[SOLVED]Put dedicated LAN port in VLAN?

[fastboot]

Hi.

As I bought a new Firewall for my hopefully coming soon Fibre Link, I am struggeling if I should use the LAN port as a VLAN.
In my old setup on the LAN port only my PC is connected. But it came to the situation that I wanted to add another PC into the same subnet. I dont have that many ports on the new FW. 4x 2.5 gigs copper and 2x 10gigs fibre.

Are there any disadvantages when I do that?

So in steps:
1. Add VLAN 500
2. Assign Interface
3. Remove IP from physical LAN interface
4. Add prior LAN IP to the VLAN
5. Connect FW to trunk port on a switch and finally connect the PC to an access port which the same vlan

The physical LAN Port would only cover the VLAN for the LAN itself. Nothing else. For all the other stuff I use other dedicated ports as trunk.

Or is there a better approach? Not sure how I would share the LAN subnet over a switch. Beside I put it on an access port with VLAN 500 and would configure more ports for the same VLAN

[Gauss23]

Why do you want to use a single VLAN?
You could just plug a switch to the LAN port and connect your client devices.

What’s the goal of the VLAN 500?

[Patrick M. Hausen]

If you have a tagged VLAN on a trunk port to a switch and you want access ports in the same VLAN on your OPNsense device, you need to configure a bridge with all the access ports and the tagged VLAN as members. The interface assignment and consequently the IP configuration and services must be on the bridge interface, not any members. And the two tunables from the LAN bridge documentation must be set.

Mind that your switch is way better at handling this than FreeBSD doing it in software without a switching frabric. Better just configure the access ports for that VLAN on your switch. You do have a managed switch, don't you? Otherwise tagged VLANs on a trunk port don't make sense, anyway.

[fastboot]

Because I do not want to interfere with the VLAN 1 of a TP-Link Management switch.
On top of that I wanted to have an easier way to spread the LAN subnet over other physical ports which run as trunk.

My assumption from what I read here
- the normal LAN Port is VLAN 1(native vlan) e.g on igc0, even if not declared in the GUI/CLI
- if I configure for switch mgmt VLAN 1 on igc1 (and other vlans) then I would bridge this vlan 1 from my LAN with the mgmt vlan of the Switch

Or do I mix here something up?

I just want to have it as clean as possible.

Documentation:"Do not mix tagged and untagged VLANs on the trunk connecting the OPNsense Appliance and the Managed Switch. Side effects include leaking Router Advertisements, DHCP, CARP and other broadcasts between tagged and untagged VLANs. This depends on the brand of the deployed switch, so avoiding untagged frames for trunk ports is the safest method. Additionally, the interface statistics of the untagged VLAN would show all traffic, which can be confusing."
Ref: https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html

Also for the WAN (pppoe) port, for being able to connect to the mgmt of the modem. Following this:
https://forum.opnsense.org/index.php?topic=36936.msg180650#msg180650
or this:
https://forum.opnsense.org/index.php?topic=33497.0
would mix it up I guess.
 

[Patrick M. Hausen]

Use a dedicated untagged port for VLAN 1 and a trunk port carrying only tagged VLANs to connect OPNsense to the switch. On the switch configure PVID on that trunk port as something unused like 99 or so.

[fastboot]

Use a dedicated untagged port for VLAN 1 and a trunk port carrying only tagged VLANs to connect OPNsense to the switch. On the switch configure PVID on that trunk port as something unused like 99 or so.

But how should I manage then the switch itself?

So for instance.
igc0 <-> PC = LAN Interface (untagged) 192.168.0.1/24
igc1 <-> Switch Port 1 = Mgmt, WIFI (tagged with VLAN 1, 10,20,30) 192.168.1.0/24,10.10.X.X/24, 10.20.X.X/24, 10.30.X.X/24
Switch Port 3 <-> AP = (WIFI Networks VLAN 10,20,30, Mgmt of AP is VLAN1)

Mgmt of Switch and AP is in VLAN 1. I cannot change the MGMT of the TP-Link switch to another VLAN.
Also when I change the PVID of Switch Port 1 and Port 3 to PVID different as VLAN 1, I cannot conect anymore to the Switch or AP
For the AP(OpenWRT) I could change the VLAN != 1, but unfortunately not for the switch. So I have to stick with PVID and Tag = 1

So I am a little stuck with this. That was the reason why I was thinking to configure a tagged port for the LAN on the FW, connect the FW to the switch as tagged, and create another untagged port for the PC on the switch. As surely I do not want to waste a needed port on the FW unnecessarily for managing the Switch and the AP.

Perhaps I am overseeing something?

Thanks a lot for your inputs so far!

[Patrick M. Hausen]

Use a dedicated untagged port of OPNsense to connect to the switch on a port with VLAN 1, equally untagged. This is either LAN or a dedicated management network depending on your needs.

Put all other VLANs tagged on a trunk port.

[fastboot]

Use a dedicated untagged port of OPNsense to connect to the switch on a port with VLAN 1, equally untagged. This is either LAN or a dedicated management network depending on your needs.

Put all other VLANs tagged on a trunk port.

Sorry, I don't get it.

That would mean I lose one port on the FW just for mgmt of switch and ap, as I do not want to have the Switch and AP mgmt IP in the same subnet as my LAN is?

e.g
igc0  <-> Switch Port 1 = 192.168.1.0/24 untagged for switch and ap mgmt,
igc1 <-> PC = 192.168.0.0/24 untagged LAN interface where the PC is connected
igc2 <-> Switch Port 3 = Tagged with WIFI VLANs

I would like to have an OOB for the Mgmt of Switch and AP and not share the same subnet with my LAN.

[Patrick M. Hausen]

Sorry, I don't get it.

That would mean I lose one port on the FW just for mgmt of switch and ap, as I do not want to have the Switch and AP mgmt IP in the same subnet as my LAN is?

Exactly - so you did get it  What's the problem with that?

e.g
igc0  <-> Switch Port 1 = 192.168.1.0/24 untagged for switch and ap mgmt,
igc1 <-> PC = 192.168.0.0/24 untagged LAN interface where the PC is connected
igc2 <-> Switch Port 3 = Tagged with WIFI VLANs

I would like to have an OOB for the Mgmt of Switch and AP and not share the same subnet with my LAN.

If you are short of ports, run 192.168.0.0/24 where the PC is connected also tagged over the trunk port and plug the PC into the switch.

[fastboot]

Exactly - so you did get it  What's the problem with that?

If you are short of ports, run 192.168.0.0/24 where the PC is connected also tagged over the trunk port and plug the PC into the switch.

Sometimes you do get it, but you prefer not to believe it

Okay, now I am thinking. Because if I just put the LAN tagged as well over the trunk where the other VLANs pass through, then I'll share just 1gbit with all of them. uhm...

I guess I would favour then to go back to my intital line of thought. I will put the LAN interface dedicated on a port and give it a tag. Let's say VLAN 50. Create a Trunk on the switch, connect both, set PVID to something. At least this way I can keep the sh*** VLAN 1 on the other trunk to do the mgmt of the devices.

Are there any pitfalls or disadvantages if I do that?


Tbh I am thinking to just get a new switch where I can do that differently. Especially since I paid now ~800 Bucks for the new Firewall to make it right once I have fibre via gpon sfp. But finding a good switch which does not have a huge power consumption is not that easy as well The TL-SG608E  is very moderate in its power consumption. Either way I wanted to hand over later the other VLANS via 10gig on fibre to the firewall, too. Thinking....

[Patrick M. Hausen]

I am quite fond of my Mikrotik CRS326 - 2x SFP+ to the firewall, 24x 1G copper. VLAN 1 tagged or untagged, whatever you need.

[fastboot]

@Patrick Thanks again for kicking me in the right direction.

I tried at first to work with a backup and change the settings. But it completely failed. No idea why tbh. I changed the naming of the interfaces to the new firewall. Everything came up and ran, but I could not reach any hosts in the different subnets. For what ever reason. Tried to change it via GUI, then via changing the XML file. So even the official way did not work.... Well.... I started from scratch and also changed some things I wanted to change already before

Now I have two trunks.
1. igc1 covers vlan for LAN and for the vlan 1 mgmt
2. igc2 covers all other vlans for wifi, iot, test networks and stuff.

So far I am quite happy with this. And I do not mix tagged and untagged anymore

Funfact: As I read discussions about vlan naming, ppl were complaining about the naming scheme and so on. I learnt it can have only 15 chars. And its not possible to have it like igc0_vlan123. So I was quite suprised when I added the vlan directly in the setup and it was named igc0_vlan123. Whats not possible via the gui though...


EDIT: Ah, yes. For the ones who also would like to configure it like that. I had a hard time to try this via the GUI, so I ended up doing a factory reset, declared WAN and LAN from the CLI and created directly the LAN VLAN there. Booted up and configured the rest. Tested and works...

[EricPerl]

I followed this thread because I was in the process of migrating my router (ER-605) to OPNsense and the rest of my infrastructure is TP-link Omada devices.
I had also gotten that recommendation from Patrick about not mixing untagged and tagged on trunks (can't say I ever had issues before and unclear if I had a choice).

As of today, my VLAN 1 is unused. It still exists in Omada (no choice), but it's set for an IP range not handled by OPNsense. I ended up deleting the OPNsense LAN interface entirely, and all VLANs are parented off of the igcN device used on the LAN side. The Omada devices now are in their own management VLAN (that part was easier to setup with a router that is not Omada compatible!). I'll keep using the "All" profile (1 untagged, all VLANs tagged included) because it's the only one that's managed automatically when VLANs are added/deleted... 

[fastboot]

I followed this thread because I was in the process of migrating my router (ER-605) to OPNsense and the rest of my infrastructure is TP-link Omada devices.
I had also gotten that recommendation from Patrick about not mixing untagged and tagged on trunks (can't say I ever had issues before and unclear if I had a choice).

As of today, my VLAN 1 is unused. It still exists in Omada (no choice), but it's set for an IP range not handled by OPNsense. I ended up deleting the OPNsense LAN interface entirely, and all VLANs are parented off of the igcN device used on the LAN side. The Omada devices now are in their own management VLAN (that part was easier to setup with a router that is not Omada compatible!). I'll keep using the "All" profile (1 untagged, all VLANs tagged included) because it's the only one that's managed automatically when VLANs are added/deleted...

I was also thinking of this Omada switches. But I read I need to have some crappy app or even cloud to configure them. Definitely nothing for me. With my cheap TP-Link Switch I am forced to stick with VLAN 1. I guess sooner or later I'll switch either way to other hardware, that I can use the second fibre slot of my new FW.

What do you mean with "All" Profile? For my "not so" trusted networks, I changed as well now the PVID from 1 to something which is not in use. Just some random VLAN which is nowhere used. This way I can keep at least the trunk port clean where my other subnets belong to.

[EricPerl]

To be clear, I'm not recommending TP-link. I still use the gear I have (apart from the router), as isolated as I can, because I'm not $$$ ready to replace everything.

Centralized management is very convenient. You don't have to ssh or open a web GUI to each network device needing configuration...
With Omada, the controller (the central management system) is separate (Cloud, or small piece of hardware, or software (for Windows or Ubuntu/Debian)). I believe Ubiquiti integrates such controller in some of their routers and also has a software version. Ditto for Mikrotik (never used that myself but it's been recommended).

Omada has a few defaults: A default network interface (you can actually change its VLAN. I missed that at first because it's not entirely clear what you can and cannot change in the default network...) and a few switch port profiles (Disable, Default (untagged VLAN of default interface, no tagged VLAN) and All (untagged VLAN of default interface, all VLANs tagged)) which are automatically updated when VLANs are created/updated/delated. There's obviously a basic profile for each VLAN to be used for access ports. The profiles are assigned to switch ports. It's less repetitive and error prone than the easy smart managed switch UX...

So, my default network is still completely unused (and now with a "bogus" VLAN ID), and I could in fact have a tagged VLAN 1. I believe that's 100% compliant with Patrick's recommendation.