Opnsense - Tagged-Trunk port only?

[bx2]

Hello everyone,

My home network is planned to have the following VLANs:

VLAN 2 = Data
VLAN 3 = Wifi
VLAN 4 = Wifi-Guest
VLAN 101 = Management


Now, when I setup Opnsense on my CWWK N100 box, I set eth0 (igc0) to be my WAN and eth1 (igc1) to be my "lan" network. This network is assigned the 192.168.1.x/24 network.

The network switch I am using is a Ruckus-Brocade ICX7150 switch.

So, I know how to configure VLAN interfaces off of igc1 but what I am looking to do is only accept tagged traffic (aka Trunk)  between my Ruckus-Brocade switch and Opnsense.

Example, today I was trying to figure this out and I had had my brocade uplink port to Opnsense tagged in my vlans and untagged on the default vlan #1.

When I removed my switch port #1 (which goes to Opnsense igc1) from the default vlan, I lost connectivity.

In Opnsense, my VLANs are defined with VLAN tags, but what I think is that maybe the traffic is passed between Opnsense and my Brocade switch on default VLAN #1.

I am very familiar with L2 switching and the Brocade style configuration. I want all of my VLANs tagged on the uplink to Opnsense.

What I am not sure is how to only accept traffic on Opnsense, interface igc1 as only tagged traffic.

Thank you,

[Patrick M. Hausen]

Easy: assign all your symbolic network names (LAN, OPT1, whatever you pick) to tagged VLAN interfaces only. This is in fact the recommended way. Don't use tagged and untagged frames on the same physical interface in FreeBSD/OPNsense.

[EricPerl]

Easy: assign all your symbolic network names (LAN, OPT1, whatever you pick) to tagged VLAN interfaces only. This is in fact the recommended way. Don't use tagged and untagged frames on the same physical interface in FreeBSD/OPNsense.

So LAN setup with None for IP configuration types?

Where is that recommendation coming from?
It seems to be working fine with a mix (currently playing with an OPNsense connected to my existing network, totally isolated via VLANs, but with OPNsense's WAN & LAN port both receiving untagged traffic).
My networking hardware can handle a MGMT VLAN but it's painful at adoption time so I currently run my network infrastructure in the default untagged network and all clients are in a few VLANs.

[meyergru]

Although some NICs may have problems with a tagged/untagged mixture, I have resorted to the same setup with MGMT on untagged and all other VLANs tagged as well.

I tried to use MGMT tagged, but I found that Unifi equipment has problems doing that: once the devices are adopted, you can change their management VLAN, but you must adopt new devices untagged first. That was too much of a hassle to me.

I have seen no problems with tagged/untagged mix on I225 and I226 NICs.

[dseven]

So LAN setup with None for IP configuration types?

No, he's suggesting to reassign the "LAN" interface to use a VLAN "device" instead of igc1. OP would need to decide what "LAN" should represent ("Data" or "Management"?).... alternatively "LAN" could just be deleted entirely, but a VLAN interface for management access would need to be established first to avoid lockout...

[EricPerl]

Although some NICs may have problems with a tagged/untagged mixture, I have resorted to the same setup with MGMT on untagged and all other VLANs tagged as well.

I tried to use MGMT tagged, but I found that Unifi equipment has problems doing that: once the devices are adopted, you can change theit management VLAN, but you must adopt new devices untagged first. That was too much of a hassle to me.

I have seen no problems with tagged/untagged mix on I225 and I226 NICs.

Glad to hear it. TP-link Omada has the same issues. I have I225 & I226 too.

So LAN setup with None for IP configuration types?

No, he's suggesting to reassign the "LAN" interface to use a VLAN "device" instead of igc1. OP would need to decide what "LAN" should represent ("Data" or "Management"?).... alternatively "LAN" could just be deleted entirely, but a VLAN interface for management access would need to be established first to avoid lockout...

Ah, so leave the physical device unassigned, create "native" VLAN with physical device as parent, assign LAN to that.
Are additional VLANs parented to the physical device too? I ask because it seems you can have a VLAN as parent too, which I can't really conceptualize yet.

[dseven]

Are additional VLANs parented to the physical device too? I ask because it seems you can have a VLAN as parent too, which I can't really conceptualize yet.

Yes, all the VLANs would have the physical device (igc1) as their parent in this case.

Google "QinQ" ... and have some paracetamol on hand ;D

[EricPerl]

I had noticed the prefix in the device name.
I just read the wikipedia article about QinQ. I get it conceptually (VLAN within VLAN). I'm glad I'll never have to deal with this.
Thanks all.

[bx2]

Easy: assign all your symbolic network names (LAN, OPT1, whatever you pick) to tagged VLAN interfaces only. This is in fact the recommended way. Don't use tagged and untagged frames on the same physical interface in FreeBSD/OPNsense.

Edit, I don't think you are speaking of QinQ. In my case, I don't want all clans to be trunked under a primary VLAN.
Thank you, I've been stuck on this for a bit.

What you are referring to, is that QinQ?

[dseven]

QinQ came up because it was noticed that it's possible to specify the parent of a VLAN "device" to be another VLAN "device". It's not something that applies here - you'd set the parent of all VLANs to igc1, as I said earlier...

[Monviech (Cedrik)]

Here is also a new tutorial section that explains the best practice way to connect the OPNsense to a managed switch: https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html

If anybody finds issues with this guide, feedback and PRs are welcome as always.

[cookiemonster]

Here is also a new tutorial section that explains the best practice way to connect the OPNsense to a managed switch: https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html

If anybody finds issues with this guide, feedback and PRs are welcome as always.

Great addition @Monviech . It was desperately needed.

[Monviech (Cedrik)]

Thanks  ;D

[bx2]

Here is also a new tutorial section that explains the best practice way to connect the OPNsense to a managed switch: https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html

If anybody finds issues with this guide, feedback and PRs are welcome as always.

Thank you very much.
As basic as this was, it didn't click despite me doing this before but I must have been trying too many things at once and confused myself.

I set igc3 to be my recovery port (VLAN102) and once I was in there, I deleted the default igc1 LAN assignment and created the VLANS and assigned them to igc1.  Enabled the interfaces, created some basic rules and setup DHCP and I'm good now.


Thank you everyone for the help. I'm sorta slow with new things.