VLANs almost working on test setup

Started by silmaril, January 02, 2026, 05:59:05 PM

I am currently running pfSense on an APU2 in my home network and I'm thinking about migrating to OPNsense.
To find out how things work, I created a VM on Proxmox VE that simulates similar hardware and installed OPNsense 25.7.10.

So far it looks very promising. I think I was able to transfer all relevant settings to OPN.
There is one thing that seems to work incompletely and I don't understand what's going on.
It seems that one VLAN is working, but not the others.

I configured several VLANs on the firewall (tags 10, 20, 30, 111) and added each of them to a group that shows up under "Interfaces".
I am using Dnsmasq for DHCP, which is enabled for all those VLANs.
For each VLAN there is a DHCP range in a different IPv4 subnet defined.
All VLANs are configured as "Static IPv4" (with an IP that fits the DHCP subnet) and IPv6 is set to "Track Interface".

I have a Debian VM connected to the OPN LAN interface via a Linux-Bridge in Proxmox ("VLAN aware" is off).
This VM gets an IPv4 address via DHCP from the LAN interface without any problems. IPv6 is working, too. It gets an IPv6 that matches the prefix shown for the OPNsense LAN interface.
I added VLANs to the VM's network config for all tags (just for testing, I don't want to use it like this).
VLAN 10 behaves just like the LAN interface. It gets both IPv4 and IPv6 addresses that match the OPN addresses of this interface.
With the other VLAN tags, nothing seems to happen. They only show their link-local IPv6.

I tried many things, e.g. deleting all VLANs and adding only one of the non-working tags, but I couldn't find a way to make 20, 30 or 111 work.

Activating "VLAN aware" on the Proxmox bridge doesn't help. This only leads to none of the VLANs working any more, which makes sense to me, since the bridge should only transport everything between the virtual network ports and VLAN tags are handled by the systems on both ends.

Since one of the VLANs is working, I guess my setup is almost correct.
Can anyone give me a hint for settings I should double-check?
As far as I can see, all VLANs are configured identically, but it looks like there must be some difference I am missing.
I am also not entirely sure if the problem lies on the Proxmox or OPNsense side.

Any help you can give me would be very much appreciated!

VLANs should be configured on the VM host (Proxmox), not in the guest (OPNsense). The guest should have a dedicated interface for each VLAN.

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Maybe you're right. The setup should be as close as possible to the actual use case in hardware I want to simulate.

This means activating VLAN awareness on the bridge in Proxmox and setting the interface to one of the VLAN tags.
I added one network device to the client VM for each VLAN, so I can test all of them at the same time.

Doing it this way shows the same behaviour as before:
Without a VLAN tag on the interface, I get a connection to the LAN interface on OPN.
With VLAN tag 10, I get a connection to this VLAN.
With the other VLAN tags, no connection can be established.

So I'm basically at the same point I was yesterday: One VLAN is working fine and the others aren't and I can't find what I have configured differently.

Does anyone have any idea what could be causing this?

Found it!

It was a very simple configuration error, which I managed to not notice many times.
The non-working VLANs were assigned to the WAN interface instead of LAN.
After changing this to the correct interface, everything works as expected.

Why do computers always do what I tell them to do, instead of what I want them to do? ;-)
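
The check that resolves this thread (which parent device each VLAN hangs off), as an added example that is not part of the original posts. It assumes an exported OPNsense config.xml with <interfaces>/<wan|lan>/<if> and <vlans>/<vlan>/<if>,<tag> elements; the device names vtnet0/vtnet1 and the sample config are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from the thread. Assumed layout of an
# OPNsense config.xml export; vtnet0/vtnet1 are placeholder device names.
SAMPLE_CONFIG = """<opnsense>
  <interfaces>
    <wan><if>vtnet1</if></wan>
    <lan><if>vtnet0</if></lan>
  </interfaces>
  <vlans>
    <vlan><if>vtnet0</if><tag>10</tag><vlanif>vlan0.10</vlanif></vlan>
    <vlan><if>vtnet1</if><tag>20</tag><vlanif>vlan0.20</vlanif></vlan>
    <vlan><if>vtnet1</if><tag>30</tag><vlanif>vlan0.30</vlanif></vlan>
    <vlan><if>vtnet1</if><tag>111</tag><vlanif>vlan0.111</vlanif></vlan>
  </vlans>
</opnsense>"""


def vlan_parents(config_xml):
    """Map each VLAN tag to (parent device, interface assigned to that device)."""
    root = ET.fromstring(config_xml)
    # Physical device -> assigned interface name, e.g. {"vtnet0": "lan"}.
    owners = {}
    for iface in root.findall("./interfaces/*"):
        dev = iface.findtext("if", "").strip()
        if dev:
            owners.setdefault(dev, iface.tag)
    result = {}
    for vlan in root.findall("./vlans/vlan"):
        tag = int(vlan.findtext("tag", "0"))
        parent = vlan.findtext("if", "").strip()
        result[tag] = (parent, owners.get(parent, "unassigned"))
    return result


def misplaced_vlans(config_xml, expected="lan"):
    """Return the tags whose parent device is not the one assigned to `expected`."""
    parents = vlan_parents(config_xml)
    return sorted(tag for tag, (_, owner) in parents.items() if owner != expected)


if __name__ == "__main__":
    for tag, (parent, owner) in sorted(vlan_parents(SAMPLE_CONFIG).items()):
        flag = "" if owner == "lan" else "  <-- parent is not the LAN device"
        print(f"VLAN {tag:>4}: parent {parent} ({owner}){flag}")
```

Run against the constructed sample, this flags tags 20, 30 and 111 as sitting on the WAN device while tag 10 is on LAN, matching the symptom described in the thread.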


Quote from: Maurice on January 02, 2026, 08:04:53 PM
VLANs should be configured on the VM host (Proxmox), not in the guest (OPNsense). The guest should have a dedicated interface for each VLAN.

Quote from: silmaril on January 03, 2026, 03:24:29 PM
The setup should be as close as possible to the actual use case in hardware I want to simulate.

This depends on the use case in my opinion.

I also run my OPNsense virtualized. To one of the host NICs the wifi AP is connected with five VLANs running over it. It makes no sense to me to configure these on the host and add five NICs to the VM in this case.
So I have all VLANs terminated in OPNsense and this works flawlessly.

If you can use PCI passthrough or SR-IOV, handling VLANs in the guest makes sense of course.
But with macvtap or bridge interfaces, I don't really see the benefit of moving VLAN tagging into the guest.

Trying to emulate a bare metal setup for testing is a special use case though.