Moving LAN from ETH2 to ix1 on XG-7100-1U

stephenw10

If you set LAN to be a VLAN on ix1 then that VLAN has to be configured correctly on whatever is connected to ix1. I assume a switch?

Whenever doing something like this I strongly recommend enabling some other way to access the webgui so you don't get locked out. That might be via the WAN (with limitations) or enabling a management interface on the Eth ports for example.

afd1219

@stephenw10 Stephen thanks for the quick reply. How come I am able to connect to the firewall on ETH2 when its on a vlan tied to lagg without putting the VLAN tag on my device and not when its on a vlan tied to ix1?

stephenw10

Because the built-in switch is configured to handle that VLAN. By default VLAN 4091 is tagged on the internal lagg0 link and untagged on Eth ports 2-8. That allows a client to connect to those ports withiut needing to be aware of the VLAN tagging.

afd1219

@stephenw10 Understood. Let me mess around with my switch now and I'll update the thread.

afd1219

@stephenw10 Hey Stephen, so for my case using the ix1 port, my clients must always be tagged. I just want to make sure I'm thinking about it correctly. I changed the VLAN ID from 4091 so its more organized and got my switches/clients connected.

Now I have another question. If I want to use ix1 and ix0 both to carry the same VLANs can I make this happen? I want to have ix1 connected to switch 1 and ix0 connected to switch 2.

stephenw10

The clients themselves would not normally have to be tagged because the switch would be untagged on the VLAN on the port it's connected to.

You can create the VLAN interface on ix1 and ix0 but that would be two separate interfaces in pfSense. ix0.100 and ix1.100 for example. They would not be in the same network segment.

If you want them to be in the same segment you would be better off connecting sw2 to sw1 directly. If they are stacking switches you may be able to do a split lagg between them from ix0 and ix1.

afd1219

@stephenw10 Hi Stephen, thanks for you help! I am configuring an MLAG between the switches, not a stack so I wanted to see if this was possible with the ix0 and ix1 ports to somehow combine them. I have ix1 already configured with the VLANs and they are working. The ix1 port only sends out tagged VLANs correct? Because when I connect directly I get nothing unless I specify the VLAN tag which sounds like the correct method.

stephenw10

The ix ports don't have to be tagged. You can assign the port directly without any VLAN tagging.

If the switches can do mlag then I would expect that to work with the ix0/1 ports. I'm not sure I've ever seen that on non 'stacked' switches though. You would certainly need some sort of sync connection between the switches.

afd1219

@stephenw10 Interesting, I seem to not be getting anything unless I specify a VLAN tag. I am running a Hyperv testing environment, on the VSwitch I specify the VLANID and I'm up and running and then on the VM level as well. If I do not do this I am not getting any IP from pfsense coming from the ix1 port and I have DHCP enabled.

So in regards to my switches, yes I have an IPL link so they are connected to each other, but each config is configured independently since they are not using the traditional stacking method.

Is it suggested to not use the ix0 and ix1 ports this way? I just did not want to go from switch to switch since there is a point of failure. I wanted to go from firewall, one cable to each switch.

stephenw10

How do you have the port assigned? How does the interface show in Interfaces > Assignment?

afd1219

@stephenw10
See below, the reason I have LAN on 4091 is because I used it to connect so I didn't lose connection when messing with the other ports.

Interface || Network port
WAN || VLAN4090 on lagg0 (WAN)
LAN || VLAN4091 on lagg0 (LAN)
OPT1 || 1x0 (00:08:a2:12:ca:50)
LANix1 || VLAN 5 on ix1 (LANix1)
Fin || VLAN 20 on ix1 (Fin)
AP || VLAN 21 on ix1 (AP)
UP || VLAN 22 on ix1 (UP)
TESTING || VLAN 23 on ix1 (TESTING)

stephenw10

Ok so you don't have the untagged ix1 NIC assigned. It's only assigned as VLAN tagged. Thus you can only connect to it using traffic tagged with one of those VLANs.

If you assign ix1 as an interface you could connect a host to that directly without any VLAN tagging.

I would expect to be able to get mlag working to ix0/1 if the switches support it.

afd1219

@stephenw10 So since ix0 and ix1 are on different interfaces, and VLANs can only have one parent interface, I don't see a way to do this on pfsense unless somehow we can create a bridge between both interfaces. I was reading this forum post, https://forum.netgate.com/topic/170174/same-vlans-on-both-ix0-and-ix1/13

stephenw10

You can bridge the VLANs across the two interfaces but you really shouldn't!

If you can configure an mlag with one link on each switch then you can just add the VLANs on to the lagg and they should be available in both switches.

afd1219

@stephenw10 Stephen, thanks for all your help!