What is the correct VLAN mode on managed switch?

cmonty14

Hello,

my ISP (Vodafone cable) provides two internet access points:
- standard (like any ISP offers)
- static IP

The router (here: AVM Fritz!Box 6490 cable) basically works like any other Fritz!Box with only one exception:
1 port is configured for using the static IP.
I guess one could call this passthrough.

Anyway, this means that I have the following port configuration with this Fritz!Box:
Port 1 - LAN
Port 2 - LAN
Port 3 - static IP passthrough
Port 4 - Guest LAN

The other network device is a managed switch (here: D-Link DGS-1100).

The use case regarding Proxmox VE is this.
On a VM I want to set up OPNsense as a router and firewall.
Having 5 ethernet ports on the Proxmox VE host, the OPNsense VM will use 2 ports with PCI passthrough: eth0 for WAN (= static IP) and eth1 for LAN.
The other 3 ports are planned for this usage:
eth2+eth3: bond0
eth4: Management Network (VLAN)

In addition I want to set up different VLANs, e.g. for a Smarthome network, DMZ and PVE Guest network.
I also consider a VLAN for Fritz!Box LAN and Fritz!Box Guest LAN.

As a result the following VLANs would be available:
1 - Default
10 - Management network
20 - Fritz!Box LAN
30 - Fritz!Box Guest LAN
40 - OPNsense LAN
50 - Smarthome network
60 - DMZ
70 - PVE Guest network

Now the question is how to configure the VLAN on the managed switch?
That is, which VLAN should be used?
My current understanding is that 802.1Q is the preferred mode when using multiple VLANs on a single port.
And with 802.1Q there are different VLAN modes: Access Port, Trunk Port and Hybrid Port.
On the other hand one can configure port-based VLAN for the port that is connected to Fritz!Box Port 1 and Port 4 respectively.
But my managed switch allows either port-based VLAN or 802.1Q VLAN, and not a combination.

Can you please advise what is the recommended configuration on the managed switch, in particular the recommended VLAN mode?
What should be tagged? What should be untagged?

THX
 
Port based VLAN is basically the same as an access port in 802.1q, so 802.1q is what you need.
If you want only one vlan on the cable -> access port (VLAN will be untagged).
If you want more than one vlan on the cable -> trunk port (native vlan [or PVID] will be untagged, every other VLAN has to be tagged).
Some cheap switch manufacturers allow setting more than one VLAN as untagged. Never do that!

I would consider passing the static address port to your firewall as WAN and vmbr0 (vlan-aware!) as LAN. Then you define the same VLANs in your firewall and in your switch and off you go.
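The tagging rules in this answer (one untagged VLAN per cable as the PVID, everything else tagged, never two untagged VLANs) can be checked against the VLAN plan from the first post with a small model of an 802.1Q switch port. The following is an added example, not code from the thread or from any switch vendor: it builds and parses real 802.1Q tags (TPID 0x8100, 12-bit VID in the TCI) on constructed Ethernet frames, classifies ingress frames by PVID or tag, applies egress tagging per port membership, and rejects the "more than one untagged VLAN" configuration. The switch port names, the sample frame and the mapping of ports to Fritz!Box ports are assumptions.

```python
"""Model of 802.1Q access/trunk port behaviour (added example, hypothetical switch)."""
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100  # EtherType that announces an 802.1Q tag


@dataclass(frozen=True)
class Port:
    name: str
    untagged: frozenset            # VLANs sent without a tag; a sane config has exactly one (the PVID)
    tagged: frozenset = frozenset()  # VLANs carried with an 802.1Q tag; empty means access port

    @property
    def pvid(self) -> int:
        return next(iter(self.untagged))

    @property
    def mode(self) -> str:
        return "trunk" if self.tagged else "access"


def validate(ports):
    """Return a list of configuration problems; an empty list means the config is sane."""
    problems = []
    for p in ports:
        if len(p.untagged) != 1:
            problems.append(f"{p.name}: exactly one untagged VLAN (the PVID) is allowed, got {sorted(p.untagged)}")
        if p.untagged & p.tagged:
            problems.append(f"{p.name}: VLAN(s) {sorted(p.untagged & p.tagged)} listed both tagged and untagged")
    return problems


def push_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag after the 12-byte destination/source MAC header."""
    tci = (pcp << 13) | (vid & 0xFFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def pop_tag(frame: bytes):
    """Return (vid, frame without tag) for a tagged frame, or (None, frame) if it is untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0xFFF, frame[:12] + frame[16:]
    return None, frame


def ingress(port: Port, frame: bytes):
    """Classify a received frame into a VLAN; a vid of None means the switch drops it."""
    vid, bare = pop_tag(frame)
    if vid is None:
        return port.pvid, bare          # untagged frames land in the port's PVID
    return (vid, bare) if vid in port.tagged else (None, bare)


def egress(port: Port, vid: int, bare: bytes):
    """Frame as it leaves `port` in VLAN `vid`, or None if the port is not a member."""
    if vid in port.untagged:
        return bare                     # native VLAN leaves untagged
    if vid in port.tagged:
        return push_tag(bare, vid)      # every other member VLAN leaves tagged
    return None


def forward(ports, in_port: Port, frame: bytes):
    """Flood a frame received on in_port to every other member port, applying egress tagging."""
    vid, bare = ingress(in_port, frame)
    if vid is None:
        return {}
    out = {}
    for p in ports:
        if p is in_port:
            continue
        f = egress(p, vid, bare)
        if f is not None:
            out[p.name] = f
    return out


# Constructed port plan using the VLAN ids from the first post (port names are hypothetical)
PROXMOX_TRUNK = Port("g1 (to Proxmox bond0)", frozenset({1}), frozenset({10, 20, 30, 40, 50, 60, 70}))
FRITZ_LAN = Port("g2 (to Fritz!Box port 1)", frozenset({20}))
FRITZ_GUEST = Port("g3 (to Fritz!Box port 4)", frozenset({30}))
PLAN = [PROXMOX_TRUNK, FRITZ_LAN, FRITZ_GUEST]

# Constructed untagged Ethernet frame: broadcast dst MAC, src MAC, EtherType IPv4, dummy payload
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "0242ac110002" "0800") + b"payload"

if __name__ == "__main__":
    print("problems:", validate(PLAN))
    # Untagged frame from the Fritz!Box LAN port should reach Proxmox tagged with VID 20 only
    for name, f in forward(PLAN, FRITZ_LAN, SAMPLE_FRAME).items():
        print(name, "vid", pop_tag(f)[0], f.hex())
    print("problems:", validate([Port("g4 (two untagged VLANs)", frozenset({20, 30}))]))
```

Running the block shows the Fritz!Box LAN frame leaving only on the trunk port with a VID 20 tag, and the two-untagged-VLAN port failing validation: a frame received untagged on such a port cannot be assigned to one VLAN, which is why that setting should never be used.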
 
There are 2 routers in my network: Fritz!Box and OPNsense.
Each router provides a LAN.
Fritz!Box does not support VLAN, this means any traffic is untagged.

Creating a WAN and LAN interface in OPNsense is simple, and in my understanding the LAN is untagged.

Now I have 2 LANs, both are untagged.
How can I avoid collisions?
Or is this irrelevant for this use case?

THX
 
Your two routers are basically two WAN connections for OPNSense, no need for a vlan here.
If you connect clients directly to Fritzbox LAN, what do you need the opnsense for, then?
LAN for OPNSense is just a name. It can be tagged as well.
 
Actually there's only 1 WAN connection, and this is the PCI passthrough to Fritzbox port 3 with static IP.

There are different clients connected to the 2 different LAN, e.g. any Wifi device will be connected to Fritzbox LAN, and any server and PC will be connected to OPNsense LAN.
 
Well, together with OPNsense you'll have three routers, then. I don't want to say that's impossible to set up but my impression from your answers is that this is beyond your capabilities for now.
Start with one router and educate yourself about VLANs and how to set them up. This would make a lot of things clearer for you. Just clicking together what someone tells you in a forum should not be the way to go, since you don't know about possible implications or a way out if something goes wrong.
Please don't get me wrong, this is no offense towards you, but no one would try to craft furniture with only a jigsaw. You have to have the right tools and the knowledge.
 
Well, together with OPNsense you'll have three routers, then. I don't want to say that's impossible to set up but my impression from your answers is that this beyond your capabilities for now.
[...]
I'm curious:
what is the 3rd router?
 
Waah, sorry, now you got me. You already counted OPNSense as one router. Well, then you indeed only have two.
In this light my answer with two WANs is of course incorrect.
 
I am also thinking about/planning to change my network setup. Maybe we can help each other?

As I set up my Proxmox server a while ago I also changed my setup regarding the Internet (DSL-1und1). I used a Fritz!Box (7590) for that but I wanted to create a DMZ for my KiwiSDR receiver and couldn't do that with the F!B.

So I got myself a Draytek Vigor 130 (Modem-only mode) and connected it to one of the 4 1Gb/s interfaces on my server. In OPNsense I had to use a PPPoE interface to connect to the Internet. So it looks like this:

[Screenshot: Proxmox network configuration, "Schermafdruk van 2021-07-21 13-41-40.png"]

[Screenshot: OPNsense interface configuration, "Schermafdruk van 2021-07-21 13-43-51.png"]

It worked ok but, and now I'm getting on-topic ;), I wanted a little bit more flexibility. For that reason I ordered me a managed switch (Cisco SG350-28).

This is how I plan to set it up:

- Passthrough the WAN/Internet directly to OPNSense (either one of the 1Gb-ports or I'll buy a USB-to-Ethernet device because I only have a 16Mb/s line).
- Connect the remaining 3(or 4) 1Gb/s interfaces to the switch using LACP
- Configure in Proxmox bonds/bridges for the VLANs
- Configure the rest of the switch interfaces with the proper VLAN and connect my devices which are now connected directly to the server or unmanaged (LAN) switch
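What the Proxmox side of such a plan looks like, as an added example that is not from this thread or from the Proxmox project: an /etc/network/interfaces fragment in the ifupdown2 syntax Proxmox VE uses, with three ports bonded with LACP towards the switch, one VLAN-aware bridge on top of the bond instead of one bridge per VLAN, and the host's management address on a VLAN sub-interface. The interface names, the VLAN ids (taken from the first post's list) and the 192.168.10.0/24 management addresses are assumptions.

```text
# /etc/network/interfaces (Proxmox VE, ifupdown2) - hypothetical example
auto lo
iface lo inet loopback

# Physical ports that are bonded towards the managed switch (names assumed)
auto eth1
iface eth1 inet manual
auto eth2
iface eth2 inet manual
auto eth3
iface eth3 inet manual

# LACP bond; the matching switch ports must be members of one LAG in 802.3ad mode
auto bond0
iface bond0 inet manual
    bond-slaves eth1 eth2 eth3
    bond-miimon 100
    bond-mode 802.3ad
    bond-xmit-hash-policy layer2+3

# VLAN-aware bridge: a VM selects its VLAN with the "VLAN Tag" field on its vNIC,
# and the switch side of the LAG is a trunk with VLAN 1 untagged and 10-70 tagged
auto vmbr0
iface vmbr0 inet manual
    bridge-ports bond0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 10 20 30 40 50 60 70

# Host management address on VLAN 10 (constructed addresses)
auto vmbr0.10
iface vmbr0.10 inet static
    address 192.168.10.2/24
    gateway 192.168.10.1
```

The bridge itself carries no address, so untagged traffic on the trunk (VLAN 1, the PVID) never reaches the host; management only answers on the tagged VLAN 10, and the switch port for a given device gets the same VLAN ids as listed in bridge-vids or the frames are silently dropped on one side.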

I think this will give me most flexibility (and performance). Anyone on Pros/Cons?
 