VLAN configuration clarification

Started by ibrewster, February 05, 2024, 08:05:39 PM

February 05, 2024, 08:05:39 PM Last Edit: February 06, 2024, 05:03:31 AM by ibrewster
Technically I have this working, but the configuration doesn't feel right to me, so I'm hoping someone can provide clarification.

Running OpnSense 23.7.10 on an intel Core i7-3770 3.4 with 24GB RAM.

For the LAN, I have two physical ports: em0 and em1. These are set up as members of a bridge (bridge1), which is then assigned to the LAN interface.

My wireless router is physically connected via a switch to em1. The wireless router creates a guest network, which is vlan tagged as VLAN 20 (I have no control over this, I can only turn the guest network on or off and assign a SSID).

In order to separate out the guest network traffic, I created a vlan 20 interface in the OPNsense box, assigned it a parent of em1, created a DHCP server for it, put in firewall rules to prevent traffic from the VLAN from reaching my internal network, etc.

As I said at the start, this all works, but my main concern is having em1 as the parent for the VLAN. Is that correct/kosher? What happens if I move the wireless to em0 at some point? My first thought was that the bridge should be the parent for the VLAN, but that isn't even an option, and may not even make sense. Then I was thinking maybe I should have a loopback interface be the parent, and add the VLAN as a member of the bridge, but I'm not sure about that either.

Do I have this set up correctly after all? Or is there a better way?

EDIT:

Just saw this thread: https://forum.opnsense.org/index.php?topic=38562.0 which suggests setting up the VLAN twice, once for each physical port, and then creating a bridge containing the two VLANs. Unfortunately that doesn't seem to work: I got DHCP well enough with that setup, but no traffic was passed on the bridge interface. I guess I might have missed something, but at the end of the day all I did was change the device for the interface from the single VLAN device to the bridge device, so it seems like the settings should have all been tied to the interface, not the VLAN device. Dunno. Maybe I'll try this configuration again in a couple of days.

Why not tag the wireless router port on the switch with VLAN 20 and join the OPNsense em1 port to the same VLAN as untagged?

My apologies for being dense here, but I'm not clear on how that would solve the main issue I have with the current configuration, that being what happens if I plug the wireless router (or the switch it is on) into em0 instead of em1? Since those are both LAN ports, I would like to be able to plug into either one of them arbitrarily and have the behavior remain unchanged.

That said, I am also struggling a bit with a couple of other points relating to your response:

1) What do you mean by "join the OPNsense em1 port to the same VLAN as untagged"? Isn't that the default, i.e. no VLAN?
2) The switch in question is unmanaged, so I can't set a specific port to a specific VLAN. I guess I didn't mention that, sorry!
3) Even if I could, I don't want *all* traffic from my wireless routers tagged as VLAN 20, only the guest traffic. This is the way they are currently working with the wireless router doing the tagging.

Reading over my original post yet again, I see that I may have led to some confusion by not mentioning that the guest network is NOT isolated on port em1. In fact, currently all my LAN devices are physically connected through em1. The Guest traffic is simply a small portion of the traffic flowing through that port, identified by the VLAN tag applied by the wireless router when a client connects to the guest SSID rather than the main SSID.

Sorry for any confusion created by not mentioning this to begin with!

Quote from: ibrewster on February 06, 2024, 06:05:11 PM
The switch in question is unmanaged

You need to get a managed switch that ties the 'normal' traffic from OPNsense to VLAN tagged traffic to your wireless router.

The issue is outside the firewall - you have a device on your LAN with an odd VLAN and the switch is the logical place to fix it.

Bart...

I'm sorry, but I'm still confused how this would help. For one thing, I don't want all wireless traffic to be tagged for the VLAN - wouldn't setting a port on the switch to the VLAN tag all traffic on that port? For another, I am still unclear as to how this would solve anything should the switch be connected to em0 rather than em1 - OPNSense would still need to know that the VLAN could be on either em0 or em1, right?

Sorry, I am clearly missing something here...

A VLAN cannot be on either port - well it can, but the concept is to designate specific ports to carry tagged frames, so called trunk ports, and to designate other ports to carry untagged frames, so called access ports.

Why would you ever want to move the connection to the switch from em0 to em1 or vice versa?

The advice about the managed switch still holds - only managed switches feature trunk ports and tagged frames.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

February 07, 2024, 06:15:10 PM #6 Last Edit: February 07, 2024, 06:27:59 PM by ibrewster
Quote from: Patrick M. Hausen on February 07, 2024, 05:59:38 PM
A VLAN cannot be on either port - well it can, but the concept is to designate specific ports to carry tagged frames, so called trunk ports, and to designate other ports to carry untagged frames, so called access ports.

Ok, so what/which am I doing when I create a VLAN with a parent of em1? Clearly my understanding of this concept was more lacking than I thought...  :P

EDIT: After thinking about this some more, my thinking is that creating a VLAN with a parent of em1 is turning em1 into a trunk port - correct? If so, then the question is how do I *also* turn em0 into a trunk port for the same VLAN, such that the DHCP server, etc, is available on that VLAN on both physical ports?

Quote from: Patrick M. Hausen on February 07, 2024, 05:59:38 PM
Why would you ever want to move the connection to the switch from em0 to em1 or vice versa?

Why wouldn't I? The point of having two LAN ports in a bridged configuration is that they are interchangeable, and I don't have to worry about what is plugged into what - it's essentially just a two-port switch. Or what if I add another switch/access point on em0 and want to put some Guest network devices on that one as well, such that there are guest network devices on both ports?

Quote from: Patrick M. Hausen on February 07, 2024, 05:59:38 PM
The advice about the managed switch still holds - only managed switches feature trunk ports and tagged frames.

Sure, and I'm not saying it's not good advice - I'm just saying I don't understand how it helps in this situation, where the wireless router is sending both tagged and untagged traffic on the same port.

In case it wasn't clear, the goal is to have a Guest network/VLAN available on the LAN with its own DHCP server, isolated traffic, perhaps a captive portal, etc, such that any traffic tagged with that VLAN id is isolated to the Guest network. This is working as desired with my current setup - as long as the traffic comes in over em1. What I'm not clear on is if it would still work if the VLAN traffic was coming in on em0, given that the parent device for the VLAN is em1.

February 07, 2024, 06:52:59 PM #7 Last Edit: February 07, 2024, 06:55:00 PM by Patrick M. Hausen
Quote from: ibrewster on February 07, 2024, 06:15:10 PM
Ok, so what/which am I doing when I create a VLAN with a parent of em1? Clearly my understanding of this concept was more lacking than I thought...  :P

EDIT: After thinking about this some more, my thinking is that creating a VLAN with a parent of em1 is turning em1 into a trunk port - correct?
Correctamundo  8)

Quote from: ibrewster on February 07, 2024, 06:15:10 PM
If so, then the question is how do I *also* turn em0 into a trunk port for the same VLAN, such that the DHCP server, etc, is available on that VLAN on both physical ports?
You can't because OPNsense is not a switch. In a switch all ports which carry the same VLAN tagged or untagged are connected via the switch backplane or "forwarding plane".

You can create an interface with em0 as parent and VLAN 2 tag. Let's name it vlan02.
You can create an interface with em1 as parent and VLAN 2 tag. You cannot name it vlan02, so let's name it vlan022 or whatever. The name vlan02 is assigned to that other interface.

These two interfaces are not connected in any way! OPNsense is not a switch!

You can use a workaround by creating a bridge interface with vlan02 and vlan022 as members and assigning that interface to "guest" or whatever including running a single DHCP server for everything etc.

This does bridging and forwarding all in software in your main CPU, there is no forwarding plane in OPNsense because OPNsense is not a switch.  ;)

Quote from: ibrewster on February 07, 2024, 06:15:10 PM
Why wouldn't I? The point of having two LAN ports in a bridged configuration is that they are interchangeable, and I don't have to worry about what is plugged into what - it's essentially just a two-port switch. Or what if I add another switch/access point on em0 and want to put some Guest network devices on that one as well, such that there are guest network devices on both ports?
If you really want to go that route, you need to create all necessary VLANs on both ports (with different names) and create a separate bridge for each VLAN - so that's at least two, one for LAN and one for guest.

BUT ... you cannot use the ports untagged for LAN. You need to create two tagged VLANs on each port, say tag 1 for LAN and tag 2 for guest and then create the bridges.

Because as soon as an untagged port is a bridge member you cannot use that port for VLANs. Simply not possible. That's a constraint of the FreeBSD network stack. And that's because ... you guessed it ... FreeBSD is not a switch.

I don't intend to be snarky, I really just want to bring that point home. Tagged interfaces on OPNsense (and this is similarly true for any FreeBSD or Linux host or even Cisco routers, in contrast to Cisco switches, which are perfectly fine with that of course) are really just tagged subinterfaces on top of a physical port. The "VLANs" are nothing more than that. Every packet is handled by the CPU.

HTH,
Patrick
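To make the "OPNsense is not a switch" point concrete, here is an added example (not code from the thread, from OPNsense or from FreeBSD): a small Python model of the vlan(4) demultiplexing rule Patrick describes, with a byte-level 802.1Q tag builder so the difference between a tagged and an untagged frame is visible. The interface names, MAC addresses and sample frames are constructed for the example; the model ignores MAC learning, STP and the bridge/vlan input ordering that makes "untagged bridge member with VLAN children" unsupported. It shows why tag 20 arriving on em0 never reaches a VLAN whose parent is em1, and how Patrick's workaround (one subinterface per parent, bridged together) changes that.

```python
"""Toy model of FreeBSD vlan(4)/if_bridge(4) delivery (constructed example)."""
import struct

ETH_P_8021Q = 0x8100   # TPID announcing an 802.1Q tag
ETH_P_IP = 0x0800


def build_frame(dst, src, payload, vid=None, pcp=0):
    """Ethernet II frame; a 4-byte 802.1Q tag is inserted when vid is given."""
    hdr = bytes.fromhex(dst) + bytes.fromhex(src)
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VID must be 1..4094")
        hdr += struct.pack("!HH", ETH_P_8021Q, (pcp << 13) | vid)  # PCP|DEI|VID
    return hdr + struct.pack("!H", ETH_P_IP) + payload


def vlan_id(frame):
    """802.1Q VID of a frame, or None when the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


class Host:
    """Physical ports, vlan(4) subinterfaces (parent, tag) and bridges."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.vlans = {}         # name -> (parent, tag)
        self.bridges = {}       # name -> set of member names
        self.addressed = set()  # interfaces carrying an IP / DHCP server

    def add_vlan(self, name, parent, tag):
        if parent not in self.ports:
            raise ValueError(f"{parent} is not a physical port")
        self.vlans[name] = (parent, tag)

    def add_bridge(self, name, members):
        self.bridges[name] = set(members)

    def assign_address(self, ifname):
        self.addressed.add(ifname)

    def receive(self, port, frame):
        """Addressed interface that ends up with the frame, or None."""
        vid = vlan_id(frame)
        ifname = port
        if vid is not None:
            # vlan(4) matches only (parent, tag); the parent is the ingress port.
            hits = [n for n, (p, t) in self.vlans.items() if p == port and t == vid]
            if not hits:
                return None
            ifname = hits[0]
        for bname, members in self.bridges.items():
            if ifname in members:
                ifname = bname  # the bridge owns its members' traffic
                break
        return ifname if ifname in self.addressed else None

    def check(self):
        """Warnings for the two pitfalls raised in the thread."""
        warnings = []
        members = set().union(*self.bridges.values())
        for name, (parent, _) in self.vlans.items():
            if parent in members:
                warnings.append(f"{name}: parent {parent} is an untagged bridge member")
        for bname, mem in self.bridges.items():
            for m in sorted(mem & self.addressed):
                warnings.append(f"{bname}: address on member {m}, not on the bridge")
        return warnings


# Constructed sample frames: a guest DHCP discover tagged 20, an untagged LAN ARP.
GUEST_DHCP = build_frame("ffffffffffff", "0242ac110002", b"DHCPDISCOVER", vid=20)
LAN_ARP = build_frame("ffffffffffff", "0242ac110003", b"who-has 192.168.1.1")


def original_config():
    """ibrewster's setup: bridge1 = em0 + em1 is LAN, vlan20 hangs off em1."""
    h = Host(["em0", "em1"])
    h.add_bridge("bridge1", ["em0", "em1"])
    h.add_vlan("vlan20", "em1", 20)
    h.assign_address("bridge1")
    h.assign_address("vlan20")
    return h


def workaround_config():
    """Patrick's workaround: tags 1 (LAN) and 20 (guest) on both ports, bridged."""
    h = Host(["em0", "em1"])
    h.add_vlan("lan_em0", "em0", 1)
    h.add_vlan("lan_em1", "em1", 1)
    h.add_vlan("guest_em0", "em0", 20)
    h.add_vlan("guest_em1", "em1", 20)
    h.add_bridge("bridge_lan", ["lan_em0", "lan_em1"])
    h.add_bridge("bridge_guest", ["guest_em0", "guest_em1"])
    h.assign_address("bridge_lan")
    h.assign_address("bridge_guest")
    return h
```

With the original configuration, `original_config().receive("em1", GUEST_DHCP)` lands on `vlan20` but the same frame on `em0` is delivered nowhere, and `check()` flags the parent-is-a-bridge-member combination. With the workaround, tag 20 on either port reaches `bridge_guest`, while an untagged frame on either port no longer reaches any addressed interface, which is exactly the "you cannot use the ports untagged for LAN" constraint. On a real box the tags can be watched on the parent with `tcpdump -e -i em1 vlan 20`, and `ifconfig vlan20` prints the tag and the parent interface the subinterface is bound to.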

Quote from: Patrick M. Hausen on February 07, 2024, 06:52:59 PM
Because as soon as an untagged port is a bridge member you cannot use that port for VLANs. Simply not possible. That's a constraint of the FreeBSD network stack. And that's because ... you guessed it ... FreeBSD is not a switch.

HTH,
Patrick

Interesting. Because em0 and em1 are bridge members in my configuration - and I was able to put em1 as the parent for the VLAN without issue, and it works. ;D

Regardless, your point about OPNSense not being a switch is well taken. It sounds like I should find something else to do with that second physical port rather than trying to make it available as another LAN port - even if my CPU can handle the load without breaking a sweat, the system simply isn't designed for the use case I am envisioning.

Thanks for the information!

Quote from: ibrewster on February 07, 2024, 07:05:02 PM
Interesting. Because em0 and em1 are bridge members in my configuration - and I was able to put em1 as the parent for the VLAN without issue, and it works. ;D
"Official FreeBSD" statement - don't ask me why it works despite that in your case.  ;)

There might be rare edge cases when it doesn't. E.g. creating a bridge but not assigning the IP address for that network to the bridge interface but to a member interface instead completely breaks multicast on the bridge network. Many people don't notice because with IPv4 that's rarely a problem and they don't run Sonos or Apple gear etc. Then they start to use IPv6 and nothing works. IPv6 relies heavily on multicast.

Just an example, the real reason for "a bridge member must not have VLAN subinterfaces" might be similar.

Quote from: ibrewster on February 07, 2024, 07:05:02 PM
Regardless, your point about OPNSense not being a switch is well taken. It sounds like I should find something else to do with that second physical port rather than trying to make it available as another LAN port - even if my CPU can handle the load without breaking a sweat, the system simply isn't designed for the use case I am envisioning.
What I do is put the two ports I have available into a lagg (LACP) interface, connect that to a managed switch and run everything but WAN (which is a dedicated port) as VLANs on top of that lagg.

Necessary in a home lab? Well ... no. :) Fun, and "just because I can", because I'm a network engineer who runs this stuff in the data centre? Yes of course!