Proxmox & Opnsense VLAN Configuration

whyme

New Member
Jan 27, 2025
Hello everyone,

I am currently trying Proxmox with OPNsense as a VM and trying to understand the VLAN functions and firewall rules better. I have made a config and it is working, but I am asking myself why some things work and some don't. Maybe one of you can answer them.

1. Why am I able to connect to the firewall and proxmox when my PC on switch port 5 is VLAN 10 untagged but the port 2 (Switch -> proxmox) is tagged VLAN 10?
2. When I put VLAN 10 untagged on port 2 and tagged vlan 20 & 30, I can't connect to the firewall or proxmox anymore.
3. I want to add new WLAN SSIDs called Users (e.g. VLAN 11) and Guest (VLAN 12) on the access point. Do I need to add new Linux bridges and Linux VLANs? If so, do I need to make the bridge VLAN aware? And on the OPNsense VM: I would have to add the bridges to the network settings and add a VLAN tag (VLAN tag 11 and 12) to them, right?
4. In the 192.168.178.0/24 network, the firewall is reachable with its WAN IP address 192.168.178.254. Isn't this a security risk since it's reachable from the 192.168.178.0/24 network?
5. How does my current setup work when the opnsense VM doesn't have VLAN tag 10,20,30 assigned in the network settings?

This is my whole setup:

1763916636047.png

This is my proxmox setup:

/etc/network/interfaces
auto lo
iface lo inet loopback

iface enp1s0 inet manual

iface wlp2s0 inet manual

auto enp1s0.10
iface enp1s0.10 inet manual
#LAN VLAN 10

auto enp1s0.20
iface enp1s0.20 inet manual
#WAN VLAN 20

auto vmbr0
iface vmbr0 inet manual
        bridge_ports enp1s0.20
        bridge_stp off
        bridge_fd 0
#WAN → no IP address

auto vmbr1
iface vmbr1 inet static
        address 192.168.100.2
        netmask 255.255.255.0
        gateway 192.168.100.1
        bridge_ports enp1s0.10
        bridge_stp off
        bridge_fd 0
        bridge_vlan_aware yes
        bridge_vids 2-4094
#LAN → Management-Access

1763917302927.png

opnsense VM network config:

1763917376199.png

1763917411996.png

1763917428149.png

opnsense interface config:

1763917622466.png

DHCP Config in opnsense:


I have no VLANs in opnsense.

This is my switch VLAN tagging:

1763916919362.png

If you need any more information, let me know. Thank you for any help :)

Attachments

  • 1763918012115.png
1. Why am I able to connect to the firewall and proxmox when my PC on switch port 5 is VLAN 10 untagged but the port 2 (Switch -> proxmox) is tagged VLAN 10?
The switch receives the packet on port 5 and it knows that it's coming from VLAN 10. And as it has VLAN 10 tagged on port 2, it then sends the packet out on port 2 with a VLAN 10 tag added to the packet.
2. When I put VLAN 10 untagged on port 2 and tagged vlan 20 & 30, I can't connect to the firewall or proxmox anymore.
That's because firewall and Proxmox are connected to vmbr1 and incoming connections from external systems need to have VLAN tag 10 attached in order to communicate with systems on vmbr1. That's what you have configured by connecting vmbr1 to enp1s0.10.
3. I want to add new WLAN SSIDs called Users (e.g VLAN 11) and Guest (VLAN 12) on the access point. Do I need to add new linux bridges and linux VLANs? If so, do I need to make the bridge vlan aware? And on the opnsense VM: I would have to add the bridges to the network settings and add a VLAN tag (VLAN tag 11 and 12) to them right?
First of all, what is your goal with these new SSIDs? Does "Users" mean that systems in LAN should be reachable while "Guest" should allow access to the internet?
4. In the 192.168.178.0/24 network, the firewall is reachable with its WAN ip-address 192.168.178.254. Isn't this a security risk since it's reachable from the 192.168.178.0/24 network?
This depends on your requirements regarding security and the setup you're planning. But basically, if "reachable" means accessibility via HTTPS, I wouldn't expect that this is needed. This is something that you could disable in OPNsense and only allow HTTPS on the LAN interface.
5. How does my current setup work when the opnsense VM doesn't have VLAN tag 10,20,30 assigned in the network settings?
In your setup, VLAN tagging is handled by Proxmox and the switch, and VLAN tagging is only used between these two. E.g., if the PC sends a packet to the OPNsense, the switch adds a VLAN 10 tag to the packet and forwards it to Proxmox. Proxmox removes the tag and sends it to OPNsense.
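The tagging path that answers 1, 2 and 5 describe, as an added example that is not part of the thread. It is a small Python model with constructed MAC addresses: the switch applies its PVID to untagged ingress and tags or strips on egress (the usual 802.1Q access/trunk behaviour, assumed here), and the Proxmox host demultiplexes tagged frames onto enp1s0.<vid> sub-interfaces, each enslaved to a bridge, stripping the tag before the VM sees the frame. The two switch tables mirror the port 2 configurations from questions 1 and 2.

```python
"""802.1Q tagging path between the PC, the switch and the Proxmox host.

Constructed model, not code from the thread. It reproduces only what the
answers describe: PVID on ingress, tag-or-strip on egress at the switch;
enp1s0.<vid> sub-interfaces bridged into vmbrX on the Proxmox host.
"""
import struct

ETH_P_8021Q = 0x8100   # TPID of a VLAN-tagged Ethernet frame
ETH_P_IP = 0x0800

# Constructed MAC addresses for the example; not from the thread.
PC_MAC = bytes.fromhex("020000000005")
FW_MAC = bytes.fromhex("020000000001")


def build_frame(dst, src, payload, vlan=None):
    """Ethernet II frame; with vlan set, an 802.1Q tag (PCP/DEI 0) is inserted."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ETH_P_IP) + payload


def parse_frame(frame):
    """Return (vid or None, frame with the tag removed)."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid == ETH_P_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame


def add_tag(plain, vid):
    """Insert an 802.1Q tag after the source MAC of an untagged frame."""
    return plain[:12] + struct.pack("!HH", ETH_P_8021Q, vid) + plain[12:]


class Switch:
    """ports maps port number -> {"untagged": pvid or None, "tagged": set of VIDs}."""

    def __init__(self, ports):
        self.ports = ports

    def forward(self, in_port, frame, out_port):
        vid, plain = parse_frame(frame)
        pin, pout = self.ports[in_port], self.ports[out_port]
        if vid is None:
            vid = pin["untagged"]             # PVID assigned on ingress
        elif vid not in pin["tagged"]:
            vid = None                        # not a member VLAN: drop
        if vid is None:
            return None
        if pout["untagged"] == vid:
            return plain                      # egress untagged: tag stripped
        if vid in pout["tagged"]:
            return add_tag(plain, vid)        # egress tagged: tag added/kept
        return None                           # out_port is not in this VLAN


class ProxmoxHost:
    """enp1s0 plus enp1s0.<vid> sub-interfaces, each enslaved to a bridge."""

    def __init__(self, vlan_bridges):
        self.vlan_bridges = vlan_bridges      # e.g. {10: "vmbr1", 20: "vmbr0"}

    def receive(self, frame):
        """Return the interface the frame lands on; the VM never sees the tag."""
        vid, plain = parse_frame(frame)
        if vid is None:
            return "enp1s0 (untagged; not bridged, no IP)", plain
        bridge = self.vlan_bridges.get(vid)
        return (bridge or f"dropped (no enp1s0.{vid})"), plain

    def send(self, bridge, plain):
        """A VM on `bridge` sends untagged; enp1s0.<vid> adds the tag on the wire."""
        vid = next(v for v, b in self.vlan_bridges.items() if b == bridge)
        return add_tag(plain, vid)


HOST = ProxmoxHost({10: "vmbr1", 20: "vmbr0"})
# Question 1: port 5 untagged 10, port 2 (uplink to Proxmox) tagged 10/20/30.
SWITCH_Q1 = Switch({5: {"untagged": 10, "tagged": set()},
                    2: {"untagged": None, "tagged": {10, 20, 30}}})
# Question 2: port 2 untagged 10, tagged 20/30.
SWITCH_Q2 = Switch({5: {"untagged": 10, "tagged": set()},
                    2: {"untagged": 10, "tagged": {20, 30}}})


def pc_to_firewall(switch):
    """Where an untagged frame from the PC on port 5 ends up on the Proxmox host."""
    wire = switch.forward(5, build_frame(FW_MAC, PC_MAC, b"ping"), 2)
    if wire is None:
        return "dropped by switch"
    return HOST.receive(wire)[0]


def firewall_to_pc(switch):
    """Reverse path: untagged on vmbr1, tagged by enp1s0.10, untagged again on port 5."""
    wire = HOST.send("vmbr1", build_frame(PC_MAC, FW_MAC, b"pong"))
    out = switch.forward(2, wire, 5)
    if out is None:
        return "dropped by switch"
    vid, _ = parse_frame(out)
    return "untagged" if vid is None else f"tagged {vid}"


if __name__ == "__main__":
    print("Q1:", pc_to_firewall(SWITCH_Q1))   # vmbr1
    print("Q2:", pc_to_firewall(SWITCH_Q2))   # enp1s0 (untagged; not bridged, no IP)
    print("Q5:", firewall_to_pc(SWITCH_Q1))   # untagged
```

With the question-2 table the PC's frame leaves port 2 untagged, so on the Proxmox host it reaches bare enp1s0, which is neither bridged nor addressed, and the reverse path is dropped by the switch because port 2 no longer accepts tagged VLAN 10. With the question-1 table the frame arrives tagged, enp1s0.10 strips the tag and hands it to vmbr1, which is why neither OPNsense nor the Proxmox management address needs to know about VLAN 10.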
Hey, thank you for your helpful answers. Now I finally understand how this all works. Both LAN and guest users should have access to the internet. For the guest users, I don't plan on having WPA for the SSID, and the guests will only get up to about 20 Mbit/s bandwidth. The LAN clients (192.168.178.0/24) shouldn't have access to the switch or firewall, only internet without any bandwidth limit. I know a guest SSID isn't necessary, but I just want to try it out a bit; maybe I will delete it later. What I have also done is change the IP address of the switch to one from VLAN 30 (management) so it isn't in the LAN network anymore. I also added a rule in OPNsense where LAN clients (192.168.178.0/24) cannot connect to the firewall via TCP or ping it. What would you say, is it better to have a different WAN address rather than the current one (192.168.178.254) so it isn't in the LAN net anymore? Or is it good enough that I blocked traffic from the LAN net to the firewall WAN address with my newly added rules?
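One way to carry the Users (VLAN 11) and Guest (VLAN 12) SSIDs into the OPNsense VM, following the same pattern the posted /etc/network/interfaces already uses for VLAN 10 and 20 (a Linux VLAN sub-interface per VLAN, each bridged into its own bridge, so that the VM receives untagged frames). This is an added example, not the answerer's reply: the bridge names vmbr2 and vmbr3 and the VLAN IDs 11 and 12 are assumptions, and it assumes switch port 2 and the access point's switch port carry VLANs 11 and 12 tagged.

```text
# Appended to /etc/network/interfaces on the Proxmox host (added example;
# bridge names vmbr2/vmbr3 and VLAN IDs 11/12 are assumed)

auto enp1s0.11
iface enp1s0.11 inet manual
#Users VLAN 11

auto enp1s0.12
iface enp1s0.12 inet manual
#Guest VLAN 12

auto vmbr2
iface vmbr2 inet manual
        bridge_ports enp1s0.11
        bridge_stp off
        bridge_fd 0
#Users → tagged 11 on the wire, untagged inside the VM, no host IP

auto vmbr3
iface vmbr3 inet manual
        bridge_ports enp1s0.12
        bridge_stp off
        bridge_fd 0
#Guest → tagged 12 on the wire, untagged inside the VM, no host IP
```

In the VM's hardware settings, vmbr2 and vmbr3 are then attached as two more network devices with the VLAN Tag field left empty, exactly like vmbr0 and vmbr1 today, and in OPNsense they are assigned as plain interfaces (no VLAN entries, as now) with their own subnet, DHCP scope and firewall rules; the guest interface gets rules that allow only the internet and block the LAN, management and firewall addresses. Do not set a VLAN tag on a VM NIC attached to vmbr1 instead: vmbr1 sits on enp1s0.10, so a tag set there would be stacked inside VLAN 10 on the wire rather than replacing it.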