Network problem with Intel 82580
-
Thanks for the link, I'd read this before posting this topic and added those two lines to my /boot/local.conf.local "kern.ipc.nmbclusters="131072"
hw.igb.num_queues=1".I notice that one of your lagg groups has an IP directly and other one doesn't. Usually you do not want the VLAN host interface (in this case your lagg1) to have an IP.
Are you using static IPs throughout?Yes it's because I'm not using my LAGG1 yet. It corresponds to my LAN network and I decided to plug a direct cable between my switch and my server on the interface bce0 (broadcom) to have the webconfigurator and the SSH access. I plan to integrate this lagg when I'll be sure Intel's interfaces works correctly.
For the other interfaces, I'm using only static IPs, not DHCP.Which NICs are not working? Have you just added the I340 to a previously working setup?
There are only Intel's NICs which don't work.
The I340 where already plugged into the server when I received it. I haven't install another OS on the server yet to test if it's the Intel's cards which don't work, if it's a freeBsd compatibility/configuration problem or a switch problem. I'll install a Debian on the second server to test it this afternoon.If you have a mix of cards in each lagg they may have different features resulting in unpredictable behavior
Nop, I'm only use Intel's NICs for the LAGG (ideally, I'll have 4 port for a frontend, 4 port for a backend [the 8 Intel ports) and the 2 broadcom port for the pfsync link between my two firewall).
Thanks for your advance, I'll restart all from the beginning (again ^^). If I find the solution, I'll post it.
By the way, if anyone have an idea, don't hesitate to post.
Regards,
Vincent
-
Just to confirm then all your igb NICs are Intel I340 cards?
I do remember reading about some people having problems with VLAN on lagg. Probably best to have a good look through the forum.
The way to approach a problem like this is to implement it one step at a time. For example. Start off by assigning each NIC as a seperate interface. Check you can connect correctly to each one.
Then re-assign two of them as a lagg group. Check you can connect to it (with the appropriate switch config).
Assign all the NICs to the two lagg groups. Check you can connect to each one.
Then try adding VLANs into the mix and check again.
It will soon be obvious which stage is causing the problem.Steve
-
Hi,
Yes I confirm that my cards are Intel I-340 T2 (dual port) with controller intel 82580.
I tried to plug a computer on one intel port (igb1), without vlan and it works.
I can ping both sides. (the server and the computer).
When I try with vlan, it doesn't work. When I configure my switch without trunk but with vlan, it's the same thing, ping command returns to me Host is down…I think it's a problem vlan not supporting by the card. I continue my investigation around the world (it could be a good name for a song by the way ^^)
-
After reinstall pfSense on my two firwall and debugging switch part and network part, it works.
I think it was a switch's configuration trunk problem. I tested without vlan and lagg and add fonctionality progressively.
I have a last problem now. My configuration don't allow IP forwarding between two of my network configured. I've try many things but nothing works… I think it's a NAT problem but I can't determinate how can I resolve it...
-
Ah OK.
So in terms of actual addressable interfaces you have 4 VLAN interfaces (10,1010,20 and 1020) and LAN?
What are you wanting to happen between each interface in terms of routing or NAT?Steve
-
you have 4 VLAN interfaces (10,1010,20 and 1020) and LAN?
Yes it's true.
The VLAN 10 is for the production network of a frontend (where the client come from Internet), the VLAN 20 is for the production network of the backend (for exemple my Apache come from the frontend to access to the storage in backend). So I must have an IP forwarding between those two zone.VLANs 1010 and 1020 are the administration network for the two zone. (I must have IP forwarding between those too)
I've made 4 VIPs in CARP mode (to have redundancy between my two firewall like it's explain on the doc and on the official site), one in each VLAN. Those VIPs will be gateway for client in each VLAN.
At this moment, from a private network connected to the frontend, I can access to the 10 and 1010 VLANs.
I add route to my VLAN 20 and 1020 like thatroute add -net 192.168.2.0/24 192.168.1.254where 192.168.1.254 is my VLAN 10 VIP.
I can access to my two VIP in VLAN20 and VLAN1020 but I can't go further.
I've leave the Outbound NAT in automatic mode and the other NAT parameter to default configuration.Regards,
Vincent
-
Hmm, I think we are going to need a diagram here. I'm confused. :-\
You should not need to add a route between the VLANs as long as clients on those subnets are using the pfSense box as a gateway. pfSense will route by default as long as you have firewall rules in place to allow it. With NAT set to auto NAT will take place beween interfaces that have a gateway set (which are treated as a WAN) and those that don't (LANs).
If you are using CARP which interface is pfsync using?
Steve
-
Hi,
I made this diagram to help you to understand my architecture (in attachement).
If you are using CARP which interface is pfsync using?
I'm using the two broadcom NIC on a LAGG failover for pfsync.
The 8 other Intel NIC (named 'igb') are used for my backend and frontend. (4 on each part) on two lagg with two vlans on each lagg.
For the pfSense 01 : LAGG0 contained igb1+3+5+7 and is connected to the frontend (IP 192.168.1.1)
LAGG1 contained igb0+2+4+6 and is connected to the backend (IP 192.168.2.1)
LAGG2 contained bce0+1 and is used for pfsync (10.1.0.1)For the pfSense 01 : LAGG0 : igb0+2+4+6 : frontend (192.168.1.2)
LAGG1 : igb1+3+5+7 : backend (192.168.2.2)
LAGG2 : bce0+1 : pfsync (10.1.0.2)From my client (a network connected to the frontend by a gateway) I can ping all my interfaces (on each network and each pfsense) and my VIP. But I can't go further the VIP backend to ping a switch or server in backend for example.
On each network, the rule is "allow all protocol from all source to all destination".
-
Check the subnet mask on the pfSense interfaces. By default they are /32 when you first enable them. They obviously need to have a bigger mask such as /24. Normally it becomes obvious when you try to enable DHCP but if you're not using that it can be easy to overlook.
Steve
-
I've verified and all my submask are on /24….
-
Hi,
The problem is resolved.
It was a problem of route missing in backend to access to frontend. Now, it's works.This post can be marked in "resolved".
Thanks to Steve to your advices and your patience to help me.
Regards
Vincent
