Setting up VLAN

Started by JustSecure, January 23, 2026, 03:26:59 PM

Hello everybody,

I'm new on the forum, and new to OPNsense in general. I'm not new to tech though.

So for my question: I have set up an OPNsense router on this hardware.

Intel(R) Core(TM) i3-4130 CPU @ 3.40GHz (2 cores, 4 threads) 8GB. It's an old OptiPlex 3020.
I stuck an extra NIC in there and set up everything for my provider Odido (NL).
They require that I make a VLAN with tag 300 (vlan02 odido); I assigned that VLAN to my WAN interface.
I also have the LAN interface (em0).

Everything works as expected. I have installed Zenarmor and AdGuard Home; again, this all works.

But now I wanted to make a separate VLAN for my IoT/hacking adventures; my kid likes it a lot.
So I made a VLAN which I pointed to my WAN interface. I thought everything worked, and I did apply all changes. But after some time all internet stopped working altogether. It was late in the evening, so I even had to drag a monitor and keyboard over since I didn't have SSH opened.
I did reset all the VLANs and re-applied them.

Maybe somebody can explain what I did wrong? Or maybe help me set up this extra VLAN.

Thanks in advance.

There are multiple purposes for VLANs; it seems you misunderstood the concept.

Basically, a VLAN, as its name suggests, is a virtual network that is created on top of an existing physical network connection, but logically separated from it.

This can be used in order to separate the logical WAN internet connection over a VLAN (potentially with PPPoE) from the connection to the media converter (DSL modem or ONT) web interface. That is the reason why many ISPs choose to use internet connections via a VLAN, like Odido with VLAN 300.

On the other hand, with a local manageable switch, you can connect to your router via a "trunk" port that carries multiple (tagged or untagged) VLANs. The switch can then be configured to split these (V)LANs out to different untagged ports that are set to one specific VLAN. That way, the switch can act like multiple switches, one for each VLAN, effectively separating multiple local networks.

The latter is what you probably wanted, but you may see right now why it cannot be done when you create new VLANs on the WAN port - they must be set on the LAN port. There is no additional VLAN on WAN, because you only got two:

a. VLAN 300 for your internet connection
b. The untagged WAN to access your media converter

You would not connect anything else to your WAN port, would you?
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: JustSecure on January 23, 2026, 03:26:59 PM
"my provider odido(NL).
They require i made a vlan with tag 300(vlan02 odido), i assigned that vlan to my WAN interface."

The same here: VLAN 300 assigned to WAN Interface and set to DHCP for IPv4 :)

Quote: "I also have the LAN interface (em0)."
Then you need to assign your new VLAN:
Quote: "But now i wanted to make a seperate vlan for my IOT/hacking adventures, my kid likes it alot."
To that interface ;)

What does the rest of your network look like?
Do you have managed switches/access points that support VLAN a.k.a. the 802.1q tagging protocol?

And don't forget "Guest VLAN Firewall Rules" for your new VLAN: https://docs.opnsense.org/manual/how-tos/guestnet.html
You basically make sure all of its traffic can only go to the WAN connection and never to any of your other networks.
However, your networks will always be able to connect to the Guest network if needed, because they initialize the connection!!

For more information about Firewall Rules see: https://docs.opnsense.org/manual/firewall.html

OPNsense is pretty easy if you happen to be an IT guy or just a huge networking enthusiast/hobby dude ^_^
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)
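
The guest-style isolation described in the reply above, modelled as an added example (not code from the thread or from OPNsense): rules on the IoT interface are checked top-down with first match winning, and replies to connections opened from the LAN pass on state. The interface names `IOT`/`LAN`, the 192.168.x addressing and the `Firewall` class are assumptions made for illustration.

```python
import ipaddress

# Constructed addressing, not taken from the thread.
IOT_GW = ipaddress.ip_network("192.168.20.1/32")   # firewall address on the IoT VLAN
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Per-interface rules: (action, destination networks or None for any,
#                       destination port or None for any).
RULES = {
    "IOT": [
        ("pass", [IOT_GW], 53),     # DNS to the firewall itself
        ("block", RFC1918, None),   # no access to LAN or any other private network
        ("pass", None, None),       # everything else, i.e. the internet
    ],
    "LAN": [("pass", None, None)],
}


class Firewall:
    """Toy stateful filter: rules apply to traffic entering an interface,
    first match wins."""

    def __init__(self, rules):
        self.rules = rules
        self.states = set()  # allowed connections: (src, sport, dst, dport)

    def inbound(self, iface, src, sport, dst, dport):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # A reply to a connection opened from the other side matches its
        # state and never reaches the rule list.
        if (dst, dport, src, sport) in self.states:
            return "pass"
        for action, nets, port in self.rules.get(iface, []):
            if nets is not None and not any(dst in n for n in nets):
                continue
            if port is not None and port != dport:
                continue
            if action == "pass":
                self.states.add((src, sport, dst, dport))
            return action
        return "block"  # nothing matched: default deny
```

Swapping the last two IOT rules so that the pass-any rule comes first lets IoT devices reach the LAN, because the block rule is then never evaluated.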