VLANs and mixed tagged and untagged traffic

Started by cookiemonster, October 20, 2023, 01:45:13 PM

I've been battling with my VLAN setup to make it compliant with best FreeBSD advice and not mix tagged and untagged packets, but maybe after all the permutations of settings in the managed switch, the concepts that I thought were clear to me are beginning to blur. I presently don't have a problem to solve in my setup.

I have a LAN interface on OPN. The physical cabling of it goes to a port on the managed MikroTik switch.
The switch has a few ports assigned to VLAN 200. The rest have been on default VLAN 1. I recently changed the default to 100, just to avoid VLAN 1, for no other reason than to avoid vendor quirks on default 1.
Clients on the access ports are all VLAN-unaware and there are only three ports being tagged with VLAN 200; the rest are presently left untagged on ingress.
On OPN I have a VLAN tagged 200 with parent igc1 [LAN].
That means that with what I would call the "normal" interface definition scheme, OPN will have a mixture of both tagged and untagged packets flowing through the wire.

How are we then to not mix the packets?

Don't mix tagged and untagged only applies to trunk ports, obviously.

And how to achieve that is simple - tag everything on that particular port. On a Cisco switch for example there is the

switchport trunk native vlan X

setting. I set that to 1001 throughout my data centre and that VLAN is never used.

Let's assume you want to trunk VLANs 1, 2, 3 and 4 between your switch and OPNsense.

Cisco:

switchport mode trunk
switchport trunk native vlan 1001
switchport trunk allowed vlan 1,2,3,4,1001

OPNsense:

vlan01: tag 1, parent igc0
vlan02: tag 2, parent igc0
vlan03: tag 3, parent igc0
vlan04: tag 4, parent igc0

Of course there will still be a native VLAN on the Cisco and a "naked" port on OPNsense. They will just never be used for any traffic or service ...
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
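The property Patrick describes (every frame on the trunk carries a tag from the allowed list and nothing rides the native VLAN) can be verified from a packet capture taken on the OPNsense parent interface. The following Python is an added example for this thread, not OPNsense, Cisco or MikroTik code: it parses the 802.1Q header of raw Ethernet frames and reports any frame that arrived untagged or with a VID outside the allowed set. The MAC addresses and frames are constructed sample data, and the allowed set {1, 2, 3, 4} mirrors the trunk in the post above.

```python
"""Audit raw Ethernet frames from a trunk port for an all-tagged policy.

Added example for this thread (not OPNsense or switch-vendor code). Frames
would normally come from a capture on the OPNsense parent interface; the
frames below are constructed inline so the script runs offline.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

TPID_8021Q = 0x8100    # customer tag (single 802.1Q tag)
TPID_8021AD = 0x88A8   # service tag (outer tag of a QinQ frame)
MIN_HDR_LEN = 14       # dst(6) + src(6) + EtherType/TPID(2)


@dataclass
class FrameInfo:
    src: str
    dst: str
    vlan_id: Optional[int]   # None: the frame arrived with no VLAN tag at all
    pcp: int                 # 802.1p priority of the outermost tag (0 if untagged)
    ethertype: int           # EtherType of the payload after all tags


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> FrameInfo:
    """Walk the Ethernet header and any stacked VLAN tags."""
    if len(frame) < MIN_HDR_LEN:
        raise ValueError(f"runt frame: {len(frame)} bytes")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
    vid: Optional[int] = None
    pcp = 0
    # Each tag is 4 bytes: TPID (already read as 'ethertype') + TCI. The TCI
    # holds PCP (3 bits), DEI (1 bit) and the 12-bit VID. Loop to skip QinQ.
    while ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack("!HH", frame[offset + 2:offset + 6])
        if vid is None:              # report the outermost tag only
            pcp = tci >> 13
            vid = tci & 0x0FFF
        offset += 4
    return FrameInfo(_mac(src), _mac(dst), vid, pcp, ethertype)


def audit_trunk(frames: Iterable[bytes],
                allowed_vids: set) -> List[Tuple[int, str, FrameInfo]]:
    """Return (index, reason, info) for every frame violating the policy.

    VID 0 is a priority-only tag; the frame still belongs to the native VLAN,
    so it is treated like an untagged frame.
    """
    findings = []
    for idx, raw in enumerate(frames):
        info = parse_frame(raw)
        if info.vlan_id is None or info.vlan_id == 0:
            findings.append((idx, "untagged (native VLAN traffic)", info))
        elif info.vlan_id not in allowed_vids:
            findings.append((idx, f"VID {info.vlan_id} not in allowed list", info))
    return findings


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Construct a (possibly tagged) frame; used only to build sample data."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed sample data: locally administered MACs, minimal payloads.
OPN_MAC = bytes.fromhex("02000000aa01")
SWITCH_MAC = bytes.fromhex("02000000bb02")
IPV4, ARP = 0x0800, 0x0806
ALLOWED = {1, 2, 3, 4}
SAMPLE_FRAMES = [
    build_frame(OPN_MAC, SWITCH_MAC, IPV4, b"\x45" + b"\x00" * 19, vid=2),
    build_frame(OPN_MAC, SWITCH_MAC, ARP, b"\x00" * 28, vid=3, pcp=6),
    build_frame(OPN_MAC, SWITCH_MAC, IPV4, b"\x45" + b"\x00" * 19),            # untagged
    build_frame(OPN_MAC, SWITCH_MAC, IPV4, b"\x45" + b"\x00" * 19, vid=200),   # stray VID
]

if __name__ == "__main__":
    for idx, reason, info in audit_trunk(SAMPLE_FRAMES, ALLOWED):
        print(f"frame {idx}: {reason} ({info.src} -> {info.dst}, "
              f"payload type 0x{info.ethertype:04x})")
```

To run this against a real trunk, feed `audit_trunk` the raw frame bytes from a capture on the parent interface (a pcap reader of your choice) and pass the switch's allowed-VLAN list; any "untagged" finding means the native VLAN is carrying traffic and the port is not yet all-tagged.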

Thanks Patrick. So that means then I have to do a few things.
- I need to start tagging all traffic with a VLAN on the switch, and the default VLAN is no good for this. It has to be explicit. So until now that traffic would be arriving untagged at OPN. I'm not clear yet from the conversations with MikroTik, but it seems traffic gets stripped of tags when the port is left on the default VLAN ID.
- I need to create a new VLAN on OPN for the new tag, say 300. I have already changed the default from 1 to 100.
- I need to (and this is the hard part) get the needed help to get the MikroTik switch to tag all traffic. So far I've been unable to crack this, even though I didn't have OPN ready for it.
I'll see if I get more help there today. Thanks.

Quote from: cookiemonster on October 20, 2023, 02:27:02 PM
- I need to start tagging all traffic with a VLAN on the switch and the default VLAN is no good for this.
Tag or no tag is defined per port and not per switch. You need to tag all VLANs that are in use on that single port connected to OPNsense. There is no global "tagged" or "untagged" concerning the whole switch.

HTH,
Patrick

Right. What I mean is that all devices that are in the current LAN on OPN are going through this switch.
Therefore the port being "trunk" will need to send everything tagged. There is only one VLAN at the moment, so the trunk will need to start tagging all traffic from ports that currently are on Default.
It has been truly frustrating that there is no way, as in Cisco, to simply label a port as trunk.

One more thing. This means that if we have a LAN in OPN as usual, and we want to use VLANs, then this is what needs to be done. That is, LAN cannot be just LAN + a VLAN (or VLANs), but everything that was on it (LAN) will have to move to a VLAN. Do I get this right?
Otherwise we end up as I have been until now, with mixed tagged & untagged.

October 20, 2023, 03:01:10 PM #5 Last Edit: October 20, 2023, 03:03:20 PM by Patrick M. Hausen
Right. But "LAN" is just a label for a particular interface and policy. So you can in Interfaces > Assignments assign the "LAN" to vlan01 ...

See my interfaces in the attachment.

There is no "a LAN" that suddenly needs to be turned into "a VLAN". There's an interface that's either physical or VLAN or LAGG or bridge that OPNsense by configuration names "LAN".

LAN is not a technical term for an untagged interface. The term for that is "interface".

Aha!! OK. I'll look at this on mine now in preparation for the MikroTik part. I was beginning to wonder how to move things from LAN to a new VLAN that is not on the current VLAN. I'll sure be back. Thanks.

All done, as you advised and with the assistance of the MikroTik community as well.
All traffic is now tagged on the trunk.
Thanks Patrick. I've learned with this exercise.

February 19, 2025, 12:40:14 PM #8 Last Edit: February 19, 2025, 01:06:27 PM by bazsa79
Hello!

I also want to make something similar, but recently I ran into the fact that the firewall became completely inaccessible from the inside. What could I have messed up? Should the native (default) VLAN be moved (is that recommended?) from 1 to another VLAN number? At the moment it is 1 on the trunk on all the Aruba switches. Should I then change this default VLAN to e.g. 1001 on all switches?

So these VLANs are currently on the switch that I want to connect to the OPNsense machine running under MS Hyper-V (1 WAN and 1 LAN port now, not tagged):
1 - native (untagged)
90 - lan
103 - cameras

Under OPNsense, I added 90 and 103 as VLANs.
I assigned 103 to an interface. The parent is the current "LAN" (this should be VLAN 90).
I added firewall rule 103 to pass.
I routed the port connected to the Hyper-v server on the Aruba switch as follows:
vlan trunk native 1
vlan trunk allowed 90,103
Is it a problem here that I left out the 1 (native) VLAN?

Then when I assigned VLAN 90 to the LAN interface under OPNsense, everything inside became inaccessible. (Now I've done it so that I can access it from outside the place as well :D)

So what do you suggest I do first? (native VLAN number...)
Also, what did I screw up?
What should I do, in what steps?

One more question.
If I want to reach the 103 VLAN from a couple of computers on the LAN, do I have to add a route (or bridge?) manually under OPNsense?

Thanks in advance for any help!