OPNsense + PROXMOX + VLANs (again)

[spetrillo]

Ok I have a managed 1 gig switch I am using. The config is as follows:

1) PC connected to port 5, with the port set to vlan 2 untagged. I have also set the vlan to 2 on the PC NIC.
2) Server connected to port 6, with the port set to vlan 2/3/20 tagged.
3) Server connected to port 7, with the port set to vlan 10/12 tagged.

VLAN 2 is my LAN interface on OPNsense. I hard coded my PC NIC to 192.168.1.10/26. When I try to ping 192.168.1.1 I get nothing. I then re-configured the PC NIC and removed the vlan from the NIC. I try to ping 192.168.1.1 again and get nothing. Ok what am I doing wrong here?

[Patrick M. Hausen]

If the port on the switch is VLAN 2 untagged, don't set a VLAN on the PC.

[spetrillo]

Still does not work...

My PC's port is set to both vlan 1 and vlan 2 untagged. Do I need to delete the vlan 1 reference from the switch port or just set the PVID to 2?

[Patrick M. Hausen]

PVID 2 and no additional VLAN.

[spetrillo]

And away we go!

Got a connection to the GUI. DHCP gave me an IP, so I know that is working.

Right now I use vlan 1 as my mgmt vlan. In this new build I am moving it to vlan 2 and vlan 1 will no longer be used.

Now to see if I can get to the Proxmox GUI on vlan 3.

[spetrillo]

Ok so I was not able to get to the Proxmox GUI. Going to reboot and see if that helps.

[spetrillo]

Id like to think I am good...but sometimes you just gotta walk away from the problem and then come back to it later...which is what I did. I found that the Linux vlan for the Proxmox GUI IP was incorrect in my brave new vlan world. Modified it, rebooted, and yes the GUI is available. At this point its time to deploy the new firewall. If I can do this tomorrow morning I will try to get to it. I will need to reboot all devices using vlan 1, which is not many.

[spetrillo]

It's ALIVE!!!

I am live on the new firewall, with the new vlan structure. I am still working out a few wireless vlan kinks but nothing too onerous. Speaking of wireless I went to begin building my new Unifi VM. I had a problem getting IP from my dnsmasq DHCP server but figured out that since I turned off VLAN 1 I had to reset default to VLAN 2, including normal PVIDs. All good!

[elreyquerabio]

I finally got it!
Following viragomann's instructions led to the solution.
There are still some details to add.

1. Add the listening interfaces to the DNS (in my case, DNSMASQ).
2. Add the listening interfaces to AdGuard (which isn't trivial). You either have to modify AdGuardHome.yaml, or delete it and start over.

Now I'll add blocking rules between VLANs so it behaves the way I want.

I've added a new photo with the final settings into the first post, so newbies like me don't have to waste so much time.

THANKS EVERYONE!

[Patrick M. Hausen]

Best, always have the services listen on all interfaces ("0.0.0.0"). This is by far the most stable configuration and the reason why in the UI the wording is "All (recommended)".

Firewall rules will take care of nobody accessing your services from the WAN side. No need to limit listen interfaces at all.

[elreyquerabio]

But...

"Interface IPs used to respond to queries from clients. If no interfaces are selected, Dnsmasq will listen on all available IPv4 and IPv6 addresses by default. However, DHCP related firewall rules will only be added for explicitly selected interfaces, never for all interfaces."

[Patrick M. Hausen]

I would not enable DHCP on all interfaces, only DNS. Is this a single setting in DNSmasq? I'm using Kea and Unbound and so I can leave Unbound at the default and get a stable socket on 0.0.0.0.

[elreyquerabio]

Why not enable DHCP in all interfaces?
Yes, there is a single option in DNSmasq section. I already read that Kea is, perhaps, the best option. I'll check once I finish setting what is working now.
Apprecite!

[Patrick M. Hausen]

Why not enable DHCP in all interfaces?

Because of the automatic rules :-)

I think it's rather nice to have them where DHCP is active.