[SOLVED] VLANs (OPNsense, Proxmox, VMs, VLAN1 limitation)

Pawel_B

New Member
Sep 24, 2025
Hello,

I am very new to this.

I aim to establish the following configuration (VLANs can be updated as I gain more knowledge). It's nothing super ambitious - I'd like to have decent backup NAS and an owncloud drive. Plus some security/traffic and flexibility.

I have Aoostar WTR Pro.
LAN1 - PCIe passthrough to OPNsense - OK.
LAN2 - for my home network.

OPNsense acts as a firewall and router (and VLAN router), unbound DNS in the future for an owncloud.
There is a limitation with my switch: VLAN 1 is set to be management and cannot be changed.
I have not considered a dedicated 'router' machine; I hope this is achievable with this single mini PC.

A diagram of what I aim to do:
[diagram image: 1758715641791.png]

Using LLMs as a guide, I had the following setup.
Interfaces on Proxmox:
Code:
...
iface eno1 inet manual #LAN1

iface enp3s0 inet manual #LAN2

auto vmbr1
iface vmbr1 inet manual
    bridge-ports enp3s0
    bridge-stp off
    bridge-fd 0

auto vmbr1.1
iface vmbr1.1 inet static
    address 192.168.1.4/24
    gateway 192.168.1.1

An LLM told me that OPNsense manages VLANs, so that works. Then, led by LLM, I set a trunk port on my switch in the following way:

Code:
interface xe1/10
switchport mode trunk
switchport trunk native vlan 4000
switchport trunk allowed vlan add 1
switchport trunk allowed vlan add 12
switchport trunk allowed vlan add 22
switchport trunk allowed vlan add 32

The VLAN4000 acts as a sacrifice VLAN.

And, one of the other ports serves as an access port for VLAN 1.

Surprisingly, this works - I can see 802.1Q packets while pinging devices. All is fine.
Code:
# bridge vlan show
port         vlan-id
enp3s0      1 PVID Egress Untagged
vmbr1       1 PVID Egress Untagged
tap100i1    1 PVID Egress Untagged
And here is the first puzzle. If VLAN 1 is untagged, where does all the 802.1Q traffic come from? I can imagine that the switch releases tagged packets, but Proxmox, when pinging OPNsense, also sends tagged frames.

The "ip a" shows nothing suspicious.

So, I prepared another VM - just a small Debian system for the console for testing (I set VLAN1 for testing purposes). Right after I started this machine, it went into eternal hunting grounds.
Proxmox UI displays 'Guest not running' on client1-vlan1.

The Proxmox console still allows me to ping OPNsense, but the switch (so the local LAN) can no longer access anything. Proxmox cannot reach the laptop in VLAN 1.

The "ip a" shows now a number of new entities:
  • tap101i0 (a new vm interface I suppose)
  • vmbr1v1 ( what's this?) - link/ether - to LAN2
  • enp3s0.1@enp3s0 (huh - vlan1 device I think) - link/ether - to LAN2
  • fwbr101i0 (?)
  • fwpr101p0@fwln101i0 (?)
  • fwln101i0@fwpr101p0 (?)
Code:
# bridge vlan show
port         vlan-id
enp3s0      1 PVID Egress Untagged
vmbr1       1 PVID Egress Untagged
tap100i1    1 PVID Egress Untagged
tap101i0    1 PVID Egress Untagged
vmbrv1      1 PVID Egress Untagged
enp3s0.1    1 PVID Egress Untagged
fwbr101i0   1 PVID Egress Untagged
fwpr101i0   1 PVID Egress Untagged
fwln101i0   1 PVID Egress Untagged

And tcpdump on tap101i0 shows 'ethertype ARP' - so no VLANs....

So I am trying a different approach, brand new interfaces:
Code:
...
iface eno1 inet manual #LAN1

iface enp3s0 inet manual #LAN2

auto vmbr1
iface vmbr1 inet manual
    bridge-ports enp3s0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 1,12,22,32
    bridge-pvid 4000

auto vmbr1.1
iface vmbr1.1 inet static
    address 192.168.1.4/24
    gateway 192.168.1.1

Here - I can ping Proxmox from the VLAN 1 laptop and vice versa, but not OPNsense itself.
Code:
# bridge vlan show
port         vlan-id
enp3s0      1
            12
            22
            32
            4000 PVID Egress Untagged
vmbr1       1
tap100i1    1 PVID Egress Untagged
            2
            3
            ... all vlan tags here

Then, having executed command
Code:
bridge vlan add vid 1 dev tap100i1
- I can ping OPNsense IPs.
So, I start VM101, and I can see it starts in the Proxmox UI. Nothing breaks. All pings work.
Code:
# bridge vlan show
port         vlan-id
enp3s0      1
            12
            22
            32
            4000 PVID Egress Untagged
vmbr1       1
tap100i1    1 PVID Egress Untagged
            2
            3
            ... all vlan tags here
tap101i0    1 PVID Egress Untagged
fwbr101i0   1 PVID Egress Untagged
fwpr101i0   1 PVID Egress Untagged
fwln101i0   1 PVID Egress Untagged

Still untagged VLAN1 - but tcpdump lists '802.1Q'. I do not get this at all.

The "ip a" shows now a number of new entities:
  • tap101i0 (a new vm interface I suppose)
  • fwbr101i0 (?)
  • fwpr101p0@fwln101i0 (?)
  • fwln101i0@fwpr101p0 (?)

In the case you have read up to this moment, I'd appreciate a recommendation on how to improve it.

I've read that
Code:
bridge vlan add vid 1 dev tap100i1
can be included in the Proxmox startup procedure, but at the moment, I don't like it - it doesn't seem clean. Not to mention that the interfaces of the new VM still show 'Untagged,' which is unusual. For example, if I set VLAN1 on the switch to default on a trunk port, it strips the 'vlan' marker from packets.

I can see two options - but I feel I am hitting the wall:
  1. Manual setup of VLANs in Proxmox (so enp3s0.1 and vmbr1.1)
  2. Reconfigure VLAN1 to be untagged
  3. Any other recommendations?
    1. How to configure tap100i1 (from OPNsense or Proxmox) so that it respects the default VLAN as the 4000 one.
Kind regards,
Pawel
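The "include it in the Proxmox startup procedure" idea above can be done with a VM hookscript. This is an added example, not code from the thread or from Proxmox: Proxmox calls a hookscript as `<script> <vmid> <phase>` (phases `pre-start`, `post-start`, `pre-stop`, `post-stop`) once it is placed under `/var/lib/vz/snippets/` and registered with `qm set <vmid> --hookscript local:snippets/<name>.py`. The VMID, port and VID mapping in `EXTRA_VIDS` is a constructed assumption mirroring the thread (VM 100, net1, VLAN 1). Two caveats worth knowing before using it: with the Proxmox firewall enabled on a NIC the port that sits on `vmbr1` is `fwpr<vmid>p<n>` (the `tap` device hangs off `fwbr<vmid>i<n>` instead), and `bridge vlan add vid N dev PORT` on a VID the port already has rewrites that entry's flags, so without `pvid untagged` the VID becomes a tagged-only member.

```python
#!/usr/bin/env python3
"""Proxmox VM hookscript (added example, not from the thread or from Proxmox)
that adds extra VLAN memberships to a VM's bridge port after the guest starts.

Proxmox invokes it as: <script> <vmid> <phase>
"""
import subprocess
import sys

# Constructed mapping (assumption): VMID -> (bridge port, VIDs to add as tagged members).
# With the Proxmox firewall enabled on the NIC, use fwpr<vmid>p<n> instead of tap<vmid>i<n>.
EXTRA_VIDS = {
    100: ("tap100i1", [1]),
}


def commands_for(vmid, phase, mapping=EXTRA_VIDS):
    """Return the `bridge vlan add` argv lists to run for this phase (empty if none).

    Only post-start is acted on: the tap device does not exist before the guest
    is running, and nothing needs undoing at stop because the port disappears.
    """
    if phase != "post-start" or vmid not in mapping:
        return []
    port, vids = mapping[vmid]
    return [["bridge", "vlan", "add", "vid", str(vid), "dev", port] for vid in vids]


def main(argv):
    if len(argv) != 3:
        print("usage: hook.py <vmid> <phase>", file=sys.stderr)
        return 2
    vmid, phase = int(argv[1]), argv[2]
    for cmd in commands_for(vmid, phase):
        # Runs as root under Proxmox; fail loudly so qm reports the error.
        subprocess.run(cmd, check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Keeping the mapping in one place makes it easy to see which VM ports get memberships beyond what the NIC's own `tag=` setting gives them, which is the thing to review when a VM must not be able to reach other VLANs.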
 
I have made progress (but unsure why this works). It looks logical, but intuition is not a good sign.

fw interfaces are Proxmox firewalls (I did not uncheck firewall in VM configuration *)

SO, the Proxmox interfaces file:
Code:
iface enp3s0 inet manual

# VLAN-aware bridge on enp3s0
auto vmbr1
iface vmbr1 inet manual
    bridge-ports enp3s0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 12,22,32
    bridge-pvid 1

# VLAN 1 sub-interface for Proxmox management (untagged)
auto vmbr1.1
iface vmbr1.1 inet static
    address 192.168.1.4/24
    gateway 192.168.1.1
    bridge-pvid 1

# VLAN 12 for VM network
auto vmbr1.12
iface vmbr1.12 inet manual

# VLAN 22 for VM network
auto vmbr1.22
iface vmbr1.22 inet manual

# VLAN 32 for VM network
auto vmbr1.32
iface vmbr1.32 inet manual

Then, on the switch, for the trunk port:
Code:
interface xe1/10
switchport mode trunk
switchport trunk allowed vlan add 12
switchport trunk allowed vlan add 22
switchport trunk allowed vlan add 32

Then, on OPNsense:
  • I deleted vlan0.1 completely
  • I configured IP address for vtnet0 (+DHCP +firewall)
  • I retained vlan0.12, vlan0.22 and vlan0.32
I still need to check whether this works with the TP-Link access point (and it looks like this is hopefully internet-ready)
The "bridge vlan show" still cryptically displays PVIDs, but it works:
Code:
port        vlan-id
enp3s0      1 PVID Egress Untagged
            12
            22
            32
vmbr1       1
            12
            22
            32
tap100i1    1 PVID Egress Untagged    (OPNsense one)
            2
            3
            ....
            4094
tap101i0    32 PVID Egress Untagged

*Huh, maybe it all got screwed up previously because I did not uncheck the firewall checkbox on Proxmox. I will recheck.
 
Disabling fwnnXXXiX in the configuration:

So, making VLAN1 tagged.
  1. The version with a non-VLAN-aware bridge (where all traffic passes through to OPNsense) becomes unstable after an additional VM is started.
    This is logical, I presume. It may be fixable by manually adding a VLAN1 tag.
  2. The version with a VLAN-aware bridge:
    1. OPNsense is initially unreachable
    2. However, another VM (virt. net. card has vlan 1 set) is reachable (pings are successful).
    3. This can be fixed using the "bridge vlan add vid 1 dev tap100i1" command - OPNsense becomes 'pingable' from LAN.
Re 2. - vlan-aware-bridge
The thing that I cannot comprehend is that 'bridge vlan show' displays:
Code:
port     vlan-id
tap100i1  1 PVID Egress Untagged    //so the OPNsense related one
          2
          ...
          4094
tap101i0  1 PVID Egress Untagged    // another VM related one
There is no difference on VLAN1, but somehow OPNsense does not respond until tag1 is explicitly added.

And the huuuge list of VLAN tags on tap100i1 is weird (given that the interfaces provide an explicit list of tag ids, and OPNsense also has explicitly provided numbers).
This gets me crazy.
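The `bridge vlan show` listings in this post and in the first one are easier to reason about with a small parser and an explicit policy per port. The following is an added example, not code from the thread or from Proxmox; the sample output, port names and the policy are constructed to mirror the thread. Two facts it relies on: `Egress Untagged` is a per-port egress property, so frames that leave a tap port untagged still leave `enp3s0` tagged unless `enp3s0` is itself untagged on that VID (which is why 802.1Q frames appear on the uplink for a VLAN that shows as untagged on a VM port), and a port that is a member of VIDs 2..4094 can exchange tagged frames with every one of those VLANs, which is what a firewall VM needs but what an ordinary VM's port should never show.

```python
"""Audit VLAN membership from `bridge vlan show` output.

Added example, not from the thread. Assumes the classic text layout of
`bridge vlan show` on a VLAN-aware Linux bridge: a header line, one line per
port carrying its first VID, then indented continuation lines with further
VIDs; flags (PVID, Egress Untagged) follow the VID on the same line.
"""
import re

# Constructed sample output, modelled on the VLAN-aware listings in the thread.
SAMPLE = """\
port         vlan-id
enp3s0      1
            12
            22
            32
            4000 PVID Egress Untagged
vmbr1       1
tap100i1    1 PVID Egress Untagged
            2
            3
tap101i0    1 PVID Egress Untagged
"""

# Constructed policy (assumption): which VIDs each VM port is meant to carry.
# tap100i1 is the OPNsense trunk, tap101i0 a plain VM that lives in VLAN 1 only.
POLICY = {
    "tap100i1": {1, 12, 22, 32},
    "tap101i0": {1},
}

# Optional port name, a VID, then optional flag text.
LINE = re.compile(r"^(?P<port>\S+)?\s+(?P<vid>\d+)(?:\s+(?P<flags>\S.*?))?\s*$")


def parse_bridge_vlan(text):
    """Return {port: {vid: set of flags}} with flags drawn from {'pvid', 'untagged'}."""
    table = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("port"):
            continue  # blank or header line
        m = LINE.match(line)
        if not m:
            continue  # e.g. an elided '...' line
        if m.group("port"):
            current = m.group("port")
            table.setdefault(current, {})
        if current is None:
            continue
        flags = m.group("flags") or ""
        fl = set()
        if "PVID" in flags:
            fl.add("pvid")
        if "Egress Untagged" in flags:
            fl.add("untagged")
        table[current][int(m.group("vid"))] = fl
    return table


def pvid(table, port):
    """The port's PVID (VID assigned to untagged ingress frames), or None."""
    for vid, fl in table.get(port, {}).items():
        if "pvid" in fl:
            return vid
    return None


def diff_vids(table, port, allowed):
    """(missing, extra): VIDs the port should carry but lacks, and VIDs it carries beyond policy."""
    actual = set(table.get(port, {}))
    return sorted(set(allowed) - actual), sorted(actual - set(allowed))


def audit(table, uplink, native_vlan, policy):
    """Compare the live table against the policy; return a list of findings."""
    findings = []
    up = pvid(table, uplink)
    if up != native_vlan:
        findings.append(f"{uplink}: PVID {up} does not match switch native VLAN {native_vlan}")
    uplink_vids = set(table.get(uplink, {}))
    for port, allowed in policy.items():
        missing, extra = diff_vids(table, port, allowed)
        if missing:
            findings.append(f"{port}: missing VIDs {missing}")
        if extra:
            findings.append(f"{port}: member of VIDs {extra} beyond policy {sorted(allowed)}")
        not_on_uplink = sorted(set(allowed) - uplink_vids)
        if not_on_uplink:
            findings.append(f"{port}: VIDs {not_on_uplink} are not carried on {uplink}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_bridge_vlan(SAMPLE), "enp3s0", 4000, POLICY):
        print(finding)
```

On a live host, feed it `bridge vlan show` output and set `native_vlan` to the trunk port's native VLAN from the switch; a port that appears in `extra` for VIDs it has no business in is the thing to fix, whether by a VM NIC `tag=` setting, a `trunks=` list, or a per-VLAN bridge as in the final post.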
 
I had an idea yesterday. I added VLAN 2 for Proxmox access, OPNsense, the switch, and the EAP610.
However, I was unable to make the switch available in VLAN 2. Likely lack of skills (or did not set the Hybrid port properly).

Anyway, I returned to the working solution. And another peculiarity.
LAN2 - Switch, so my xe1/10 in switch (trunk port):
  • Default VLAN: 1
  • Tagged VLAN: 12, 22, 32
But, ge1/1 (the one I use to power and run the TP-Link access point) trunk port:
  • Default VLAN: 4000
  • Tagged VLAN: 1,12, 22, 32
This makes me ponder the sense of life, but it works - the EAP610 management vlan is set to 1.
Still, I think VLAN1 is a peculiar being.

Perhaps I'll give the VLAN2 idea a chance, so keep the switch in VLAN1 (and make the interface available from VLAN2 somehow).
 
Blah.

I have found another promising parameter, vlan-id:
Code:
auto vmbr1.1
iface vmbr1.1 inet static
    address 192.168.1.4/24
    gateway 192.168.1.1
    vlan-id 1

Then OPNsense tap100i1 still shows:
Code:
1 PVID Egress Untagged
2
3
....
4094

This looked promising, as OPNsense VM became pingable.

Then I grew tired of this, even though it started to look like a light at the end of the tunnel.

I created dedicated vNICs: enp3s0.1, enp3s0.12, enp3s0.22, enp3s0.32
I added vmbrs - vmbr1 on enp3s0.1, vmbr12 on enp3s0.12, etc., etc.

I added all four of these interfaces to OPNsense. I reset OPNsense. This works out of the box - traffic on the enp3s0 level is tagged.
I can now focus on firewall rules.

SO - a problem is solved differently by finding a working, still decent workaround.
 