Management VLAN on multiple physical interfaces

Started by Ste_opns_1, August 09, 2024, 12:18:11 PM

Hello OPNsense Forum community,

I am new to OPNsense and trying to move my home network setup to OPNsense. Unfortunately I failed in some configuration areas, and I hope you can help me understand the limits and maybe the needed configuration.

First of all my setup:
Hardware: Modem, 6-port mini PC (OPNsense/router), 2 smart managed switches, 1 L2+ managed switch, 1-2 WLAN access points

My intended setup would be as follows:

Modem (WAN) ---> eth0 Opnsense (WAN)
eth1 --->  L2+ managed switch [L2MS] (VLAN: 30,40,50, 20(WLAN AP), GUEST(WLAN AP), MGMT)
eth2 ---> smart managed switch 1 [SMS1] (VLAN: 20, MGMT)
eth3 ---> smart managed switch 2 [SMS2] (VLAN: 20(WLAN AP), GUEST (WLAN AP), MGMT)

My intent is to have the WebUIs of all my network devices (OPNsense, 3 x managed switches, 1-2 access points) available on the MGMT VLAN.

Side info, it would be possible to connect
OPNsense box ---> SMS1 and
L2MS & SMS2 ---> SMS1

The needed communication between certain VLANs should work with Firewall rules.

I hope you can clear some things up, whether this is possible or whether my understanding has flaws.

Thank you in advance!

Create all VLAN subinterfaces on the physical ports as desired. Don't use the port for untagged frames, only tagged VLANs.

Create bridge interfaces to connect same tag VLAN subinterfaces across multiple ports.

E.g.

- VLAN 20 on eth2
- VLAN 20 on eth3
- bridge with these two as members

Place management IP address and assignment and firewall rules on the bridge interface, never on the member interfaces.

Make sure to set the tunables as per step 6 of the docs:
https://docs.opnsense.org/manual/how-tos/lan_bridge.html#step-six

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thank you for the quick answer.

How do I create a VLAN subinterface for 2 physical ports?

First I create the VLAN (Interfaces/Others/VLANs), no problem.
Then I go to Interfaces/Assignments and assign the e.g. VLAN 20 to eth2.
Now the VLAN 20 is gone and I cannot assign it again to eth3.

In order to create a bridge interface, I need an assigned interface.

I must have missed or misunderstood something, right?

Further, just for clarification, you mean with "Don't use the port for untagged frames, only tagged VLANs." that the physical ports should not be assigned as an interface?

Thank you and with Regards,
Stefan

Create e.g. VLAN220 and VLAN320, both with tag 20, one on eth2, one on eth3 - by the way, what hardware is this? To my knowledge there has never been an "eth" interface in FreeBSD. Shouldn't that be "igb2" or "ix2" or similar?

The names of the VLANs must be different but the tag can be the same.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
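The setup Patrick describes (two VLAN subinterfaces with the same tag but different names on two ports, a bridge over them, the management address on the bridge only, and the bridge tunables from step six of the docs) can be expressed as the FreeBSD CLI equivalent of the GUI steps. The following script is an added example, not part of the thread and not OPNsense's own code; on a real OPNsense box the GUI/config.xml is authoritative and these commands are only for understanding or for checking a lab box. Interface names (igb2, igb3), the VLAN names vlan220/vlan320, the bridge name bridge0 and the address 192.0.2.1/24 are assumptions. With DRY_RUN=1 it prints the plan instead of executing it.

```shell
#!/bin/sh
# Added example (not from the thread): CLI equivalent of the GUI steps above.
# Assumed names: igb2/igb3 (ports), vlan220/vlan320 (VLAN devices), bridge0,
# 192.0.2.1/24 (management address). DRY_RUN=1 prints instead of executing.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One VLAN device per physical port. The device names differ (vlan220/vlan320)
# but the 802.1Q tag is the same. The parent port is brought up but gets no
# address: it carries tagged frames only and is never assigned as "LAN".
make_vlan() {
    name=$1; tag=$2; parent=$3
    run ifconfig "$parent" up
    run ifconfig "$name" create vlan "$tag" vlandev "$parent" up
}

# Step six of the lan_bridge how-to: filter on the bridge interface, not on
# its members, so the rules placed on the bridge are the ones that apply.
# In OPNsense these are persisted under System > Settings > Tunables.
set_bridge_tunables() {
    run sysctl net.link.bridge.pfil_member=0
    run sysctl net.link.bridge.pfil_bridge=1
}

# The bridge joins the same-tag VLAN devices and is the only interface that
# gets the management IP address.
make_bridge() {
    br=$1; addr=$2; shift 2
    run ifconfig "$br" create
    for m in "$@"; do
        run ifconfig "$br" addm "$m"
    done
    run ifconfig "$br" inet "$addr" up
}

# setup_mgmt_bridge <bridge> <tag> <cidr> <parent:vlanname> [<parent:vlanname> ...]
setup_mgmt_bridge() {
    br=$1; tag=$2; addr=$3; shift 3
    members=""
    for spec in "$@"; do
        parent=${spec%%:*}
        name=${spec#*:}
        make_vlan "$name" "$tag" "$parent"
        members="$members $name"
    done
    set_bridge_tunables
    # shellcheck disable=SC2086  # intentional word splitting of $members
    make_bridge "$br" "$addr" $members
}

# Usage: DRY_RUN=1 sh this_script.sh  (prints the plan; nothing is changed)
if [ "${DRY_RUN:-0}" = "1" ] && [ -z "$SETUP_MGMT_BRIDGE_NO_MAIN" ]; then
    setup_mgmt_bridge bridge0 20 192.0.2.1/24 igb2:vlan220 igb3:vlan320
fi
```

The plan never issues an `inet` command against igb2, igb3 or the vlan devices, which is the point of "place the IP address on the bridge, never on the members": with pfil_member=0 and pfil_bridge=1 the firewall sees that traffic once, on the bridge, where the rules are.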

Ah now I get it, thanks I will try that!

Sorry for the confusion, it is igb2; I used eth (Ethernet) for the physical port. It is a 6-port mini PC (N305).

Further, just for clarification, do you mean with "Don't use the port for untagged frames, only tagged VLANs." that the physical ports should not be assigned as an interface (like "LAN")?

Quote from: Ste_opns_1 on August 12, 2024, 11:27:12 AM
Further, just for clarification, do you mean with "Don't use the port for untagged frames, only tagged VLANs." that the physical ports should not be assigned as an interface (like "LAN")?
Exactly!
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)