New to VLANs, help testing a setup

I am trying to understand VLANs and have an OpnSense VM set up on another machine where I am playing with VLANs - the goal is to eventually move to that being my primary router and use the Omnia as a switch. I want to test 2 different things and could use some help or an example of how to set up the switch settings on the Omnia to try them.

My current setup is that I have the Omnia as my network router, with the radios disabled, and I have 2 separate APs on LAN ports 1 and 4. The APs are VLAN capable, but none are set up currently. On LAN 0 I have a Proxmox VE host with the OpnSense VM running. The host has one built-in NIC and I added a 4-port NIC as well for future use, but currently it just gets to the network via enp3s0. There are also 3 bridges created - vmbr0 is the bridge connecting all the VMs and the port, and the OpnSense VM has its WAN port on this bridge. The OpnSense VM also has a LAN port on a bridge, vmbr2, which is just internal and connected to another VM for testing and accessing the Web UI. vmbr2 is VLAN aware and the LAN port in OpnSense has 3 VLANs defined: 10, 50, and 100, which I want to use to isolate different network devices based on the type of access they’ll need. Sorry for all the details, but I’d rather provide too much info than not enough.

What I want to try is to begin testing putting some devices on these VLANs via different SSIDs. I know the PVE part is out of scope of this forum but does it make sense to get all 3 of those VLANs to go back “out” through the main vmbr0 / enp3s0 interface to the Omnia?

Then what I want to test is possibly creating a few APs on the Omnia that are attached to each VLAN that’s coming from the OpnSense VM - I found this topic which is similar, “How configure 3rd Wifi-SSID for incoming external VLAN?”, but I’m not exactly sure about the switch port matrix and tagged/untagged ports. Is it correct that I would be creating 3 more interfaces, where each would have a wifi interface and a port like eth0.10 or eth0.100 attached?

I would also like to test just passing all these VLANs on to the 2 APs and see if I can configure the extra SSIDs through them. I’m not sure what that switch configuration looks like as I want to continue using them as-is with the Omnia currently providing the routing to them, but also make 3 more VLANs appear on them so I can test connecting various devices to them as I want.

Eventually, I’ll connect my WAN into the OpnSense VM router through a port on the 4-port card and use another port as LAN which will go into the Omnia, which will serve as only a switch at that point, but I want to be able to figure out how different devices will behave being isolated, etc. by running both at the same time for now.

I hope that’s not too convoluted and thanks in advance for any advice or config examples!


I didn’t exactly get all your issues entirely, though I’ll try to help with one question.

If you want to assign several VLANs to the eth-ports, this is possible of course. You may also mix untagged and tagged VLANs at the eth ports. A comfortable way to configure the basic VLAN configuration is in LuCI via menu ‘Network’ → ‘Switch’.
An Omnia ‘switch’ configuration with mixed untagged / tagged VLANs may look like this (example):

Port 6 is incoming “WAN” port (VLAN-2 untagged)
Port 4 is bridged to port 6 (VLAN-2 untagged)
Port 0-2 are outgoing LAN ports with VLAN-1 untagged
Port 3 is connected to another VLAN switch and port 3 contains VLAN-1 untagged (outgoing) / VLAN-10 tagged (outgoing) / VLAN-3 tagged (incoming from other router’s guest-LAN), VLAN-3 incoming is used only to provide an external guest-VLAN with the Omnia’s Wifi-device (extra SSID).


OK - I am going to start with something simpler and I’ve been reading many posts about how to set this up and I’m still confused by the way eth0 and eth2 connect to ports LAN0-3 and LAN4, and if I need to configure my VLAN in the switch UI or the interface UI.

Let’s say I currently have no VLANs defined, but have 2 APs that can set different VLANs for each SSID, and they are connected to ports LAN0 and LAN1. I also have a VM host at LAN4. I want to create a new SSID, on VLAN 5, but I don’t want to affect how everything else works without any VLANs. I want this new SSID to be able to access a VM on my host, so I need VLAN 5 to exist on ports LAN0, LAN1, and LAN4, but also to be able to set up rules to allow access to the regular existing LAN for, say, DNS. What do I need to do? Can this be done through the UI or do I need to edit /etc/config/network?

It looks like the documentation says I need to change the ‘lan’ interface config to remove eth0 and replace it with eth0.1 first of all. Then would I add a switch_vlan section for VLAN 5 as tagged on ports 0, 1, and 4? But also, do I need to tag both CPU ports 5 and 6 or just 5? Or do I just define it as a bridge interface and imply it through eth0.5 ifnames? Would this also leave my regular lan traffic untagged on all ports?

Just wanted to come back and answer this in case anyone finds it in the future. I got my original idea working with passing the VLAN back through from my OpnSense VM to the Omnia and on to the APs. (I failed to mention earlier that I’m on Omnia v3.x; I didn’t realize there have been changes since then.) It helped to draw everything out on paper!

I just stuck with VLAN1 for “regular” traffic currently on br-lan and tagged that on to the PVE host and both APs, and also tagged CPU port 5 so I could specify eth0.1 in the br-lan interface instead of eth0. Then I added a tagged VLAN5 on the APs and PVE host as well. I added an interface for it too, but I’m not sure if that’s even needed if the Omnia isn’t handling the routing - but at least that let me tcpdump on the interface during some troubleshooting of DHCP coming from the APs.

My switch matrix looks like this:

and my new interface was set up as “unmanaged” on eth0.5.

In Proxmox, I set up an OVSwitch with a port connected to the physical port connecting to the Omnia, and an OVSIntPort for an internal port for the management IP. Each VM connects to that switch with the VLAN tag specified on the VM’s network interface. The OpnSense VM has 2: one tagged VLAN1 which is its WAN port and one tagged VLAN5 which is its LAN port. I suppose I could have just used one trunk interface and let OpnSense handle the tagging, but I read somewhere else that it’s more efficient to let the host tag the interfaces.

I think I’ll eventually end up adding more VLANs and stop tagging VLAN1 since some switches use it internally, so I’ll move my “full access” VLAN to some other number or use that as management VLAN.
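An added example, not code from this thread, Turris or OpenWrt, that parses the kind of /etc/config/network switch_vlan sections discussed above (the mixed tagged/untagged matrix in the earlier reply and the working VLAN 1 / VLAN 5 layout in this last post), renders the LuCI-style port matrix, and checks the two things this thread tripped over: a port left untagged in more than one VLAN, and an interface on ethX.N whose VLAN N is not tagged on that device's CPU port (the "port 5 or port 6?" question). The embedded config is constructed. It assumes the Omnia TOS 3.x numbering the thread uses (switch ports 0-4 are LAN0-LAN4, port 5 is the CPU port behind eth0, port 6 the CPU port behind eth2) and a made-up 192.168.1.1/24 LAN address; the switch_vlan/interface option names are the standard OpenWrt swconfig ones.

```python
"""Parse OpenWrt/Turris UCI switch_vlan sections, render the port matrix and
sanity-check it. Added example; not code from the thread, Turris or OpenWrt."""
import re

# Assumption (Turris Omnia, TOS 3.x, as discussed in the thread): switch ports
# 0-4 are LAN0-LAN4, port 5 is the CPU port behind eth0, port 6 the one behind eth2.
PORT_NAMES = {0: "LAN0", 1: "LAN1", 2: "LAN2", 3: "LAN3", 4: "LAN4", 5: "eth0", 6: "eth2"}
CPU_PORTS = {"eth0": 5, "eth2": 6}
CELL = {"tagged": "tag", "untagged": "untag", None: "off"}

# Constructed /etc/config/network fragment mirroring the working layout above:
# VLAN 1 ("regular" traffic) tagged to both APs (LAN0, LAN1), the PVE host (LAN4)
# and CPU port 5, left untagged on LAN2/LAN3 for plain devices; VLAN 5 (the new
# SSID) tagged to the same ports; br-lan moved from eth0 to eth0.1; eth0.5 unmanaged.
SAMPLE_CONFIG = """
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 1t 2 3 4t 5t'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option ports '0t 1t 4t 5t'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'vlan5'
	option ifname 'eth0.5'
	option proto 'none'
"""

# Same config with the mistake the thread asks about: VLAN 1 tagged on CPU port 6
# (eth2) while br-lan expects it on eth0.1, i.e. CPU port 5.
BROKEN_CONFIG = SAMPLE_CONFIG.replace("'0t 1t 2 3 4t 5t'", "'0t 1t 2 3 4t 6t'")


def parse_uci(text):
    """Minimal UCI reader: one dict per 'config' section ('_type', '_name', options)."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"config\s+(\S+)(?:\s+'([^']*)')?$", line)
        if m:
            sections.append({"_type": m.group(1), "_name": m.group(2) or ""})
            continue
        m = re.match(r"option\s+(\S+)\s+'(.*)'$", line)
        if m and sections:
            sections[-1][m.group(1)] = m.group(2)
    return sections


def port_matrix(sections):
    """{vlan_id: {port: 'tagged' | 'untagged'}} from the switch_vlan sections.
    A trailing 't' in 'ports' means tagged; no suffix means untagged (the port's PVID)."""
    matrix = {}
    for s in sections:
        if s["_type"] == "switch_vlan":
            members = {}
            for tok in s["ports"].split():
                members[int(tok.rstrip("t"))] = "tagged" if tok.endswith("t") else "untagged"
            matrix[int(s["vlan"])] = members
    return matrix


def render_matrix(matrix):
    """LuCI-style table: one row per VLAN, one column per switch port."""
    ports = sorted(PORT_NAMES)
    lines = ["VLAN  " + "  ".join(f"{PORT_NAMES[p]:>5}" for p in ports)]
    for vid in sorted(matrix):
        lines.append(f"{vid:<4}  " + "  ".join(f"{CELL[matrix[vid].get(p)]:>5}" for p in ports))
    return "\n".join(lines)


def check_config(sections):
    """Return a list of problems; an empty list means the layout is consistent."""
    matrix = port_matrix(sections)
    problems = []
    # 1. A port may be an untagged member of one VLAN only: a frame arriving
    #    without a tag can be assigned to a single VLAN on ingress.
    untagged = {}
    for vid, members in matrix.items():
        for port, mode in members.items():
            if mode == "untagged":
                untagged.setdefault(port, []).append(vid)
    for port, vids in sorted(untagged.items()):
        if len(vids) > 1:
            problems.append(f"port {port} ({PORT_NAMES[port]}) is untagged in VLANs {vids}")
    # 2. An interface on ethX.N only sees traffic if VLAN N is tagged on ethX's CPU port.
    for s in sections:
        if s["_type"] != "interface":
            continue
        for ifname in s.get("ifname", "").split():
            m = re.fullmatch(r"(eth\d+)\.(\d+)", ifname)
            if not m or m.group(1) not in CPU_PORTS:
                continue
            cpu, vid = CPU_PORTS[m.group(1)], int(m.group(2))
            if matrix.get(vid, {}).get(cpu) != "tagged":
                problems.append(f"interface '{s['_name']}' uses {ifname} but VLAN {vid} "
                                f"is not tagged on CPU port {cpu} ({m.group(1)})")
    return problems


if __name__ == "__main__":
    for label, cfg in (("working", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        sections = parse_uci(cfg)
        print(f"--- {label} ---")
        print(render_matrix(port_matrix(sections)))
        for p in check_config(sections):
            print("PROBLEM:", p)
```

Run it as-is and the "working" layout renders a matrix where LAN2 and LAN3 show `untag` for VLAN 1 (plain devices there keep working untagged) while the APs, the PVE host and eth0 show `tag` for both VLANs; the "broken" variant reports that 'lan' uses eth0.1 but VLAN 1 is not tagged on CPU port 5. Pointing the script at a real `/etc/config/network` before `uci commit` is the cheap check for a locked-out router.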