriously.

--- End quote ---

Patrick M. Hausen:
Use one interface for untagged and a separate physical interface for tagged traffic.
A port connected to a switch carrying tagged traffic should carry only tagged traffic.

Of course the idea is not fundamentally wrong or technically impossible. The general advice I give here is mostly about edge cases and possible failure situations. For example, you cannot put a VLAN on top of a bridge in FreeBSD. So if you want to have more than one interface in your untagged "LAN" to use the OPNsense device as a cheap switch - bad luck for the tagged VLANs. You can of course put a bridge on top of a VLAN, which is the way this is supposed to work.

Then the IDS/IPS components (Sensei/Suricata) frequently fail in non-intuitive ways in a setup like this.

There are reported cases in which dhcpd does not work on the tagged VLANs if it is also serving the untagged one.

So, it's complicated. I cannot claim to state "it is bad and will not work because ..." - it only has a high probability of "weird" failure modes depending on your setup and hardware.

So repeating my advice: simply don't. Access ports are access ports (untagged only), trunk ports are trunk ports (tagged only). Even Cisco's documentation explicitly states: you should not use VLAN 1 for anything. VLAN 1 is the default untagged VLAN on trunk (tagged) ports.

HTH,
Patrick
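As an added illustration of the three rules in the post above (no tagged and untagged traffic on one physical port, no VLAN stacked on a bridge in FreeBSD, no VLAN 1), here is a small layout linter. It is example code written for this page, not OPNsense or FreeBSD code; the interface names (igb1, igb1_vlan10, bridge0 and so on) and the `assigned` flag meaning "used as an untagged OPNsense interface" are constructed assumptions.

```python
"""Lint an intended OPNsense/FreeBSD interface layout (constructed example).

Rules checked:
  1. a physical port used untagged must not also carry tagged VLAN children
  2. a VLAN's parent must not be a bridge (unsupported on FreeBSD);
     a bridge on top of VLANs is fine
  3. VLAN ID 1 (default native VLAN on trunks) should not be used
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Iface:
    name: str
    kind: str                          # "phys", "vlan" or "bridge"
    parent: Optional[str] = None       # vlan: device it rides on
    tag: Optional[int] = None          # vlan: 802.1Q VLAN ID
    members: List[str] = field(default_factory=list)  # bridge: member ifaces
    assigned: bool = False             # phys: used as an untagged interface


def lint_layout(ifaces: List[Iface]) -> List[str]:
    """Return sorted, de-duplicated findings; an empty list means clean."""
    by_name = {i.name: i for i in ifaces}
    findings = set()
    for i in ifaces:
        if i.kind == "vlan":
            parent = by_name.get(i.parent or "")
            if parent is None:
                findings.add(f"{i.name}: parent {i.parent} does not exist")
                continue
            if parent.kind == "bridge":
                findings.add(f"{i.name}: VLAN on top of bridge {parent.name} "
                             "is not supported on FreeBSD; build the bridge "
                             "on top of the VLAN instead")
            if i.tag == 1:
                findings.add(f"{i.name}: uses VLAN 1, the default native VLAN "
                             "on trunk ports; pick another ID")
            if parent.kind == "phys" and parent.assigned:
                findings.add(f"{parent.name}: carries untagged traffic and "
                             f"tagged {i.name}; use separate physical ports")
        elif i.kind == "bridge":
            for m in i.members:
                if m not in by_name:
                    findings.add(f"{i.name}: member {m} does not exist")
    return sorted(findings)


# Constructed layouts to exercise the checks.
MIXED = [                                   # untagged LAN plus VLANs on igb1
    Iface("igb1", "phys", assigned=True),
    Iface("igb1_vlan1", "vlan", parent="igb1", tag=1),
    Iface("igb1_vlan10", "vlan", parent="igb1", tag=10),
]
BAD_STACK = [                               # VLAN stacked on a bridge
    Iface("igb1", "phys"),
    Iface("igb2", "phys"),
    Iface("bridge0", "bridge", members=["igb1", "igb2"], assigned=True),
    Iface("bridge0_vlan10", "vlan", parent="bridge0", tag=10),
]
GOOD = [                                    # access port + dedicated trunk port
    Iface("igb1", "phys", assigned=True),   # untagged LAN
    Iface("igb2", "phys"),                  # trunk, tagged only
    Iface("igb2_vlan10", "vlan", parent="igb2", tag=10),
    Iface("igb2_vlan20", "vlan", parent="igb2", tag=20),
    Iface("bridge0", "bridge", members=["igb2_vlan10"], assigned=True),
]

if __name__ == "__main__":
    for label, layout in (("MIXED", MIXED), ("BAD_STACK", BAD_STACK), ("GOOD", GOOD)):
        print(label, lint_layout(layout) or "clean")
```

Running the script prints findings for MIXED and BAD_STACK and "clean" for GOOD, which mirrors the advice: one physical port untagged, another port for tags only, and any bridge placed above the VLANs rather than below them.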

Greelan:

--- Quote from: pmhausen on October 13, 2021, 09:16:50 pm ---Use one interface for untagged and a separate physical interface for untagged traffic.

--- End quote ---
I suspect you meant to say “a separate physical interface for tagged traffic”.

I suspect you are probably right that this is largely a concern for edge cases. I'd hope for normal firewall behaviour that carefully defined rules (e.g. making sure source IPs in the rules are confined to what they should be, rather than using "any") will avoid unanticipated outcomes. Franco in fact suggests this in his original comment.

Patrick M. Hausen:
Yes, typo - thanks. I fixed it.
