VLANs and PFsense
-
Actually, I happen to have an awesome Netgear GS108PE sitting here on the shelf because it's a complete piece of shit not worthy of my TiVo. I replaced it with a d-link, if that says anything. Maybe tomorrow I'll put it between the 3550 and the 2800s and see what happens.
Dude. Layer 2 matters.
-
Just as an example: have a UBNT managed PoE switch here. When you place that POS between cable modem and pfSense and start using VLANs there, it breaks DHCP on WAN. Go figure. (You know, the idea was to use the PoE switch feature to remote cycle the firewall when things fsck up, since the box is ~1000 km away. Sadly, did not work, and instead broke things badly.)
-
Have you, for one - tried to replace the Netgear shit with some else - if anything, just for eliminating that as a possible cause? You know, this feeling like Troubleshooting 101. Certainly also a whole lot more productive that producing rants about apparently rare issue noone else can reproduce.
Yeah, sure, every NIC out there has faulty vlanhwtag. Just Netgears are perfect.
You all are the ones with tunnel view. Pfsense is perfect.
I've never defended Netgear in a way you are implying.
Given I've found a solution by turning off vlan hardware tagging doesn't really point the direction at my Netgear, nor the cables to my fibre switch, the fibre switch, the Netgear switch there nor the ISP.
I went through all that.When I attach a laptop to my Netgear core switch I can download a test file with 50 Mbit/s
This traffic then goes through the 2 switches with no performance loss.
If I do the same behind pfsense I'm getting slow performance.
If I tell that traffic to use an ADSL-connection I will get its full 6 Mbit/s speed (through pfsense).
The traffic will then go through the same wiring and the same 2 Netgear switches.If I turn off vlan hardware tagging on the igb1 interface I get my full 50 Mbit/s
So you tell me to swap the switches based on this behaviour?
-
Ok, so you never bothered with basic debugging, such as replacing the switch. (One of examples how switches fsck up things noted just above your post.) Enough for me to not waste any more time here. Funny that you complain about "tunnel view", yet suffering from it yourself.
-
"Dude. I just created 100 VLANs on pfSense 2.2 on a realtek with HW TAGGING through a cisco 3550 to a Cisco 2811 and a Cisco 2610 with 100 VLAN interfaces defined. I can't get it to fail."
Have you tried it with his switch? haha.
-
Netgears are utter shit. Maybe they get better up in the managed, stackable range, but I will never, ever buy another one. Ever.
-
You all are the ones with tunnel view. Pfsense is perfect.
Look at redmine. You will quickly see that is not the case.
Dude. I just created 100 VLANs on pfSense 2.2 on a realtek with HW TAGGING through a cisco 3550 to a Cisco 2811 and a Cisco 2610 with 100 VLAN interfaces defined. I can't get it to fail.
What, exactly, should I try that is failing for you?
Well, what should I try?
-
Here is what I would do:
Try different NICs.
Try different switch.
Try this on a fresh install, of course.
I really do understand that buying new hardware here and there is hard to do so I can understand it may be impractical.
For future builds, always go to the forum, find someone who is doing exactly what you want to do already.
Then find out what hardware he is using and as much as possible, buy exactly that.
Probably cheaper also because usually old used hardware is sold for dirt cheap.
What you are trying to do would probably cost me $60 and a bit of searching around on ebay.
-
I hope to get this Netgate 4 NIC motherboard soon.
I already planned to use 1 NIC for this 50 Mbit/s fibre connection and the other 3 for all these vlans.
This way I will have only 30-ish vlans per NIC.I am of course curious how it handles my current config.
Especially with vlan hardware tagging turned on.I didn't ask for this discussion and blame-gaming.
Someone just defined many vlans on pfsense and said that's working fine.
Hardly any proof. I'm able to define these vlans as well, but I also have interfaces on it that need to be connected to the Internet.
And even then… Is he using the same NICs?I gave up on getting help regarding this issue 3 years ago.
Just came back to this forum that it also was giving a performance issue.
I'm sure a solution will be found one day.Would have liked an option in the webif to turn off vlan hardware, so I didn't need to resort to this cronjob thing.
-
And again…
I have full 50 Mbit/s throughput when I use this Netgear switch tagging and untagging the vlan that's connected to fibre-switch.
I'm not giving this switch a hard job and probably these switches have issues, but it's proving it doesn't have an issue doing this basic job.I have ruled out pfsense in this situation and am getting full performance.
Why should I blame Netgear and not pfsense if turning on/off hardware tagging on the pfsense makes the difference?
-
Throwing new layer 3 gear at the problem when your real issue is at layer 2 is not going to help.
You have an attitude problem. We are perfectly willing to help you figure out where your issue is but YOU insist it's pfSense and vlanhwtag.
That tech is moving so many terabytes and so many millions, if not billions or trillions of dollars every day that it is probably not the case.
It sounds to me like you have a completely hosed switching layer. Perfectly happy to help you straighten it out, but that might involve you admitting to a design mistake or two. Sometimes that happens when a network grows. We've all been there.
I really don't think your problem is vlanhwtag on em(4) and igb(4) NICs.
-
Layer 2 is working as I expect it to.
When I first encountered this problem (3 years ago) I had this Atom board.
The first router suddenly broke down and I replaced it with scrap hardware. That was running like its previous one.I tried to use the working config of this scrap router and couldn't get it to work on this atom-board with 2 Intel NICs.
I did notice it loads the first interfaces quite fast, pauses and then loads the other interfaces at a slower pace.I made a small test setup around that Atom-board and started experimenting.
Turning off vlan hardware tagging turned out to be the key to get that working.I then replaced the scrap router (layer 3 and working) with this Atom based system which worked with that same config (as long as I turn off hw vlan tagging).
It's working for 3 years that way. Replaced the router another time and sold the 2 Atom systems (one was a spare one).
Both these Atom systems work fine, but they only have 4 or 5 vlans.Never got an answer how hardware assisted vlan tagging could make a difference on my layer 2 setup….
-
Perhaps your problem is being imported over and over with this config you keep re-using?
-
Perhaps your problem is being imported over and over with this config you keep re-using?
Yes….
If I receive this Netgate motherboard and it doesn't work out of the box (with the imported config.xml) I will try to make a new setup.
In this setup I can of course replace the Netgear switch with another brand. -
Wow there has been a lot of back and forth since I left the message to look at the switch. First I never meant to say or imply that Netgear switches are not a worthy switch. I just wanted to bring to light that all switches have limitations in both the number of static VLANs they can create and also the number of Tagged VLANs that can have per port. I just wanted to do that bit of home work. If we think back to the basics when you add a tagged vlan to a port you are extending the size of the packet I think 4 Bytes but someone please correct me if I'm wrong here. At some point your equipment will not like the size of the packet and reject it but there are work arounds like reducing the payload size to accommodate the larger header information. Seems to me that you are getting close because if you connect a computer to your switch on a untagged port (No Vlan info in the header) everything is all good. You could try to do a packet capture of the interface and see what's going on at layer 2. You might be at the point in your network size where a multi-layer switch fabric and possible a multi layer routing network would give you better performance. When I first commented last night (I'm in the blizzard of 2015) there were only a few replies but now we are on page three so I don't remember if there was a diagram of your network. Can you please provide a diagram. I would really like to get to the bottom of your issue. Remember that this issue you are having can help many people out if we all just work together to solve it. Just as a side not and performance issue, with that many vlans you may want to think about using a layer-3 switch, I think you said you were using atom grade hardware so your routing performance is not going to be as good as a switch with custom asics doing the same job (Hell a i7 isn't going to do as good a job a layer-3 switch). Also how many users do you have on your LAN? When you have HWtagging on at what point are you seeing a failure (how may vlans).
Again I would like us all the remain civil I know it can get frustrating when we want to help but we are not getting the information that we want. This seems like a interesting issue.
I'm going to go on the record and say Netgear is not shit, there are tools for a job and sometimes the job gets so big you need another tool. Ebay is a great place to get enterprise grade gear really cheap. I got 2 48 port PoE gigabit Broacade Layer-3 switches with a 10GBps Interface (Not included) for $250. I have had the switch for about 6 months now no issues what so ever. before that I got a few HP-Procure 24 port Gigabit switches with a 48Gbps back plane for $200 bucks and went good for me until some caps exploded due to the temp of my commroom 2.5 years later. I replaced them which cost me $.75 and the switch is going strong today.
-
Do my best to duplicate dude's setup with what gear I have on hand and all I get is, "that isn't good enough."
And still utter refusal to answer specific, pointed questions so I can duplicate his environment as closely as possible.
And, yes, the GS108 is shit. I have one. It's no longer on my network. And that's just my house.
-
Test the entire config in a virtual environment.
-
Has OP ever explained how he is tagging through 85 VLANs on a switch that
only supports 64? Looks like his does 128 and the GS724Tv4 does 256. The GS108T only does 64 through. But with careful application it should be doable as long as no more than 64 go out any "core" switchport.I finally got my stupid ProSafe utility running again. Had to spin up a new VM to do it. My GS108PE stops me from tagging VLANs on ports at 32. About to put it inline between pfSense and the 3550.
-
I was unable to attempt to debug this because all I have is good switches…. Layer 8 getting to you again?
-
I can't get it to fail with an re(4) even. Something in dude's environment must be wonky.
I'd examine /conf/config.xml to see if there's anything different about any of the VLANs or interface definitions.
pfSense (192.168.$vlan.3) <-> GS108PE <-> Cisco 3550 <-> 2 Cisco routers with 100 dot1q interfaces each. (192.168.$vlan.[12])
Seems to just work, with the expected limitation that I can only pass VLANs 2 - 32 through the netgear. 33-100 fail.
