[SOLVED] New VLAN on OPNsense 26.1.4 not passing traffic on interface

Started by abranca, March 27, 2026, 03:42:45 PM

March 27, 2026, 03:42:45 PM Last Edit: March 29, 2026, 09:33:20 PM by abranca Reason: solved
Hi everyone,

I'm experiencing a really strange issue with OPNsense 26.1.4 (I came from 25.7). I have several VLANs configured, some existing for a long time and working perfectly (both wired and Wi-Fi), but when I create a new VLAN:
  • The VLAN interface is created correctly (Interface -> Assignments), with a static IP set (e.g., 10.10.50.1/24).
  • DHCP (dnsmasq) is configured with a proper range.
  • Firewall rules are enabled, like the other VLANs that work.
  • Even when setting a fixed IP on clients (VMs or PCs), I cannot ping the firewall and I cannot get an address from DHCP.
  • Packet capture on the VLAN interface does not show any traffic, not even pings from LAN to VLAN.
I've verified:

  • The VLAN parent is the same as other working VLANs.
  • Omada APs and an unmanaged switch are configured correctly, tags are passing.
  • Using an old VLAN (with tag 10 for example) works: DHCP and traffic are received properly.
  • I've tried changing the VLAN tag, deleting and recreating the VLAN, rebooting OPNsense and switches: nothing works.

Main symptom: the new VLAN seems completely "blind" to traffic, even with a fixed IP. Other VLANs work normally.

I'm asking:

  • Has anyone experienced the same behavior on OPNsense 26?
  • Could this be a bug in OPNsense 26's kernel / VLAN stack?

Thanks in advance for any suggestions or similar experiences!

Quote from: abranca on March 27, 2026, 03:42:45 PM
[...] I'm asking: [...]

Can't help you there, but two things to look at, if you haven't already: "ifconfig -v" (I just throw in the -v to get optics info) and "netstat -r", to verify all (and I mean all, pedantically) config data.

Quote from: abranca on March 27, 2026, 03:42:45 PM
but when I create a new VLAN:
  • Firewall rules are enabled, like the other VLANs that work.
  • Even when setting a fixed IP on clients (VMs or PCs), I cannot ping the firewall and I cannot get an address from DHCP.
  • Packet capture on the VLAN interface does not show any traffic, not even pings from LAN to VLAN.
Maybe post your Firewall Rules then?

Or simply compare them to one of the LAN/VLANs that work?

Quote
I've verified:

  • Omada APs and an unmanaged switch are configured correctly, tags are passing.
I am not a big fan of this: What happens when you test without the Unmanaged Switch?
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

Quote from: pfry on March 27, 2026, 05:21:55 PM
Quote from: abranca on March 27, 2026, 03:42:45 PM
[...] I'm asking: [...]

Can't help you there, but two things to look at, if you haven't already: "ifconfig -v" (I just throw in the -v to get optics info) and "netstat -r", to verify all (and I mean all, pedantically) config data.

Hi, thanks for your reply. Here are the details after redoing the VLAN from scratch.

VLAN setup:

  • VLAN: vlan0.20
  • Parent interface: igc1
  • VLAN tag: 20
  • OPNsense interface: opt4 assigned to vlan0.20
  • IP: 10.10.20.1/24 (static)
  • No DHCP configured, testing only with static IP

VM setup (Proxmox and physical machine):

  • Connected to a NIC with VLAN tag 20
  • IP: 10.10.20.2/24
  • Gateway: 10.10.20.1
  • DNS: 1.1.1.1
  • VLAN-aware bridge enabled (vmbr1) (only for Proxmox VM)

Tests performed:

  • Ping from VM to gateway: fails
  • tcpdump on VM interface: no traffic observed
  • Packet capture on OPNsense VLAN interface: no traffic observed
  • Ping from LAN to VLAN gateway: works

Observations:

  • DHCP is not involved — this is static IP testing.
  • Firewall rules are not a factor — packets do not even reach OPNsense.
  • Routing/NAT is irrelevant at this stage — traffic is blocked before Layer 3.
  • Other VLANs (e.g., VLAN 10, 30, or 40) work normally on the same physical NIC.
  • The issue appears only with new VLANs created after upgrading to OPNsense 26.x.
  • Old VLANs created under 25.x continue to function normally.

The problem occurs at Layer 2, likely with VLAN tagging or interaction between OPNsense 26.x and Proxmox or even a physical machine. Everything worked correctly under OPNsense 25.x. The VM or physical machine cannot send packets through the new VLAN, even with a static IP.

ifconfig -v
igc0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,HWSTATS,MEXTPG>
    ether 00:d0:b4:03:bf:ae
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    drivername: igc0
igc1: flags=1028943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC,LOWER_UP> metric 0 mtu 1500
    description: vlan1_lan (lan)
    options=4902028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,NETMAP,HWSTATS,MEXTPG>
    ether 00:d0:b4:03:bf:af
    inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    drivername: igc1
igc2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,HWSTATS,MEXTPG>
    ether 00:d0:b4:03:bf:b0
    media: Ethernet autoselect
    status: no carrier
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    drivername: igc2
igc3: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: wan2_lte (opt7)
    options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,HWSTATS,MEXTPG>
    ether 00:d0:b4:03:bf:b1
    inet 192.168.10.2 netmask 0xffffff00 broadcast 192.168.10.255
    media: Ethernet autoselect (100baseTX <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    drivername: igc3
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    drivername: lo0
enc0: flags=0 metric 0 mtu 1536
    options=0
    groups: enc
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    drivername: enc0
pfsync0: flags=0 metric 0 mtu 1500
    options=0
    maxupd: 128 defer: off version: 1400
    syncok: 1
    groups: pfsync
    drivername: pfsync0
pflog0: flags=0 metric 0 mtu 33152
    options=0
    groups: pflog
    drivername: pflog0
vlan0.10: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: vlan10_iot (opt3)
    options=4000000<MEXTPG>
    ether 00:d0:b4:03:bf:af
    inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
    groups: vlan
    vlan: 10 vlanproto: 802.1q vlanpcp: 0 parent interface: igc1
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    drivername: vlan0
vlan0.30: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: vlan30_dmz (opt2)
    options=4000000<MEXTPG>
    ether 00:d0:b4:03:bf:af
    inet 172.16.10.1 netmask 0xffffff00 broadcast 172.16.10.255
    groups: vlan
    vlan: 30 vlanproto: 802.1q vlanpcp: 0 parent interface: igc1
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    drivername: vlan2
vlan0.40: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: vlan40_ipc (opt6)
    options=4000000<MEXTPG>
    ether 00:d0:b4:03:bf:af
    inet 10.10.40.1 netmask 0xffffff00 broadcast 10.10.40.255
    groups: vlan
    vlan: 40 vlanproto: 802.1q vlanpcp: 0 parent interface: igc1
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    drivername: vlan3
vlan0.835: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=4000000<MEXTPG>
    ether 00:d0:b4:03:bf:ae
    groups: vlan
    vlan: 835 vlanproto: 802.1q vlanpcp: 0 parent interface: igc0
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    drivername: vlan4
wg0: flags=10080c1<UP,RUNNING,NOARP,MULTICAST,LOWER_UP> metric 0 mtu 1420
    description: vpn_wg (opt5)
    options=80000<LINKSTATE>
    inet 10.10.30.1 netmask 0xffffff00
    groups: wg wireguard
    nd6 options=9<PERFORMNUD,IFDISABLED>
    drivername: wg0
pppoe0: flags=10088d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1492
    description: wan1_ftth (opt1)
    options=0
    inet xx.xx.xx.xx --> zz.zz.zz.zz netmask 0xffffffff
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    drivername: ng0
vlan0.20: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: vlan20_gst (opt4)
    options=4000000<MEXTPG>
    ether 00:d0:b4:03:bf:af
    inet 10.10.20.1 netmask 0xffffff00 broadcast 10.10.20.255
    groups: vlan
    vlan: 20 vlanproto: 802.1q vlanpcp: 0 parent interface: igc1
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    drivername: vlan1


netstat -r
Routing tables

Internet:
Destination        Gateway            Flags         Netif Expire
default            static-zzz-zzz-zz- UGS          pppoe0
one.one.one.one    192.168.10.1       UGHS           igc3
10.10.10.0/24      link#9             U          vlan0.10
10.10.10.1         link#5             UHS             lo0
10.10.20.0/24      link#10            U          vlan0.20
10.10.20.1         link#5             UHS             lo0
10.10.30.0/24      link#15            U               wg0
10.10.30.1         link#5             UHS             lo0
10.10.30.2         link#15            UHS             wg0
10.10.30.3         link#15            UHS             wg0
10.10.30.4         link#15            UHS             wg0
10.10.40.0/24      link#12            U          vlan0.40
10.10.40.1         link#5             UHS             lo0
posta              link#5             UHS             lo0
unfiltered.adguard static-zzz-zzz-zz- UGHS         pppoe0
unfiltered.adguard 192.168.10.1       UGHS           igc3
localhost          link#5             UH              lo0
172.16.10.0/24     link#11            U          vlan0.30
172.16.10.1        link#5             UHS             lo0
192.168.0.0/24     link#2             U              igc1
fw                 link#5             UHS             lo0
192.168.10.0/24    link#4             U              igc3
192.168.10.1       link#4             UHS            igc3
192.168.10.2       link#5             UHS             lo0
static-zzz-zzz-zz- link#14            UH           pppoe0

Internet6:
Destination        Gateway            Flags         Netif Expire
localhost          link#5             UHS             lo0
fe80::%lo0/64      link#5             U               lo0
fe80::1%lo0        link#5             UHS             lo0
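
The "verify all config data pedantically" advice from pfry, applied to the output above: the following script is an added example (not code from the thread or from OPNsense) that parses the text of `ifconfig -v` and `netstat -rn` and checks, for every vlanN.M interface, that the name suffix matches the tag, that the parent exists and is UP with an active link, that the VLAN interface itself is UP and active, has an IPv4 address, and has a connected route pointing at it. The embedded samples are constructed from abranca's posted output, trimmed to the relevant lines, plus a made-up `vlan0.99` on a parent with no carrier so that a finding is visible. Run it on the firewall with two saved files, or without arguments to see the samples; the checker reporting nothing wrong for vlan0.20 is the same conclusion the thread reaches, namely that the configuration is consistent and the fault lies elsewhere.

```python
"""Cross-check VLAN interfaces against the routing table.

Added example, not code from the thread or from OPNsense. It parses the text
of `ifconfig -v` and `netstat -rn` and reports, for each vlanN.M interface,
whether its tag, parent, link state, address and connected route agree. The
samples are constructed from the output posted in the thread, plus a made-up
vlan0.99 on a parent with no carrier to show what a finding looks like.
"""
import re
import sys

IFCONFIG_SAMPLE = """\
igc1: flags=1028943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC,LOWER_UP> metric 0 mtu 1500
    description: vlan1_lan (lan)
    inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
    status: active
igc2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
    status: no carrier
vlan0.10: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: vlan10_iot (opt3)
    inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
    vlan: 10 vlanproto: 802.1q vlanpcp: 0 parent interface: igc1
    status: active
vlan0.20: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: vlan20_gst (opt4)
    inet 10.10.20.1 netmask 0xffffff00 broadcast 10.10.20.255
    vlan: 20 vlanproto: 802.1q vlanpcp: 0 parent interface: igc1
    status: active
vlan0.99: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    vlan: 99 vlanproto: 802.1q vlanpcp: 0 parent interface: igc2
    status: no carrier
"""

NETSTAT_SAMPLE = """\
Routing tables

Internet:
Destination        Gateway            Flags         Netif Expire
default            static-zzz-zzz-zz- UGS          pppoe0
10.10.10.0/24      link#9             U          vlan0.10
10.10.10.1         link#5             UHS             lo0
10.10.20.0/24      link#10            U          vlan0.20
192.168.0.0/24     link#2             U              igc1
"""

# Interface header line, e.g. "vlan0.20: flags=1008843<UP,...> metric 0 mtu 1500".
# The <...> part is optional: enc0/pfsync0 print "flags=0" with no list.
HEADER_RE = re.compile(r"^(\S+): flags=\w+(?:<([^>]*)>)?")
VLAN_RE = re.compile(r"vlan: (\d+) .*parent interface: (\S+)")


def parse_ifconfig(text):
    """Map interface name -> flags, first inet address, status, VLAN tag, parent."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"flags": set(m.group(2).split(",")) if m.group(2) else set(),
                   "inet": None, "status": None, "vlan": None, "parent": None}
            ifaces[m.group(1)] = cur
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("inet ") and cur["inet"] is None:
            cur["inet"] = s.split()[1]
        elif s.startswith("status:"):
            cur["status"] = s.split(":", 1)[1].strip()
        elif s.startswith("vlan:"):
            vm = VLAN_RE.match(s)
            if vm:
                cur["vlan"], cur["parent"] = int(vm.group(1)), vm.group(2)
    return ifaces


def parse_routes(text):
    """Map Netif -> list of connected network destinations (those with a /prefix)."""
    routes = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and "/" in parts[0]:
            routes.setdefault(parts[3], []).append(parts[0])
    return routes


def check_vlans(ifconfig_text, netstat_text):
    """Return {vlan_iface: [problem, ...]}; an empty list means everything agrees."""
    ifaces, routes, findings = parse_ifconfig(ifconfig_text), parse_routes(netstat_text), {}
    for name, i in ifaces.items():
        if i["vlan"] is None:
            continue
        problems = []
        suffix = name.rsplit(".", 1)[-1]  # OPNsense names VLANs vlanN.<tag>
        if suffix.isdigit() and int(suffix) != i["vlan"]:
            problems.append(f"name suffix {suffix} does not match tag {i['vlan']}")
        parent = ifaces.get(i["parent"])
        if parent is None:
            problems.append(f"parent {i['parent']} missing from ifconfig output")
        else:
            if "UP" not in parent["flags"]:
                problems.append(f"parent {i['parent']} is not UP")
            if parent["status"] != "active":
                problems.append(f"parent {i['parent']} status is {parent['status']!r}")
        if "UP" not in i["flags"]:
            problems.append("interface is not UP")
        if i["status"] != "active":
            problems.append(f"status is {i['status']!r}")
        if i["inet"] is None:
            problems.append("no IPv4 address")
        elif name not in routes:
            problems.append("no connected route uses this interface")
        findings[name] = problems
    return findings


if __name__ == "__main__":
    # Usage on the firewall: ifconfig -v > if.txt; netstat -rn > rt.txt; python3 this.py if.txt rt.txt
    if len(sys.argv) == 3:
        ifc, rt = open(sys.argv[1]).read(), open(sys.argv[2]).read()
    else:
        ifc, rt = IFCONFIG_SAMPLE, NETSTAT_SAMPLE
    for name, problems in sorted(check_vlans(ifc, rt).items()):
        print(name, "OK" if not problems else "; ".join(problems))
```

`netstat -rn` is used rather than `netstat -r` so that the Destination column stays numeric; with name resolution on, connected networks still carry their /prefix, but host routes turn into names like `posta` or `fw`, which makes the output harder to compare across reboots.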


Quote from: nero355 on March 27, 2026, 05:40:21 PM
Quote from: abranca on March 27, 2026, 03:42:45 PM
but when I create a new VLAN:
  • Firewall rules are enabled, like the other VLANs that work.
  • Even when setting a fixed IP on clients (VMs or PCs), I cannot ping the firewall and I cannot get an address from DHCP.
  • Packet capture on the VLAN interface does not show any traffic, not even pings from LAN to VLAN.
Maybe post your Firewall Rules then?

Or simply compare them to one of the LAN/VLANs that work?

Quote
I've verified:

  • Omada APs and an unmanaged switch are configured correctly, tags are passing.
I am not a big fan of this: What happens when you test without the Unmanaged Switch?


Hi, thanks for the help!
I've already created a "pass any" rule on the vlan20_gst interface just for testing, so there are currently no filters that could block traffic. The rule is:

Interface: vlan20_gst
Type: IPv4
Source: *
Destination: *
Gateway: Failover_GW
Description: Pass any rule

It allows all traffic to any destination via the failover gateway, so it shouldn't be causing the issue.

At the moment, this VLAN isn't used on Omada — due to the problems, I've kept the setup at the bare minimum. I'm using an unmanaged switch between OPNsense and the VM/AP, which I know isn't ideal, but all other existing VLANs (10, 30, 40) work normally. The problem only appears on newly created VLANs after updating to OPNsense 26.x.

Even with a static IP on a VM or a physical machine, I cannot ping the gateway of the new VLAN, and packet captures on the interface show no traffic at all.

In short, this looks like a Layer 2 issue that doesn't seem to depend on firewall rules or DHCP.
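
When the capture on the VLAN interface is empty, the next place to look is the parent interface, where frames still carry their 802.1Q tags (on the setup above: `tcpdump -e -n -i igc1 vlan 20`). The following is an added example, not code from the thread or from OPNsense: it builds a constructed tagged ARP request, which is the first frame a client with a static address sends when it pings 10.10.20.1, and decodes the tag stack of any Ethernet frame so that the VID actually on the wire can be compared with the one configured. It also handles untagged and double-tagged (802.1ad outer tag) frames, which is how a missing or extra tag from a switch or a VLAN-aware bridge would show up. The MAC addresses are made up.

```python
"""Decode the 802.1Q tag stack of a raw Ethernet frame.

Added example, not from the thread or from OPNsense. Builds a constructed
tagged ARP request and parses the tags so the VID on the wire can be checked.
MAC addresses are made up (locally administered).
"""
import struct

TPID_8021Q = 0x8100   # customer tag
TPID_8021AD = 0x88A8  # service tag (outer tag when stacked)
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def fmt_ip(raw):
    return ".".join(str(b) for b in raw)


def build_arp_request(sender_mac, sender_ip, target_ip):
    """ARP 'who-has target_ip tell sender_ip' (htype 1, ptype IPv4, hlen 6, plen 4, oper 1)."""
    return (struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1)
            + mac_bytes(sender_mac) + ip_bytes(sender_ip)
            + bytes(6) + ip_bytes(target_ip))


def build_frame(dst_mac, src_mac, vids, ethertype, payload):
    """Ethernet frame with zero or more tags; the outer tag is 802.1ad when stacked."""
    frame = mac_bytes(dst_mac) + mac_bytes(src_mac)
    for i, vid in enumerate(vids):
        tpid = TPID_8021AD if (i == 0 and len(vids) > 1) else TPID_8021Q
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)  # TCI with PCP=0, DEI=0
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return dst, src, the VID stack (outer first), the inner ethertype and ARP addresses."""
    if len(frame) < 14:
        raise ValueError("truncated frame")
    info = {"dst": fmt_mac(frame[0:6]), "src": fmt_mac(frame[6:12]), "vids": []}
    off = 12
    while off + 4 <= len(frame):
        (tpid,) = struct.unpack_from("!H", frame, off)
        if tpid not in (TPID_8021Q, TPID_8021AD):
            break
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        info["vids"].append(tci & 0x0FFF)  # VID is the low 12 bits of the TCI
        off += 4
    if off + 2 > len(frame):
        raise ValueError("truncated frame")
    (info["ethertype"],) = struct.unpack_from("!H", frame, off)
    payload = frame[off + 2:]
    if info["ethertype"] == ETHERTYPE_ARP and len(payload) >= 28:
        info["arp_sender_ip"] = fmt_ip(payload[14:18])  # SPA at offset 14
        info["arp_target_ip"] = fmt_ip(payload[24:28])  # TPA at offset 24
    return info


if __name__ == "__main__":
    client = "02:00:00:00:00:02"  # made-up client MAC
    arp = build_arp_request(client, "10.10.20.2", "10.10.20.1")
    frame = build_frame("ff:ff:ff:ff:ff:ff", client, [20], ETHERTYPE_ARP, arp)
    print(parse_frame(frame))
```

If a capture on the parent shows this request arriving with `vids == [20]` while the VLAN interface still sees nothing, the tag is fine and the problem is on the firewall side of the VLAN demux; if the VID list is empty or carries a different number, the switch or bridge is stripping or rewriting the tag.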

Quote from: abranca on March 28, 2026, 09:06:27 AM
[...] Parent interface: igc1 [...]

igc1: flags=1028943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC,LOWER_UP> metric 0 mtu 1500
    description: vlan1_lan (lan)
[...]
    inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
[...]

I do not configure the main interface that I use for VLANs, as it doesn't fly at all when using bridges. I can't say if it's your issue, though - too many differences in our setups.

Hi everyone,

I'd like to summarize my recent experience with VLANs on OPNsense, hoping it might help others.

Scenario:

  • I have several VLANs configured: some older (created on 25.x) and some new (created on 26.x).
  • The older VLANs work perfectly.
  • The new VLANs did not pass any traffic, even with a static IP. I did not use DHCP for testing.
  • Firewall rules and routing seem irrelevant: packets didn't reach the OPNsense interface at all.
  • Packet captures on the VLAN interface and client NICs showed no traffic, even though pings from LAN to the VLAN gateway responded.
  • Tested on both a Proxmox VM and a physical machine.

Actions taken:

  • Migrated DHCP from ICS to dnsmasq (already working for about 20 days).
  • Transferred firewall rules from the old format to the new one (a few days ago).
  • Upgraded OPNsense from 26.1.4 to 26.1.5.
  • After each migration and upgrade, I always rebooted, but the new VLANs still didn't work.
  • Created a new VLAN: completely non-functional.
  • Tried restoring a previous backup (26.1.3): VLAN still not working.
  • Restored the latest backup (26.1.5) and rebooted OPNsense: the new VLANs started working.

Observations:

  • The issue affects only new VLANs created after the 26.x upgrade.
  • Older VLANs continue to work normally on the same NIC.
  • No clear logical explanation: it could be some internal state or cache that gets cleared by a full reboot.
  • The setup uses unmanaged switches; VLANs are handled by OPNsense/Proxmox/Omada controller.
  • The fact that previous reboots didn't solve the issue suggests some anomalous internal condition in OPNsense was interfering with the new VLANs.

If you encounter new VLANs not passing traffic, try doing a full reboot of OPNsense after restoring the latest working configuration.
No changes to firewall rules or switches were necessary.