Need help with 802.1x Configuration

Started by ccie5754, April 12, 2024, 06:03:40 PM

Greetings.

Was running my LAN directly on the "LANInterface" associated with igc0 (in my case).  Standard stuff, no VLAN tags, nothing.  Works great.  Now want to add a tagged vlan to the mix, in this case a VLAN interface (vlan0.5) also associated with igc0 but with VLAN tag 5.  Went through the motions of setting this up but no success. 

Connecting switch now has Vlan 1 untagged (the legacy directly connected network) and vlan 5 tagged.  When performing a packet capture on OPNSense for both igc0 and vlan0.5, I see no traffic on interface vlan0.5 but on the capture of igc0 I see the unanswered ARP request of the client PC in Vlan 5, complete with the 802.1q tag correctly set to 5 in Wireshark.  I also see the rest of my vlan 1 traffic without any 802.1q tag.  Therefore, it looks like the switch is doing its job properly.

Question then:
When operating in 802.1q trunk mode to OPNSense, can the physical interface / LANInterface be used for untagged traffic while handling tagged traffic through a VLAN interface associated to the same igc0?  Or once you want to use a trunk, do all interfaces have to be VLAN interfaces tagged towards OPNSense?

Should I not see the ARP request for my vlan 5 tagged frame in the vlan0.5 interface capture instead of igc0?

Are there additional considerations to enabling this topology (a setting somewhere) that may need to be set?

I put a "permit any" for this interface but in theory OPNSense should respond to the ARP (L2) no matter what the firewall rules are (L3).

Thank you for your insights.
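To make the capture observation above concrete, here is an added example (not code from the thread or from OPNsense) that parses Ethernet II frames, pulls the VLAN ID out of an 802.1Q tag when one is present, and shows the same frame as the parent trunk interface records it (tag visible) and as a child VLAN interface would deliver it (tag stripped). It builds its own sample ARP requests; every MAC and IP address in it is a constructed placeholder, not a value from the post.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# 802.1Q Tag Protocol Identifier and the two EtherTypes that appear in the post's capture
TPID_8021Q = 0x8100
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Frame:
    dst: str
    src: str
    vlan_id: Optional[int]  # None for an untagged frame
    pcp: int                # 802.1p priority bits from the TCI
    ethertype: int          # EtherType of the payload, after any tag
    payload: bytes


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _mac_bytes(text: str) -> bytes:
    return bytes(int(part, 16) for part in text.split(":"))


def parse_ethernet(frame: bytes) -> Frame:
    """Parse an Ethernet II frame, reading the VID out of an 802.1Q tag if present."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id, pcp, offset = None, 0, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp = tci >> 13          # top 3 bits: priority
        vlan_id = tci & 0x0FFF   # low 12 bits: VLAN ID
        offset = 18
    return Frame(_mac(dst), _mac(src), vlan_id, pcp, ethertype, frame[offset:])


def strip_vlan_tag(frame: bytes) -> bytes:
    """Return the frame as a child VLAN interface delivers it: the 4-byte tag removed."""
    if parse_ethernet(frame).vlan_id is None:
        return frame
    return frame[:12] + frame[16:]  # keep dst+src, drop TPID+TCI, keep inner EtherType onward


def arp_summary(payload: bytes) -> str:
    """Render an Ethernet/IPv4 ARP payload tcpdump-style ("who-has X tell Y")."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sha, spa, tpa = payload[8:14], payload[14:18], payload[24:28]
    spa_s = ".".join(map(str, spa))
    tpa_s = ".".join(map(str, tpa))
    if oper == 1:
        return f"who-has {tpa_s} tell {spa_s}"
    if oper == 2:
        return f"{spa_s} is-at {_mac(sha)}"
    return f"arp opcode {oper}"


def build_arp_request(src_mac: str, sender_ip: str, target_ip: str,
                      vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Construct a sample broadcast ARP request, optionally wrapped in an 802.1Q tag."""
    def ip_bytes(text: str) -> bytes:
        return bytes(int(octet) for octet in text.split("."))
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1)   # opcode 1 = request
    arp += _mac_bytes(src_mac) + ip_bytes(sender_ip)
    arp += bytes(6) + ip_bytes(target_ip)                      # target MAC unknown
    header = _mac_bytes("ff:ff:ff:ff:ff:ff") + _mac_bytes(src_mac)
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)
        header += struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_ARP)
    else:
        header += struct.pack("!H", ETHERTYPE_ARP)
    return header + arp


def classify_capture(frames: List[bytes]) -> Dict[str, int]:
    """Count frames per VLAN as seen on the parent (trunk) interface."""
    counts: Dict[str, int] = {}
    for raw in frames:
        parsed = parse_ethernet(raw)
        key = "untagged" if parsed.vlan_id is None else f"vlan {parsed.vlan_id}"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample capture: one untagged ARP (legacy VLAN 1) and one VLAN 5 tagged ARP.
    capture = [
        build_arp_request("02:00:00:00:01:0a", "192.168.1.50", "192.168.1.1"),
        build_arp_request("02:00:00:00:05:0a", "192.168.5.50", "192.168.5.1", vlan_id=5),
    ]
    print(classify_capture(capture))
    tagged = parse_ethernet(capture[1])
    print(f"parent igc0 sees:  vlan={tagged.vlan_id} {arp_summary(tagged.payload)}")
    child = parse_ethernet(strip_vlan_tag(capture[1]))
    print(f"child vlan0.5 sees: vlan={child.vlan_id} {arp_summary(child.payload)}")
```

Running it reproduces the two views described in the post: the parent interface capture carries the tag with VID 5, while the child interface only ever sees the frame with the tag already removed. The same `classify_capture` pass is a useful check on any trunk port, since it lists every VLAN ID actually arriving on the parent interface, including ones that were not expected there.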

Quote from: ccie5754 on April 12, 2024, 06:03:40 PM

...can the physical interface / LANInterface be used for untagged traffic while handling tagged traffic through a VLAN interface associated to the same icg0? 

Can yes, should no. Looking at your nick you should know why.

"Should not" I get, but this is my home network so I'm not too worried about some rogue person physically attaching to a port in default vlan.  In addition, I'm running (not so) smart TP-Link switches and can't put the management IP in anything but the default VLAN, so I'm kinda stuck with it anyway ¯\_(ツ)_/¯

Any insight on what to look for on the OPNSense?

Quote from: ccie5754 on April 12, 2024, 08:25:05 PM
...but this is my home network so I'm not too worried about some rogue person physically attaching to a port in default vlan. 

It's not about rogue anything.

Quote
In addition, I'm running (not so) smart TP-Link switches and can't put the management IP in anything but the default VLAN, so I'm kinda stuck with it anyway ¯\_(ツ)_/¯

It's about switch behavior and when/where/how untagged traffic is being processed. Which varies from vendor to model...

Quote
Any insight on what to look for on the OPNSense?

My take: use tagged VLANs on a trunk only. There is no concept of untagged with OPNsense, only raw interfaces (which can or can't be used as untagged), and that's where all the fun begins; just search for "VLAN" in this forum to get an idea.