VLANs with OPNSense, Brocade ICX 6450 and xcp-ng VM not "working"

[jak4]

Hi,

I can't get VLANs to work. What I currently have:

1) OPNSense as Firewall which defines a VLAN100-Network (192.168.100.1) incl. DHCP
2) Ethernet-Connection to a Brocade ICX6450 flashed with the latest version in Router-Mode. From the Brocade-Terminal I can ping the VLAN 192.168.100.1 defined on OPNSense
3) In XCP-NG I have created a Pool-Network VLAN 100 and assigned to my VM.

Problem is, the VM does not see the DHCP or really anything from the VLAN. I'm certain that I have to configure the Switch, but I don't know how. I have tried creating a VLAN 100 on the Switch with the Port 1/1/4, tagged, with or without dual mode, but as soon as I do this I loose the connection to xcp-ng. Which is not suprising since the default "VLAN" is then not routed any more. Although I thought the dual mode fixes this.

I would be very grateful for pointers in the right direction.

Best regards
jak4

 

[klui]

If you can ping from your switch to FW's VLAN interface then your tagged interface is defined correctly. Dual mode is only relevant if you're passing tagged and non-VLAN 1 untagged traffic on ICX6000-series interfaces. You typically don't want to use VLAN 1 for your untagged data traffic so dual mode is used for configuring untagged non-VLAN 1 for a tagged interface.

Your problem most likely resides in XCP-NG. Maybe look at VLAN Trunking in a VM | XCP-ng Documentation

 

[ciree8]

I had the same setup but a different firewall. You'll need to change the MTU size to get trunking to work. As @klui said, use the website linked.

In XPC-ng docs:

List all your networks
xe network-list

Set MTU on the relevant network(s)
xe network-param-set uuid=xxx MTU=1504

Reboot your XCP-ng host to apply the MTU change on the physical network cards

 

[klui]

Interesting because the driver doesn't support tagged VLANs is why the MTU needs to be changed.

 

[jak4]

Thanks for the help. I have finally figured it out. I had to configure the ICX6450 switch. The three ports (1/1/1 - Uplink to FW; Ports 1/1/3 and 1/1/4 to the XCP-NG hosts) had to be tagged with VLAN 100 and put into dual mode. I can't say for certain if I had to change the MTU on the hosts. I did change the MTU to 1504, but after that change I still could not connect from the VM with the VIF VLAN100 to the VLAN100 defined by the OPNsense server.

The commands for the brocade ICX6450 config are (after the ICX6450 login):

1) enable
2) configure terminal
# create vlan
3) vlan 100
# if 1/1/1 is your uplink you will loose connectivity to the switch at this point, which means nothing will work anymore. So before you do this, ensure that you are connected to the switch on another port!
# put ports into vlan 100, this removes the ports from the default VLAN 1, which results in the connection loss
4) tagged ethernet 1/1/1
5) tagged ethernet 1/1/3 => here you will loose connectivty to the host-machine connected to this port
6) tagged ethernet 1/1/4 => here you will loose connectivty to the host-machine connected to this port
# configure ports and put them into dual mode (cisco: trunk mode), those ports will carry traffic tagged with VLAN 100 and all untagged (VLAN 1) traffic
7) interface ethernet 1/1/1
8) dual-mode 1
9) interface ethernet 1/1/3
10) dual-mode 1
11) interface ethernet 1/1/4
12) dual-mode 1
13) write memory

Which helped a lot was this site: Dual-mode VLAN ports

Thanks again!