Trouble with VLAN setup on 4-port OPNsense

Started by User074357, November 20, 2025, 05:08:10 PM

Hi,
I have a 4-port OPNsense box to which I have my WAN, PC and NAS connected. OPT1 and OPT2 (NAS and PC) are bridged for LAN. I know it's not recommended to use a bridge for this, but I'm trying to avoid a dedicated switch for now.
The NAS is running TrueNAS SCALE and I now want to create a VLAN for some of the VMs on it. I added a VLAN interface on TrueNAS with tag 20 and the static IP 192.168.20.2/24. I then created a VLAN for igc1 (OPT1) with tag 20 on OPNsense and removed OPT1 from the bridge, since I read I cannot use the untagged interface on a bridge while also using VLANs. The goal is to use 2 VLANs between TrueNAS and OPNsense and add one of them to the OPNsense LAN bridge.
I added the VLAN interface under assignments and set the IPv4 Configuration Type to Static IPv4 and configured the IP 192.168.20.1/24.

I was expecting to be able to ping my TrueNAS host under 192.168.20.2 from my PC in LAN now, but this doesn't work (100% packet loss). The firewall live view also doesn't show anything.

I'm new to VLANs and I know I should just buy a managed switch, but I'm confused as to why this doesn't work. Am I missing something?

Routing issues? Your PC would normally use the firewall as its gateway in order to route to the NAS subnet. In the other direction, the NAS would also use the firewall as its gateway to reach your PC. And, of course, if you use it to route, the firewall would need a default gateway to the Internet. You have the option of routing directly on the bridge, e.g. use a static route on your PC to route to the NAS through the firewall. If it's not routing, you'll likely need to provide more detailed information.

I use bridges for everything, as I can conveniently assign interfaces to whatever bridge I need them on at any given time, with no address or rule changes. It's not for everyone, but it works.

Quote from: pfry on November 20, 2025, 09:07:17 PM

Routing seems to be fine. I can see the OPNsense sending outbound packets on the VLAN interface.
Just did a packet capture on both ends. There are ARP requests outgoing on the VLAN interface which never get responded to by TrueNAS.
When attempting to ping the OPNsense box from the NAS with "ping 192.168.20.1" the NAS also sends ARP requests which are never responded to.
Not sure what's going on there.

Without seeing your config, my next guess would be "Interfaces: Settings" -> "VLAN Hardware Filtering" - I'd disable all of the offloads, at least for testing. I don't know of any firmware issues that would affect i225/226 VLAN filtering, but you never can tell. I assume your NAS is directly connected to the firewall?
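Two checks a practitioner would run at this point, as an added example that is not part of the thread: one parses `ifconfig igc1` output for the VLAN_HWFILTER and VLAN_HWTAGGING offload flags that the "VLAN Hardware Filtering" setting controls, the other parses `tcpdump -eni igc1` output captured on the VLAN parent (not on the VLAN interface itself, where frames always appear untagged) and counts whether the unanswered ARP requests actually leave the wire with an 802.1Q tag. The interface name igc1, the VLAN id 20 and all sample command output below are assumptions and constructed for offline use; the FreeBSD ifconfig flag names and the tcpdump line format are the standard ones.

```sh
#!/bin/sh
# Added example, not from the thread: triage helpers for "ARP on a VLAN
# never gets answered". Both functions read command output on stdin, e.g.
#   ifconfig igc1 | vlan_offload_flags
#   tcpdump -eni igc1 -c 50 'arp or vlan' | arp_tag_summary 20
# Interface name and VLAN id are assumptions; sample output is constructed.

# Print the hardware VLAN offload flags still enabled on an interface,
# taken from the options=<...> line of `ifconfig <if>`.
vlan_offload_flags() {
    sed -n 's/.*options=[0-9a-fx]*<\([^>]*\)>.*/\1/p' \
        | tr ',' '\n' \
        | grep -E '^VLAN_(HWFILTER|HWTAGGING)$' \
        | tr '\n' ' ' \
        | sed 's/ $//'
}

# Return 0 when no hardware VLAN filtering/tagging offload is active,
# 1 when one is (for testing, clear them with
# `ifconfig igc1 -vlanhwfilter -vlanhwtag`, which OPNsense also does
# when "VLAN Hardware Filtering" is disabled).
vlan_offload_ok() {
    [ -z "$(vlan_offload_flags)" ]
}

# Classify ARP requests in `tcpdump -e` output from the VLAN parent.
# Optional $1 restricts "tagged" to one VLAN id; other ids are counted
# separately. An untagged request for the VLAN subnet means the sender
# is not tagging at all; a tagged request with no reply points at the
# receiving side (filtering, wrong id, or no VLAN interface there).
arp_tag_summary() {
    awk -v want="${1:-}" '
        /ethertype ARP/ && /Request who-has/ {
            if (match($0, /vlan [0-9]+,/)) {
                id = substr($0, RSTART + 5, RLENGTH - 6)
                if (want == "" || id == want) tagged++; else other++
            } else {
                untagged++
            }
        }
        END { printf "tagged=%d othervlan=%d untagged=%d\n", tagged+0, other+0, untagged+0 }'
}

# Constructed sample: igc1 with VLAN hardware filtering/tagging still on.
SAMPLE_IFCONFIG_BAD='igc1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
    ether 00:11:22:33:44:55
    media: Ethernet autoselect (2500Base-T <full-duplex>)
    status: active'

# Constructed sample: same interface with the VLAN offloads cleared.
SAMPLE_IFCONFIG_GOOD='igc1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4e0<RXCSUM,TXCSUM,VLAN_MTU,JUMBO_MTU,RXCSUM_IPV6,TXCSUM_IPV6>
    ether 00:11:22:33:44:55
    status: active'

# Constructed sample of `tcpdump -eni igc1`: two tagged requests from the
# firewall on VLAN 20, one untagged request from the NAS for the same
# subnet, and one tagged request on an unrelated VLAN 30.
SAMPLE_TCPDUMP='12:01:00.000100 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 20, p 0, ethertype ARP (0x0806), Request who-has 192.168.20.2 tell 192.168.20.1, length 28
12:01:01.000100 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 20, p 0, ethertype ARP (0x0806), Request who-has 192.168.20.2 tell 192.168.20.1, length 28
12:01:02.000100 aa:bb:cc:dd:ee:ff > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.20.1 tell 192.168.20.2, length 28
12:01:03.000100 aa:bb:cc:dd:ee:ff > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 30, p 0, ethertype ARP (0x0806), Request who-has 192.168.30.1 tell 192.168.30.2, length 28'

# Run with `sh vlan_triage.sh demo` to see the helpers on the samples.
case "${1:-}" in
    demo)
        printf 'offloads (bad):  %s\n' "$(printf '%s\n' "$SAMPLE_IFCONFIG_BAD" | vlan_offload_flags)"
        printf 'offloads (good): %s\n' "$(printf '%s\n' "$SAMPLE_IFCONFIG_GOOD" | vlan_offload_flags)"
        printf 'arp on vlan 20:  %s\n' "$(printf '%s\n' "$SAMPLE_TCPDUMP" | arp_tag_summary 20)"
        ;;
esac
```

On the sample capture the summary reports the NAS's request as untagged: that is the pattern to look for when both sides send ARP and neither answers, because a frame that reaches the parent without an 802.1Q header is delivered to the untagged (former bridge member) side, not to the VLAN interface, and the peer on the VLAN interface never sees it.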

Quote from: pfry on November 20, 2025, 11:32:07 PM
All the offloads are disabled. NAS is directly connected to one of my firewall ports.
I attached some screenshots of my configuration to this post.

Today at 04:59:41 AM #5 Last Edit: Today at 05:09:00 AM by InvalidHandle
It sounds like you are missing firewall configuration for the vlan interfaces that you set up and I don't think you need the bridge.
If you want to allow traffic between both LAN and vLAN networks, I'm not sure what you gain with the vLAN unless you really need to split a single port into multiple subnets. Here is the documentation on VLANs: https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html

Just food for thought: vLANs can be very tricky if you are using IDS/IPS. If you have enough ports on your hardware and aren't trying to segment traffic, create a separate LAN subnet interface for your TrueNAS, skip the vLAN, and set up firewall rules accordingly if you want to isolate the NAS LAN from WAN. That is my two bits.