Question regarding netgate sg-5100 running opnsense feeding ER-X running openwrt

my netgate appliance running openwrt will have the following interfaces

port 1 - lan 10.1.1.0/24,
-vlan 10 10.1.10.0/24,
-vlan 20 10.1.20.0/24

I would like my ER-X to allow, if possible:

port0 - lan
port1 - lan
port2 - lan
port3 - vlan10
port4 - vlan20

Trying to utilize my hardware in a mildly different way. I had a few different variations of this config active previously, but want to know if it's possible to have it be regular switching with 2 ports VLAN switching.

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'

config interface 'vlan10'
        option device 'br-lan.10'
        option proto 'static'
        option ipaddr '192.168.10.2'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'eth0:t'
        list ports 'eth1:u*'
        list ports 'eth2:u*'
        list ports 'eth3:u*'
        list ports 'eth4:u*'

One of these ports needs to be a trunk. Which one is that? It looks like eth0 is setup as a trunk based on VLAN 10.

What exactly do you mean by this? You want ports eth0-eth2 and then eth0 (trunk) - eth3 and eth0 to eth4 to behave just like a normal VLAN-aware switch? If that's what you're looking for, absolutely... that is what will happen.

Oh geeze, I realize my error.

Yes, port 0 is my trunk.

I want to be able to use my regular LAN on ports 1 and 2, VLAN 10 on port 3 and VLAN 20 on port 4.

Yeah, no problem there. It will work just like you want once configured.

Would the following config be correct?
Port 0 is the trunk from the firewall appliance, management on LAN, normal LAN functioning from the br-lan and the 2 VLANs set up; DHCP set to option ignore for all interfaces; firewall, odhcpd, and there's one other item set to disabled.

Is there any performance penalty to this method? I believe not, due to the fact that it has a switching chip, correct?

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.1.1.2'
        option netmask '255.255.255.0'

config interface 'vlan10'
        option device 'br-lan.10'
        option proto 'none'

config interface 'vlan20'
        option device 'br-lan.20'
        option proto 'none'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'eth0:t'
        list ports 'eth3:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'eth0:t'
        list ports 'eth4:u*'

My other thought was setting up my netgate appliance as a transparent gateway, setting up unbound and traffic shaping on it, and then using the ER-X as my router with hardware offload enabled. I think this would simplify everything the more I think about it: no trunking needed, point the WAN at the gateway IP and set up the ports as subnets with a couple of VLANs for wifi segmentation.

Either configuration is fine, depending on which one you want to do the primary routing.

That said, you don't appear to have configured the main lan on your ER-X config... vlans 10 and 20 look fine, but the main lan needs a bridge-vlan, too.

Here, I'm making the assumption that the main lan is untagged on the trunk:

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth0:u*'
        list ports 'eth1:u*'
        list ports 'eth2:u*'

Then edit the lan interface to use br-lan.1:

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '10.1.1.2'
        option netmask '255.255.255.0'
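
As an added example (not code from the thread or from OpenWrt), here is a small Python checker that parses a UCI network fragment like the ones above and flags exactly the gap pointed out in the reply: a bridge member port that appears in no bridge-vlan, plus a port that ends up with more than one PVID. The UCI text is a constructed sample mirroring the second config; parse_uci and check_bridge_vlans are names I chose, and treating a bare port name as untagged-with-PVID is my assumption about netifd's default.

```python
import re
# Constructed sample mirroring the thread's second config: eth0 is the trunk,
# eth3/eth4 are access ports for VLAN 10/20, eth1/eth2 are in no bridge-vlan.
SAMPLE = """
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'
config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'eth0:t'
        list ports 'eth3:u*'
config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'eth0:t'
        list ports 'eth4:u*'
"""
def parse_uci(text):
    # Returns [(section_type, {key: [values]})]; 'option' and 'list' both map to lists.
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*config\s+(\S+)", line)
        if m:
            sections.append((m.group(1), {}))
            continue
        m = re.match(r"\s*(option|list)\s+(\S+)\s+'([^']*)'", line)
        if m and sections:
            sections[-1][1].setdefault(m.group(2), []).append(m.group(3))
    return sections
def check_bridge_vlans(text):
    # Every bridge port should belong to at least one VLAN and carry at most one PVID.
    bridge_ports, vlans, pvids = set(), {}, {}
    for typ, s in parse_uci(text):
        if typ == "device" and s.get("type") == ["bridge"]:
            bridge_ports.update(s.get("ports", []))
        elif typ == "bridge-vlan":
            for entry in s.get("ports", []):
                port, _, flags = entry.partition(":")
                vlans.setdefault(port, set()).add(s["vlan"][0])
                if "*" in flags or not flags:  # bare name: untagged with PVID (assumed)
                    pvids.setdefault(port, set()).add(s["vlan"][0])
    problems = [f"{p}: bridge member but in no bridge-vlan" for p in sorted(bridge_ports) if p not in vlans]
    problems += [f"{p}: more than one PVID {sorted(pvids[p])}" for p in sorted(bridge_ports) if len(pvids.get(p, ())) > 1]
    return problems
```

Appending the vlan '1' section from the reply to SAMPLE makes check_bridge_vlans return an empty list.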

Ahh got it, I thought I was missing something! Thank you for filling in the blanks there!

You're welcome.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile: