Setting up VLANs.

Started by Lymba_Sysm, December 12, 2025, 11:07:06 AM

I've been racking my brain researching OPNsense written tutorials and what videos I can find, but I'm having some issues putting VLANs into practice. To see if I have understood this correctly, as follows:

I'm aware of what trunk ports are and how they are used in VLAN-aware router-to-switch scenarios, although I'm not sure how to utilize it with my current switch because I can only extrapolate so much from written reviews, and I'm *very in need* of a tutorial for my TP-Link SG2210XMP-M2 switch, but I cannot for the life of me find a video tutorial of how I would set up VLANs to work with OPNsense. I'm struggling here, so I'll do my best to show my current switch configuration. What do I need to do here?

Have you set up VLANs on your OPNsense already?

If you do use VLAN interfaces on your OPNsense: set the ports on the switch that are connected to the OPNsense to tagged, as the switch now expects already VLAN-tagged packets.
If you do not use VLAN interfaces on OPNsense: set the ports on the switch that are connected to the OPNsense to untagged, as the switch now expects untagged packets and will tag them when they are processed.

Quote from: clownschiff on December 12, 2025, 11:33:31 AM
Have you set up VLANs on your OPNsense already?

If you do use VLAN interfaces on your OPNsense: set the ports on the switch that are connected to the OPNsense to tagged, as the switch now expects already VLAN-tagged packets.
If you do not use VLAN interfaces on OPNsense: set the ports on the switch that are connected to the OPNsense to untagged, as the switch now expects untagged packets and will tag them when they are processed.


OK, so that is it? Right, that's basically what I was looking up, and it's good to have a third opinion. And yes, OPNsense was configured with VLANs. Thanks, I will try this and make sure it's good.

Today at 03:26:02 PM #3 Last Edit: Today at 04:52:59 PM by coffeecup25
pfSense and OPNsense are nearly identical in many respects. Only the menus and screen verbiage are different.

Perhaps some VLAN oriented videos for pfSense can get you started. You can learn the concepts that apply to your situation and adapt them to OPNsense fairly easily I would assume.

Also, I got into the need for isolated home network parts later than most. I realized that VLANs are sometimes over-thought. It also seems that while every router-included VLAN has common elements with every other one, everyone does their VLAN differently.

And sometimes it only takes a smart switch to do all the work, ignoring the router completely. TP-Link has software specifically for that purpose. I had a TP-Link oriented VLAN once that isolated several ports quite well. I hung an access point off one and put my IoT devices on it. It later failed, however, by lowering my entire network to 100 Mbit/s for an unknown reason. I suspect it needed a firmware update. The configuration I just described is very common and does not need you to create a VLAN or edit the insides of OPNsense in any way. My VLAN was simple. If you need to nest switches for various VLAN segments, that is outside my range of experience, but the switches might still be able to accommodate it without editing the router. As I said, I believe some people radically overthink their VLAN needs.

Briefly, routers are used to communicate among different networks. VLANs are used to isolate logical networks on the same subnet, and they generally require a managed switch. Switches and switch groups are generally associated with a network. Two networks in one router would normally require two switches. Some Wi-Fi routers can get clever with guest networks, but not all, and some are not isolated at all.

That switch looks super powered. It should be quite reliable managing a VLAN.

Good luck. Try the pfSense videos. Or look up TP-Link VLAN instructions; Google makes it easy. If you are using TP-Link, use the 802.1Q options. It's very easy.

Cedrik wrote a nice doc about VLANs and LAGGs some time ago.

Please read
https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

Quote from: Seimus on Today at 07:25:21 PM
Cedrik wrote a nice doc about VLANs and LAGGs some time ago.

Please read
https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html

Regards,
S.

Thank you. The information about tagging was helpful.

I think I reasoned through the router VLAN vs the Managed Switch VLAN confusion (confusion at least to me).

The managed or smart switch, or several switches, is (are) fully capable of supporting one or more VLANs, depending on the need, completely. OPNsense or a refurbished used AC Wi-Fi router would end up in the same place as far as VLANs are concerned. The switches do the work. It does not matter what the switches are connected to. In that respect, the router is a dumb box.

OPNsense gets involved when you use a multi-port box as the router and you want to turn an available port into a managed switch IN PLACE OF using a managed switch, NOT in addition to a managed switch (unless you have a specific and defined need for recycling unused ports in that way). My perspective is the home or hobby user, not a commercial enterprise with serious needs.

I also suspect that network-talk has evolved into something that's a little incomprehensible sometimes. A Level 2 bla bla makes no sense to 99% of the people who read it. Yet, normal everyday terminology could have easily been used. This encourages people to fit parts together and walk away if it works, thinking they now know how to do it.

Keeping the proper network terminology is important.
It is a universal language that helps to troubleshoot; the deeper you go into a technical matter, the more the terminology matters.

For example, Layer 2 and Layer 3 have PDUs.
The L2 PDU is called a Frame.
The L3 PDU is called a Packet.

A Frame is not a Packet and a Packet is not a Frame. Yet a Frame contains the Packet as its payload, because it is encapsulated within the Frame.

It's important to know the differences, because each layer has its own behavior and control plane.

-------------

Quote from: coffeecup25 on Today at 08:12:41 PM
The managed or smart switch, or several switches, is (are) fully capable of supporting one or more VLANs, depending on the need, completely. OPNsense or a refurbished used AC Wi-Fi router would end up in the same place as far as VLANs are concerned. The switches do the work. It does not matter what the switches are connected to. In that respect, the router is a dumb box.

Managed switch basically means you are capable of configuring it. This mostly goes hand in hand with whether the switch can only carry a VLAN or tag it.
Trunk = a port that expects already tagged frames; if it sees a tagged frame, it will be associated with the proper VLAN.
Access = a port that is not expected to have tagged frames; here the switch tags the frames on ingress and untags them on egress to the port of origination.

Quote from: coffeecup25 on Today at 08:12:41 PM
OPNsense gets involved when you use a multi-port box as the router and you want to turn an available port into a managed switch IN PLACE OF using a managed switch, NOT in addition to a managed switch (unless you have a specific and defined need for recycling unused ports in that way). My perspective is the home or hobby user, not a commercial enterprise with serious needs.

No, not really. VLANs provide separation; that separation begins on the GW, due to the fact that the respective VLANs need to communicate with the outside or with each other. If you have a multiport GW, you don't explicitly need VLANs to do the isolation, because you can dictate a specific broadcast domain/subnet per port, effectively creating physically isolated networks.

VLANs were created to provide isolation while reusing the same physical hardware. The history of VLANs is actually interesting. If you want, check the video below; "The Serial Port" made a nice documentary about it.

https://youtu.be/Lq1zpdbOmXY?si=2lD_ofR95a5umICf

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD
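To put clownschiff's tagged/untagged advice and Seimus's trunk/access and frame/packet definitions into something you can run, here is an added example written for this thread. It is not code from any poster, nor from OPNsense or TP-Link. It models 802.1Q tagging in Python: an access port stamps its PVID on untagged frames at ingress and strips the tag at egress, a trunk port only accepts frames that already carry an allowed tag, and the IPv4 packet riding inside the frame is never touched. The MAC addresses, VLAN IDs, port names and port table are constructed for the illustration.

```python
"""802.1Q tagging model: access (untagged) ports vs trunk (tagged) ports.

Added example for this thread, not code from OPNsense or TP-Link. Frame bytes,
MAC addresses, VLAN IDs and the port table are constructed assumptions.
"""
import struct

TPID_8021Q = 0x8100      # EtherType value announcing an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Untagged Ethernet II frame: dst(6) src(6) type(2) payload (the L3 packet)."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def tag_frame(frame, vid, pcp=0, dei=0):
    """Insert a 4-byte 802.1Q tag (TPID + TCI) right after the source MAC.

    TCI layout: 3 bits PCP, 1 bit DEI, 12 bits VID (0 and 4095 are reserved).
    """
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame):
    """Remove the 802.1Q tag if present (what an access port does on egress)."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return frame
    return frame[:12] + frame[16:]


def parse_frame(frame):
    """Split the L2 header off; the payload (the L3 packet) is returned untouched."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, offset = None, 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, offset = tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vid": vid,
            "ethertype": ethertype, "payload": frame[offset:]}


# Constructed switch port table. Access ports own one PVID; the trunk carries a
# set of VLANs towards the OPNsense VLAN interfaces. Untagged frames arriving on
# the trunk are dropped in this model; a real switch usually maps them to the
# port's PVID (native VLAN) instead.
PORTS = {
    "port1": {"mode": "access", "pvid": 10},          # IoT device
    "port2": {"mode": "access", "pvid": 20},          # LAN PC
    "port8": {"mode": "trunk", "allowed": {10, 20}},  # uplink to OPNsense
}


def ingress(port, frame):
    """Classify an arriving frame: returns (vid, tagged_frame) or None if dropped."""
    cfg, info = PORTS[port], parse_frame(frame)
    if cfg["mode"] == "access":
        if info["vid"] is not None:
            return None                      # tagged frame on an access port
        return cfg["pvid"], tag_frame(frame, cfg["pvid"])
    if info["vid"] is None or info["vid"] not in cfg["allowed"]:
        return None                          # untagged or disallowed VLAN on trunk
    return info["vid"], frame


def egress(port, vid, tagged_frame):
    """Deliver a classified frame out of a port, untagging on access ports."""
    cfg = PORTS[port]
    if cfg["mode"] == "access":
        return strip_tag(tagged_frame) if cfg["pvid"] == vid else None
    return tagged_frame if vid in cfg["allowed"] else None


def forward(in_port, frame, out_port):
    """One hop through the switch; None means the frame was not delivered."""
    classified = ingress(in_port, frame)
    if classified is None:
        return None
    vid, tagged = classified
    return egress(out_port, vid, tagged)


def demo():
    """IoT host on port1 sends an IPv4 packet towards the gateway MAC."""
    iot_mac = bytes.fromhex("02000000000a")             # constructed
    gw_mac = bytes.fromhex("020000000001")              # constructed
    ipv4_packet = bytes.fromhex("4500") + b"\x00" * 18  # placeholder L3 payload
    frame = build_frame(gw_mac, iot_mac, ETHERTYPE_IPV4, ipv4_packet)
    to_router = forward("port1", frame, "port8")        # leaves tagged with VID 10
    to_pc = forward("port1", frame, "port2")            # None: VID 10 != PVID 20
    return frame, to_router, to_pc
```

Running `demo()` shows the two halves of the thread's advice at once: the frame that leaves the trunk towards OPNsense carries the tag (so the OPNsense side must have a VLAN interface for VID 10, which is clownschiff's "tagged" case), the same frame is not delivered to the access port on VLAN 20, and the IPv4 bytes inside are identical before and after tagging, which is the encapsulation Seimus describes.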

Today at 09:19:13 PM #7 Last Edit: Today at 09:32:40 PM by coffeecup25
Seimus, Oh Come On.

Everyday people use everyday language. They do not need to use medically precise terminology to create something to isolate LAN from IoT. Only a minority of IT people need that. Most people only need to be able to do the job, and everyday language is good enough for that.

I'm trying to be civil here. Your outrage is ridiculous. For example, your Frame vs Packet insights somehow had no effect on anything I have built to date, as I have not thought about either in probably a decade, and only slightly then. Yet my network works quite well and is not a simple one for a home network.

Lighten Up.

I don't agree with Seimus in the frame vs. packet distinction being mandatory - I might throw in datagram just to annoy people. :-)

But other things are important. The switch is the "dumb" device and the router is doing the heavy lifting if you implement VLANs with a router and a trunk port. This is called a router-on-a-stick topology and is the most common one, because the most frequent reason to use VLANs is to save expensive dedicated ports on the router and separate switches for each network/interface/zone. Distinguishing layer 2 and layer 3 even if you do not call them that is of utmost importance.

And that leads us to networks (layer 3) and broadcast domains (layer 2) etc. I could go on and I really don't want to at the moment.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Today at 09:39:07 PM #9 Last Edit: Today at 09:43:32 PM by coffeecup25
Quote from: Patrick M. Hausen on Today at 09:27:21 PM
I don't agree with Seimus in the frame vs. packet distinction being mandatory - I might throw in datagram just to annoy people. :-)

But other things are important. The switch is the "dumb" device and the router is doing the heavy lifting if you implement VLANs with a router and a trunk port. This is called a router-on-a-stick topology and is the most common one, because the most frequent reason to use VLANs is to save expensive dedicated ports on the router and separate switches for each network/interface/zone. Distinguishing layer 2 and layer 3 even if you do not call them that is of utmost importance.

And that leads us to networks (layer 3) and broadcast domains (layer 2) etc. I could go on and I really don't want to at the moment.

I know what a Router on a Stick is and I described nothing even close to that. A Router on a Stick is a way to use a smart switch and a PC with one network port as a router with a WAN in and a LAN out. It's a work-around. Never built one.

What I described would be similar to what's in a school textbook about Basic Elementary Networking. I'm frankly surprised why it gets 'experts' so unraveled.

I remember from my old IT programmer / system designer days when ordinary talk got people upset. Being able to communicate clearly always upset some people quite badly. Some things never change, apparently.

Sorry, this does not make sense. If you use VLANs to isolate zones or networks or whatever you might call them to isolate different classes of devices, then you must pass these networks to your router/firewall over a trunk port and create a separate network plus firewall rules etc. for each on the router. Otherwise no isolation. All traffic between VLANs passes the router/firewall.

If the switch handles the VLANs on its own it is just another router ("layer 3 switch") without any firewalling happening and hence no isolation.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
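As an added illustration of the router-on-a-stick point made just above (an example written for this thread, not from any poster and not OPNsense code): traffic between two hosts in the same VLAN stays on the switch at layer 2 and never reaches the firewall, while anything crossing VLANs or heading to the internet comes up the trunk, is routed by OPNsense, and is subject to the rules on the VLAN interface it arrived on, first match wins. The VLAN IDs, subnets, host addresses and rule set are constructed assumptions.

```python
"""Router-on-a-stick model: every inter-VLAN flow crosses the router's firewall.

Added example for this thread; not OPNsense code. VLAN IDs, subnets, host
addresses and the rule set are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

net = ipaddress.ip_network

# Router VLAN sub-interfaces hanging off the single trunk port (constructed).
VLAN_IFACES = {
    10: net("10.0.10.0/24"),   # LAN
    20: net("10.0.20.0/24"),   # IoT
    30: net("10.0.30.0/24"),   # Guest
}
RFC1918 = [net("10.0.0.0/8"), net("172.16.0.0/12"), net("192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    in_vid: int                  # VLAN interface the packet arrives on
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str                  # "pass" or "block"


# Constructed policy, evaluated top-down, first match wins (OPNsense rules are
# "quick" by default). LAN may reach anything; IoT and Guest may only leave
# towards non-private destinations. Anything unmatched hits the default block.
RULES = (
    [Rule(10, VLAN_IFACES[10], net("0.0.0.0/0"), "pass")]
    + [Rule(v, VLAN_IFACES[v], priv, "block") for v in (20, 30) for priv in RFC1918]
    + [Rule(20, VLAN_IFACES[20], net("0.0.0.0/0"), "pass"),
       Rule(30, VLAN_IFACES[30], net("0.0.0.0/0"), "pass")]
)


def vlan_of(ip) -> Optional[int]:
    """Which VLAN interface (broadcast domain) an address belongs to, if any."""
    for vid, subnet in VLAN_IFACES.items():
        if ip in subnet:
            return vid
    return None


def firewall(in_vid, src, dst) -> str:
    """First matching rule on the ingress interface decides; otherwise block."""
    for rule in RULES:
        if rule.in_vid == in_vid and src in rule.src and dst in rule.dst:
            return rule.action
    return "block"


def flow(src_ip: str, dst_ip: str) -> dict:
    """Decide how a packet from src to dst travels and whether it is allowed.

    Same VLAN: the switch forwards the frame at layer 2; the router never sees it.
    Different VLAN or internet: the frame goes up the trunk, the router routes it
    and the rules of the ingress VLAN interface apply.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    in_vid, out_vid = vlan_of(src), vlan_of(dst)
    if in_vid is None:
        return {"path": "unknown", "verdict": "block"}   # not one of our networks
    if out_vid == in_vid:
        return {"path": "switched", "vid": in_vid, "verdict": "pass"}
    return {"path": "routed", "in_vid": in_vid,
            "out": out_vid if out_vid is not None else "wan",
            "verdict": firewall(in_vid, src, dst)}


if __name__ == "__main__":
    for s, d in [("10.0.10.5", "10.0.20.7"), ("10.0.20.7", "10.0.10.5"),
                 ("10.0.20.7", "10.0.20.8"), ("10.0.20.7", "1.1.1.1")]:
        print(s, "->", d, flow(s, d))
```

The thing to take from the model is the asymmetry: the switch alone can only say "same VLAN, forward" or "different VLAN, send it up the trunk"; whether IoT may talk to LAN is decided entirely by the rules on the router's VLAN interface, and two IoT devices in the same VLAN can always talk to each other without the firewall being consulted.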

Quote:
If the switch handles the VLANs on its own it is just another router ("layer 3 switch") without any firewalling happening and hence no isolation.

Do some research on TP-Link smart switches, the most basic ones, including how to build VLANs with them. Google presents some good reference materials. It will apparently be an eye-opener for you. Or, if you really want to work a bit, look into the Network+ or Cisco elementary 1st exam prep. Managed switches are quite capable now.