I am interested in introducing VLANs to my home network. However, I couldn’t get an IP address on the VLAN. The cause of the issue was the firewall on the network device of my OPNsense VM on Proxmox.
My setup
Here is an overview of the relevant part of my home network for this VLAN setup. I run OPNsense as a Proxmox virtual machine (VM) and use a Ubiquiti managed switch. On the switch, I configured one port to tag traffic as VLAN 10.

In OPNsense, I set up a VLAN (VLAN10) with NAT rules and a DHCP server. Although I won’t describe the configurations in detail, everything was correctly set up, so I knew the issue wasn’t with the VLAN configuration.
Diagnosing the Issue
When I connected a PC to the VLAN-tagged port as a DHCP client, I expected to receive an IP address in the VLAN10 subnet (10.10.20.x). However, the DHCP requests timed out.
After several hours of troubleshooting, I realized the issue was specific to how OPNsense was running on Proxmox.
My OPNsense VM had two network devices: net0 and net1. These were mapped to vmbr0 and vmbr1 on my Proxmox host. I discovered that Proxmox applies a firewall to the network interfaces of VMs. When I disabled the firewall for the LAN interface (in this case, net0/vmbr0), the DHCP server in OPNsense started assigning IP addresses correctly to clients on VLAN10.
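To check which of a VM's NICs carry the Proxmox firewall flag before changing anything, here is an added example (not part of the original post) that parses a VM config in the format Proxmox keeps under /etc/pve/qemu-server/<vmid>.conf. The sample config, its MAC addresses and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: report bridge, VLAN tag and firewall flag for each NIC
# defined in a Proxmox VM config file.

# audit_vm_nics FILE -> one line per NIC:
#   netN bridge=<name|-> tag=<id|-> firewall=<on|off>
audit_vm_nics() {
    awk '
        /^\[/ { exit }   # snapshot/pending sections follow the live config
        /^net[0-9]+:/ {
            nic = $0;  sub(/:.*/, "", nic)
            opts = $0; sub(/^net[0-9]+:[ \t]*/, "", opts)
            bridge = "-"; tag = "-"; fw = "off"
            n = split(opts, kv, ",")
            for (i = 1; i <= n; i++) {
                split(kv[i], p, "=")
                if (p[1] == "bridge") bridge = p[2]
                else if (p[1] == "tag") tag = p[2]
                else if (p[1] == "firewall" && p[2] == "1") fw = "on"
            }
            printf "%s bridge=%s tag=%s firewall=%s\n", nic, bridge, tag, fw
        }
    ' "$1"
}

# firewalled_nics FILE -> names of the NICs that have the firewall enabled
firewalled_nics() {
    audit_vm_nics "$1" | awk '$4 == "firewall=on" { print $1 }'
}

# Constructed sample config (assumption: two NICs, firewall set on net0 only;
# the [before-vlan] snapshot section must not be counted as live config).
sample_conf=$(mktemp)
trap 'rm -f "$sample_conf"' EXIT
cat > "$sample_conf" <<'EOF'
name: opnsense
net0: virtio=02:00:00:00:00:01,bridge=vmbr0,firewall=1
net1: virtio=02:00:00:00:00:02,bridge=vmbr1
[before-vlan]
net0: virtio=02:00:00:00:00:01,bridge=vmbr0
EOF

audit_vm_nics "$sample_conf"
```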

Explanation
The VLAN configuration in both OPNsense and the switch was correct. A DHCP server was running on VLAN10, and the DHCP client’s traffic successfully reached the Proxmox server.
However, the firewall on the Proxmox host interpreted the VLAN traffic as external and unrelated to the OPNsense VM. As a result, it dropped the packets. This prevented the DHCP server from receiving requests, and no IP address was assigned to the client.
Disabling the firewall for the relevant network interface resolved the issue.