vlans over bridges

Started by zoltar, June 23, 2024, 12:16:43 PM

Hello everyone,
I have tried to extend the vlans of my network to other ports over a bridge and I have not been able to get it to work properly. In some cases the devices on the vlans communicate with each other but in others they do not.
I have read old posts from two years ago in which this type of configuration is discouraged, and they talk about a limitation in the FreeBSD architecture.
Could someone tell me if this limitation still exists in current versions?

I am attaching a screenshot in case I have not explained myself well, thank you very much.

Bridge over VLANs, not VLANs over bridges.

So create e.g. 4 VLAN interfaces - two on each port - with matching IDs, respectively, then create two bridges containing one VLAN per port each.

That will work.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

June 23, 2024, 12:31:31 PM #2 Last Edit: June 23, 2024, 12:34:46 PM by zoltar
Good morning Patrick
Thanks for the reply. The old post I read was a reply from you. I understand that this limitation no longer exists?
I didn't express myself well, I'm sorry for the mistake.
This is how I did it. I created the same vlan id on the second physical port without an IP, and I created a bridge with the old and the new.
Configured like this, should it work?
Thanks.
P.S.: I forgot to mention that in some cases it worked without even assigning the bridge.

Of course, if:

- you remove the IP address from the VLAN and place it on the bridge interface, i.e. the "assignment" as OPNsense calls it to your logical interface must go to the bridge. Consequently all the rules, too.

- you properly configure the two tunables that are mandatory when using bridges as per this documentation: https://docs.opnsense.org/manual/how-tos/lan_bridge.html
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Oh my god, thanks for the link, I haven't configured it right.
I'm going to try it right now.
I'll have to reconfigure the whole network again because I had created different vlans, the family wanted to kill me :P.
Thanks a lot Patrick.

One last question.
If I want to take advantage of the other free port, can I create an LACP and include it in the bridge with the vlans?
That part of the house has many devices, 4 PCs, androidtv, AP and I wanted to move the old NAS there which has a 4-port aggregation and provides various services to the whole family.
Thanks again

You cannot create an LACP link from a single port. And you need an LACP capable switch.

LACP is port bundling below VLANs, bridges, etc.

If the question is if you can connect the port to one of your VLANs untagged - yes of course, just throw it in one of the bridges without creating a VLAN interface first.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thanks again Patrick. Yes, I am clear that both ports have to be active and enabled to create the LACP. The switch is managed and supports it; whether the LACP works between different manufacturers is another matter, but even if it were a simple failover I would leave it connected. That port is not used; I replaced an old router that also acted as an AP and that did not accept vlans precisely for this.
But through the LACP I would need to pass several tagged vlans and continue to see the devices that are already connected to them on both sides.
I attached a screenshot; sorry, my English is not good.

June 23, 2024, 01:30:57 PM #8 Last Edit: June 23, 2024, 01:40:24 PM by Patrick M. Hausen
You can bundle two ports with LACP between your OPNsense and your switch. These are a single port now.

Then you can create tagged VLAN interfaces on top of that LAGG, not on top of the single bundled interfaces. Same on your switch end. And then just like with the rest - on the OPNsense side bridges on top of the VLANs not the other way round. Your switch will of course be able to manage VLANs tagged or untagged as you need without explicit bridging.

E.g.
      bridge for VLAN 1             
     ┌─────────────────┐           
     │                 │           
     │                 │           
     │                 │           
     │                 │           
     └─────────────────┘           
     ▲    ▲            ▲           
     │    │            │           
     │    │            │           
tag 1│    │tag 2       │untagged   
     │    │            │           
     │    │            │           
┌───┴────┴────────┐   │           
│ ┌────┐   ┌────┐ │ ┌─┴──┐   ┌────┐
│ │    │   │    │ │ │    │   │    │
│ │    │   │    │ │ │    │   │    │
│ └────┘   └────┘ │ └────┘   └────┘
│                 │               
│ Port 0   Port 1 │ Port 2   Port 3
└─────────────────┘               
                                   
       lagg0                       


Port 2 will now carry VLAN 1 untagged and all ports that are assigned VLAN 1 on your switch will be connected to it as well as to the bridge interface of your OPNsense.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
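As an added illustration of the layering Patrick describes in his two answers (VLAN interfaces on each port or on the LAGG, one bridge per VLAN holding the matching VLAN interface of each parent, the IP address and rules on the bridge, a free port joining a VLAN untagged by being added to that bridge directly), here is the FreeBSD ifconfig equivalent of his diagram. This is example code written for this thread, not OPNsense's own code and not something Patrick posted; OPNsense does all of this persistently through its Interfaces menu, and running these commands by hand on an OPNsense box only demonstrates the structure. The port names igb0 to igb2, the VLAN IDs, the 192.0.2.1/24 address and the APPLY switch are constructed assumptions; the two sysctl tunables are the ones from the linked how-to.

```shell
#!/bin/sh
# Added example (not from the thread or from OPNsense): build the command
# plan for "bridges over VLANs" on FreeBSD, following the diagram above.
# Port names, VLAN IDs and the address are constructed assumptions.
# Without APPLY=1 the script only prints the plan (dry run).

# 1. Bundle physical ports into one LACP lagg (needs an LACP-capable switch).
#    Usage: lagg_plan lagg0 "igb0 igb1"
lagg_plan() {
  lagg="$1"; shift
  args=""
  for p in $1; do args="$args laggport $p"; done
  echo "ifconfig $lagg create laggproto lacp$args up"
}

# 2. For every VLAN ID, create one vlan(4) interface per parent (a physical
#    port or the lagg) with NO IP address, then one bridge per VLAN holding
#    exactly the matching VLAN interface of each parent.
#    Usage: vlan_bridge_plan "igb0 igb1" "10 20"
vlan_bridge_plan() {
  parents="$1"; vids="$2"
  for vid in $vids; do
    echo "ifconfig bridge$vid create"
    for p in $parents; do
      echo "ifconfig $p.$vid create vlan $vid vlandev $p up"
      echo "ifconfig bridge$vid addm $p.$vid"
    done
    echo "ifconfig bridge$vid up"
  done
}

# 3. A free port joins a VLAN untagged by being added to that VLAN's bridge
#    directly, with no vlan(4) interface in between (port 2 in the diagram).
untagged_member_plan() {   # untagged_member_plan bridge1 igb2
  echo "ifconfig $1 addm $2"
}

# 4. The layer-3 address, and therefore the firewall rules, live on the bridge,
#    not on the VLAN interfaces underneath it.
bridge_address_plan() {    # bridge_address_plan bridge1 192.0.2.1/24
  echo "ifconfig $1 inet $2 up"
}

# 5. The two bridge tunables from the OPNsense LAN bridge how-to: stop
#    filtering on the member interfaces and filter on the bridge interface,
#    so the rules attached to the bridge are the ones that actually apply.
bridge_tunables() {
  echo "sysctl net.link.bridge.pfil_member=0"
  echo "sysctl net.link.bridge.pfil_bridge=1"
}

# The diagram as a whole: ports 0+1 -> lagg0, VLANs 1 and 2 tagged on lagg0,
# one bridge per VLAN, port 2 untagged in VLAN 1's bridge, IP on that bridge.
full_plan() {
  bridge_tunables
  lagg_plan lagg0 "igb0 igb1"
  vlan_bridge_plan lagg0 "1 2"
  untagged_member_plan bridge1 igb2
  bridge_address_plan bridge1 192.0.2.1/24   # constructed documentation address
}

# Check helper: how many members a bridge in the plan ends up with. Each bridge
# should hold one VLAN interface per parent plus any untagged ports, never two
# VLAN interfaces of the same parent.
bridge_member_count() {   # bridge_member_count bridge1
  full_plan | grep -c "^ifconfig $1 addm "
}

if [ "${APPLY:-0}" = "1" ]; then
  full_plan | sh -e      # execute on FreeBSD as root
else
  full_plan              # dry run: show the commands only
fi
```

Run it as-is to see the plan; `bridge_member_count bridge1` answers 2 (lagg0.1 plus the untagged igb2) and `bridge_member_count bridge2` answers 1, which is the shape Patrick's diagram describes. Swapping `vlan_bridge_plan lagg0 "1 2"` for `vlan_bridge_plan "igb0 igb1" "1 2"` gives the non-LACP layout from his first answer: four VLAN interfaces, two per port, and two bridges with one VLAN interface per port each.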

I forgot to mention that I have another managed switch connected to my port 1, all the vlans with internet access go through that port, some of them are the ones I want to extend to the other OPNsense port.
I'm going to focus on working on creating the bridges first to extend the vlans and when I have everything working I'll work on the lacp.
The important thing is that I understand what I'm doing with your explanations and reading what the parameters I've changed mean, thanks Patrick. Little by little I'm a newbie with OPNsense and FreeBSD.
I've already configured a vlan on both ports, changing the ip to the bridge and it seems to work well, I'm going to copy the rules.
Thanks again Patrick, see you around here. I still need to post in the proxy section because I can't get the deep inspection of squid to work with my certificates :'(, Suricata seems to be working well at the moment.
As I said little by little.