VLAN Interfaces function ?!

Started by tryllz, August 28, 2023, 09:12:01 AM

Hi All,

I have the following VLAN interface configured.


My question is whether the VLAN tag 10 is added to packets (like a switch does) that go through this interface to the outside

or

Whether the interface only allows traffic with this tag (packets not tagged with 10 are dropped).

I have gone through https://docs.opnsense.org/manual/other-interfaces.html, and it's not clear to me.

Would appreciate if someone can clarify this.


August 28, 2023, 09:19:10 AM #2 Last Edit: August 28, 2023, 09:30:07 AM by tryllz
Quote from: franco on August 28, 2023, 09:12:42 AM
Basically both.
Thanks,

If I understood your reply correctly, any packets coming to this firewall interface will have VLAN 10 tagged to them by the firewall if they are leaving the interface to the outside, but only if they are not already tagged by the switch.

Any packets coming with a tag other than 10 will be dropped, right?

It's a bit simpler:

Packets leaving this VLAN interface will have VLAN 10 set on the physical interface. Packets incoming to the physical interface with VLAN 10 will be seen by the VLAN interface as incoming traffic. The VLAN device is not concerned with anything else.


Cheers,
Franco

August 28, 2023, 03:45:39 PM #4 Last Edit: August 28, 2023, 04:14:12 PM by tryllz
So the reason for this question is the below.

This is how the network is.



Below is the Portgroup from the Distributed Switch, where Edge_UL1 and Edge_UL2 are VLAN trunks carrying only traffic with VLAN IDs 25 and 26, but only traffic from VLAN 25 can reach the firewall VLAN interface 10.10.25.1. Traffic from 10.10.26.101 or 10.10.26.102 cannot reach its gateway 10.10.26.1.



However, when I change both the Edge_UL1 and Edge_UL2 Portgroups to carry all VLAN traffic, as below:



Everything works fine, all IP addresses from 10.10.25.0/24 and 10.10.26.0/24 can ping their respective gateway of 10.10.25.1 and 10.10.26.1 on the firewall VLAN interfaces.

So the question:

When the Distributed Switch Portgroup is adding the VLAN 26 tag to traffic heading to the firewall interface 10.10.26.1, is the firewall stripping the VLAN 26 tag, or adding another VLAN 26 tag, or what does it do, because the traffic never reaches the gateway?

VLAN 26 tagged traffic will be ignored unless you add a VLAN interface for it.


Cheers,
Franco

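To make franco's two answers concrete (a VLAN interface tags on egress, receives only frames carrying its own VID on ingress, and frames tagged for a VID with no VLAN interface are simply ignored), here is a small added model of 802.1Q handling on a parent NIC. It is illustration code written for this thread, not OPNsense or FreeBSD code; the interface names and the sample ARP frame are constructed, and VID 30 is chosen as an example of a VLAN with no interface.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tagged frame


def parse_frame(frame: bytes):
    """Return (vid, ethertype, payload); vid is None when the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci = struct.unpack("!H", frame[14:16])[0]      # PCP(3) DEI(1) VID(12)
        inner_type = struct.unpack("!H", frame[16:18])[0]
        return tci & 0x0FFF, inner_type, frame[18:]
    return None, ethertype, frame[14:]


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Egress from a VLAN interface: insert the 802.1Q header after the source MAC."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be in 1..4094")
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def receive(frame: bytes, vlan_ifaces: dict):
    """Ingress on the parent NIC. vlan_ifaces maps VID -> VLAN interface name.
    Returns (interface, frame as that interface sees it); (None, None) if ignored."""
    vid, _ethertype, _payload = parse_frame(frame)
    if vid is None:
        return "parent", frame                 # untagged: stays on the parent
    if vid in vlan_ifaces:
        # the VLAN interface hands the frame up with the tag removed
        return vlan_ifaces[vid], frame[:12] + frame[16:]
    return None, None                          # tagged for an unknown VID


# Constructed sample: a broadcast ARP frame (dummy 28-byte ARP body).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("005056000001")
ARP_REQ = DST + SRC + b"\x08\x06" + b"\x00" * 28

# Hypothetical VLAN interfaces for the VIDs discussed in this thread.
IFACES = {10: "vlan10", 25: "vlan25", 26: "vlan26"}
```

Running `receive(tag_frame(ARP_REQ, 26), IFACES)` delivers the untagged frame to `vlan26`, while a frame tagged with VID 30 is dropped because no interface claims it.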
August 28, 2023, 04:34:08 PM #6 Last Edit: August 28, 2023, 04:37:35 PM by tryllz
Quote from: franco on August 28, 2023, 04:15:38 PM
VLAN 26 tagged traffic will be ignored unless you add a VLAN interface for it.

The firewall has a VLAN interface with IP address 10.10.26.1 for VLAN tag 26 (opt9 in the diagram).

August 28, 2023, 04:39:46 PM #7 Last Edit: August 28, 2023, 04:42:37 PM by tryllz
A packet capture on the firewall reveals that the firewall Parent Interface sends an ARP broadcast even though the VLAN interface 10.10.26.1 and 10.10.26.101 are on the same network and directly connected to it.


Please don't change the scope from the original question or at least don't require me to comment on the moving goal post. I just want to help with a simple question and not troubleshoot packet dumps.


Cheers,
Franco

Quote from: franco on August 29, 2023, 01:43:49 PM
Please don't change the scope from the original question or at least don't require me to comment on the moving goal post. I just want to help with a simple question and not troubleshoot packet dumps.

Apologies, you are mistaken; the original question is related to whatever has been added.

I don't recall asking to troubleshoot packet dumps.

Anyway, no worries, appreciate your help.