QinQ Vlan tagging - Is this what I need?
-
Hi Guys..
First of all, I love your new website.
I have small problem that turned into big problem.
We have two locations that are bridged by DSL modem from our service provider. The bridge works fine and communicating across the locations are no problem.
Last week we implemented a new billing system tied into our broadcast system and VLANs come into the fray now. So, I created the VLANs and set up the switches on both sides of the DSL bridge, but the only traffic I could get was DHCP.
After 3 days of troubleshooting, I found out that the service provider DSL bridge only supports a single VLAN. The one I'm using now.
The question is, how can I get around this? Is QinQ vlan tagging what I would need to implement?
Thanks..
Jits
-
Are you asking if you need Q-in-Q provided by your ISP?
If the modem supports only 1 VLAN, I doubt Q-in-Q will help, that just adds another IEEE 802.1Q tag to the already 802.1Q tagged packets.
I had a similar problem, my workaround was to lease a static I.P for site "Main" and build a site-to-site VPN, both sites have the same VLANs. The packets going over the VPN are Q-in-Q tagged, once they get through the VPN they are routed to the proper VLAN (without the extra Q-in-Q Vlan tag).
-
If you created new OPTX interfaces on the private side of pfSense on VLANs, they do not have any firewall rules on them by default so DHCP will work but no states will be able to be created. For starters, look at the rules on LAN and duplicate them for your new interfaces.
If you're really talking about tagging VLANs across your WAN circuit, you really need to ask your provider if that's even possible. I've only seen that capability on a couple Metro Ethernet services. Most don't support it since they're using VLANs to identify customer circuits.
-
okay, the DSL modems are in Bridge Mode and are connected to switches on both sides. LAN traffic passes fine.
LOCATION 1 LOCATION 2
[Internet] –-- [PFsense] –-- [Lan Switch 1] –- [Lan Switch 2] –- [DSL Modem] ======= [DSL Modem] –-- [Lan Switch] –- [PFsense] –- [Internet]
If I create VLAN in PFsense and configure switches, I can get DHCP traffic and connect to whatever node is connected to the same switch the dsl modems are plugged into on either side, and that's it. I can't reach the PFsense router at Location 1, so in a sense some VLAN traffic passes..
Why Q-in-Q? From what I read,
http://enterprise.huawei.com/ilink/usenterprise/download/HW_194945
QinQ, also known as stacking VLAN, is standardized by IEEE 802.1ad. QinQ encapsulates
the VLAN tag of a private network in the VLAN tag of the public network. Therefore, the
frame travels across the backbone network (public network) of a carrier with double VLAN
tags. Packets are forwarded based on their outer VLAN tags on the public network. Inner
VLAN tags of packets are transmitted as data on the public network. The QinQ is a flexible
and easy-to-implement Layer 2 VPN technique, which is an extension to Multi-Protocol Label
Switching (MPLS) VPN on the core network. QinQ can be used with MPLS VPN to form an
end-to-end VPN solution.So, I'm thinking that using Q-in-Q might be a way to overcome the single VLAN limitation of the DSL bridge…
-
I doubt it. Your traffic is probably being converted to ATM over the DSL network. I highly doubt layer 2 info like VLAN tags can survive the trip. But being a bridge it might. You really need to talk to your DSL provider. If nothing else, you will need to get your DSL bridge ports configured from untagged to tagged. Then you need to determine if your q-in-q tags make it across.
