Having issues with VLANS

[TheGon]

I'm new to OPNsense and one of the main reason I switched to it is for VLANS. I do virtual teaching and I have my students log into a physical PC in my home office and I want to make sure they cannot access anything else on my network.
Currently my setup is
Lan 192.168.1.x
Vlan 20 - 192.168.20.x

I do have DHCP enabled on VLAN20 with a pool range from 192.168.20.50 - 192.168.20.100
I'm using a NetGear managed switch and have the VLAN configured on there for 20 as well as the PVID.

I set up a firewall rule to allow all just to make sure everything was working before I starting cutting off access. My issue is, the PCS connected to VLAN 20 are not getting an IP from the DHCP. If I try and do an ipconfig /renew I get an error that it can't access the DHCP.

Is there a firewall rule that I need to allow access to the DHCP?

[Saarbremer]

Hi,

did you get IPs before you cut access or was it never working on VLAN20?

In the latter case you might want to review your switch's setup. PVID 20 shall be set for all connected PCs - and untagged VLAN 20.

How do you connect to OPNsense, is it a port with tagged VLAN20 and tagged VLAN1 (I assume that's your LAN) or is this some hybrid solution (untagged 1, tagged 20)? The latter is known to not behave greatly on OPNsense. I would recommend running all LAN networks as VLANS and using all VLANs tagged and disable the physical interface itself.

Assuming re1 is your interface from OPNsense to the switch. Then you have re1_vlan1 for LAN and re1_vlan20 for VLAN20 and re1 itself is not active. In that setup everything should just work fine.

[TheGon]

So right now I only have the one VLAN setup as I'm new to this I wanted to take is slow one at a time.
I do have the OPNSense untagged on VLAN 1 and Tagged on VLAN 20. I'll try changing VLAN one to tagged

Thanks for the help

[arnocs]

Hi,

I've also couple Netgears with vlans,
I'll try to share my configuration with your vlan id's.
It's easy to overlook some setting as I had :]

Router LAN port (configured with vlan tagging on that interface) connected to switch:
PVID 1 / VLAN member 20 / VLAN Tag 20 / Acceptable frame Admit All

Computers connected ports:
PVID 20 / VLAN member 20 / VLAN Tag none /  Acceptable frame Admit Untagged Only

[Default] switch ports:
PVID 1 / VLAN member 1 / VLAN Tag none / Acceptable frame Admit All

By default the DHCP / DHCPv6 servers are allowed on the interface,
I see those in the [Log files - live view] with label message: allow access to DHCP server

Dunno where those rules are maybe in the floating rules. Never realy looked for it.
Maybe implied by enabling the DHCP server.

Hope it helps, regards Arno

[knebb]

Hi,

how many physical interfaces do you have in total?
One of them will be the WAN side.
Your VLAN on OPNSense should have the LAN interface as parent. Can you post a screenshot of your VLAN config in OPNSense?

So VLAN1 and VLAN20 go through the same interface. Now check your switch port where the physical interface is connected to.

It should be in "tagged" mode, not "access"- naming differs between vendors so translate for your needs.
VLAN20 should be tagged, VLAN1 untagged. PVID 1.

For a port where a PC is connected to, it should bee on "Access Mode" in VLAN20. Or, VLAN20 untagged. PVID20. NO VLAN1!

Once configuration is confirmed, check your DHCP configuration. It the DHCP active on the VLAN interface? Does it have proper settings and enough IPs in the range to provide the clients with?

If still does not work, use packet capture on the physical interface to check if a DHCP-request is coming in. Or check on the PV with Wireshark if it gets a reply.

Good luck!

/KNEBB

[TheGon]

Hey, thanks for the post. So I verified everything you wrote and mine did match. So I decided to do a reboot of my router and switch and my clients started getting DHCP so everything is now working.  Funny thing is I did try before this just not at the same time.
Anyway I really appreciate your time!