VLAN setup issues with HP 2530-8G switch and OPNsense – no connection on VLAN 10

Started by flamur, October 25, 2025, 01:12:13 PM

Hi everyone,

I'm trying to set up a home network and I've run into some trouble with VLANs.

My setup is:
- OPNsense as the firewall, directly connected to fiber
- HP 2530-8G switch to distribute traffic to a server, access point, and a computer (If I can get this to work that is 😅)

Everything works fine with the default setup. I've followed the official OPNsense documentation and this YouTube guide:

The problem starts when I try to configure VLANs as shown in the video. The guy in the video uses a more professional switch, while mine is older and I'm not even sure if it fully supports what is needed for this. I'm completely new to this kind of networking—I'm used to basic home routers like Asus—so apologies for any knowledge gaps.

As long as I avoid the VLAN steps, everything runs smoothly.

I've created VLAN 10 in both OPNsense and the switch. Port 1 on the switch connects to the firewall, and Port 5 connects to my computer (running Chrome OS—hopefully that's not causing issues).

I configure the switch via its web GUI using Port 3 (I initially set it up via console and even tried VLAN settings there out of desperation following a guide). According to the video, I should test the VLAN by connecting my computer to Port 5 (assigned to VLAN 10), but when I do that, the computer gets no connection. If I plug it back into Port 3, it works immediately, as I guess this uses the default VLAN setting in the switch.

In the VLAN 10 settings on the switch:
- Port 1 and 2 are set as **tagged**
- Port 5 is set as **untagged**
- The default VLAN is still untagged on the remaining ports

I've tried different IPv4 settings for VLAN 10: disabled, manual, and DHCP. Nothing works - or at least not as I have tried it.

I've also uploaded all the manuals of the switch (500+ pages) to Google's AI and asked for help there, but it only repeats things I've already tried and double-checked.

One thing the AI mentioned is to check: 
"802.1Q: This is the standard protocol for VLAN tagging used by your switch. It must be supported and enabled on the firewall port."
I have no idea how to do that. I've Googled and searched through all the menus in OPNsense but haven't found anything on this or a setting to activate this protocol.

I also enabled STP with RPVST mode in the switch — no change.

Any tips or guidance would be very, very appreciated!

Best regards, 
Flamur (a noob trying for two days straight and starting to lose my mind)

This is the switch's config report, maybe it helps to clarify what I have set up:
Running configuration:

; J9777A Configuration Editor; Created on release #YA.15.16.0006
; Ver #06:04.9c.63.ff.37.27:12
hostname "HP-2530-8G"
timesync sntp
sntp unicast
sntp server priority 1 194.58.200.20
time timezone 2
ip default-gateway 192.168.10.1
ip timep dhcp
snmp-server community "public" unrestricted
vlan 1
   name "DEFAULT_VLAN"
   no untagged 5
   untagged 1-4,6-10
   ip address 192.168.1.2 255.255.255.0
   exit
vlan 10
   name "VLAN_10_Opnsense"
   untagged 5
   tagged 1-2
   ip address dhcp-bootp
   exit
spanning-tree
spanning-tree mode rapid-pvst
no tftp server
no dhcp config-file-update
no dhcp image-file-update

With that switch configuration, your port 5 is "internally" on VLAN 10, but externally, your attached PC can use this as untagged, so business as usual.

Your OpnSense, on the other hand, on port 1 needs to tag its interface with VLAN 10, because the port is tagged. So, for the PC and OpnSense to see one another, you will have to create a VLAN 10 and assign it to be LAN instead of the physical NIC.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
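
Added example (not part of the original posts, nor HP or OPNsense tooling): a small Python parser for the `vlan` blocks of the running config shown earlier, listing for each switch port which VLANs the attached device must tag and which it sends untagged. It assumes numeric port names as on the 2530-8G; the function names are hypothetical.

```python
# Constructed sample: the VLAN membership lines of the config posted above.
CONFIG = """\
vlan 1
   no untagged 5
   untagged 1-4,6-10
   exit
vlan 10
   untagged 5
   tagged 1-2
   exit
"""

def expand_ports(spec):
    """Expand a port list such as '1-4,6-10' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def port_membership(config):
    """Return {port: {"untagged": vid or None, "tagged": [vids]}}."""
    table, vid = {}, None
    for words in (line.split() for line in config.splitlines()):
        if len(words) != 2:  # "exit", "no untagged 5", "ip address ..."
            vid = None if words == ["exit"] else vid
            continue
        key, arg = words
        if key == "vlan" and arg.isdigit():
            vid = int(arg)  # entering a "vlan N" block
        elif vid is not None and key in ("tagged", "untagged"):
            for port in expand_ports(arg):
                entry = table.setdefault(port, {"untagged": None, "tagged": []})
                if key == "untagged":
                    entry["untagged"] = vid
                else:
                    entry["tagged"].append(vid)
    return table

def peer_requirements(table, port):
    """List what the device plugged into `port` must send per VLAN."""
    entry = table.get(port, {"untagged": None, "tagged": []})
    needs = [f"VLAN {v}: 802.1Q tag {v}" for v in sorted(entry["tagged"])]
    if entry["untagged"] is not None:
        needs.append(f"VLAN {entry['untagged']}: untagged")
    return needs

if __name__ == "__main__":
    for port in (1, 5):
        print(port, peer_requirements(port_membership(CONFIG), port))
```

For port 1 the result shows that the firewall side needs a VLAN 10 child interface for tagged traffic while its untagged traffic stays in VLAN 1; port 5 needs no tagging on the PC.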

Quote from: meyergru on October 25, 2025, 01:58:52 PM

With that switch configuration, your port 5 is "internally" on VLAN 10, but externally, your attached PC can use this as untagged, so business as usual.

Your OpnSense, on the other hand, on port 1 needs to tag its interface with VLAN 10, because the port is tagged. So, for the PC and OpnSense to see one another, you will have to create a VLAN 10 and assign it to be LAN instead of the physical NIC.

In opnsense VLAN 10 is assigned to the LAN port which goes to the switch. I followed the youtube guide on this. So VLAN is assigned to the port in opnsense. Can I have missed something in those steps/settings perhaps in opnsense?

That depends on whether you really assigned your LAN or another LAN-type interface to your new VLAN. Additional LANs do not have the default "allow any" rule in them, so you probably would need additional firewall rules for any other interface than LAN. Also, if that is another interface, it obviously has another subnet, DHCP must be set up a.s.o.

Then, you would also need to have your client get a new IP address from the other range, which it will not do until after its old lease expires.

Quote from: meyergru on October 25, 2025, 02:19:42 PM

That depends on whether you really assigned your LAN or another LAN-type interface to your new VLAN. Additional LANs do not have the default "allow any" rule in them, so you probably would need additional firewall rules for any other interface than LAN. Also, if that is another interface, it obviously has another subnet, DHCP must be set up a.s.o.

Then, you would also need to have your client get a new IP address from the other range, which it will not do until after its old lease expires.


If I did it correctly, as I understood the YouTube guide, I set up VLAN with parent igc1 (the port that goes to the switch) and ID/Tag 10.

Then I go to that interface (name "untrusted") and choose static ip4, 192.168.10.1/24 (the normal LAN interface uses 192.168.1.1/24).

I also followed the guide to setup initial firewall rules to allow traffic for the new untrusted VLAN network.

BUT you mention "old leases expires". I will google to see if I can run something to do this manually to really know it's not this that hinders connection on VLAN 10 ("untrusted").

"To expire old network leases on ChromeOS Flex, you can either disconnect and reconnect to the network or restart the device. If you need to permanently remove saved networks, you can "forget" them in the network settings"

So it seems this is done when I move the ethernet cable between the ports automatically.

Anything else I can double check?

You could rule out DHCP issues by setting a static IP and trying if that works. Ping from a CLI from both sides to both the OpnSense and the PC IP.

You need to have these correct:

1. VLAN association of both ports (including VLAN tags)
2. IP addresses and subnets on both OpnSense and PC (failing DHCP can be a part of that problem)
3. Firewall rules

Quote from: meyergru on October 25, 2025, 02:52:04 PM

You could rule out DHCP issues by setting a static IP and trying if that works. Ping from a CLI from both sides to both the OpnSense and the PC IP.

You need to have these correct:

1. VLAN association of both ports (including VLAN tags)
2. IP addresses and subnets on both OpnSense and PC (failing DHCP can be a part of that problem)
3. Firewall rules


I tried setting a static IP on the "laptop" (old Windows touchpad with ChromeOS Flex on it, so not optimal for this I guess). Then I get connected! 🥳 But without internet connection, and I couldn't reach the switch GUI or OPNsense GUI.

Maybe you are on to something?

I used static ip 192.168.10.5 and 255.255.255.0 and gateway 192.168.10.1 (what I believe is the opnsense VLAN ip set in opnsense).

When the bilateral IP connection works, you must look at the routes and get the firewall rules straight.

Also, you should check on the DHCP setup such that you do not have to set the client statically.

I think I found the issue. It seems DHCP is the root problem here as you mention - thanks!

The guide I followed may be somewhat outdated, and looking in the OPNsense DHCP manuals I found that the ISC DHCP is EOL.

I activated the DNSMASQ DHCP for my VLAN interface and now I get IP and can go online to google.se etc.

However, I can't reach my switch 192.168.10.3 (as set in the VLAN 10 in the switch IP settings) or access OPNsense on 192.168.10.1 as set in the VLAN settings in OPNsense.

Is this still related to DHCP or rather firewall rule? 🤔

That should be two different issues:

- The switch should be on the same (V)LAN, so OpnSense is not involved in the traffic between your PC and the switch on the same subnet - prerequisite for a connection is that the switch IS on the correct VLAN and that it has the correct IP configuration (either static or via DHCP).

- If you can pass traffic via OpnSense, but not connect to the GUI on its LAN interface, it sure looks like firewall rules. As I already said, there is an "allow all" rule for the first LAN only. For every other (V)LAN, you will have to create rules yourself.

Quote from: meyergru on October 25, 2025, 05:22:08 PM

That should be two different issues:

- The switch should be on the same (V)LAN, so OpnSense is not involved in the traffic between your PC and the switch on the same subnet - prerequisite for a connection is that the switch IS on the correct VLAN and that it has the correct IP configuration (either static or via DHCP).

- If you can pass traffic via OpnSense, but not connect to the GUI on its LAN interface, it sure looks like firewall rules. As I already said, there is an "allow all" rule for the first LAN only. For every other (V)LAN, you will have to create rules yourself.

Many thanks for your patience and help with this! It's very much appreciated! 🙏

I will look into the VLAN settings (IP settings) in the switch to see if I have messed it up with all the back and forth I have been doing. Would you say that the config report earlier would be OK to start with for my simple purpose to get this firing?

The firewall rules have a bigger learning curve so I just try to mimic the YouTube guide. He seemed to cover all these things. Not sure what I am missing.

However, I can confirm I can connect to the OPNsense GUI. I had chosen the wrong interfaces under "Listen interfaces" under settings - administration, as the guide goes through. Now I can connect to the firewall again also... so slowly getting this going I guess.

I will try to understand my switch a bit more. It has me a bit stressed at the moment to be just trying things out, more or less guessing 😬

Again! Thanks very much for your help. You are a hero member indeed! 🫡

I take that back about the switch. I can access my switch also(!) - if I just remembered to type in the stupid IP I set it to!

I will pause this for now - my brain is foggy and I make stupid mistakes.

Everything works now 🥳 Thanks again 🙏