My IPTV decoder steals leases from LAN net DHCP but not from VLAN DHCP

Started by Siarap, April 29, 2025, 05:08:21 AM

Please show your rules.
I use this set on my test VLAN:

RFC1918_networks is an alias that contains the private network IP ranges.
You don't have to add them. At least the ones you use.

Edited my previous post. Read it. I've got firewall rules on every VLAN that allow access to everything. Only the VLAN with tag 10 has access to the internet.

Little update: Connected a PC to the VLAN tag 10 network. No internet access at all. At the same time my hAP ac2 MikroTik router has access in parallel from the same subnet. I don't know what is happening here. MTU errors or something?

BIG update 2: Maybe it's operating system dependent. The MikroTik and the Windows 11 machine have access to the internet over the VLAN. Same VLAN, same settings. Two PCs with Debian and MX Linux, and the Android-based IPTV decoder, have no access to the internet. Is something wrong with the OS, or is it OPNsense?

That's not a very efficient way to communicate...

Anyway, all interfaces added after LAN only get the auto-generated rules, which don't allow much (essentially just DHCP and out traffic).
If a machine on the VLAN gets an IP via DHCP, it's a good sign that the switches are set up properly.
Past that, rules are needed.

IP ranges can NOT overlap with any other interfaces. You can share your 'Interfaces > Overview' for us to check if you want.

Either you share your rules (something might be obvious) or share screenshots of the FW live view filtered to the VLAN.
We don't have crystal balls as to what is going on...

It's OS/device dependent. Updated previous post. One configuration on OPNsense. Switching between networks by switch device. Linux has no access over the VLAN but Windows and the access point have.


It's not the rule's fault. This is my firewall rule for the VLAN: IPv4 *    *    *    *    *    *    *
One device has a connection (Win 11) but the other is not connecting even when leasing an IP from the same VLAN (Linux). Same rule, same VLAN. Same IP pool.

EDIT: I must add that OPNsense has something broken with displaying DHCP leases. The invisible device has access to the internet. The visible one has no access. Sometimes leases take very long to refresh (over 30 minutes or more).

EDIT2: Tried on my PC with dual boot Windows 11/Fedora Linux. On Win 11 the network works. Rebooted into Fedora and no connection to the internet. SAME settings on switch/OPNsense, even the same machine. Why is this happening to me? hahaha :D

EDIT#: Read some info on the internet. These errors with VLANs are the fault of network-manager for Linux (GUI). Replacing network-manager may help. But I just built my network in another way, and stopped using Linux on my machine.

Most machines you connect should be blissfully unaware they are in a VLAN.
While you can in theory tag network all the way, it can be a little tricky.
And many devices just don't have that capability.

VM hosts are an obvious exception if they deal with guests belonging to multiple VLANs.
But most devices/machines should be hooked to a switch port configured as an access port (VLAN ID untagged, PVID = VLAN ID, all other VLANs not members).

Can anyone provide info on how to connect Debian/a Debian-based distro to the internet through a VLAN?

Quote from: Siarap on May 03, 2025, 03:41:18 AM
It's OS/device dependent. Updated previous post. One configuration on OPNsense. Switching between networks by switch device. Linux has no access over the VLAN but Windows and the access point have.

Quote from: Siarap on May 03, 2025, 01:38:29 PM
Can anyone provide info on how to connect Debian/a Debian-based distro to the internet through a VLAN?

You must still be getting something wrong here. If you do it as designed (tm), then you would connect any normal network client to a port assigned to a VLAN.

This means that if you assign a switch port to VLAN X, only those packets arriving on VLAN X will be sent out over the port, stripping it of the VLAN tag on egress. On ingress, only untagged packets will be used and tagged with VLAN X - but by the switch, not the client. Thus, it is not up to the client to decide which VLANs it receives or sends - it sees untagged packets only and it can only send such packets.

That in turn means: had you correctly configured your ports, it MUST work independent of what OS the client machines are using. That is what @EricPerl meant by "blissfully unaware". Period.


The only exceptions are machines that are connected to "trunk" ports, which do not filter any VLAN tags on either egress or ingress. In such cases, the connected machine can decide for itself which VLANs it sends and receives packets on. This would normally be true only for:

  • VM hosts (because they probably host VMs on different VLANs)
  • OpnSense or other routers (because they need to feed all the VLANs)
  • Uplink ports connecting VLAN-aware switches with one another
  • Access points (because they associate SSIDs with VLANs)

So, your second question does not apply for normal Debian clients, because they do not need any VLAN config. If you wanted to do this anyway, it depends on the type of configuration (/etc/network/interfaces vs. /etc/netplan/...) and is explained here.



Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
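The distinction drawn in the post above (a client on an access port does no tagging at all; only a host on a trunk port creates 802.1Q sub-interfaces) can be checked on a Debian or other Linux client from the output of `ip -d -j link show`. The following is an added example, not code from the thread or from OPNsense: it parses that JSON and reports whether the client is leaving tagging to the switch ("access", the expected state for a PC or IPTV box) or tagging frames itself ("trunk" style). The sample JSON is constructed for the example; the interface names eth0 and eth0.10 and VLAN id 10 are assumptions.

```python
"""Show whether a Linux client is doing its own 802.1Q tagging.

Added example, not from the thread. Parses `ip -d -j link show` JSON.
On an access port the client should have NO VLAN sub-interface; only hosts on
a trunk port (VM hosts, routers, APs) create one, e.g. with iproute2:
    ip link add link eth0 name eth0.10 type vlan id 10
    ip link set eth0.10 up
or, on Debian with ifupdown and the "vlan" package, in /etc/network/interfaces:
    auto eth0.10
    iface eth0.10 inet dhcp
        vlan-raw-device eth0
"""
import json
import subprocess

# Constructed sample in the shape of `ip -d -j link show` output: a host that
# has created a tagged sub-interface eth0.10 on top of eth0 (trunk-style).
SAMPLE_TRUNK_HOST = json.dumps([
    {"ifname": "lo", "link_type": "loopback"},
    {"ifname": "eth0", "link_type": "ether"},
    {"ifname": "eth0.10", "link": "eth0", "link_type": "ether",
     "linkinfo": {"info_kind": "vlan",
                  "info_data": {"protocol": "802.1Q", "id": 10}}},
])

# Constructed sample for a plain client on an access port: no VLAN device at all.
SAMPLE_ACCESS_HOST = json.dumps([
    {"ifname": "lo", "link_type": "loopback"},
    {"ifname": "eth0", "link_type": "ether"},
])


def vlan_subinterfaces(link_json):
    """Return {subinterface: (parent, vlan_id)} for every 802.1Q VLAN device."""
    result = {}
    for entry in json.loads(link_json):
        info = entry.get("linkinfo", {})
        if info.get("info_kind") != "vlan":
            continue
        data = info.get("info_data", {})
        result[entry["ifname"]] = (entry.get("link"), data.get("id"))
    return result


def tagging_mode(link_json, uplink):
    """Classify how the client uses `uplink`.

    'access': no VLAN sub-interface on it, so the client sends untagged frames
              and the switch port (PVID) decides the VLAN. This is the normal
              case for PCs, IPTV boxes and other end devices.
    'trunk':  the client tags frames itself; only correct on a trunk port.
    """
    subs = {name: (parent, vid)
            for name, (parent, vid) in vlan_subinterfaces(link_json).items()
            if parent == uplink}
    return ("trunk" if subs else "access"), subs


def live_tagging_mode(uplink):
    """Same check against the running system (requires iproute2)."""
    out = subprocess.run(["ip", "-d", "-j", "link", "show"],
                         capture_output=True, text=True, check=True).stdout
    return tagging_mode(out, uplink)


if __name__ == "__main__":
    for label, sample in (("trunk-style host", SAMPLE_TRUNK_HOST),
                          ("access-port client", SAMPLE_ACCESS_HOST)):
        mode, subs = tagging_mode(sample, "eth0")
        print(f"{label}: {mode} {subs}")
```

On a client hooked to an access port, `live_tagging_mode("eth0")` should come back as `("access", {})`; if it reports a sub-interface, something on the client (a manually created VLAN device, or a VLAN-type connection in NetworkManager, visible with `nmcli connection show`) is tagging frames that the switch will then drop or misplace.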

Any random networked device can be made to use a VLAN, even when you can't configure the VLAN (or most aspects of networking) on the device itself.
That's done via the switch config for wired devices, by connecting to the proper SSID for Wi-Fi devices.
The added benefit is that you don't need to trust the device, which is critical for most IoT devices.

Whatever works for untrusted devices works just fine for your PCs, whatever OS they run, because it does not matter. They don't know they are in a VLAN.

I've set everything up properly. I get a tagged VLAN assigned to port 8 on my managed switch. Only this port connects to the assigned VLAN and devices on other ports have different VLANs / connect to the LAN net. I get an address from the DHCP pool assigned to the VLAN device. Windows 11 and the MikroTik device have a connection in this way. My Linux machines cannot connect, they only pull IP addresses from the VLAN DHCP. Could it be an MTU problem? On my Windows machine I get a lower MSS value on test sites when I'm connecting via the VLAN; that's a normal situation and indicates that I'm connecting via the tagged VLAN.

As per default, only the LAN interface has an "allow any to any" rule. For any additional interface (including VLANs), you have to manually create a rule.

I realize there could be a language barrier (English not being the primary language of any of the people on this thread) but this is quite confusing.

MachineX1 connected to a port configured as an access port for VLAN X (VLAN X untagged on egress, PVID=VLAN X for ingress) should absolutely receive an IP from the DHCP pool associated with the interface assigned to VLAN X.
Quote: "they just only pull IP addresses from VLAN DHCP"
is expected.


Yes. My English is limited. It's not my native language. I know it's expected. I read on Reddit that one person had an identical problem to mine. The problem was solved by setting an untagged VLAN. How do I set an untagged VLAN on OPNsense?

Maybe it would help if you clarify what your "problem" exactly is. You said that the Linux machine connected to port 8 gets the expected DHCP IPs.

By looking at the client you can try: Is that true? Is the network mask correct and the gateway is within that subnet (and identical to the VLAN interface IP of the OpnSense)? Is the DNS server IP the same? Can you resolve DNS names? Can you ping OpnSense's VLAN IP? Can you ping 8.8.8.8?

What are your OpnSense interface settings?

Please show the IPs and ranges - since they are RFC1918, none of this information is confidential. Do not assume everything is correct as it obviously isn't.

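The client-side checklist in the post above (is there a lease, is the mask right, is the gateway inside that subnet and equal to the OPNsense VLAN interface IP) can be automated from `ip -j addr show` and `ip -j route`. The following is an added example, not code from the thread or from OPNsense; it covers the address and gateway checks and leaves DNS and ping to the reader, since those need a live network. The sample JSON, the addresses 192.168.10.23/24 and 192.168.10.1, and the interface name eth0 are constructed assumptions.

```python
"""Check a Linux client's IPv4 address, mask and gateway from `ip -j` output.

Added example, not from the thread. Walks the first items of the checklist
(lease present, mask sane, default gateway inside that subnet, gateway equal
to the OPNsense VLAN interface IP you expect).
"""
import ipaddress
import json
import subprocess

# Constructed sample in the shape of `ip -j addr show dev eth0`: a client that
# got 192.168.10.23/24 from the VLAN's DHCP pool (addresses are made up).
SAMPLE_ADDR = json.dumps([{
    "ifname": "eth0",
    "addr_info": [
        {"family": "inet", "local": "192.168.10.23", "prefixlen": 24},
        {"family": "inet6", "local": "fe80::5054:ff:fe12:3456", "prefixlen": 64},
    ],
}])

# Constructed sample in the shape of `ip -j route`: a healthy routing table.
SAMPLE_ROUTE_OK = json.dumps([
    {"dst": "default", "gateway": "192.168.10.1", "dev": "eth0"},
    {"dst": "192.168.10.0/24", "dev": "eth0", "protocol": "kernel", "scope": "link"},
])

# Constructed failure case: the default gateway belongs to another subnet,
# the kind of mismatch an overlapping range or a wrong DHCP router option gives.
SAMPLE_ROUTE_WRONG_GW = json.dumps([
    {"dst": "default", "gateway": "192.168.1.1", "dev": "eth0"},
    {"dst": "192.168.10.0/24", "dev": "eth0", "protocol": "kernel", "scope": "link"},
])


def check_client(addr_json, route_json, ifname, expected_gateway=None):
    """Return a list of findings; an empty list means the L3 basics look right."""
    findings = []
    v4 = [a for e in json.loads(addr_json) if e.get("ifname") == ifname
          for a in e.get("addr_info", []) if a.get("family") == "inet"]
    if not v4:
        return [f"{ifname}: no IPv4 address at all (no DHCP lease?)"]
    iface = ipaddress.ip_interface(f"{v4[0]['local']}/{v4[0]['prefixlen']}")
    if iface.ip.is_link_local:
        # 169.254.0.0/16 is self-assigned: the client never got a DHCP answer.
        return [f"{ifname}: {iface} is a self-assigned 169.254/16 address, DHCP never answered"]
    defaults = [r for r in json.loads(route_json)
                if r.get("dst") == "default" and r.get("dev") == ifname]
    if not defaults or "gateway" not in defaults[0]:
        findings.append(f"{ifname}: no default route via a gateway (DHCP offered no router option?)")
        return findings
    gw = ipaddress.ip_address(defaults[0]["gateway"])
    if gw not in iface.network:
        findings.append(f"{ifname}: gateway {gw} lies outside {iface.network}")
    if expected_gateway is not None and gw != ipaddress.ip_address(expected_gateway):
        findings.append(f"{ifname}: gateway {gw} is not the OPNsense VLAN IP {expected_gateway}")
    return findings


def check_live(ifname, expected_gateway=None):
    """Run the same checks on the running machine (needs iproute2)."""
    def ip_json(*args):
        return subprocess.run(["ip", "-j", *args], capture_output=True,
                              text=True, check=True).stdout
    return check_client(ip_json("addr", "show", "dev", ifname),
                        ip_json("route"), ifname, expected_gateway)


if __name__ == "__main__":
    print("ok case:      ", check_client(SAMPLE_ADDR, SAMPLE_ROUTE_OK, "eth0", "192.168.10.1"))
    print("wrong gateway:", check_client(SAMPLE_ADDR, SAMPLE_ROUTE_WRONG_GW, "eth0", "192.168.10.1"))
```

Run `check_live("eth0", "<OPNsense VLAN interface IP>")` on the Linux box that pulls a lease but has no internet: an empty result means the lease itself is fine and the fault is further along (DNS, firewall rules on the VLAN interface, or the switch port), which is exactly the split the post asks the original poster to make before guessing at MTU.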