At my wits' end with my hardware, request advice on new!

Perry

Hmm, looks ok. There have been some reported issues with 1.2.1 and VLANs, so make sure to have the latest version, or you could try 1.2.

      /Perry
      doc.pfsense.org

cheesyboofs

Hehe, I have already downgraded to 1.2 for that reason. If you think it looks ok I will give it another go tonight by booting off the live CD. Unfortunately I can only do this when I get home from work and I'm already shattered, but if you think I'm heading in the right direction I'll try again.

Am I correct in that I should be creating a vlan0 tag 1 and using that for my LAN? (In my proposed setup)

        Cheers

        Author of pfSense themes:

        DARK-ORANGE

        CODE-RED

Perry

Yes, I would surely try with a live CD before doing anything else.

> Am I correct in that I should be creating a vlan0 tag 1 and using that for my LAN? (In my proposed setup)

Yes, you can use vlan0 (nic) as LAN.


kpa

I would dedicate VLAN tag 1 only to configuring the switch and create new VLANs for WAN and LAN.

cheesyboofs

Right, I booted from the 1.2.1 live CD and WOHOO! It worked out of the box, no changes to the switch at all. Ping and DHCP worked but I could not (for love nor money) get the pfSense web interface up.

So I then did a fresh full install of 1.2 and this time everything worked again, but the web interface was REALLY slow. I restored the original config, rebooted and changed the physical interface mappings of my restored config to the new VLAN mappings. All is/was working fantastic and everything feels so much more zippy, with two exceptions!!!!

The pfSense web interface is Sooooo slow from the LAN it's barely usable, and the same with OpenVPN, and I think the problems are related! On most VLAN-aware kit it gives you the option to set the management VLAN (the VLAN the management will bind to); this is why my 7760 and ProCurve web interfaces don't have an issue but pfSense does. OpenVPN doesn't give you the option either to tag the pseudo OpenVPN interface. In fact I'm surprised the two work at all.

What I'm left with is: I can ping everything with a <1 ms ping, DHCP works, even the OpenVPN tunnel comes up, but the router web interface is slow but usable and I can't map shares or RDP over VPN; ping will work one in 10.

Any help much appreciated as I'm so close and on the whole quite pleased!

EDIT: To add ifconfig dump

# ifconfig
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
        inet6 fe80::230:18ff:fea2:eab5%re0 prefixlen 64 scopeid 0x1
        ether 00:30:18:a2:ea:b5
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
re1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
        ether 00:30:18:a2:ea:b6
        media: Ethernet autoselect (10baseT/UTP)
        status: no carrier
pflog0: flags=100<PROMISC> mtu 33208
enc0: flags=0<> mtu 1536
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
pfsync0: flags=41<UP,RUNNING> mtu 2020
        pfsync: syncdev: lo0 syncpeer: 224.0.0.240 maxupd: 128
vlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.100.254 netmask 0xffffff00 broadcast 192.168.100.255
        inet6 fe80::230:18ff:fea2:eab5%vlan0 prefixlen 64 scopeid 0x7
        ether 00:30:18:a2:ea:b5
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
        vlan: 1 parent interface: re0
vlan1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::230:18ff:fea2:eab5%vlan1 prefixlen 64 scopeid 0x8
        inet 82.16.215.154 netmask 0xfffffc00 broadcast 255.255.255.255
        ether 00:30:18:a2:ea:b5
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
        vlan: 11 parent interface: re0
vlan2: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether 00:30:18:a2:ea:b5
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
        vlan: 22 parent interface: re0
vlan3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.101.254 netmask 0xffffff00 broadcast 192.168.101.255
        inet6 fe80::230:18ff:fea2:eab5%vlan3 prefixlen 64 scopeid 0xa
        ether 00:30:18:a2:ea:b5
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
        vlan: 33 parent interface: re0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet6 fe80::230:18ff:fea2:eab5%tun0 prefixlen 64 scopeid 0xb
        inet 192.168.102.1 --> 192.168.102.2 netmask 0xffffffff
        Opened by PID 414


cheesyboofs

                Scratch That!!!

For shits and giggles I remotely upgraded to 1.2.1 due to this post http://forum.pfsense.org/index.php/topic,12200.0.html that said VLANs had been fixed in 1.2.1. Following the reboot I lost OpenVPN altogether, but everything else seemed to be up.

When I got home I confirmed the fault and made these changes: I removed all references to vlan1 and changed it to vlan77, both on the router and the switch. I disabled both Realtek NICs and installed one Intel PRO/1000 XT, and following a reboot EVERYTHING is working fantastic and I am so chuffed. The modem works at full speed, the web interface to the router is responsive and all VLANs are working great.

Things I learnt (the hard way):
1. A VLAN switch is far better than a bunch of NICs; there are no IRQ issues and it is what it was designed to do.
2. An Intel 1000BASE NIC is far more stable under FreeBSD.
3. You can use a 64-bit PCI card in a 32-bit slot :P
4. There are some people on this forum who really know their beans.
5. DON'T USE VLAN 1 FOR ANYTHING, it's just not worth the grief.

                A BIG, BIG thank you to David and Perry for helping me get this sorted.

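The two things that bit this thread, a VLAN carrying tag 1 and the vlanN unit name not matching the 802.1Q tag (vlan1 above carries tag 11), are easy to miss by eye in an ifconfig dump. The script below is an added example, not from the thread or from pfSense: it parses FreeBSD-style ifconfig output (a constructed sample modelled on the dump posted above) into a name-to-tag/parent map and flags tagged interfaces on VLAN 1 and tagged interfaces that are defined but down.

```python
import re

# Constructed sample modelled on the ifconfig dump posted in this thread;
# it is not live output from any box.
SAMPLE = """\
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether 00:30:18:a2:ea:b5
vlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.100.254 netmask 0xffffff00 broadcast 192.168.100.255
        vlan: 1 parent interface: re0
vlan1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 82.16.215.154 netmask 0xfffffc00 broadcast 255.255.255.255
        vlan: 11 parent interface: re0
vlan2: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        vlan: 22 parent interface: re0
"""

IFACE_RE = re.compile(r"^(\S+): flags=\w+<([^>]*)>")   # "vlan0: flags=8843<UP,...>"
VLAN_RE = re.compile(r"^\s+vlan: (\d+) parent interface: (\S+)")
INET_RE = re.compile(r"^\s+inet (\S+)")                # IPv4 only; "inet6 " does not match

def parse_ifconfig(text):
    """Map each interface name to its flags, 802.1Q tag, parent and IPv4 addresses."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        if m := IFACE_RE.match(line):
            cur = ifaces.setdefault(m[1], {"flags": set(m[2].split(",")),
                                           "tag": None, "parent": None, "inet": []})
        elif cur and (m := VLAN_RE.match(line)):
            cur["tag"], cur["parent"] = int(m[1]), m[2]
        elif cur and (m := INET_RE.match(line)):
            cur["inet"].append(m[1])
    return ifaces

def vlan_findings(ifaces):
    """Flag what this thread ran into: anything tagged VLAN 1 (the default/native
    VLAN on most switches, so it ends up sharing a segment with untagged management
    traffic) and tagged interfaces that exist but are down (easy to misassign later)."""
    out = []
    for name, i in sorted(ifaces.items()):
        if i["tag"] is None:
            continue                       # physical, loopback, tunnel: not a VLAN
        if i["tag"] == 1:
            out.append(f"{name}: VLAN 1 on {i['parent']} - move it to a dedicated tag")
        if "UP" not in i["flags"]:
            out.append(f"{name}: VLAN {i['tag']} defined but not UP - remove if unused")
    return out

if __name__ == "__main__":
    for finding in vlan_findings(parse_ifconfig(SAMPLE)):
        print(finding)
```

Feed it real output with `parse_ifconfig(open("ifconfig.txt").read())`; the unit name vs. tag mapping it prints is the one to check against the switch's port configuration.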

Perry

                  You're Welcome

> Things I learnt (the hard way)

                  ;D IHTSITYSBITYS  ;D
                  I Hate To Say I Told You So But I Told You So


atamido

@cheesyboofs:

> Thanks for the info. Yeah, I understand that architecture is more important than speed or headroom. A Cisco router may not have the fastest CPU or the most RAM, but thanks to its proprietary hardware architecture and IOS tailored for known hardware they are where they are.

I just had to reboot a Cisco 1841 router at work. It's set up as a basic NAT router for public internet, and the DNS and/or DHCP services on it keep crapping out. The $2500+ Foundry switches are a little more reliable, but not much more. And considering the number of command structures that change between minor releases, I don't have much positive to say regarding them.

                    Of course, the routers that cost $100k+ are a different story.  ;)

David_W

                      This has been a good thread for many reasons.

                      Firstly - thank you for thanking me; it means a lot to have that acknowledgement. I'll always try to offer an intelligent answer when I can.

                      I agree wholeheartedly with your conclusions - and hopefully this thread will help to encourage others to take the same route of VLANs and quality NICs rather than wasting time and money on NICs that tend to be troublesome on FreeBSD and pfSense.

                      You are much better off without cheap NICs - Intel Gigabit is the way to go if you're buying a NIC, though my experience is that Broadcom Gigabit server NICs (as used on many Dell server motherboards) are also fine. A server NIC is best; if you are using a PCI based system that probably means a PCI-X (64 bit) card. So long as you have enough room for the longer PCI-X card in your case, it will work fine in a 32 bit PCI slot (this is not necessarily true, but it does hold for the major brands of NIC in all but the most ancient PCI motherboards). PCI Express is the way ahead, and tends to be so much simpler in use, but it will take a long while for PCI Express to become ubiquitous.

                      Clearly you've bought an Intel Gigabit Server NIC, which is the best choice.

                      VLANs are also the way ahead - as you say, they're designed for what many people try to use a bunch of NICs for. With the HP Procurve 1800-8G available so cheaply, there's little reason not to use VLANs.

                      You can do so much with VLANs - for example, I can pass all my networks from switch to switch using a single link and tagging, rather than a bunch of cables (in fact, I use multiple connections trunked together for bandwidth reasons, but the principle still holds). With VLANs, you can use a single port NIC on your firewall rather than needing multi port NICs, with the associated IRQ issues and the high expense of a quality multi port NIC (a quad port Intel Gigabit Server NIC costs serious money…).

                      With VLANs you can easily switch a port from one network to another from your browser - also you can use the advanced features of your 3Com 7760 access point where different Virtual Access Points are on different VLANs, and, if you set up a RADIUS server, you can allocate a VLAN depending on the credentials used to authenticate to the RADIUS server with. Indeed, I recommend setting up a RADIUS server if at all possible; the security is better than with PSKs and you have much more control over the system. I do maintain the FreeBSD port of FreeRADIUS, but not the pfSense FreeRADIUS package, so I'm not sure exactly what the package can and can't do.

                      Now that you've set up your VLAN based system, you will probably find yourself understanding the answers to the more complex VLAN features you were asking about earlier. You can experiment with them - though make sure that you have a way to get the switch back to its working state first. At the very least, take a copy of your pfSense configuration and, if you can save it to your computer, your switch's configuration before experimenting - also make sure that you have a way of returning the switch to that configuration.

                      It's also worth making yourself a few notes about the purposes of each VLAN, and the addressing structure used on each one, so that future changes are easy to get right.

cheesyboofs

> Clearly you've bought an Intel Gigabit Server NIC, which is the best choice.

I didn't even have to buy it, that's the irony. When I looked hard I had three spare Intel Server PRO/1000 XT NICs lying around at work in an old F840 NetApp filer. Once I checked that the card would work fine in a 32-bit slot there was no stopping me.

> It's also worth making yourself a few notes about the purposes of each VLAN, and the addressing structure used on each one, so that future changes are easy to get right.

That's why I do my pretty pictures, so that I can keep track of it all, but it looks cool too. The whole setup is much more professional, and if you look at my picture it looks like the switch is 'in front' of the router (although logically it's not); it's mind-boggling.

VLANing is definitely the way forward and I'm definitely converted.
