Unable to move off VLAN 1 as default

2025-10-10 17:28:24 - last edited 3 weeks ago

I'm not an expert, just trying to learn by doing. I read it is recommended to move off VLAN 1 which is used by default. Sadly I've spent the last few days trying and I've only learned how to consistently get the network back to a working state. Would appreciate if anyone can break it down barney style for me. ChatGPT and Copilot have not been any help either. Truthfully, I don't even know how to monitor any of it. Only way I know it's working is by the IP assigned with DHCP.

 

Here is my setup:
Opnsense and Omada Software Controller on Proxmox
Switch: TL-SG3428XPP-M2
vnet0: SFP+ to switch (VLANs)
vnet1: SFP+ to modem
vnet2: Backup NIC (THANKFULLY!! This has saved my tail. Although I can get into Opnsense, I can't access anything on any of the VLANs; problem for a different day)

 

VLAN10: Management (Networking/Servers)
VLAN20: Trusted
VLAN30: IoT
VLAN40: Guest

All devices/servers/switches are added as static to Opnsense.

 

Worth noting, but I haven't got to these just yet.
1. 1 port goes to a smart switch in my office. I want to be able to have my work laptop on the Guest VLAN while my PC is on the Trusted leveraging DHCP. From what I gather, the port connecting the 2 switches needs to be a trunk port. Guest and Trusted VLANs need to be tagged.
2. Proxmox will have some VMs on different VLANs and leverage DHCP for the VM.

 

I'm getting it to work consistently by doing the following:
vnet0 assigned to Management network (not as a VLAN)
VLAN 20-40 set with vnet0 as Parent
On the switch, I left the Default interface and added VLANs 20-40


Here's what I've tried in different combinations with 0 success:
1. Tried setting Default interface with VLAN 10 and unassigning vnet0. Only having vnet0 assigned as Parent with all VLANs assigned.
2. Tried creating a Trunk port by creating a 'Blackhole' VLAN99 on the switch with it as untagged and all other VLANs as tagged. I lose connection to the switch even though plugged into its port.
3. Created a 'Default' on Opnsense and assigned it to vnet0 while VLANs have it as a parent. I think the switch was getting assigned to the default VLAN rather than Management.
4. I tried setting up LAGG because I was considering picking up a 4 port NIC, but couldn't get it to work at all. Not with vnet0 assigned or unassigned as Parent to all 4 VLANs

1 Accepted Solution
Re:Unable to move off VLAN 1 as default-Solution
3 weeks ago - last edited 3 weeks ago

Hi @iPenguin

 

Thanks for posting here.

 

Regarding the statement "It is recommended to move off VLAN 1 which is used by default": I would like to state something:

1. Why do some people recommend avoiding VLAN 1?
VLAN 1 is the default VLAN defined in the IEEE 802.1Q standard, and all ports initially belong to VLAN 1. Here are the common reasons for "avoiding VLAN 1":  

- Security risks:  
  - VLAN 1 typically carries control protocol traffic (e.g., CDP/LLDP, STP, DTP), which attackers could exploit for sniffing or spoofing.  
  - If not properly isolated, VLAN 1 could become a stepping stone for cross-VLAN attacks (e.g., VLAN hopping).  
2. Is avoiding VLAN 1 really necessary?  
Not necessarily, depending on actual needs and configuration. Here are the counterpoints:  

- Modern device improvements:  
  - Risks can be significantly reduced with proper port configuration (e.g., explicitly assigning all ports to non-VLAN 1).  
- More effective alternatives: 
  - Strictly isolate VLAN 1: Use it only for device management (e.g., switch management IPs), not user traffic.  
  - Disable unused ports: Prevent default VLAN 1 exposure.  
  - Use Private VLANs (PVLANs): Further restrict communication within VLAN 1.  
- Increased complexity:  
  - Completely removing VLAN 1 requires restructuring the entire network (e.g., reassigning Native VLAN, adjusting trunk configurations), which may introduce human error.  
  - For small networks, the benefits may not outweigh the risks (e.g., misconfiguration causing outages).  

 

Recommendations 
- If you still want to avoid VLAN 1: 
  1. Create a new management VLAN (e.g., VLAN 10) and migrate all management interfaces (switches, routers, APs).  
  2. Change the switch’s Native VLAN (e.g., to VLAN 10) and ensure trunk ports match.  
  3. Disable all user ports on VLAN 1, keeping only necessary protocols (if needed).  

Please refer to this guide to finish the configuration:

How to configure Management VLAN in Omada SDN Controller (v4.4.4 - v5.8.4)

 


- If keeping VLAN 1: 
  1. Use it only for device management, not user devices.  
  2. Ensure trunk ports have a matching Native VLAN to avoid VLAN hopping.  


Avoiding VLAN 1 is a security best practice, but not an absolute requirement. The key is reducing risks through proper configuration, not blindly removing VLAN 1.

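A small audit of the trunk and access-port settings the reply recommends, added here as an example and not part of the thread, Omada or OPNsense: it models each end of a link as one untagged (native/PVID) VLAN plus a set of tagged VLANs, using constructed values with VLAN 10 as the management VLAN from the thread, and flags native-VLAN mismatches between the switch uplink and the OPNsense parent interface, ports left on VLAN 1, and unused ports that are still enabled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Link:
    """One end of an 802.1Q link: the VLAN it carries untagged plus the VLANs it tags."""
    name: str
    native: int                      # untagged VLAN: switch PVID, or what the OPNsense parent interface sees
    tagged: frozenset = frozenset()  # VLANs sent/accepted with an 802.1Q tag
    enabled: bool = True
    connected: bool = True           # False for a port with nothing plugged in

def audit_trunk(a: Link, b: Link) -> list:
    """Compare both ends of a trunk; an empty list means they agree."""
    findings = []
    if a.native != b.native:
        findings.append(f"native VLAN mismatch: {a.name}={a.native}, {b.name}={b.native}")
    for x, y in ((a, b), (b, a)):
        if x.native in y.tagged:  # untagged on one side, tagged on the other: frames land in the wrong VLAN
            findings.append(f"VLAN {x.native} is untagged on {x.name} but tagged on {y.name}")
        for v in sorted(x.tagged - y.tagged - {y.native}):
            findings.append(f"VLAN {v} is tagged on {x.name} but unknown to {y.name}")
    return findings

def audit_ports(ports) -> list:
    """Flag ports left on default VLAN 1 and unused ports left enabled."""
    findings = []
    for p in ports:
        if p.enabled and p.native == 1:
            findings.append(f"{p.name}: still on default VLAN 1, assign an explicit VLAN")
        if p.enabled and not p.connected:
            findings.append(f"{p.name}: unused port is enabled, disable it")
    return findings

# Constructed configs (assumed values). OPNsense side: vnet0 carries Management untagged, VLANs 20-40 as tagged children.
OPNSENSE_VNET0 = Link("opnsense vnet0", native=10, tagged=frozenset({20, 30, 40}))
# The thread's attempt 2: 'blackhole' VLAN 99 untagged on the switch uplink, everything else tagged.
SWITCH_UPLINK_ATTEMPT2 = Link("switch uplink", native=99, tagged=frozenset({10, 20, 30, 40}))
# What the reply recommends: native VLAN 10 on the uplink, user VLANs tagged, matching the OPNsense side.
SWITCH_UPLINK_FIXED = Link("switch uplink", native=10, tagged=frozenset({20, 30, 40}))
ACCESS_PORTS = [
    Link("port 5 (PC)", native=20),
    Link("port 6 (printer)", native=1),                  # forgotten on VLAN 1
    Link("port 7", native=1, connected=False),           # nothing plugged in, still enabled
    Link("port 8", native=1, enabled=False, connected=False),
]

if __name__ == "__main__":
    for end in (SWITCH_UPLINK_ATTEMPT2, SWITCH_UPLINK_FIXED):
        print(end.name, "vs", OPNSENSE_VNET0.name, "->", audit_trunk(end, OPNSENSE_VNET0) or "OK")
    print(audit_ports(ACCESS_PORTS))
```

Running it reports the native mismatch and the untagged-vs-tagged management VLAN for attempt 2, which is why the switch became unreachable, and no findings for the corrected uplink.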