XG-7100 & Unify console troubles: ix0, ix1, dhcp-kea & now sore head
-
@pfS_noob_cust what did you change from the working to the non working state: did you change the DHCP server from ISC to KEA? Did you change firewall rules?
In your last post "What's more scary is my actual implementation" you don't show the VLANs configuration so I have only the frist picture to go.
Let's narrow it down a bit (I'm a simple creature) and have a look at only one interface:
- OPT4_NGP4_STORAGE (opt4) -> lagg0.622 -> v4: 172.16.22.1/24
How are the clients connected to that port, using a switch? On pfSense VLAN 622 is configured only on port 4, in access port mode (called "native VLAN" on Unifi). The traffic will leave port 4 untagged and the switch would have to be configured accordingly.
The firewall rule for OPT4_NGP4_STORAGE allows everything, that can't be the show stopper.
-
@stephenw10 said in XG-7100 & Unify console troubles: ix0, ix1, dhcp-kea & now sore head:
Have you set the PVID in the switch ports tab to match the VLANs?
Let's see that tab then.
Or the output of
etherswitchcfg. -
@stephenw10 said in XG-7100 & Unify console troubles: ix0, ix1, dhcp-kea & now sore head:
etherswitchcfg
Here's the latter...
etherswitchcfgetherswitch0: VLAN mode: DOT1Q port1: pvid: 4090 state=8<FORWARDING> flags=0<> media: Ethernet autoselect (1000baseT <full-duplex>) status: active port2: pvid: 4091 state=8<FORWARDING> flags=0<> media: Ethernet autoselect (1000baseT <full-duplex>) status: active port3: pvid: 4091 state=8<FORWARDING> flags=0<> media: Ethernet autoselect (none) status: no carrier port4: pvid: 4091 state=8<FORWARDING> flags=0<> media: Ethernet autoselect (1000baseT <full-duplex,master>) status: active port5: pvid: 4091 state=8<FORWARDING> flags=0<> media: Ethernet autoselect (none) status: no carrier port6: pvid: 4091 state=8<FORWARDING> flags=0<> media: Ethernet autoselect (none) status: no carrier port7: pvid: 4091 state=8<FORWARDING> flags=0<> media: Ethernet autoselect (1000baseT <full-duplex>) status: active port8: pvid: 4091 state=8<FORWARDING> flags=0<> media: Ethernet autoselect (none) status: no carrier port9: pvid: 1 state=8<FORWARDING> flags=1<CPUPORT> media: Ethernet 2500Base-KX <full-duplex> status: active port10: pvid: 1 state=8<FORWARDING> flags=1<CPUPORT> media: Ethernet 2500Base-KX <full-duplex> status: active laggroup0: members 9,10 vlangroup0: vlan: 1 members none vlangroup1: vlan: 4090 members 1,9t,10t vlangroup2: vlan: 4091 members 2,9t,10t vlangroup3: vlan: 30 members 3,9t,10t vlangroup4: vlan: 40 members 4,9t,10t vlangroup5: vlan: 50 members 5,9t,10t vlangroup6: vlan: 60 members 6,9t,10t vlangroup7: vlan: 2112 members 7t,9t,10t vlangroup8: vlan: 80 members 8,9t,10tWhat's odd to me, is the last half, pertaining to vlangroup is way outdated.
It's odd, but in exact agreement with the switches vlan page.
In short, to answer your question, apparently I did not. oops.
I'll do that now. -
in. addition, here are the interface vlan & assignments pages...
now, nothing plugged into the 7100 switch works.
I did a reboot just I sent this, but after I "repaired" the Switch VLANs.I'll now do a full power off & restart to ascertain the results.
-
@pfS_noob_cust said in XG-7100 & Unify console troubles: ix0, ix1, dhcp-kea & now sore head:
Here's the latter...
You can format that kind of output with by adding a line before and after that contains only three "`" (Markdown syntax)
etherswitchcfg etherswitch0: VLAN mode: DOT1Q port1: pvid: 4090 state=8<FORWARDING> flags=0<> media: Ethernet autoselect (1000baseT <full-duplex>) status: active ...As for the VLANs, now they are numbered different, are you trying to confuse me ;)
In "Interfaces / Switch / VLANs", all the VLANs you define on "Interfaces / VLANs" do have to exist too.
For example, the VLAN 622/ngp4_storage is now VLAN 60 on the Switch / VLAN page but still VLAN 622 on the Interfaces / VLAN page.
Do you mind me asking, how well do you understand VLANs, tagged and untagged, access ports?
-
Yeah you haven't set the PVID on the switch. All the ports are still set to 4091 so no inbound untagged traffic will work. Except on LAN where it's still using 4091.
You need to go to Interfaces > Switch > Ports and set the correct PVID for each port.
-
Ah also the VLAN tags on the switch no longer match the VLANs you have added on lagg0. Previously they did. You'll need to set those back to match.
-
@patient0 sorry for being so confusing - not intentional.
Stephenw10 pointed out that I my Switch VLANS and Assignment VLANS were out of sync. So "I repaired" that. I believe there remains some mismatches in this area.To answer your last question on "my understanding" - pitiful little, apparently.
What I THINK (hoping?) I know is:
port 4 (allow all) devices should get 172.16.22.0/24
port 5 (allow known) devices should get 172.16.32.0/24
port 6 (allow all) devices should get 172.16.62.0/24static mapped "annabelle" as 172.16.62.5 via the port6 dhcp server page.
when the 7100 LAN (port 2) has its members identified as:
-
2,9t,10t : dhcp leases reports statically mapped annabelle is up on both the LAN & port 6. But annabelle reports a self assigned IP address. The port 4 device reports not being not connected.
-
2,3t,4t,5t,6t,7t,8t,9t,10t :
dhcp leases reports statically mapped annabelle is up on both the LAN & port 6. But annabelle reports a self assigned IP address.
The device on port 4 reports a port 5 address, and not one in the pool.
Sure seems like the VLANid assignments did not get re-implemented without leaving some conflicting garbage.
-
-
@pfS_noob_cust I'm sorry but I don't know what to do with these information.
I don't think taking about DHCP is necessary right now, first we have to establish if the VLANs are setup correctly.
Screenshots of "Interfaces / VLANs", "Interfaces / Switch / VLANs" and "Interfaces / Switch / Ports" please.
And then pick one LAN or VLAN to look at. Don't change any VLANs after you posted the screenshots.
-
@stephenw10 thanks!
I failed there too! Didn't understand the switch ports page. fixed that so they match now.
-
@patient0 I think it's fixed now.
-
Yup looks good.
Just for reference the PVID on port 7 doesn't matter because the VLAN there is passed tagged. It usually doesn't hurt to set it there though.
-
@stephenw10 thank you.
Your statement is based on the fact thatport 7 is assigned with that VLANid on interface ix0, right? OOPS, Not true.
Switch VLANs Group 7 members are are all tagged (7t,9t,10t), right? -
Yes exactly. Since all members of that VLAN are tagged it should never see untagged traffic so the PVID isn't used.
However worth baring in mind is that if the downstream device (a switch I assume) incorrectly sends untagged traffic to port 7 it will be tagged onto VLAN 1221. Now normally that's not a problem since the traffic could only ever be one way. Nothing on VLAN 1221 could ever respond. But if such rogue traffic turned out to be a broadcast flood for example that might start to affect something.
-
Thank you. I'll try to absorb what you just said.
@patient0,stephenw10,
I do want to express my gratidude for kindly pointing out my failures of execution in utilizing the GUI properly. I fully appreciate the difficulties of writing words that describe the intent of a GUI.
Again, Thanks.
