Help transitioning to lan interface to vlan with minimum disruption

Started by jata, April 12, 2025, 02:38:16 AM

Hi all,

I recently read this opnsense guide https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html

And have realised that my setup is not 100% aligned/correct as I am mixing untagged (lan) and tagged (vlan) traffic

My setup is simple for a home network. I am really happy with opnsense and how everything is working. Current setup on a dedicated 4 port minipc:

wan - port0 (dhcp)
lan - port1 (static with dhcp via ISC)
vlan2 - lan as parent (static with dhcp via ISC)
vlan3 - lan as parent (static with dhcp via ISC)


I do not have a lagg and not sure I need one - i see it is optional in the guide linked above.

So what I was hoping to do is the following but transitioning is tricky as I think I will lose connectivity as soon as I disable the lan interface.


1. create a new vlan for my main network (to replace the lan) but I know that i can't give this vlan the same ip as lan yet!
2. remove lan interface so that port1 is unassigned
3. link vlan1 to port1 and set ip and dhcp config to the same as lan (now removed)
4. link vlan2 and vlan3 to unassigned port1

This can't be done using the gui but maybe using the console?

Any assistance appreciated!

Given that everything seems to be fine currently and I rarely use my vlans - is it worth doing this at all?

A little more info that might explain why everything is working...

I have a unifi managed switch that is connected to opnsense. This is configured with a native vlan/network that is tagging lan traffic with vlanid=1

So does this mean that as far as opnsense is aware, everything is tagged correctly?

Since you have more than two router ports, you can leave LAN as is and just migrate the VLANs to their own tags-only trunk.  AFAIK there's no requirement that LAN itself needs to be tagged, only that you shouldn't mix tagged and untagged on the same interface.  It may still be a good idea to tag LAN regardless.

If you were working with a 2-port router then you'd have no choice, but attempting to convert LAN to a VLAN at this point carries a lot of risk of taking down the network.  I defer to others on how to accomplish that.

Quote:
I have a unifi managed switch that is connected to opnsense. This is configured with a native vlan/network that is tagging lan traffic with vlanid=1

So does this mean that as far as opnsense is aware, everything is tagged correctly?

No, this is confusing in UniFi.  The "Default" network is not tagged unless you explicitly make it so, even though it is labeled with VLAN ID 1.  By default all the switch ports carry the "Default" network as "native" (untagged).

A typical OPNsense trunk would have everything tagged and disallow untagged traffic.  In UniFi (I'm using Network application v9.0.114 with a "Pro Max" series switch), you would set the port like this:

Native VLAN / Network: None
Tagged VLAN Management: Allow All (or "Custom" and tick specific VLANs to allow)

If you are combining LAN with your other VLANs on the same trunk, then LAN itself needs to be a VLAN (VID=1) in OPNsense and you would include the "Default" network in UniFi in the "Tagged VLAN Management: " list.

On second thought, if you have 3 router ports then you can migrate LAN onto a common trunk with your VLANs pretty easily (I think) by leveraging the 3rd interface as a temporary migration point for LAN.  You can do all this from the GUI.

1. Set up a VLAN in OPNsense with ID=1 and parent interface=igc2 (or whatever your free router interface is).
2. Make sure "Default" is tagged on a free port in UniFi.
3. Change the LAN assignment in OPNsense to the new VLAN device.  You'll lose connectivity.
4. Connect the 3rd router port to the temporary switch port you created in step 2.  After link up, you *should* (operative word) have connectivity.
5. Now you can tag "Default" on the original trunk port in UniFi.
6. Change the parent interface on VLAN 1 in OPNsense to the same one where your other VLANs are.
7. Unplug the 3rd router port.  You should have connectivity again via the original trunk port.
8. Clean up in UniFi (delete the temporary switch port definition you created in step 2).

Please let others sanity check this before you try it!

thanks. Sounds a bit tricky but worth another try.

I did do something similar in my testing using a spare port and created a LAGG but I lost the network and had to plug a monitor into the router and restore a backup from the console.

I'll see if anyone else has any thoughts on this. It's quite tricky to do this while keeping the LAN working. I think the trick could be to get it working on a new vlan then switch over once I have the vlan working correctly.

It shouldn't be that hard. If you have Wi-Fi APs with the same mix, it's a little more complicated.

First, you need to make sure the switch itself is getting its IP in a VLAN (often called management VLAN).
You can reuse an existing VLAN or create a new one. It depends on your isolation principles.
You might need new FW rules to access the switch (if inter-VLAN).

Then:
Create a new VLAN device in OPN, parented to the existing physical device.
Make the switch aware of the new VLAN ID.
Prepare an access port for the new VLAN.
Make sure the trunk includes the new VLAN ID.
Reassign the LAN interface to the new VLAN device (the physical device is now unassigned).
Move the PC used to access OPN to the access port prepared above. It should reconnect right away.
Reconfigure the ports used by LAN clients as access ports for the new VLAN.

It helps if your switch ports are properly identified (so you know which ones need to be updated).
The disruption should be minimal. The tricky part is moving LAN from the physical device to the vlan device.
If you have issues after that step, head to the console and redo the interface assignments.

A lot of configuration is bound to interfaces. You want to move that (not delete and recreate) by reassigning.

Whether you should do it or not is entirely up to you.
I did this myself ~6 months ago, shortly after I moved all my VLANs from a prosumer device to OPN, one by one.
Removing the prosumer router was the tricky part.
Mixing tagged and untagged often works until it doesn't. It's supposedly mostly tied to the rest of your networking equipment.
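The point the thread keeps coming back to is "don't carry an untagged LAN and tagged VLANs on the same physical port". A quick way to audit an OPNsense box for that condition is to read `ifconfig` output and flag any parent interface that both holds an IPv4 address itself and has vlan children. The script below is an added illustration, not something posted in the thread or shipped by OPNsense; the two `ifconfig` listings are constructed in FreeBSD's output format to mirror the "before" (LAN untagged on igc1 with vlan 2 and 3 parented to it) and "after" (everything tagged on igc2, parent without an address) layouts discussed above, and the `vlan0.N` device names and addresses are made up.

```python
"""Flag parent interfaces that mix untagged and tagged traffic (added example).

Parses FreeBSD-style `ifconfig` output. A parent that carries an inet address
(untagged LAN) and is also the parent of vlan devices is reported as "mixed".
On a real box you would feed it the output of `ifconfig` from the OPNsense
shell; the listings here are constructed samples.
"""
import re
from typing import Dict, List

# Constructed "before" state: LAN untagged on igc1, vlan 2/3 parented to igc1.
SAMPLE_BEFORE = """\
igc0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255
igc1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
igc2: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
vlan0.2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
	groups: vlan
	vlan: 2 vlanproto: 802.1q vlanpcp: 0 parent interface: igc1
vlan0.3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255
	groups: vlan
	vlan: 3 vlanproto: 802.1q vlanpcp: 0 parent interface: igc1
"""

# Constructed "after" state: LAN moved to vlan 1, all three vlans on igc2,
# and igc2 itself carries no address (tags only).
SAMPLE_AFTER = """\
igc2: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
vlan0.1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
	groups: vlan
	vlan: 1 vlanproto: 802.1q vlanpcp: 0 parent interface: igc2
vlan0.2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
	groups: vlan
	vlan: 2 vlanproto: 802.1q vlanpcp: 0 parent interface: igc2
vlan0.3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255
	groups: vlan
	vlan: 3 vlanproto: 802.1q vlanpcp: 0 parent interface: igc2
"""

IFACE_RE = re.compile(r"^(\S+): flags=")                       # start of an interface block
INET_RE = re.compile(r"^\s+inet (\d+\.\d+\.\d+\.\d+) ")         # IPv4 address line
VLAN_RE = re.compile(r"^\s+vlan: (\d+) .*parent interface: (\S+)")  # vlan child line


def parse_ifconfig(text: str) -> Dict[str, dict]:
    """Return {iface: {"inet": [...], "vlan": id|None, "parent": name|None}}."""
    ifaces: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            ifaces[current] = {"inet": [], "vlan": None, "parent": None}
            continue
        if current is None:
            continue
        m = INET_RE.match(line)
        if m:
            ifaces[current]["inet"].append(m.group(1))
            continue
        m = VLAN_RE.match(line)
        if m:
            ifaces[current]["vlan"] = int(m.group(1))
            ifaces[current]["parent"] = m.group(2)
    return ifaces


def find_mixed_parents(ifaces: Dict[str, dict]) -> Dict[str, dict]:
    """Parents that carry their own address AND have vlan children."""
    children: Dict[str, List[int]] = {}
    for info in ifaces.values():
        if info["parent"] is not None:
            children.setdefault(info["parent"], []).append(info["vlan"])
    mixed: Dict[str, dict] = {}
    for parent, vlans in children.items():
        addrs = ifaces.get(parent, {}).get("inet", [])
        if addrs:  # untagged traffic on a port that also carries tags
            mixed[parent] = {"inet": addrs, "vlans": sorted(vlans)}
    return mixed


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        mixed = find_mixed_parents(parse_ifconfig(sample))
        print(label, "->", mixed or "no mixed tagged/untagged parents")
```

Run it on the real `ifconfig` output and an empty result means every physical port is either a plain untagged interface or a tags-only trunk, which is the end state the reassignment steps above aim for. A non-empty result names the parent port and the VLAN IDs riding on it, which is the interface you would reassign to a vlan device (keeping the assignment rather than deleting it, so rules and DHCP settings bound to that interface move with it).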

Thanks everyone for the info and tips. I do have a few wifi APs (combo of Unifi and asus) and not sure if the asus APs will be able to handle the main network on VLAN=1 but that is another question.

I see now a way forward in the opnsense GUI plus some config of my unifi switch and APs.

I'm going to use one of my spare ports on opnsense and get all the vlans working with this. I think I will create a LAGG to do this. Once all my VLANs are working I will disable the LAN interface and then change the IP / dhcp subnet on VLAN1.

If you don't have VLAN/SSID combinations on your APs (IOW, all your Wi-Fi devices are on the LAN), then the switch ports going to the APs are regular access ports for the LAN VLAN ID.

VLAN aware APs should already be connected via a trunk. The additional step is to also manage the APs via a management VLAN.
I suspect Unifi allows you to configure a management VLAN for all the devices the controller manages.
The details there are Unifi specific...
Be aware that new device adoption is a bit trickier with a management VLAN.

Hi all - I am making progress and learning a bit about configuring the ports on my unifi switch and working with multiple trunk ports (igc1 and igc2) between opnsense and the unifi switch and wifi AP.

Both igc1 and igc2 are connected to my switch and I have setup the ports/wifi/vlans as follows:

1. igc1 = port 5 on switch - only used for LAN with VLANs blocked, Native VLAN=default(1)
2. igc2 = port 6 on switch - only used for VLANs, Native VLAN=none with 2 VLANs tagged
3. setup my wifi AP so that LAN are on SSID-1
4. setup my wifi AP so that VLANs are on SSID-2

See pic of my interface assignments below...

I have tested all of this and it is working. So I think now I am no longer mixing tagged and untagged on same port! So this is progress.

However, I'd like to transition LAN (igc1 untagged) to a VLAN (igc2 tagged) - so everything is running tagged through 1 port. I'm still confused how to do this safely and without losing access and keeping the same IP address range etc.

Given where I have got to, can anyone help me with this last bit?

OMG - I'm an idiot. All I had to do was reassign the interface(s) to the vlan device(s) and have the ports set correctly on my switch.

So easy and all done. I totally overcomplicated it for myself.

Thanks for the assistance