So, I'm new to OPNsense and networking in general, so I apologize if I'm missing something obvious.

I'm running OPNsense and created my first VLAN on interface ix3 and have that going to a managed QNAP QSW-M2106-4C. On ix3, I have the CIDR as 192.168.185.1/24 and created a VLAN on ix3 with the tag 3 and have that CIDR as 192.168.165.1/24. On the QNAP, I have the router going to one of the 10G ports untagged, and the three other ports are for 10G devices tagged as 2.

They're receiving the IP address within the 192.168.185.1/24 range, which is what I want. On the QNAP managed switch, I then have one of the 2.5g ports tagged as VLAN ID 3, and in OPNsense, I have created the VLAN with the tag 3, assigned it an interface, and set up DHCP. I also created a firewall rule to let anything out of that VLAN (basically the same default rule for LANs).

So, from the managed QNAP, I have it going to an unmanaged TP-Link TL-SG108-M2 2.5g switch with it tagged as VLAN 3. However, when I connect my Windows machine to the switch, it still grabs an address from the 192.168.185.1/24 range, not in the 192.168.165.1/24 range as I thought it would.

I'm new to managed switches and VLANs, so I was curious if I was doing something wrong or if VLAN IDs don't get passed through unmanaged switches (which would really suck).

Do all my switches need to be managed if I want to separate my network using VLANs? Am I doing something wrong in OPNsense?

Any help would be greatly appreciated!

(By the way, I followed the instructions on how to set up a VLAN in OPNsense from https://homenetworkguy.com/how-to/configure-vlans-opnsense/)

Addendum: QNAP Port Management: https://postimg.cc/ZBjS4Y9N

QNAP VLAN Setup (trying to get VLAN 3 to work): https://postimg.cc/PvxkxGZR

Port 7 is coming from the router with 192.168.185.1/24 and is sharing that on VLAN 2. On VLAN 3, I have in OPNsense that VLAN 3 comes in on that interface but with the IP CIDR 192.168.165.1/24, but my Windows machine doesn't pull a valid IP (something random like 169.254..)

  • To make matters more interesting, I added a static DHCP lease on the VLAN and in OPNsense it shows the machine with the IP 192.168.165.25 (what I created) but in Windows the IP address it shows is 192.168.185.27, which isn't in the list of DHCP leases in OPNsense.
    – AJ Tatum, Commented May 25, 2023 at 21:07
  • Don't add further information in a comment, add it to the question :p also, that guide is 5 years old, couldn't you find a newer guide?
    – Commented May 25, 2023 at 23:07
  • have a read of this answer
    – Commented May 25, 2023 at 23:13
  • Unmanaged switches aside, it feels like you're confusing what "tagged/untagged" means in context of ports and VLANs. Can you show the full VLAN settings on your switch, for all of the ports involved?
    – Commented May 26, 2023 at 13:40
  • That doesn't quite seem to match the description... Which ports have which devices? I'm guessing the Windows PC is on port 1, but what's on ports 7, 8, and LAG 1 (I assume that's 9+10 aggregated)?
    – Commented May 26, 2023 at 15:57

1 Answer

On the QNAP, I have the router going to one of the 10G ports untagged, and the three other ports are for 10G devices tagged as 2.

It sounds like you're assuming that an "untagged" port can carry all VLANs combined while a "tagged" port belongs to one specific VLAN. That's not how it works – it's almost the exact opposite of how it works.

The "tags" are not something that is assigned to whole ports; rather, they're inserted into the individual Ethernet packets (frames) that leave the switch. (This is exactly how VLAN IDs are carried through unmanaged switches.)

So the first thing to take away is that "tagged/untagged" is an additional setting on top of the port's VLAN membership.

(Notice that you have three options in the VLAN screen – "tagged", "untagged", and "nothing". That's because both "tagged" and "untagged" make the port a member of that VLAN, only in slightly different ways.)

That is, a port that belongs to just one VLAN (such as a computer) should be "untagged" for that specific VLAN – meaning it's still a member of that VLAN but outputs frames without any tag inserted, and similarly expects to receive ordinary frames without a tag.

Meanwhile a port that needs to belong to multiple VLANs – e.g. port 7 that's facing your VLAN-capable OPNsense router – may be "untagged" for one specific VLAN (not just "untagged" in general!) but needs to be "tagged" for all others. This results in the port generating (and expecting) the frames to carry VLAN ID tags.

I'm new to managed switches and VLANs, so I was curious if I was doing something wrong or if VLAN IDs don't get passed through unmanaged switches (which would really suck).

They do pass through unmanaged switches, though such a switch cannot do any useful filtering on them.

In fact, "tagging" in your VLAN configuration refers specifically to the mechanism by which the VLAN IDs are passed – the 802.1Q VLAN tags that are inserted to each Ethernet frame.

However, the problem is that something needs to understand (and generate) those tags on the other end as well, and a typical Windows PC does not¹. Any DHCP Request packets coming from your PC will be untagged, and the PC will not (usually²) accept tagged responses coming back.

(This is why OPNsense isn't seeing the DHCP requests on VLAN 3 like you were expecting – the PC's port has VLAN 3 tagged, but the PC isn't adding any VLAN tags, so the DHCP requests instead belong to whichever untagged VLAN the port has.)

This means that the PC needs to be connected to a port that has only one 'untagged' VLAN and no 'tagged' VLANs – and with an unmanaged switch you can't do that on a port-by-port basis. The best you can do is to put the entire unmanaged switch in an 'untagged' VLAN, all the way back on the QNAP.

¹ (Well, you actually might be able to configure a VLAN tag in the NIC's Device Manager "Properties" window, but that needs to be done manually.)

² (Windows 7+ has a weird relationship with VLAN-tagged frames; it relies on the NIC drivers to perform filtering, so with a typical Intel NIC – whose drivers do process tags, but don't actually filter tagged frames for some reason! – it will accept tagged frames as if they were untagged. That is another reason to avoid putting multiple VLANs on an unmanaged switch.)

from OPNsense router goes to QNAP port 7. From there, port 8 goes to a 10g/multi-gig unmanaged switch and ports 9 & 10 are a LAG to a Synology NAS. They're all running correctly on the 192.168.185.1/24 network. Port 1 is my first attempt at creating and utilizing a VLAN with that going to an unmanaged 2.5g switch. The only thing plugged into that switch right now is my Windows PC. This may

From this description, your QNAP configuration should look like this:

VLAN     Port 1 (PC)   Port 7 (OPNsense)   Port 8 (Unm. switch)   LAG 1 (NAS)
VLAN 1   -             Untagged            -                      Untagged
VLAN 2   -             Tagged              -                      -
VLAN 3   Untagged      Tagged              Untagged               -

For port 8 (unmanaged switch), it strongly depends on what devices will be connected to it. Normally, unmanaged switches are assigned to one untagged VLAN and that's it.

If all devices on the switch can do their own VLAN tagging, then the switch can have a bunch of tagged VLANs on it (assuming you also trust the devices, as they're now in control of which VLANs they're in). For example, Linux/BSD systems, or Hyper-V/ESXi hosts, or multi-SSID access points (e.g. UniFi), can handle their own tagging just fine.

However, any devices on this switch that don't understand VLAN tags will have to share the same "untagged" VLAN (of your choice).
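Added example, not code from the answer or from any of the products it mentions: a small Python model of the per-port tagged/untagged rules the answer describes, run over a constructed untagged DHCP Discover frame, to show where that frame ends up in the asker's setup versus the table above. It assumes the asker's port 1 is still untagged on the default VLAN 1 alongside its tagged VLAN 3, that port 7 is configured as in the table, and the port names, MAC address and frame contents are made up for the example.

```python
# Added example, not part of the answer: toy model of per-port 802.1Q handling,
# showing why an untagged DHCP request lands on the ingress port's untagged VLAN.
from __future__ import annotations
from dataclasses import dataclass, field

TPID = 0x8100  # 802.1Q tag protocol identifier (bytes 12-13 of a tagged frame)

@dataclass
class Port:
    untagged: int | None              # the single VLAN sent/received without a tag
    tagged: set[int] = field(default_factory=set)

def parse_frame(frame: bytes):
    """Return (vid or None, untagged payload) for a raw Ethernet frame."""
    if int.from_bytes(frame[12:14], "big") == TPID:
        vid = int.from_bytes(frame[14:16], "big") & 0x0FFF   # VID = low 12 bits of TCI
        return vid, frame[:12] + frame[16:]
    return None, frame

def build_frame(vid: int | None, payload: bytes) -> bytes:
    if vid is None:
        return payload
    return payload[:12] + TPID.to_bytes(2, "big") + vid.to_bytes(2, "big") + payload[12:]

def forward(ports: dict[str, Port], ingress: str, frame: bytes) -> dict[str, bytes]:
    """Classify a frame on its ingress port; return {egress port: frame as transmitted}."""
    vid, payload = parse_frame(frame)
    inp = ports[ingress]
    if vid is None:                   # untagged frame -> the port's untagged VLAN
        vid = inp.untagged
    elif vid not in inp.tagged:       # tagged for a VLAN this port isn't tagged on
        vid = None
    if vid is None:
        return {}                     # dropped
    out = {}
    for name, p in ports.items():
        if name != ingress and p.untagged == vid:
            out[name] = build_frame(None, payload)     # member: strip tag
        elif name != ingress and vid in p.tagged:
            out[name] = build_frame(vid, payload)      # member: keep/insert tag
    return out

# Constructed sample: broadcast DHCP Discover from the PC, sent untagged as Windows does
PC_MAC = bytes.fromhex("020000000001")
DISCOVER = b"\xff" * 6 + PC_MAC + b"\x08\x00" + b"<dhcp discover>"

def vlan_seen_on_port7(ports: dict[str, Port]) -> int | None:
    return parse_frame(forward(ports, "port1", DISCOVER)["port7"])[0]  # None = untagged on ix3

# Assumed asker's setup: port 1 tagged for VLAN 3 but still untagged on the default VLAN 1
ASKER = {"port1": Port(untagged=1, tagged={3}), "port7": Port(untagged=1, tagged={2, 3})}
# Answer's table: port 1 untagged on VLAN 3 only
FIXED = {"port1": Port(untagged=3), "port7": Port(untagged=1, tagged={2, 3})}
```

With the asker's port settings the Discover reaches port 7 untagged, i.e. on ix3's 192.168.185.0/24 network; with the table's settings it reaches port 7 carrying tag 3 and is seen by the VLAN 3 interface.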
