Glad to hear it helped! I know I was totally lost not long ago and, thanks to a whole lot of free time on my hands lately, I am learning a lot and want to help others.
Regarding the 1G and 10G links, you can set the 1G link to be a backup link in case your 10G link goes down. I know it's easy to do on the switch using route metric (Administrative Distance on Cisco devices), but not sure how to do it in OPNsense/FreeBSD/Linux.
Here's an example of how you would do this, at least on the switch. This doesn't work too well without the route metrics set manually on your edge router, though, I'm pretty certain.
10G link on OPNsense: 10.10.10.0/31
10G link (physical port or ve if dealing with VMs) on Switch (ve 10): 10.10.10.1/31
1G link on OPNsense: 10.10.10.2/31
1G link (physical port or ve if dealing with VMs) on Switch: 10.10.10.3/31
Switch manual routes:
Code:
ip route 0.0.0.0/0 10.10.10.0
ip route 0.0.0.0/0 10.10.10.2 5
(The 5 means a lower priority than the default of 1 for static routes.)
If the 10G link goes down, then the lower-priority route over the 1G link takes precedence on the switch. As far as OPNsense... not sure how to set the route metric manually.
Another option is to use OSPF for dynamic routing, and that should update the route metrics appropriately and automatically on OPNsense.
EDIT: Just wanted to clarify that gateway weighting is NOT the same as the route metric. Weights are for load-balancing links such as Multi-WAN, but not a fail-over P2P situation like this.
EDIT 2: Regarding tips to your config....
It sounds like you're using a physical system as your edge router (OPNsense). I'm certainly no professional yet, so take my tips with a grain of salt, but I think it's a good idea to remove the VLAN where it's not needed, and this would be one of those cases. The VLANs would be necessary for configurations with the edge router (OPNsense/pfSense/VyOS, etc.) as a virtual machine.
Instead of making VLAN 10, adding a tagged port to it, then effectively untagging it with dual-mode 10, just add the IP address to the interface itself.
Code:
no vlan 10
interface ethernet 1/2/1
 port-name TRANSIT-10G
 ip address 10.10.10.1 255.255.255.254
 route-only
 port security
  enable
The port security configuration makes it so ONLY your physical router can connect to that port. It's not needed, but it is a helpful security feature in case you mis-wire things in the future. It will auto-populate the secure-mac-address under port security with the currently connected MAC address, and you can see it populated in show running-config.
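As an added worked example (this is not code from the post above, nor from OPNsense or the switch vendor): a small Python model of the admin-distance failover the post describes, which picks the default route the switch would use for each link state, plus a renderer for the equivalent Linux `ip route ... metric` commands, which is how the same "preferred route with a higher-cost backup" is expressed on a Linux-based router. The route table, the interface names `ve10`/`ve11`, and the destination addresses (TEST-NET ranges) are constructed for illustration; the model also goes slightly beyond the post by including a more-specific static route, to show that prefix length is compared before distance.

```python
"""Model of static-route failover by administrative distance (constructed example).

Two point-to-point /31 links between an edge router and a switch, with a
preferred default route over the 10G link (distance 1) and a backup over the
1G link (distance 5), mirroring the post's switch routes.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class StaticRoute:
    prefix: IPv4Network
    next_hop: IPv4Address
    interface: str      # egress interface; assumed names ve10 (10G) and ve11 (1G)
    distance: int = 1   # lower wins, like Cisco admin distance or a Linux route metric


def best_route(routes: List[StaticRoute], dest: IPv4Address,
               link_up: Dict[str, bool]) -> Optional[StaticRoute]:
    """Pick the route a FIB would use: longest prefix first, then lowest distance.

    Routes whose egress interface is down are withdrawn from consideration; that
    withdrawal is what lets the higher-distance backup take over on link failure.
    """
    candidates = [r for r in routes
                  if dest in r.prefix and link_up.get(r.interface, False)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.distance))


def linux_route_commands(routes: List[StaticRoute]) -> List[str]:
    """Render the same table as Linux `ip route add` commands.

    Linux has no separate admin distance for static routes; the per-route
    `metric` plays that role (lowest metric wins among routes to the same prefix).
    """
    return [
        f"ip route add {r.prefix} via {r.next_hop} dev {r.interface} metric {r.distance}"
        for r in sorted(routes, key=lambda r: r.distance)
    ]


# Constructed table: .0/.1 is the 10G /31, .2/.3 is the 1G /31, as in the post.
SWITCH_ROUTES = [
    StaticRoute(IPv4Network("0.0.0.0/0"), IPv4Address("10.10.10.0"), "ve10", distance=1),
    StaticRoute(IPv4Network("0.0.0.0/0"), IPv4Address("10.10.10.2"), "ve11", distance=5),
    # Hypothetical more-specific route over the slow link: prefix length beats distance.
    StaticRoute(IPv4Network("192.0.2.0/24"), IPv4Address("10.10.10.2"), "ve11", distance=5),
]


def next_hop_for(dest: str, link_up: Dict[str, bool]) -> Optional[str]:
    """Next hop the switch model would use for `dest` given the link states."""
    r = best_route(SWITCH_ROUTES, IPv4Address(dest), link_up)
    return str(r.next_hop) if r else None


if __name__ == "__main__":
    for state in ({"ve10": True, "ve11": True},
                  {"ve10": False, "ve11": True},
                  {"ve10": False, "ve11": False}):
        print(state, "->", next_hop_for("203.0.113.1", state))
    print("\n".join(linux_route_commands(SWITCH_ROUTES[:2])))
```

One caveat for the Linux side: the kernel keeps a route installed when its interface merely loses carrier, so for the backup to take over on an unplugged cable rather than only on an administratively downed interface, set `net.ipv4.conf.all.ignore_routes_with_linkdown=1` (or use a routing daemon, as the OSPF option above does).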