Topic: [SOLVED] Need some help with VLANS (Read 858 times)
MknSubnets (Newbie, Posts: 9, Karma: 0)
[SOLVED] Need some help with VLANS « on: July 22, 2024, 11:56:38 pm »
First .. my very first post here at the OPNsense forum and I will admit I am a newbie. So please try not to bury me.
However I have my OPNsense running on my Protectli device and it is fine with no issues on my home network. I would like to initially setup 3 devices on a VLAN. In the future I want to add 3 more wireless devices into another VLAN but that is the future.
I have a managed switch TP-LINK TL-SG1016DEs so nothing terribly complex. It is currently unmanaged as I cannot get the VLANS to work with OPNsense.
I created a VLAN on the managed switch using 802.1Q for 3 devices just to test.
However the problem and thus this post is that the 3 devices (Raspberry Pi devices) cannot access the web. They spit out data 24/7 and thus this is critical. I tried to setup a VLAN on OPNsense and setup a firewall rule to allow a device to get out. I could not get it to work.
So there are 2 desires here .. and I am just going to try to get the 3 devices on the 1 VLAN to work. I will work on the other one later. I will try to leave some more information on how it is setup below.
These 3 devices have a 10.0.0.X IP and just send out data to the WAN and only to 1 external domain. I have a need to access a locally generated map from that data on my main PC (also 10.0.0.X on the same subnet) on the lan. That was all working fine before I made the VLAN on the switch.
The 3 devices are DHCP and get their static IP addresses as defined under the LAN interface. They need to remain static as it just complicates things if they are not (mostly from the point of view of accessing them on the LAN).
I assume that I need to do 2 things here .. setup the VLAN on the managed switch and setup OPNSense for the VLAN as well. Somewhere along the way .. I have not done something right. I really do not know much about how VLANS work and assume that OPNSense needs to know about the VLAN before it will allow traffic to pass.
I should note I have a 4 port Protectli Vault and am currently only using LAN / WAN and am totally ok with using the other 2 physical ports there for these 2 VLANS if it would be easier. The 2nd future VLAN is wireless and only needs access to the WAN only with no LAN access needed.
The managed switch part is very simple. The OPNSense part .. is more complex as I think I need the overview of all the steps I need to setup OPNSense to support a VLAN.
Any assistance would be appreciated.
« Last Edit: July 25, 2024, 10:56:15 pm by edmscan »

cookiemonster (Hero Member, Posts: 1821, Karma: 95)
Re: Need some help with VLANS « Reply #1 on: July 23, 2024, 01:35:39 pm »
This I think should help you. It was when I was correcting my setup.
https://forum.opnsense.org/index.php?topic=36530.msg178381#msg178381
You need a trunk, i.e. all traffic tagged into OPN. Then your managed switch will add the tags to the access ports, which are the ports where devices connect into but they don't tag themselves.
Normally that is a port-based tagging. So not device-tagging.

MknSubnets (Newbie, Posts: 9, Karma: 0)
Re: Need some help with VLANS « Reply #2 on: July 24, 2024, 02:24:29 am »
Thank you for your help however I have a question. Can the IP Addresses of the VLAN be a subset of the LAN interface or do they have to be completely different?
My LAN is 10.0.0.X and I cannot get the DHCP to work on the VLAN. Do I need the VLAN on a different subnet ?
It gives me errors of the range already defined or overlapping.

cookiemonster (Hero Member, Posts: 1821, Karma: 95)
Re: Need some help with VLANS « Reply #3 on: July 24, 2024, 12:55:57 pm »
It has to be a different network, the purpose of a VLAN really. If it was a subsection of the LAN then it is not a VLAN anymore and both would be in the same broadcast area.
Maybe VLAN is not what you need but I'm a bit unclear what your goal is.
If it is to segregate a number of devices in a separate network, VLAN is an option but requires the devices to plug into a managed switch that will tag and untag the traffic coming into its ports.
If you have a spare port in your firewall, then that port is already another network when setup, so that is another option. Just plug an unmanaged switch into it and your devices there and no VLANs are necessary to separate them from your current LAN that is another port.
Unmanaged switches are very cheap in most places.
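The requirement in this reply, that every interface or VLAN is its own non-overlapping network, can be checked on paper before changing the firewall. The following is an added example, not part of the original post and not OPNsense's own validation code; the prefix lengths, the DHCP ranges and the IOT_VLAN name are constructed assumptions (the thread only gives the LAN as 10.0.0.X).

```python
import ipaddress
from itertools import combinations

# Constructed plans. The thread only gives the LAN as 10.0.0.X; the prefix
# lengths, DHCP ranges and the IOT_VLAN name are assumptions for illustration.
# Format: interface -> (subnet, DHCP range start, DHCP range end)
OVERLAPPING_PLAN = {
    "LAN":      ("10.0.0.0/24",   "10.0.0.100", "10.0.0.200"),
    "IOT_VLAN": ("10.0.0.128/26", "10.0.0.130", "10.0.0.190"),
}
SEPARATE_PLAN = {
    "LAN":  ("10.0.0.0/24",  "10.0.0.100",  "10.0.0.200"),
    "OPT1": ("10.0.10.0/24", "10.0.10.100", "10.0.10.200"),
    "OPT2": ("10.0.20.0/24", "10.0.20.100", "10.0.20.200"),
}

def check_plan(plan):
    """Return a list of problems in an interface addressing plan."""
    problems = []
    nets = {}
    for name, (cidr, start, end) in plan.items():
        # strict=True rejects CIDRs with host bits set, e.g. 10.0.0.1/24
        net = ipaddress.ip_network(cidr, strict=True)
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo > hi:
            problems.append(f"{name}: DHCP range start {lo} is above end {hi}")
        for addr in (lo, hi):
            if addr not in net:
                problems.append(f"{name}: DHCP address {addr} is outside {net}")
            elif addr in (net.network_address, net.broadcast_address):
                problems.append(f"{name}: DHCP address {addr} is not a host address")
        nets[name] = net
    # Every pair of interfaces must be a distinct, non-overlapping network,
    # otherwise they are not separate broadcast domains at layer 3.
    for a, b in combinations(sorted(nets), 2):
        if nets[a].overlaps(nets[b]):
            problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems

if __name__ == "__main__":
    for label, plan in (("overlapping", OVERLAPPING_PLAN), ("separate", SEPARATE_PLAN)):
        print(label, check_plan(plan) or "OK")
```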

MknSubnets (Newbie, Posts: 9, Karma: 0)
Re: Need some help with VLANS « Reply #4 on: July 24, 2024, 08:37:54 pm »
The thing is maybe I do not need a VLAN ? I DO have 2 free ports on my Protectli as below.
I have 6 devices I would like to segregate in 2 separate groups of 3 on my currently flat ? network.
I tried to plug in my Asus router for WiFi (3 items) into my managed switch and use port VLAN and it failed. Once I took the switch out of unmanaged mode .. it broke several items on other ports and they could no longer access the internet. So the switch is going to remain unmanaged.
Really the ONLY true goal is to keep the 2 groups of 3 items separate from my main PC (which is plugged into the switch) and is fine. There is an ethernet cable connecting the switch to the LAN port on my Protectli.
I have a backup file .. so no big deal trying to play with things at this point as I cannot really break anything.
I have time so I will play with it.
Thanks for your assistance.
EDIT .. took me all of a few min to activate the OPT2 PORT and via the ASUS router for WiFi to that port. It is segregated and working perfectly.
I do have 3 more devices I would like to do (will go to OPT1 port) and I will use the unmanaged switch for that. There are 3 devices there, 3 cables thus I will use the switch in that case.
After I have done some testing to make sure it is all working, I will add the other 3 devices to OPT1.
I just have to say a HUGE thank you .. as that was so easy and no vlans needed.
« Last Edit: July 24, 2024, 09:05:42 pm by edmscan »

cookiemonster (Hero Member, Posts: 1821, Karma: 95)
Re: Need some help with VLANS « Reply #5 on: July 24, 2024, 11:13:31 pm »
Glad to hear.
> .. as that was so easy and no vlans needed.
until you do. We'll be glad to give a hand when the time comes. That 16 port managed switch will be asking you to.
Mind you if most devices are wireless, then the wait could be long

MknSubnets (Newbie, Posts: 9, Karma: 0)
Re: Need some help with VLANS « Reply #6 on: July 25, 2024, 10:52:47 pm »
I have successfully installed my 6 devices into 2 ports on my Protectli and it works very well. Much easier than a VLAN.