proxmox and opnsense create a LAG with Linux bond

pr777 (New Member), Jan 5, 2025
Hi

I'm trying to create a virtual connection to trunk VLANs using only one physical port in Proxmox for all my VLANs that go into my UniFi switch.

In Proxmox
1. I create a bond with LACP, which works with my UniFi switch
2. I create a management VLAN which is a Linux bridge vmbr2 (VLAN aware, bridge port bond0)
3. I create all the VLANs vmbr2.xx
[attachment: bond.png]
[attachment: linux bridge.png]
In opnsense

I create all the VLANs with parent interface vtnet2,
assign all the VLAN interfaces and enable them, create the networks in Services > DHCPv4 and firewall rules for each individual VLAN so they can reach the internet,
and leave vtnet2 unassigned.

[attachment: opnsense.png]
On my UniFi switch
I create all the mirror VLANs.

Do I also need to create a LAG connection to my OPNsense for this to work?
At the moment this setup doesn't work: I have no connection between VLANs and no internet.

What have I missed in the configuration?
Hi,

how come you want to use a LACP bond with only a single physical port? This doesn't make sense. Bonds are meant for combining multiple physical interfaces to gain redundancy and/or throughput.
In the configuration leave out the bond in the first place.
Just create the Linux VLAN interfaces for all the VLANs you need; in the field Name use enp4s0.<vlanid>,
e.g. like this:

[attachment: vlan.jpg]

All the configured VLANs will be sent through your physical port enp4s0.
For configuration of opnsense and the unify device I have no expertise.

Thanks FBA for the reply.

I only want to pass all my VLANs with 1 ethernet cable to my UniFi switch and manage everything from there.
Reading other tutorials, you need a LAG to do so; 1 ethernet cable can carry only 1 VLAN, but maybe I'm wrong.
I'm removing the bond and creating 1 VLAN bridge with all the VLANs and subnets.
I have tried this before but I had no internet in each VLAN. Maybe it is something to do with OPNsense??
 
As you have only a single physical port, a LAG seems wrong to me. It is meant for link aggregation. For passing multiple VLANs between switches, trunk ports are used. This spares individual configuration of allowed VLAN ids and is used between switches only.
I don't know how it is done with Ubiquiti UniFi switches. Usually you can configure a switch to work with multiple tagged VLANs on a single port, either by specifying individual VLAN ids or by providing a range of VLAN ids. The switch port must also be configured to accept tagged traffic.

Is the OPNsense a VM on the Proxmox node or is it running on separate hardware? If it is a VM, would you like to share the VM configuration by screenshot or output of the command qm config <vmid> in the Proxmox node shell?
That is my config file; I have masked the MAC addresses with x.

root@pve-main:~# qm config 100
agent: 1
bios: ovmf
boot: order=scsi0;ide2;net0
cores: 4
cpu: x86-64-v2-AES,flags=+aes
efidisk0: APP-STORAGE:vm-100-disk-0,efitype=4m,pre-enrolled-keys=1,size=1M
ide2: none,media=cdrom
machine: q35
memory: 8192
meta: creation-qemu=9.0.2,ctime=1737713033
name: OPNSENSE
net0: virtio=xx:xx:xx:xx:xx:xx,bridge=vmbr0,queues=4
net1: virtio=xx:xx:xx:xx:xx:xx,bridge=vmbr1
net2: virtio=xx:xx:xx:xx:xx:xx,bridge=vmbr2
net3: virtio=xx:xx:xx:xx:xx:xx,bridge=vmbr3
numa: 0
onboot: 1
ostype: l26
scsi0: APP-STORAGE:vm-100-disk-1,iothread=1,size=40G
scsihw: virtio-scsi-single
smbios1: uuid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
sockets: 1
startup: order=1
vmgenid: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
 
The OPNsense VM needs an IP address in every single VLAN if it shall do the routing for the attached networks.
This requires assigning a network interface to the VM for every single VLAN you want it to handle.
IMHO this is the easiest way to configure it, because it spares the configuration of VLANs in OPNsense. With a certain number of VLANs this will nevertheless get cumbersome.
Hi,
I did so.
I created for every VLAN in OPNsense an interface from the menu Interfaces > Assignments, and an IP from the menu DHCPv4 (including the IP range for DHCP, DNS server and gateway).
Then for each VLAN I created a firewall rule for accessing the internet.
I also assigned the IP CIDR for every VLAN in Proxmox. Is this correct, or do I need to specify the IP and range only from OPNsense?
[attachment: vlan cid.png]


Also, in OPNsense do I need to include vmbr2 as an interface, or can it stay unassigned?
The bridge doesn't need an IP assigned.
If you assign vmbr2 directly, you would need to create the VLAN interfaces inside your OPNsense. I would skip that for the moment.
In Proxmox I don't need to assign the IP CIDR for the VLAN-aware Linux bridge vmbr2, right? I need to assign the IP only for each VLAN.

[attachment: vlan bridge.png]

In OPNsense I created parent VLANs, which are VLANs connected to vmbr2.
But I don't need to assign an interface for vmbr2, just for the VLANs?
There is no need to assign any IP to the vmbr2.x bridges.
IPs should be assigned to the VMs which are connected to the VLAN bridges. And this should be done by the OPNsense VM (via DHCP), which is connected to the same VLAN bridges.
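To make the two answers above concrete (one Linux VLAN interface per VLAN on the physical port, one NIC per VLAN handed to the OPNsense VM, and no IP on any of the bridges), here is an added example script; it is not from the thread or from Proxmox. The interface name enp4s0, VM id 100, the bridge naming vmbr<vlanid> and the VLAN list are assumptions.

```shell
#!/bin/sh
# Added example: print the ifupdown2 stanzas for /etc/network/interfaces
# and the matching 'qm set' commands. Everything is printed, not applied,
# so it can be reviewed before touching the node. Assumed values below.
PHYS=enp4s0        # assumption: the single physical port
VMID=100           # assumption: the OPNsense VM id
VLANS="10 20 30"   # assumption: the VLAN ids to trunk

# One VLAN: a Linux VLAN sub-interface on the physical port and a bridge
# that carries only that VLAN. Both are 'inet manual': no IP on the host,
# OPNsense owns the addressing and hands out DHCP on each VLAN.
vlan_stanza() {
  vid=$1
  printf 'auto %s.%s\niface %s.%s inet manual\n\n' "$PHYS" "$vid" "$PHYS" "$vid"
  printf 'auto vmbr%s\niface vmbr%s inet manual\n' "$vid" "$vid"
  printf '\tbridge-ports %s.%s\n\tbridge-stp off\n\tbridge-fd 0\n\n' "$PHYS" "$vid"
}

# All stanzas for the VLAN list, in the order given.
gen_interfaces() {
  for v in $VLANS; do vlan_stanza "$v"; done
}

# One virtio NIC per VLAN bridge. The netN index starts at the first free
# slot so the VM's existing net0..net3 are not overwritten.
vm_nic_cmd() {
  idx=$1; vid=$2
  printf 'qm set %s --net%s virtio,bridge=vmbr%s\n' "$VMID" "$idx" "$vid"
}

gen_qm_cmds() {
  i=${1:-4}
  for v in $VLANS; do
    vm_nic_cmd "$i" "$v"
    i=$((i + 1))
  done
}

echo "# append to /etc/network/interfaces, then 'ifreload -a'"
gen_interfaces
echo "# attach one NIC per VLAN to the OPNsense VM"
gen_qm_cmds 4
```

Inside OPNsense each new vtnetN then gets assigned as a plain interface with its own static IP and DHCPv4 scope; no VLAN objects are needed there, which is the point of the "one NIC per VLAN" layout.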
Hi Chris

In Proxmox I removed all the IPs from the bridge interface vmbr2 and from every single VLAN created from it.

In OPNsense I detached the vmbr2 interface and assigned only the VLANs as interfaces in the VLAN devices menu.
I then modified Services > DHCPv4 for all the VLANs (assigned a DHCP range, set a DNS server, and removed the gateway).
I can manage to combine interfaces with the firewall rules and give them appropriate firewall rules.

All my VLANs have access to the internet now.

Thanks for the support.

Regards