MAC Address Learning Issue ?!

[Patrick M. Hausen]

Just use the physical interface without the VLAN.

What exactly do you want to achieve?

[Saarbremer]

Yes, exactly.

In order to access the untagged port on OPNsense you use the interface itself rather than a VLAN.

However, same question from me: Why?

[tryllz]

Just use the physical interface without the VLAN.

What exactly do you want to achieve?

Thanks, this is what I plan to do now.

Yes, exactly.

In order to access the untagged port on OPNsense you use the interface itself rather than a VLAN.

However, same question from me: Why?

Thanks, I though it was possible to set up a VLAN interface without tagging.

I was trying to setup NSX Edge to send traffic over Uplinks for all VLANs over Trunk Ports (works), and for specific VLANs over Trunk ports (does not work) as I found it should work both ways, so I'm trying to understand why it does not work with the 2nd way, solely for learning purpose. I'm sure its a configuration issue, so trying to troubleshoot it but couldn't find where the issue was.

[Patrick M. Hausen]

That should work, but if you expect VLANs on OPNsense to be connected in sny way across multiple ports, then that is your problem. OPNsense is not a switch. There is no "fabric". You would need to create bridge interfaces manually.

E.g. VLAN 10 on igb0, VLAN 10 on igb1, and an untagged igb2 are NOT connected in any way. As I wrote you could create a bridge with all these interfaces as members.

[tryllz]

That should work, but if you expect VLANs on OPNsense to be connected in sny way across multiple ports, then that is your problem. OPNsense is not a switch. There is no "fabric". You would need to create bridge interfaces manually.

E.g. VLAN 10 on igb0, VLAN 10 on igb1, and an untagged igb2 are NOT connected in any way. As I wrote you could create a bridge with all these interfaces as members.

I understand the VLANs are not connected in anyway even though they belong to the same parent interface.

I'm just trying to understand why when the Edge Uplink Portgroups are configured with all VLANs [0-4094], the Edge vNIC carrying VLAN 26 traffic can reach the firewall interafce but when specific VLANs are added in the portgroup [26, 24], the same Edge Uplinks that allow VLAN 26 can't reach the same firewall interface.

[Patrick M. Hausen]

Could you do a quick and simple diagram of the two configurations, please?

[tryllz]

Could you do a quick and simple diagram of the two configurations, please?

Network Diagram



Distributed Switch Uplink Portgroup with All VLANs allowed (works)



Distributed Switch Uplink Portgroup with only VLANs 26, and 24 allowed (not working)

[tryllz]

Just adding..

As you can see the Distributed Switch Portgroup has 2 VLANs 25 and 26, only VLAN 26 faces this issue of not reaching its firewall interface, all traffic in VLAN 25 reaches its firewall interface without any issues.

Point being VLAN 25 faces no issue at all in any configuration, but VLAN 26 faces this issue, even though both uplink configurations are the same, except the VLAN ID.

[Patrick M. Hausen]

Sorry - no idea. Use tcpdump or in case of real switches a monitor port to watch the packets. That's what I would do.

Does the source send the packets down the right path? Are they correctly tagged/untagged?
Does the next system in line receive the packets?
Repeat for each next hop.

[tryllz]

Thanks,

I have captured packets on the firewall when VLAN 26 cannot ping its firewall interface.



The firewall parent interface sends an ARP Broadcast.

Appreciate all the help, will go through, and try and rebuild again, must be something I missed.

Thanks again..