VLANS - Do I need to TRUNK my switche/s? Plus another Q

Finally had a quick look at VLANS.

Managed to get the VLANS stuff setup within OPNSense and a Second Network started in UniFi management for my AP’s
i figured i would start with a kids network first before i move onto a IOT network.
I can see the network however the IP address never gets handed out even though I have DHCP setup within OPNSense.

I have done a bit of googling and I think I may need to set up Trunking in a managed switch? Would this be the final piece of the puzzle?

Lastly, is it possible to basically have a few wifi networks running from my UniFi Ap’s with half of them hidden. I am thinking of having a kids network (hidden), guest network (not hidden), IOT network (hidden but switchable to add devices), Normal network (mainly for me lol)? Are there downsides to doing something like this?

Trunking is just Cisco speak. A β€œtrunk” can be a single Ethernet link or multiple links and cable runs using a link aggregation protocol such as LACP. Depending on how much traffic you expect to go over the trunk, plan accordingly for number of and speed of links.

For my home, I just run two Ethernet links and use LACP to my main switch. So far the bandwidth has been sufficient as I currently don’t have any 10GbE devices. When I go 10GbE, then I will probably upgrade the trunk to 2x10GbE links.

There’s no downside to using multiple SSIDs and putting them on their own VLANs.

I have three SSIDs, one for general WiFi devices, such as cell phones, tablets and IoT devices, one for my office and one more for guests. Each of these are on their own VLAN and are isolated from each other.

1 Like

So i have done link aggregation before to combine my 4 port ethernet of my unraid nas device to my switch as one. I only have 1 output from OPNsense box to the switch so i dont really need to combine from the router to the switch… I have a feeling i might be missing the boat here, do i need to combine the traffic with the using LACP even though its one cable?

I have quite an old DLINK managed switch however am thinking of upgrading to a Unifi Managed switch just for ease of use.

Correct. Unfortunately, the barrier to entry for vlans is primarily confusing terminology.

A β€œtrunk” in this case is just a connection that is β€œtagged” with all of the vlans you want to pass through it. β€œTagged” essentially means β€œallowed.” Switches often also use the term β€œuntag” which confusingly means to assign an interface to a particular vlan.

If you created a vlan10 for instance, and set a port on your switch to be untagged vlan10, whatever you plug into that port will be a member of vlan10 be default. No host configuration is necessary. The switch adds the vlan10 header to untagged traffic coming from that port.

Compare this with β€œtagging” a port vlan10 where you can plug a host into that port and configure it to use vlan10. In that case the host adds the vlan tag to its traffic and the switch allows it in.

But in any case, yes you need a managed switch that can handle vlans.

You can do this, but hiding an SSID doesn’t protect you from anything. It’s trivial to detect it for anyone savvy enough to be a threat to you. The only real reason to hide it is to keep the available wifi list short and tidy. If you are living/working in a densely populated area, this is futile and there really is no point.

No. Link aggregation is for combining physical connections like you did with Unraid. There is no reason for you to do this between your gateway and switch.

If you get a Unifi switch, you want to configure the vlans by adding β€œvlan-only” networks in the Unifi interface. Since you are controlling routing/dhcp/etc outside of Unifi, it can get confusing otherwise.

1 Like

I am not super experienced, but from my understanding, your ports are primarily either access or trunk. Access would be assigned a vlan and a trunk carries multiple vlans to another networking device. So in this case, yes, I think you should set up the line going to the WAP as a trunk.


That’s correct. Access is more Cisco terminology (same as untagged). There are more options than that though. For instance, if you have a server that needs to be on multiple, but not all, networks, you can tag select vlans and untag another in which case it is something between an access and trunk.


Cheers for this.

VLANS was always one of things i would get to later… I just hadn’t attempted to dive in until now, knowing how much mucking about it was going to be i just let it be lol.

The hiding the SSID was mainly to not spam my house/neighours with unecessary visible networks no one will be able to connect too. I am in a suburban area and dont see too many other networks but they will definitely see mine lol and my plan was to hide/unhide as necessary to add devices to a specific one.

I didn’t think that was the correct track i was going there but needed to clarify in case i was wrong.

1 Like

I started writing and posted before seeing your response, that was far more helpful and accurate than mine. Tagged and untagged were the terms that I was trying to remember, but I just pulled access and trunk from the top of my head. I think that I am going to enjoy this forum.


This place is great there are some really knowledgeable people here.


That is entirely reasonable.

1 Like

It still has a SSID, it just does not broadcast/advertise it. You don’t need to unhide the SSID to join the network, you just need to know the SSID.

I also like to hide some SSIDs just to avoid spamming the neighborhood.


In suburban areas your wifi networks will likely not be visible 50m away, and most devices sort on signal strength anyway.

You should avoid configuring laptops and phones for hidden SSIDs because of security issues… and I wish this stopped being a feature.

Your devices will go around town asking β€œhey network little-pony are you there” and a nefarious evil person with a small portable wifi thing hidden in their backpack will have configured it to reply to such things as, β€œyes I’m little-pony connect here with no password, or any password, and I’ll happily be your ISP”… at that point if your portable device has any vulnerabilities in any app that pulls anything from the internet, the nefarious attacker own it forever.

HTTPS and various VPNs make this a lot harder thankfully, but all you need is one of your apps to slip up… and you probably weren’t going to have your kids phone on VPN on a home network.

Also, from a practical perspective battery will last shorter, because they’d be looking for these hidden networks asking if they’re around all the time.

There’s a other ways of putting devices into VLANs - at least on OpenWRT and mikrotik, you can do it by mac address and you can have different passwords while at it, even without using wpa2 enterprise… which you should if your end device supports it. Unifi might only support wpa2 enterprise, I’d have to check.

1 Like

What model of switch are you using?

1 Like

                                                             Switch port 1 - OpnSense             Switch Port Unifi                   Switch Port Private Device

                                                             VLAN 1 - Untagged                     VLAN 1 - Untagged                   VLAN 100 - Untagged - PVID 100
                                                            β–²                                    β–²                                   β–²
                                                            β”‚VLAN 10 - Tagged - KIDS             β”‚ VLAN 10 - Tagged - KIDS           β”‚
                                                            β”‚                                    β”‚                                   β”‚
                                                            β”‚VLAN 20 - Tagged - IOT              β”‚ VLAN 20 - Tagged - IOT            β”‚
                                                            β”‚                                    β”‚                                   β”‚
                                                            β”‚VLAN 100 - Tagged - NON WIFI        β”‚                                   β”‚
                                                            β”‚                                    β”‚                                   β”‚
   β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”                      β”Œβ”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”
   β”‚  Opnsense                  β”‚                      β”‚    β”‚                                    β”‚                                   β”‚         β”‚
   β”‚                            β”‚                      β”‚  β”Œβ”€β”΄β”€β”     β”Œβ”€β”¬β”€β”                      β”Œβ”€β”Όβ”€β”    β”Œβ”€β”¬β”€β”                      β”Œβ”€β”Όβ”€β”       β”‚
   β”‚                            β”‚                      β”‚  β”‚   β”‚     β”‚ β”‚ β”‚                      β”‚ β”‚ β”‚    β”‚ β”‚ β”‚                      β”‚ β”‚ β”‚       β”‚
   β”‚                            β”‚                      β”‚  β””β”€β”¬β”€β”˜     β””β”€β”Όβ”€β”˜                      β””β”€β”΄β”€β”˜    β””β”€β”Όβ”€β”˜                      β””β”€β”΄β”€β”˜       β”‚
   β”‚                            β”‚                      β”‚    β”‚         β”‚                                   β”‚                                    β”‚
   β”‚                            β”‚                      β””β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
   β”‚                            β”‚                           β”‚         β”‚                                   β”‚
   β”‚          LAN - bg0         β”‚Opnsense ethernet bg0      β”‚         β”‚                                   β”‚
   β”‚                        β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜         β”‚                                   β”‚
   β”‚ KIDS -   OPT1 - vlan10     β”‚                                     β–Ό Switch Port 2 - PC                β–Ό Switch Port IOT device
   β”‚                            β”‚
   β”‚ IOT -    OPT2 - vlan 20    β”‚                                       VLAN 1 - Untagged - PVID 1          VLAN 20 - Untagged - PVID 20
   β”‚                            β”‚
   β”‚                            β”‚
   β”‚                            β”‚

As the other guys said, you need to configure your switch to accept VLAN traffic, that requires:

  • A VLAN capable switch (duh)
  • a VLAN list
  • A mapping of what devices you want to participate on which VLAN
  • A distinction between VLAN aware devices (OPnsense, Unifi) and clients (your laptop, an IOT wired device, a homelab server)

Your VLAN-enabled switch will default everything to default VLAN 1, and all ports will be set to VLAN 1 Untagged, PVID 1 (PVID is the default VLAN ID an access port (untagged vlan client) is assigned to when VLANS are not configured, some switches need you to set this together with the untagged VLAN when it is different than the default)
From there, you will need to know which devices are coneccted to which ports on the switch and what their purpose on your network will be

From there, it should be a matter of accessing the switch GUI/cli and configure the port accordingly …

In this example I have created three VLANs in addition to the default 1 … two of them routed through OPNsense (IOT, KIDS) , one (NON WIFI) local to the switch (the difference will be that OPNsense will not know it and will not be able to provide DHCP for it until you configure an additional OPT interface tagged with VLAN 100)

1 Like

Happy days, thanks… I have been browsing all day for USW-24’s which seem to be insanely popular but i will keep this thread for my future reference hopefully in a couple weeks when i can snag a better switch

The Ubiquity switch will be handled through the Ubiquity controller, and the GUI will hide all of this tagging, trunking, accessing behind checkboxes and select dropdowns
If you don’t want to really undertsand what is going on behind the scenes (and are prepared to pay a premium for the β€˜integration’ between the switch and the APs) then it will be more than fine.
If you’re more into learning how it works, and want to save a couple hundred bucks, then a Mikrotik CSS326-24G-2S+RM equivalent will get you there, but you’ll need to configure it manually …

1 Like

If i was in the mikrotik ecosystem i would have probably kept going that way… (and i did look very recently when i grabbed the wifi 6 unifi ap) at the moment i have 3 unifi AP’s so figured may as well keep it similar. Currently i have a old dlink managed switch i think its a DSG-3100 and its a bit of a pain and there seems to be something wrong with the management interface access… it still works fine but need to swap it out

1 Like