VLANs and PFsense

frater

As I wrote already it works with only a "few" vlans
I have 2 NICs
1 NIC I'm using for the WAN-connections and the other NIC is for all the LAN-connections.

Many LAN-connections don't work until I turn off vlan hwtagging with the command "ifconfig igb0 -vlanhwtag"
It's this way for 3 years on different hardware.
Each time I change hardware I'm secretly hoping it is working without turning that off.

On the WAN side I have about 5 VLANs.
The latest one I added was the 50 Mbit fibre connection.
I was having performance problems on that which went away if I directed the traffic to a 6 Mbit ADSL-line.
Very strange…
I had 6 Mbit throughput on that ADSL-line, but only 0.5 Mbit on the 50 Mbit line.
I attached a laptop to the core switch where I had that VLAN untagged and got my 50 Mbit without any issues.

Then I used that same trick on the WAN-NIC and all of a sudden I have 50 Mbit throughput...
It's as if that vlan is performing less because it is later created....
Again... no problems if vlanhwtagging is off

I fail to understand why this could have anything to do with my switches.
As I said it's working as I want it as long as I have hardware vlan tagging turned off.

I'm using a Netgear GS724T as my core-router and many GS108T's for distributing the VLANs in a campus-like situation.

Most GS108T's are configured like this
On port 1 they receive all the VLANs tagged and on port 2 they give all the VLANs to the next GS108T minus the ones that are meant for that appartment-block

I have little room for testing as many people depend on this router.
I'm now again hoping it will work on the Netgate motherboard with 4 NICs that's getting released on february.

Today I tried an update to 2.2 but then it has the same behaviour as with vlanhwtagging turned on.
So my trick doesn't work on 2.2 anymore.
If this is a FreeBSD issue I don't know.

jahonix

Sorry, I'm out.
I'll never touch Netgear Prosafe switches again, as I've seen too much odd behavior up to complete fails with those devices in the past.

@frater:

I'm using a Netgear GS724T as my core-router …

Those switches are L2 only, hence it can only be your core-switch. pfSense does the routing for you, right?

@frater:

Most GS108T's are configured like this
On port 1 they receive all the VLANs tagged and on port 2 they give all the VLANs to the next GS108T…

Are those ports 1 & 2 configured as Trunk-ports?

Do you use LACP and Jumbo-frames in your setup somewhere?

How many GS108Ts are in your setup?

mikeisfly

That switch can only have up to 64 VLANs according to https://forum.pfsense.org/index.php?action=post;topic=87222.0;last_msg=480875 This may be the cause of some of your issues.

edit: forgot to add 24 port based Vlans

Derelict

@mikeisfly:

That switch can only have up to 64 VLANs according to https://forum.pfsense.org/index.php?action=post;topic=87222.0;last_msg=480875 This may be the cause of some of your issues.

edit: forgot to add 24 port based Vlans

Nice catch.

OP - have you tried another switch?

I know it seems like it HAS to be the vlanhwtag on the interface, and you've tried multiple hardware on pfSense.  That might point you in a direction other than the hardware you keep changing out to something that you haven't.

There was just a bug fixed in captive portal for 2.2.1 that didn't raise its ugly head until 117 VLANs were attached to the same CP.  And that was because the rule was getting too long.

Do you have any of those old systems that also exhibited this behavior?  Maybe you can get something going on the bench to test it.  I know.  It's a lot to build.  I'm trying to think of a good way to do it.  Probably some perl scripting to generate the configs, two pfSenses and a Cisco 3550.

If I do get a wild hair and decide to lab this up, what is the exact behavior you're seeing?  Is it something straightforward like not being able to ping the pfSense VLAN interface IP address at all or is it more nuanced like slow performance intermittently?  Are you running any limiters, shapers, captive portals or anything else it might also be?  Any virtualized pfSenses?  I don't think I have any igb(4) nics.  It'll be em(4).

frater

@jahonix:

Sorry, I'm out.
I'll never touch Netgear Prosafe switches again, as I've seen too much odd behavior up to complete fails with those devices in the past.

How could these Netgear switches be involved with this issue?
You seem to be missing that it's working without a problem as long as I disable "hardware vlan tagging" on the NIC.
This is about the NIC interfacing with FreeBSD.

Furthermore it works fine and full throttle if I untag that fibre vlan to a specific port and have a laptop connected to it.

I'm not denying any issues around Netgear, but I think I've already identified the culprit.

According to specs I have 128 static VLANs
I have no reason to believe it's less. Especially because I'm able to define these.

I just went through the trouble of adding another 36 bogus vlans on my switch.
I got this message when trying to define the 129th vlan.

Derelict

Are you going to answer my questions or not?

You're the one who came here for help.  I'm labbing this thing up as we speak.

Here's the deal. You have a layer 2 problem. You are using shit switches, apparently daisy-chained. Doesn't take a genius to start going in the right direction.

What, exactly, are you seeing?

If I do get a wild hair and decide to lab this up, what is the exact behavior you're seeing?  Is it something straightforward like not being able to ping the pfSense VLAN interface IP address at all or is it more nuanced like slow performance intermittently?  Are you running any limiters, shapers, captive portals or anything else it might also be?  Any virtualized pfSenses?

doktornotor

@frater:

This is about the NIC interfacing with FreeBSD.

So talk to FreeBSD guys…

As a side note, the cron job is just completely wrong workaround, use shellcmd to run this on boot, as noted on the bug.

kejianshi

I see you tried updating to 2.2 now.  Sorry.  Have you tried fresh install?

I'm not aware of pfsense having vlan issues.  Mine never has.

frater

If I don't enable that cronjob that turns off vlan hardware tagging I'm getting this behaviour.

My office is in vlan100 and I have assigned 10.0.0.138 to pfsense.
I start pinging the router.
I do a reboot of the pfsense system. It comes up and for a short while I'm able to ping the router as it's creating the vlans.
Then this stops.
If I walk to the console of the pfsense I'm having an Internet connection and am able to ping addresses on the Internet.
I can't ping anything in the vlan100 office LAN.

If I invoke ifconfig igb0 -vlanhwtag it starts working.

And the whole network is then working.
I don't have full performance on my fibre network though. I need to invoke ifconfig igb1 -vlanhwtag for that…

But why being this defensive?
It seems it's all focused on getting any other culprit than the pfsense system.

Derelict

WHAT VERSION OF PFSENSE?

Derelict

That's because if there was a VLAN HW TAGGING problem in FreeBSD everyone would already know about it, bro.  Google it.  It doesn't exist.

WE have to help YOU figure out what's wrong in YOUR network so we can help YOU unwrong it.

frater

@Derelict:

That's because if there was a VLAN HW TAGGING problem in FreeBSD everyone would already know about it, bro.  Google it.  It doesn't exist.

WE have to help YOU figure out what's fucked in YOUR network so we can help YOU unfuck it.

As I said…
You've already found the culprit....
This is exactly what made the challenger explode....

And you probably didn't notice I helped myself 3 years ago by finding that solution.

If this is the attitude with which you are offering help I like to pass on that...
I'm offering you feedback, I guess you're blind for that.

kejianshi

Complaints I've seen recently that I know are not true.

Pfsense can't VLAN
Pfsense can't NAT
Pfsense can't resolve
Pfsense can't route

Look deep enough, long enough and you will always find OP is making a simple mistake.
So, just need to go ahead and drop the idea that pfsense can't or won't vlan and find where the user error is.

frater

@kejianshi:

Complaints I've seen recently that I know are not true.

Pfsense can't VLAN
Pfsense can't NAT
Pfsense can't resolve
Pfsense can't route

Look deep enough, long enough and you will always find OP is making a simple mistake.
So, just need to go ahead and drop the idea that pfsense can't or won't vlan and find where the user error is.

You are paraphrasing me.
I have a network here that's working in full as long as I turn off vlan hardware tagging.

3 years ago I had a working setup with hardware I can't remember exactly what it was.
That hardware broke down and I replaced it with a dual NIC atom board that was introduced at the time. Something with DCC2500…
I took the config.xml of the previous router and was unable to get it working again.
... until I turned off vlan hardware tagging...

frater

@kejianshi:

So, just need to go ahead and drop the idea that pfsense can't or won't vlan and find where the user error is.

Why don't you, with your eternal wisdom, explain me how this fucked up system I've created suddenly starts working when I turn off vlan hardware tagging?

doktornotor

Have you, for one - tried to replace the Netgear shit with some else - if anything, just for eliminating that as a possible cause? You know, this feels like Troubleshooting 101. Certainly also a whole lot more productive that producing rants about apparently rare issue noone else can reproduce.

Yeah, sure, every NIC out there has faulty vlanhwtag. Just Netgears are perfect.

Derelict

Dude.  I just created 100 VLANs on pfSense 2.2 on a realtek with HW TAGGING through a cisco 3550 to a Cisco 2811 and a Cisco 2610 with 100 VLAN interfaces defined.  I can't get it to fail.

What, exactly, should I try that is failing for you?


Derelict

Actually, I happen to have an awesome Netgear GS108PE sitting here on the shelf because it's a complete piece of shit not worthy of my TiVo.  I replaced it with a d-link, if that says anything.  Maybe tomorrow I'll put it between the 3550 and the 2800s and see what happens.

Dude.  Layer 2 matters.

doktornotor

Just as an example: have a UBNT managed PoE switch here. When you place that POS between cable modem and pfSense and start using VLANs there, it breaks DHCP on WAN. Go figure. (You know, the idea was to use the PoE switch feature to remote cycle the firewall when things fsck up, since the box is ~1000 km away. Sadly, did not work, and instead broke things badly.)

frater

@doktornotor:

Have you, for one - tried to replace the Netgear shit with some else - if anything, just for eliminating that as a possible cause? You know, this feeling like Troubleshooting 101. Certainly also a whole lot more productive that producing rants about apparently rare issue noone else can reproduce.

Yeah, sure, every NIC out there has faulty vlanhwtag. Just Netgears are perfect.

You all are the ones with tunnel view. Pfsense is perfect.

I've never defended Netgear in a way you are implying.
Given I've found a solution by turning off vlan hardware tagging doesn't really point the direction at my Netgear, nor the cables to my fibre switch, the fibre switch, the Netgear switch there nor the ISP.
I went through all that.

When I attach a laptop to my Netgear core switch I can download a test file with 50 Mbit/s
This traffic then goes through the 2 switches with no performance loss.
If I do the same behind pfsense I'm getting slow performance.
If I tell that traffic to use an ADSL-connection I will get its full 6 Mbit/s speed (through pfsense).
The traffic will then go through the same wiring and the same 2 Netgear switches.

If I turn off vlan hardware tagging on the igb1 interface I get my full 50 Mbit/s

So you tell me to swap the switches based on this behaviour?