VLAN - DHCP/Gateway Issue - Assign Hardwired Devices to specified VLAN

Started by Mark_the_Red, June 19, 2026, 04:45:01 PM

Need some help.  I exhaustedly tried Claude and ChatGPT to solve this, but I can't seem to figure it out.  I cannot assign a physically ethernet connected device to the VLAN under any circumstances.  VLAN interface is working great.

Topography is as follows

OPNSENSE router -> Switch with POE+ -> Unifi U6E Access point -> no problem assigning devices to VLAN (IoT) via wifi (works chef's kiss perfectly)
                                    |
                                    -> LAN connected devices -> will not under any circumstance assign to VLAN (IoT) PROBLEM

I followed this helpful guide to get the Unifi set up (NAT, VLAN Interface, etc.).  I confirmed the Unifi device is 100% NOT doing anything with DHCP (even warns me in the controller software it's doing nothing) and OPNsense is, and it's working perfectly. The switch is passing VLAN tags along perfectly as it works for the AP so it's not a switch issue:
https://www.youtube.com/watch?v=CmC_AuoAmvs

All the DHCP VLAN ranges are set up correctly, because the access point is assigning them in that range.

Is there a "MAKE THIS god dam @#$@!#%@# device / MAC address move to this VLAN!!!"  hidden setting somewhere in the DHCP menu?  DHCP lease time has no effect.  I tried assigning static IP addresses (Host) to the devices on the VLAN DHCP range and it never works.  It makes an entry but the device NEVER moves over.  I even disabled the LAN network it is currently assigning these devices to incorrectly, and the devices would rather get NO connection than go to the VLAN one.  I know it's a DHCP issue but I looked at every menu setting and nothing seems to be applicable to this.  Do I need to create a distinct Gateway for physically connected devices?

I am certain I am missing something obvious.  Anyway, appreciate the help.

 

You need to assign the switch port the device is connected to to the particular VLAN for this device. The end devices are oblivious of VLANs, this is all managed by the network infrastructure.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Mark_the_Red on June 19, 2026, 04:45:01 PM
[...]Is there a "MAKE THIS god dam @#$@!#%@# device / MAC address move to this VLAN!!!"  hidden setting somewhere in the DHCP menu?[...]

Just to clarify, where are you looking to have the VLAN tag assigned, and by what mechanism? I'd generally expect that to be via a managed Ethernet switch, either by port or by MAC (or possibly other differentiators depending on your hardware, but I stick to "port").

Thanks for the response.  OPNsense is assigning the VLAN tag to the devices.  The Unifi access point is just passing it along per the AP, but to be honest I am not exactly sure how the access point is doing it.  It specifically says in the unifi interface that the VLAN tagging is being done by the router. 

If ONLY the switch can assign the device to a VLAN, then I guess I have my answer.  I just thought since the unifi access point is making OPNsense do this, there would be a way in OPNsense to say this IP address or MAC address should always be on the VLAN subnet at this IP address.




Quote from: Mark_the_Red on Today at 05:09:07 AM
If ONLY the switch can assign the device to a VLAN, then I guess I have my answer.  I just thought since the unifi access point is making OPNsense do this, there would be a way in OPNsense to say this IP address or MAC address should always be on the VLAN subnet at this IP address.

The AP is a switch in that regard. And the AP "assigns" the VLANs via different SSIDs, not OPNsense. And yes, only a managed VLAN capable switch can do that for wired devices.

Quote from: Mark_the_Red on Today at 05:09:07 AM
OPNsense is assigning the VLAN tag to the devices.

No, it's not (assuming by "device" you mean things like PCs, phones, etc.)

VLAN is a way to take a single physical LAN and logically divide it into multiple virtual LANs. "devices" are usually connected to the LAN via either an ethernet switch or a wifi access point. The devices themselves are not "assigned to" a VLAN, but the switch port or the wifi network to which they are connected is. Using VLANs in this way requires a "managed" switch - i.e. one with some sort of management interface which you can use to configure things like VLAN associations for each port.

Say you plug a PC into a switch port configured for VLAN 100. When the switch receives ethernet frames from the PC on that port, it will tag them with VLAN 100 before forwarding them on. This includes things like DHCP requests. When OPNsense receives ethernet frames tagged with VLAN ID 100, it processes them with its VLAN interface with that ID. The DHCP service would then respond accordingly for that interface (e.g. offering a lease for an IP address on the associated subnet). The DHCP response would be sent back through the same VLAN interface, and would be tagged with VLAN ID 100 and sent back to the switch. The switch would strip the tag and forward it on to the PC.

In the case of a wifi device, it would connect to a specific "wifi network" (by SSID). The access point would be configured with associations between wifi networks (SSIDs) and VLAN IDs. When it receives frames for a given wifi network, it will tag them with the corresponding VLAN ID before forwarding them on, etc.

That's all simplified a bit, but hopefully it helps explain why OPNsense can't "assign a device to a VLAN".
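
The tagging path described in the post above, as an added example that is not part of the original thread: a small Python model of an access port inserting and stripping the 802.1Q tag, and of the router choosing the DHCP scope from that tag alone. The port map, subnets, MAC address and payload are constructed for illustration; only VLAN ID 100 comes from the post.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

# Constructed setup: switch port -> VLAN ID (None = port leaves frames untagged),
# and router interface (keyed by VLAN ID, None = untagged parent LAN) -> DHCP subnet.
ACCESS_PORT_VLAN = {1: None, 2: 100}
ROUTER_SUBNET = {None: "192.168.1.0/24", 100: "192.168.100.0/24"}


def untagged_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Frame as the end device sends it: it carries no VLAN information."""
    return dst + src + struct.pack("!H", ethertype) + payload


def switch_ingress(port: int, frame: bytes) -> bytes:
    """Insert the port's VLAN tag right after the two 6-byte MAC addresses."""
    vid = ACCESS_PORT_VLAN[port]
    if vid is None:
        return frame
    tci = vid & 0x0FFF  # PCP=0, DEI=0, 12-bit VLAN ID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_vlan(frame: bytes):
    """Return (VLAN ID or None, frame with any tag removed)."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None, frame
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]


def router_dhcp_subnet(frame: bytes) -> str:
    """The router selects the interface, and so the DHCP scope, by tag only."""
    return ROUTER_SUBNET[parse_vlan(frame)[0]]


def switch_egress(frame: bytes) -> bytes:
    """Access port towards the device: strip the tag again."""
    return parse_vlan(frame)[1]


if __name__ == "__main__":
    # Constructed sample: broadcast from one MAC, placeholder payload.
    pc = untagged_frame(b"\xff" * 6, bytes.fromhex("020000000001"), 0x0800, b"DHCPDISCOVER")
    for port in ACCESS_PORT_VLAN:
        print(port, router_dhcp_subnet(switch_ingress(port, pc)))
```

The same source MAC lands in a different DHCP scope depending only on which port it is plugged into, so a static mapping on the VLAN interface never sees the request unless the frame arrives tagged.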

Quote from: Mark_the_Red on June 19, 2026, 04:45:01 PM
Switch with POE+
Also UniFi or something else ?!

And how were you planning to assign the correct VLAN :
- Manually configure Tagged/Untagged a.k.a. Native VLAN assigned to the Switchport.
- Perhaps RADIUS Authentication ?!
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)