Can't pass Vlan traffic to Lan adapters.
-
Been testing the implementation of two PfSense routers, each with a dedicated Vlan adapter on each router. Both Vlan IDs are 20 & in the same IP subnet, different from all other adapters. Routers linked by four chained L2 switches. Router-facing switch ports set to U on Vlan20 & E on Vlan1. All other switch ports Vlan20 set to T & Vlan1 set to U. Have a pass-all rule between Lan & Vlan20 adapters.
With this I can ping between Vlan20 adapters & at each router can ping between Lan & Vlan adapter. But can't ping between Lan (router A) & Vlan20 (router B). Rebooted both routers, same results. Below is the full-detail packet capture by router B during a successful router A ping of router B's IP address. Don't see any vlan header, which supports the fact that changing the facing switch port from U to T breaks Vlan<>Vlan ping. All indications are PfSense is not tagging packets with Vlan ID 20.
Any ideas why I have to tag packets at the facing switch port because it's apparently not happening at the PfSense router's Intel I-350 adapter? And why can't I get rules to allow pinging between router A Lan & router B Vlan20, or for that matter Lan <> Lan via Vlan20? Thanks.
---------------------------------
192.168.6.10 > 192.168.6.20: ICMP echo request, id 28805, seq 0, length 64
11:04:58.681750 a0:36:9f:03:9b:6e > a0:36:9f:24:c8:98, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 25549, offset 0, flags [none], proto ICMP (1), length 84)
192.168.6.20 > 192.168.6.10: ICMP echo reply, id 28805, seq 0, length 64
11:04:59.683601 a0:36:9f:24:c8:98 > a0:36:9f:03:9b:6e, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 8657, offset 0, flags [none], proto ICMP (1), length 84)
-
Router facing switch ports set to U on Vlan20
Why?
If you use V20 in pfSense it gets automatically tagged when leaving the interface.
-
If PfSense was tagging the packet, the router-facing switch port would work with a tagged switch port; instead it only works with an untagged switch port. So no, PfSense isn't tagging the packet.
-
If you have assigned eth0_vlan20 to an interface and are sending traffic out that interface, it is either:
1. dot1q tagged for VLAN 20
2. Your NIC/driver/etc is defective. (Which is not generally the case with i350)
Router facing switch ports set to U on Vlan20
If you are using igbX_vlan20 interfaces on pfSense, those switch ports need to be TAGGED for VLAN 20, not untagged.
-
…So no PfSense isn't tagging the packet.
If you say so. I must have done something wrong through the last decade when working with VLANs on pfSense then. ::)
Once you define a VLAN in pfSense, all packets egressing on that interface are tagged. Remember it's an additional interface on the parent-IF which you have to enable, assign IP & DNS, etc.
And you can still have untagged traffic on its parent-IF as well.
-
Think u nailed it Jahonix. After reading Derelict's reply I was poking around and noticed this morning the adapter was assigned to igb0, not "Vlan20 on igb0". Didn't expect another adapter to be created since I was assigning to a dedicated adapter. Not questioning your knowledge, just trying to gather troubleshooting tips & replying with my observations. Still not working but likely needs a reboot with an adapter change. Will report back tomorrow if it's fixed. Really appreciate everyone's help on this. First whack at Vlans for me.
What would really be helpful is if PfSense would pop up a "reboot recommended" message when changes are made that would likely require it.
-
That doesn't likely require a reboot.
That's why there is no reboot prompt.
Check your switch.
The only thing I have seen recently when adding interfaces like that is sometimes dhcpd needs to be bounced to start serving addresses on the new interface. But even then no reboot necessary.
-
You're right, Derelict, reboot & no change. Set facing switch ports from tagged to tagged/trunked & no change either. Appears the vlan is working, but I'm not passing traffic between adapters properly. Just as in my first post in this thread, I can ping between Vlan20 adapters & at each router can ping between Lan & Vlan adapter. But can't ping between Lan (router A) & Vlan20 (router B) or Lan to Lan. In each router I have a temporary rule on the Lan to pass any traffic to the Vlan20 adapter & vice versa, so traffic should pass Lan to Lan between routers, but no go. Since both Vlan adapters are in the same subnet & associated with the same link number in the Route table they shouldn't need a gateway or new route. Any ideas?
-
Since both Vlan adapters are in the same subnet & associated with the same link number in the Route table
What? Why are two VLAN adapters in the same subnet?
-
Ya I mentioned that in 1st post. Read it somewhere they had to be. No good huh?
-
Changed Vlan20 adapters to x.x.10.1 & the other x.x.20.1. Can now ping Lan to Lan, a solid step in the right direction. Thanks Derelict. I'll see where this takes me.
-
Frustrating! Turns out there was a device on the network that was assigned the same IP as one of the Vlan adapters, so it's a do-over. Most I get after changing IPs is packets hitting the near-side switch MAC table, but no return packet from the far end. Same with the far-end router/switch.
Three questions:
Does the Vlan adapter need its MTU adjusted from 1500 to 1528 to tag packets or is it done behind the curtain?
Does the dedicated parent adapter need to be created and enabled, then a virtual Vlan adapter added so that I have both a Lan2 & Vlan20 adapter, or should the Vlan adapter work with itself as the parent adapter?
If both a Lan2 & Vlan adapter are needed for the Vlan adapter to tag packets properly, what should the parent adapter's MTU be set to, 1500 or 1528?
Thanx…
-
Does the Vlan adapter need its MTU adjusted from 1500 to 1528 to tag packets or is it done behind the curtain?
Not 100% sure but never had to do it with any of my setups.
Does the dedicated parent adapter need to be created and enabled
No.
I usually leave the parent alone since I avoid having tagged and untagged traffic on the same interface.
When I started, this (mixing T & U) was strictly a no-go. Nowadays it is supposed to be ok, but I still don't feel comfortable with it.
If both a Lan2 & Vlan adapter are needed for the Vlan adapter to tag packets properly, what should the parent adapter's MTU be set to, 1500 or 1528?
Not needed, don't mess with it.
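For readers following the two points this thread keeps circling back to, the first post's capture showing no VLAN header, and the later question of whether the MTU must grow to make room for the tag, here is an added Python example. It is not code from the thread, from pfSense or from the igb driver: it builds an Ethernet II frame with and without an 802.1Q tag, parses it back, shows that the tag costs exactly 4 bytes at layer 2 while the IPv4 payload stays the same size, and recognises a tag on a `tcpdump -e` header line. The MAC addresses and the 84-byte ICMP length come from the capture in the first post; the tagged tcpdump line and the payload bytes are constructed for the example.

```python
import re
import struct

# Encoding constants from IEEE 802.3 / 802.1Q.
ETHERTYPE_VLAN = 0x8100   # TPID announcing an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
ETH_HEADER_LEN = 14       # dst MAC + src MAC + EtherType
VLAN_TAG_LEN = 4          # TPID (2) + TCI (2)


def _mac(mac):
    """'a0:36:9f:03:9b:6e' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst_mac, src_mac, payload, vlan_id=None, pcp=0):
    """Build an Ethernet II frame carrying an IPv4 payload.

    With vlan_id set, an 802.1Q tag (TPID 0x8100 + 16-bit TCI) is inserted
    between the source MAC and the EtherType, which is what a VLAN interface
    does on egress; the payload itself is untouched."""
    frame = _mac(dst_mac) + _mac(src_mac)
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID out of range")
        tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)   # PCP(3) DEI(1) VID(12)
        frame += struct.pack("!HH", ETHERTYPE_VLAN, tci)
    frame += struct.pack("!H", ETHERTYPE_IPV4)
    return frame + payload


def parse_frame(frame):
    """Return dst/src MAC, VLAN id (None when untagged), inner EtherType
    and payload length, refusing frames too short to hold what they claim."""
    if len(frame) < ETH_HEADER_LEN:
        raise ValueError("frame too short for an Ethernet header")
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = ETH_HEADER_LEN
    vlan_id = None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < ETH_HEADER_LEN + VLAN_TAG_LEN:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF
        offset += VLAN_TAG_LEN
    return {"dst": dst, "src": src, "vlan_id": vlan_id,
            "ethertype": ethertype, "payload_len": len(frame) - offset}


def frame_size_for_mtu(mtu, tagged):
    """Wire size (without FCS) of a full-MTU packet: the tag adds 4 bytes at
    layer 2, the IP MTU carried inside stays whatever it was."""
    return ETH_HEADER_LEN + (VLAN_TAG_LEN if tagged else 0) + mtu


# tcpdump -e prints a tagged frame as
#   ethertype 802.1Q (0x8100), vlan <id>, p <prio>, ethertype IPv4 (0x0800) ...
_TCPDUMP_VLAN = re.compile(r"ethertype 802\.1Q \(0x8100\), vlan (\d+)")


def tcpdump_vlan_id(line):
    """VLAN id shown on a 'tcpdump -e' header line, or None when the line shows
    no 802.1Q tag (as in the capture quoted in the first post)."""
    m = _TCPDUMP_VLAN.search(line)
    return int(m.group(1)) if m else None


# Header line taken from the capture in the first post (no tag present).
UNTAGGED_LINE = ("11:04:58.681750 a0:36:9f:03:9b:6e > a0:36:9f:24:c8:98, "
                 "ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 25549, "
                 "offset 0, flags [none], proto ICMP (1), length 84)")
# Constructed: the same frame as tcpdump would print it if it carried VLAN 20.
TAGGED_LINE = ("11:04:58.681750 a0:36:9f:03:9b:6e > a0:36:9f:24:c8:98, "
               "ethertype 802.1Q (0x8100), vlan 20, p 0, ethertype IPv4 (0x0800), "
               "length 102: (tos 0x0, ttl 64, id 25549, offset 0, flags [none], "
               "proto ICMP (1), length 84)")
# Constructed 84-byte stand-in for the ICMP echo packets in the capture.
SAMPLE_PAYLOAD = b"\x45" + b"\x00" * 83


if __name__ == "__main__":
    untagged = build_frame("a0:36:9f:24:c8:98", "a0:36:9f:03:9b:6e", SAMPLE_PAYLOAD)
    tagged = build_frame("a0:36:9f:24:c8:98", "a0:36:9f:03:9b:6e", SAMPLE_PAYLOAD, vlan_id=20)
    for f in (untagged, tagged):
        print(len(f), parse_frame(f))
    print("full-MTU frame:", frame_size_for_mtu(1500, False), "vs", frame_size_for_mtu(1500, True))
    print("tcpdump lines:", tcpdump_vlan_id(UNTAGGED_LINE), tcpdump_vlan_id(TAGGED_LINE))
```

The untagged frame comes out at 98 bytes, matching the `length 98` in the quoted capture; the tagged one is 102. That is the whole effect of the tag on frame size, which is why the replies above say the 1500-byte MTU on the VLAN and parent interfaces can be left alone. When checking a capture for tags, look for `802.1Q (0x8100)` on the `-e` header line; its absence on the router-facing port is what the first post observed.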