VLAN bridging and use them on different ports

Started by PilaScat, June 28, 2024, 03:06:40 PM

I'm writing to you here as a continuation of this post: https://forum.opnsense.org/index.php?topic=29436.0
I wanted to ask you, what should I put as the parent interface of the VLANs if I want to use a LAN bridge?
I have a Qotom Q20332G9-S10 with lots of ports, as you can see. I want to use 1x 10Gb SFP for my managed PoE switch to link 2 APs and some cameras, and then I wanted to use some of the 2.5Gb ports from the Qotom for my server and PC.
I wanted to configure these VLANs:
VLAN 1 (Management)
Gateway: 192.168.1.1
Switch: 192.168.1.2
AP1: 192.168.1.3 connected to switch 2.5gb poe
AP2: 192.168.1.4 connected to switch 2.5gb poe
unRAID: 192.168.1.5 connected to qotom 2.5gb

VLAN 10 (DMZ, Docker) https://forums.unraid.net/topic/62107-network-isolation-in-unraid-64/
Gateway: 192.168.10.1

VLAN 20 (IOT)
Gateway: 192.168.20.1

VLAN 30 (Clients)
Gateway: 192.168.30.1
My-PC: connected to qotom 2.5gb
Parents-PC: connected to qotom 2.5gb

VLAN 40 (Guests)
Gateway: 192.168.40.1

I know that switching with the router isn't the best thing, but I have limited money and a lot of ports on the router, so I'm gonna use them.
Do you have any suggestions? I'm going crazy.

I already answered all of this essentially in this thread:

https://forum.opnsense.org/index.php?topic=41148.msg201687#msg201687
https://forum.opnsense.org/index.php?topic=41148.msg202110#msg202110

And with LACP and an untagged port here:

https://forum.opnsense.org/index.php?topic=41209.msg202020#msg202020

For each port where you want VLAN 10 to be active you create a VLAN interface with that port as a parent. Then you create a bridge interface, e.g. bridge10 with all those VLAN interfaces as members.

Firewall configuration (logical assignment, IP address, DHCP, ...) then goes on that bridge interface bridge10.

Same for VLAN 20, VLAN 30.

So if you have e.g. that SFP+ port and 4 2.5 G ports and you want all three VLANs on all of them, you end up with

- 5 physical ports
- 3 VLAN interfaces on each for a total of 15 VLAN interfaces
- 3 bridge interfaces, one for each VLAN, each containing 5 members, namely the VLAN interfaces with the same tag, one from each physical port

That's the only correct way to do it. FreeBSD is not a switch. It cannot run VLANs over bridged interfaces, only bridge together individual VLAN interfaces. But it works. So either go that way or buy a switch.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
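The layout Patrick describes above (one VLAN interface per physical port and tag, one bridge per tag containing all VLAN interfaces with that tag) is easy to get wrong once you have 15 VLAN interfaces. The following added example is not from the thread or from OPNsense; it lays out that topology for an assumed inventory (ix0 for the SFP+ port, igc0..igc3 for the 2.5 G ports), checks it against the two layouts the post says not to use (a VLAN on top of a bridge, an interface in two bridges), and renders the result as the equivalent FreeBSD ifconfig(8) commands. OPNsense names VLAN devices itself and configures all of this from the GUI, so the ifconfig lines only illustrate what ends up on the box.

```python
# Added example (not from the thread): lay out the "one VLAN interface per
# port, one bridge per VLAN" topology described above and sanity-check it.
# Port names (ix0 for the SFP+ port, igc0..igc3 for the 2.5 G ports) are
# assumed; OPNsense assigns VLAN device names itself, so the emitted ifconfig
# lines illustrate the resulting FreeBSD topology rather than OPNsense's GUI.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

PORTS = ["ix0", "igc0", "igc1", "igc2", "igc3"]   # constructed inventory
TAGS = [10, 20, 30]                               # DMZ, IoT, Clients from the post


@dataclass
class Plan:
    # (vlan interface, parent interface, 802.1Q tag)
    vlan_ifaces: List[Tuple[str, str, int]] = field(default_factory=list)
    # bridge name -> member interfaces
    bridges: Dict[str, List[str]] = field(default_factory=dict)


def build_plan(ports: List[str], tags: List[int]) -> Plan:
    """For every (port, tag) create a VLAN interface; bridge all VLAN
    interfaces that share a tag into one bridge named after that tag."""
    plan = Plan()
    for tag in tags:
        bridge = f"bridge{tag}"
        plan.bridges[bridge] = []
        for port in ports:
            vif = f"{port}.{tag}"        # FreeBSD's parent.tag naming
            plan.vlan_ifaces.append((vif, port, tag))
            plan.bridges[bridge].append(vif)
    return plan


def validate_plan(plan: Plan) -> List[str]:
    """Flag the two layouts the thread says not to use: a VLAN interface
    whose parent is a bridge, and an interface that is a member of two bridges."""
    problems = []
    for vif, parent, tag in plan.vlan_ifaces:
        if parent.startswith("bridge"):
            problems.append(f"{vif}: VLAN {tag} stacked on {parent}; "
                            "bridge VLAN interfaces instead, not the reverse")
    owner: Dict[str, str] = {}
    for bridge, members in plan.bridges.items():
        for member in members:
            if member in owner:
                problems.append(f"{member}: member of both {owner[member]} and {bridge}")
            owner[member] = bridge
    return problems


def ifconfig_lines(plan: Plan) -> List[str]:
    """Render the plan as FreeBSD ifconfig(8) commands."""
    lines = [f"ifconfig {vif} create vlan {tag} vlandev {parent}"
             for vif, parent, tag in plan.vlan_ifaces]
    for bridge, members in plan.bridges.items():
        lines.append(f"ifconfig {bridge} create")
        lines.append(f"ifconfig {bridge} " + " ".join(f"addm {m}" for m in members) + " up")
    return lines


if __name__ == "__main__":
    plan = build_plan(PORTS, TAGS)
    assert not validate_plan(plan)
    print("\n".join(ifconfig_lines(plan)))
```

With five ports and three tags the plan comes out to exactly the 15 VLAN interfaces and 3 bridges of 5 members each that the post counts; the firewall assignment, address and DHCP then go on bridge10, bridge20 and bridge30, not on any individual VLAN interface.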

Could I use only one cable to the switch, or do I need one to separate tagged and untagged?
It's quite a headache ahah

Run all your VLANs tagged as far as OPNsense is concerned and you need only one cable. You should not have an untagged network on that same port.

If you need an additional untagged VLAN, e.g. VLAN 1 because you use unifi and they are a bit brain dead in that regard, then you need another port for that untagged VLAN.

It's really dead easy. VLAN tags only exist on so-called trunk ports between devices. Whether VLAN x is tagged or untagged on a particular link concerns only the two devices at each end of that link.

To put the same argument differently in the hope that clears it up:

OPNsense wants to run all VLANs tagged - which is no problem with Mikrotik, Cisco, Juniper, ... just about any switch. If Unifi insists that VLAN 1 must always be untagged and that provisioning and management must always run on VLAN 1, that is their call, but now we have a conflict here.

That can be solved by using a different port for VLAN 1 (untagged) on OPNsense.

What is your particular reason to want one VLAN untagged? That is not necessary as I explained. Unless you run unifi ...

OK now? :)
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Sadly my APs are Unifi, so I need it, it seems  ;D
I evidently didn't do the proper research before buying the switch and router.
Now with that in mind, how do I tell OPNsense to pass untagged traffic on that particular port?
Sorry but this is the first time I've attempted to set up a network with different VLANs in practice, I only knew the theory

You do not need to tell OPNsense. A single port is always untagged. Just assign e.g. "LAN" to that port and that will be your untagged VLAN 1.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Seems perfect, now I'll try to set it up
I'll probably ask you more haha
Thank you for the great help you are giving me (and for your patience haha)

Quote from: PilaScat on July 03, 2024, 11:50:58 PM
Sadly my APs are Unifi, so I need it, it seems  ;D

You could always flash your Unifi AP with a current vanilla version of OpenWRT (it's already running OpenWRT, it's only a crippled version built internally by Ubiquiti ;D ).

Wireless Freedom _AND_ freely configurable VLANs, both tagged and native, win-win...

Too much for me now ahahh, I need to understand OPNsense better.
I have a question: does Unifi need untagged only for management and then use tagged to transfer traffic?
Or does it use only untagged? Then I could use a lower-speed port and not waste the faster ports.

This depends on how you configure the profiles in the Unifi Controller. If you map all SSIDs to tagged VLANs, then it's all tagged, obviously.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Actually, @Patrick: Even if you map all SSIDs themselves to tagged VLANs, you would normally still need untagged traffic for the Unifi management.

"Brain dead" is a good definition: You actually CAN put the management on a VLAN with Unifi, too - I had that working once. There is a catch, however, if you also use Unifi switches, see this.

For now, I have the management network on untagged and any other network on a VLAN. I understand the warning that OPNsense/FreeBSD cannot handle mixing tagged and untagged traffic on a trunk port and that therefore it is generally a bad idea (tm), but for me, it works. I am not doing fancy things like adding bridging or LAGG on top, and I do not use promiscuous mode via Zenarmor, though.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A

Quote from: meyergru on July 04, 2024, 09:52:40 AM
Actually, @Patrick: Even if you map all SSIDs themselves to tagged VLANs, you would normally still need untagged traffic for the Unifi management.

You are right. But @PilaScat could use a "slower" port - whatever that means in their setup - for the management VLAN.

IMHO whoever added the "native VLAN" to the 802.1q standard deserves to be shot.  :)
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Could this config work? I want 3 SSIDs: IoT, clients and guests.

Switch:
Port 1: AP1 vlan1 untagged, vlan20-30-40 tagged
Port 2: AP2 vlan1 untagged, vlan20-30-40 tagged
Port 3: Reolink IPCAM vlan20 tagged
Port 4: Empty
Port 5: Router, vlan1 untagged
Port 6: Router, vlan20-30-40 tagged

If "router" is OPNsense, then probably yes.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
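The port plan posted above encodes the rules from earlier in the thread: every VLAN reaches OPNsense tagged over one cable (port 6), the Unifi-required untagged VLAN 1 gets its own router port (port 5), and no router-facing port mixes tagged and untagged. The following added example, not from the thread or from any vendor, parses that plan text as posted and checks those three rules plus one more a practitioner would want (every VLAN used on an AP or camera port is actually carried on some router port, so its gateway is reachable). The rule set is this example's own assumption, not OPNsense or switch logic.

```python
# Added example (not from the thread): parse the switch port plan posted
# above and check it against the rules given earlier in the thread. The
# plan text is copied from the post; the check rules are an assumption of
# this example, not OPNsense or switch-vendor logic.
import re
from typing import Dict, List, Set

SWITCH_PLAN = """\
Port 1: AP1 vlan1 untagged, vlan20-30-40 tagged
Port 2: AP2 vlan1 untagged, vlan20-30-40 tagged
Port 3: Reolink IPCAM vlan20 tagged
Port 4: Empty
Port 5: Router, vlan1 untagged
Port 6: Router, vlan20-30-40 tagged
"""

PORT_RE = re.compile(r"^Port (\d+):\s*(.*)$")
VLAN_RE = re.compile(r"vlan([\d-]+)\s+(tagged|untagged)")


def parse_plan(text: str) -> Dict[int, dict]:
    """Turn 'Port N: <device> vlanA-B untagged, vlanC-D tagged' lines into
    {port: {"device": str, "tagged": set, "untagged": set}}."""
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if not m:
            continue
        num, rest = int(m.group(1)), m.group(2)
        # everything before the first "vlan" word names the attached device
        device = re.split(r"\bvlan", rest, maxsplit=1)[0].strip(" ,")
        entry = {"device": device, "tagged": set(), "untagged": set()}
        for tags, mode in VLAN_RE.findall(rest):
            entry[mode].update(int(t) for t in tags.split("-"))
        ports[num] = entry
    return ports


def is_router(entry: dict) -> bool:
    """The plan labels OPNsense-facing ports 'Router'."""
    return entry["device"].lower().startswith("router")


def check_plan(ports: Dict[int, dict]) -> List[str]:
    """Return a list of rule violations; an empty list means the plan is consistent."""
    problems = []
    for num in sorted(ports):
        entry = ports[num]
        # a port can have at most one native (untagged) VLAN
        if len(entry["untagged"]) > 1:
            problems.append(f"port {num} ({entry['device']}): more than one untagged VLAN")
        # OPNsense side: all tagged on one port, untagged VLAN on a separate port
        if is_router(entry) and entry["tagged"] and entry["untagged"]:
            problems.append(f"port {num} ({entry['device']}): OPNsense-facing port "
                            "mixes tagged and untagged VLANs")
    # every VLAN used on an AP/camera port must be carried on some router port
    carried: Set[int] = set()
    for entry in ports.values():
        if is_router(entry):
            carried |= entry["tagged"] | entry["untagged"]
    used: Dict[int, List[int]] = {}
    for num in sorted(ports):
        entry = ports[num]
        if is_router(entry):
            continue
        for v in entry["tagged"] | entry["untagged"]:
            used.setdefault(v, []).append(num)
    for v in sorted(used):
        if v not in carried:
            plist = ", ".join(str(p) for p in used[v])
            problems.append(f"VLAN {v} is used on port(s) {plist} but carried on no router port")
    return problems


if __name__ == "__main__":
    for problem in check_plan(parse_plan(SWITCH_PLAN)) or ["plan is consistent"]:
        print(problem)
```

Run against the posted plan the check returns no problems; fold VLAN 1 untagged onto port 6 instead of giving it port 5, or add a VLAN to an AP port without also trunking it to the router, and the corresponding rule fires.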