Combining interfaces and VLAN networks

Started by Bukball1997, February 05, 2022, 05:56:59 PM

Horrible title but I'm not sure what the best phrasing is.

I have two physical interfaces that each have a VLAN capable device at the other end.  One is an AP and the other is a switch, if it makes a difference.

I would like to put certain devices from each of them on the same subnet.  I had originally thought that I could just assign them the same VLAN and that would take care of it but that doesn't seem to be the case.

It appears that what I need to do is bridge the two VLAN interfaces together, which means that the actual VLAN ID that they use doesn't have to match.  Is this the best method or is there a different solution that I'm missing?

Thanks.

OPNsense is not a switch, so it doesn't have a concept of VLANs spanning multiple ports. Yes, a bridge is the only option.

IF the OPNsense is supposed to communicate in that VLAN, too, i.e. have an IP address configured "there", you MUST assign the IP address to the bridge interface, not one of the VLAN interfaces that are members of the bridge.

Oh, and don't use the same ports for VLANs and untagged traffic.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

February 06, 2022, 04:46:25 PM #2 Last Edit: February 06, 2022, 10:40:32 PM by ajm
Yes, you can do that. I'm working on a similar configuration at the moment.

The links to the switch and AP are known as trunk ports, and typically carry several VLANs using 802.1Q, the Ethernet frames being tagged with their VLAN ID. As you've realised, the same VLAN ID must be configured on all devices (AP, switch) where the edge devices are on a common subnet. I also use trunk ports for server connections, where VMs or whatever may need to exist on several different subnets but only one physical uplink is available.

In order for these edge devices spread across multiple trunk ports to be connected together, a bridge is used within the OPNsense device, one per VLAN. Each VLAN on each trunk port is created as an L2-only interface and configured as a member of the respective bridge. The OPNsense L3 interface is configured on the bridge.

The only snags I've encountered so far are: (a) when using bridges in this way with tagged traffic, bridging untagged traffic in addition is not possible, as it causes problems; (b) the L2 interfaces created for the VLAN trunks default to being managed by the firewall, which is unnecessary as the L3 interfaces take care of that. **

As regards performance, I did some server-to-server tests using iperf3. The throughput direct was measured at ~945 Mbit/s, and via trunk connections into/out of the OPNsense bridge it was measured at ~895 Mbit/s. So not such a bad drop, and for my use-case that's perfectly acceptable.

HTH

IF_BRIDGE(4):
"A bridge works like a switch, forwarding traffic from one interface to
another. Multicast and broadcast packets are always forwarded to all
interfaces that are part of the bridge. For unicast traffic, the bridge
learns which MAC addresses are associated with which interfaces and will
forward the traffic selectively."


** See:
https://forum.opnsense.org/index.php?topic=26789.msg129768#msg129768

Quote from: ajm on February 06, 2022, 04:46:25 PM
(b) the L2 interfaces created for the VLAN trunks default to be managed by the firewall, which is unnecessary as the L3 Interfaces take care of that.
There's a tunable to change that:
https://docs.opnsense.org/manual/how-tos/lan_bridge.html
net.link.bridge.pfil_member=0
net.link.bridge.pfil_bridge=1
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
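As an added example that is not part of the thread (and not OPNsense's own code), the following Python models the layout described in the two replies above and checks it against the rules they give: one bridge per VLAN ID spanning the trunk ports, the L3 address on the bridge rather than on a member VLAN interface, no untagged traffic on a port that also carries tagged VLANs, and the two net.link.bridge tunables set as the linked how-to recommends. It also emits the equivalent FreeBSD ifconfig commands so the resulting interface tree is visible. Interface names (igb1, igb2), VLAN IDs, addresses and the FreeBSD default of 1 for both tunables are assumptions for illustration; on a real OPNsense box the interfaces are created in the GUI and the tunables under System > Settings > Tunables, not by pasting these commands.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumed FreeBSD defaults: both tunables ship as 1 (filter on members and on the bridge).
DEFAULT_SYSCTL = {"net.link.bridge.pfil_member": 1, "net.link.bridge.pfil_bridge": 1}


@dataclass
class Port:
    """A physical trunk port, e.g. the link to the switch or to the AP."""
    name: str
    tagged_vlans: Set[int] = field(default_factory=set)
    untagged_ip: Optional[str] = None  # an address on the bare parent means untagged use


@dataclass
class VlanBridge:
    """One bridge per VLAN ID, with the VLAN's L2 interface on each trunk as a member."""
    name: str
    vlan_id: int
    members: List[str]        # parent port names that carry this VLAN
    ip: Optional[str] = None  # the L3 address belongs on the bridge


@dataclass
class Design:
    ports: Dict[str, Port]
    bridges: List[VlanBridge]
    member_ips: Dict[str, str] = field(default_factory=dict)  # "igb1.10" -> address (a mistake)
    sysctl: Dict[str, int] = field(default_factory=dict)


def vlan_ifname(port: str, vlan_id: int) -> str:
    """FreeBSD 'parent.vid' naming; assumed here, OPNsense picks its own names."""
    return f"{port}.{vlan_id}"


def check_design(d: Design) -> List[str]:
    """Return a list of rule violations; an empty list means the layout is sound."""
    problems: List[str] = []
    for b in d.bridges:
        for p in b.members:
            port = d.ports[p]
            vif = vlan_ifname(p, b.vlan_id)
            if b.vlan_id not in port.tagged_vlans:
                problems.append(f"{b.name}: trunk {p} does not carry VLAN {b.vlan_id}")
            if port.untagged_ip is not None:
                problems.append(f"{b.name}: {p} carries untagged traffic alongside tagged VLANs")
            if vif in d.member_ips:
                problems.append(f"{b.name}: address {d.member_ips[vif]} sits on member {vif}; move it to {b.name}")
    seen: Dict[int, str] = {}
    for b in d.bridges:
        if b.vlan_id in seen:
            problems.append(f"VLAN {b.vlan_id} is bridged twice ({seen[b.vlan_id]} and {b.name})")
        seen[b.vlan_id] = b.name
    s = {**DEFAULT_SYSCTL, **d.sysctl}
    if s["net.link.bridge.pfil_member"] != 0:
        problems.append("net.link.bridge.pfil_member should be 0 (do not filter on each member)")
    if s["net.link.bridge.pfil_bridge"] != 1:
        problems.append("net.link.bridge.pfil_bridge should be 1 (rules live on the bridge)")
    return problems


def ifconfig_plan(d: Design) -> List[str]:
    """Equivalent FreeBSD commands for the layout, for reading the interface tree."""
    cmds: List[str] = []
    for b in d.bridges:
        for p in b.members:
            vif = vlan_ifname(p, b.vlan_id)
            cmds.append(f"ifconfig {vif} create vlan {b.vlan_id} vlandev {p} up")
        addm = " ".join(f"addm {vlan_ifname(p, b.vlan_id)}" for p in b.members)
        cmds.append(f"ifconfig {b.name} create {addm} up")
        if b.ip:
            cmds.append(f"ifconfig {b.name} inet {b.ip}")
    for k, v in {**DEFAULT_SYSCTL, **d.sysctl}.items():
        cmds.append(f"sysctl {k}={v}")
    return cmds


def example_good() -> Design:
    """Constructed sample: VLAN 10 and 20 spanning the AP trunk (igb1) and switch trunk (igb2)."""
    return Design(
        ports={"igb1": Port("igb1", {10, 20}), "igb2": Port("igb2", {10, 20, 30})},
        bridges=[VlanBridge("bridge0", 10, ["igb1", "igb2"], ip="192.0.2.1/24"),
                 VlanBridge("bridge1", 20, ["igb1", "igb2"], ip="198.51.100.1/24")],
        sysctl={"net.link.bridge.pfil_member": 0, "net.link.bridge.pfil_bridge": 1},
    )


def example_bad() -> Design:
    """Constructed sample with the three mistakes the thread warns about."""
    return Design(
        ports={"igb1": Port("igb1", {10}), "igb2": Port("igb2", {10}, untagged_ip="192.0.2.254/24")},
        bridges=[VlanBridge("bridge0", 10, ["igb1", "igb2"])],
        member_ips={"igb1.10": "192.0.2.1/24"},  # address on the member instead of the bridge
        sysctl={},                                # tunables left at their defaults
    )


if __name__ == "__main__":
    for line in ifconfig_plan(example_good()):
        print(line)
    for problem in check_design(example_bad()):
        print("PROBLEM:", problem)
```

Note that the checker treats a VLAN ID bridged twice as an error: the bridge is what joins the trunks, so a given VLAN ID on the firewall needs exactly one bridge, and every other "isolated" VLAN simply stays a plain L3 interface with no bridge at all.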

Awesome, thanks for that. I will investigate and see if it works for me.

ATB, Andy