Fresh 26.1.1 configuration failure with VLAN and managed switch

Started by ole, February 07, 2026, 07:47:16 PM

I am replacing my HomeLab LAN with the latest OPNsense version on an APU4C4 and Cisco SG-200 managed switch.

In addition to the LAN (192.168.11.0/24) on igb1, I have three additional VLAN devices (User, Guest, IoT with IDs 10, 20, 30, and 192.168.{110,120,130}.0/24) with igb2 as the parent. The static interface IPs are set to the .1 host in the network, and DHCP/DNSmasq is also configured for LAN and VLANs. Everything looks OK to me here.

The physical devices igb1 and igb2 go to the switch. All ports are configured as trunk ports - except for port g3, which is the access port for VLAN ID=10. My test PC is also connected to this port, but it is not receiving an IP address. When I plug the cable into port g4, I receive an IP address from the LAN network.

What is not as I expect here, and how can I narrow down the error?

All firewall rules are default.


I'm not familiar with the SG-200, however, I expect there are some settings you may want to change from their defaults.

Settings I used to disable globally on the SG-300 & SG-500 series switches are:

Dynamic Voice VLAN
GVRP
Smartport

I would also change the Default VLAN ID from 1 to a value for the network being configured.

With the interface VLAN mode, I would use Trunk ports for LAGs and set other ports to either General or Access mode. You can assign multiple VLANs to ports in General mode.

With trunk ports where only VLANs would be used on the port, I would set its PVID to 4095 - Forbidden, thus only tagged VLAN traffic traverses the port and no untagged traffic will be seen on it.

Note: Vendors which use VLAN ID 4095 will implement it differently. VLAN ID 4095 on the Cisco SG-300 & SG-500 (and probably on the SG-200) switches is a black hole, whereas on VMware VLAN ID 4095 will send _all_ network traffic through this VLAN.

In your environment I'll make some assumptions.

You've created all the VLANs on the switch.

Switch-Port -> Node:
GE1 -> igb1
GE2 -> igb2
GE3 -> Test PC

Assuming igb1 will never have any VLANs operating on it, you can set GE1 PVID to your Default VLAN ID and set the interface mode to Access.

Set GE2 interface mode to General and add tagged VLANs 10, 20 & 30. You can leave the PVID (untagged) at its default as long as it's not one of your tagged VLANs. Set the Frame Type to 'Admit Tagged Only'.

In OPNsense configure a firewall rule on each of the VLAN interfaces to allow ICMP type Echo Request to the interface's address.

With all DHCP servers enabled and running in OPNsense, set GE3 Access port PVID to the VLAN you want to test. It is currently configured for VLAN ID 10. If you do not obtain an IP address on the 192.168.110.0/24 subnet, manually configure the interface on the Test PC with an IP address in this subnet and see if you get a reply when you ping the OPNsense address of 192.168.110.1.
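An added example, not from either poster, for narrowing the problem down from the OPNsense side: it decodes the 802.1Q tag of frames captured on the igb2 parent (for instance with `tcpdump -w` on igb2 while the test PC requests an address) and reports whether the PC's frames arrive tagged with VLAN 10, untagged (which would only reach the igb2 parent, never the VLAN 10 child interface), or with some other tag such as the switch's default PVID. The VLAN set, the MAC address and the sample frames are constructed for the example.

```python
import struct
from collections import Counter
from typing import Iterable, Iterator, List, Tuple

EXPECTED_VIDS = {10, 20, 30}        # assumed: the thread's User/Guest/IoT tags on igb2
TAG_ETHERTYPES = (0x8100, 0x88A8)   # 802.1Q customer tag, 802.1ad service (outer) tag

def vlan_ids(frame: bytes) -> Tuple[List[int], int]:
    """Return (VLAN IDs outer->inner, payload EtherType) for one Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset, vids = 12, []
    while True:
        (etype,) = struct.unpack_from("!H", frame, offset)   # struct.error if truncated
        if etype not in TAG_ETHERTYPES:
            return vids, etype
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)   # VID is the low 12 bits of the TCI; PCP/DEI sit above
        offset += 4

def classify(frame: bytes) -> str:
    """Untagged frames stay on the igb2 parent; a tag selects the matching VLAN child."""
    vids, _ = vlan_ids(frame)
    if not vids:
        return "untagged"
    return f"vlan{vids[0]}" if vids[0] in EXPECTED_VIDS else f"unexpected-vlan{vids[0]}"

def summarize(frames: Iterable[bytes]) -> Counter:
    """Count frames per category so a capture can be judged at a glance."""
    return Counter(classify(f) for f in frames)

def read_pcap(data: bytes) -> Iterator[bytes]:
    """Yield frames from a classic pcap file (as written by tcpdump -w), either endianness."""
    (magic,) = struct.unpack_from("<I", data, 0)
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    offset = 24                      # skip the 24-byte global header
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len

def build_frame(vid=None, etype=0x0800) -> bytes:
    """Constructed sample: broadcast IPv4 frame from a made-up MAC, 802.1Q tagged if vid given."""
    hdr = bytes.fromhex("ffffffffffff001122334455")
    tag = struct.pack("!HH", 0x8100, vid) if vid is not None else b""
    return hdr + tag + struct.pack("!H", etype) + bytes(46)

# Constructed capture: two correctly tagged frames, one untagged, one carrying PVID 1.
SAMPLE_FRAMES = [build_frame(10), build_frame(10), build_frame(None), build_frame(1)]
```

A real capture is loaded with `summarize(read_pcap(open("igb2.pcap", "rb").read()))`; if the PC's broadcasts show up as "untagged" or "unexpected-vlan1", the switch port, not OPNsense, is where to look.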