Trying to figure out VLANs, 3 LAN's, 1 Ubiquiti AP
-
Will be happy to duplicate your tests for sure.. Looks like the switch should be here Tuesday.. I can fire up something and test current setup. I have Pro, LR and Lite I can test.. I max out my 80mbps internet connection.. So I haven't tested what I see normally wifi to wired.. But pretty sure last time I tested it was over 400mbps..
Just had to grab the 3rd Underworld - we were going to watch the last one and seems we missed the one in 2012 ;) Sunday Funday and all..
-
I have not connected another switch down there yet but tested throughput across the MoCA bridges yesterday. Was getting a solid 750-800Mbit/sec between my Mac Mini and MBP using iperf3 TCP. Errors were not incrementing in any relevant manner during the tests.
I think these switches might be counting something as an error that the beefier switches understand even though there is really nothing wrong. STP perhaps?
I watched a mirror port off the dlink for a while and didn't see anything obvious.
-
I think these switches might be counting something as an error that the beefier switches understand even though there is really nothing wrong. STP perhaps?
That makes sense. Googling finds that there are other people having the same issue (BadRxPackets with VLAN enabled on SG-108E).
http://forum.tp-link.com/showthread.php?83046-High-RxBadPkt-on-TL-SG108E
-
It would not surprise me if all of these crappy little switches used the same basic chipset.
All of the guis basically look the same.
I just cracked a DGS-1100-08 and it's under a heatsink. It was only $35 but I don't feel like burning it.
-
So I swapped to a zyxel GS1900-8HP and all is working without errors and BadRxPackets (almost).
Now I can access clients across VLANs (and subnets).
There are 4 VLANs on the switch and 2 on pfSense (I'm fairly certain this has nothing to do with pfSense config but I thought I'd mention just in case).
VLANs:
1: Default - SWITCH
10: Guest - SWITCH + PFSENSE
20: IoT - SWITCH + PFSENSE
99: UNUSED - SWITCH
All used ports are UNTAGGED on VLAN 1
Ports 3 (WAP) & Ports 1+2(PFSENSE, [LACP LAGG]) are TAGGED on VLAN 10 and VLAN 20
All unused ports are UNTAGGED on VLAN 99
What am I doing wrong here? Should I not TAG the LACP LAGG to pfSense and just TAG port 3(WAP) traffic?
-
You didn't say what isn't working. All you said is everything is working.
-
Now I can access clients across VLANs (and subnets).
Sorry, I should have clarified.
This is what I meant.
The main reason I want VLANs is to segregate traffic.
Right now I can access clients in VLAN 20 while connected to a client on VLAN 10.
My understanding is that I shouldn't be able to cross VLANs? So I'm assuming that I'm messing up the configuration on this. I also took a look at my State Table.
If I connect to my Guest Wifi (VLAN 10) and try to connect to a client on my IoT subnet (VLAN 20) I can.
When I go to the Guest interface's firewall rules, and click the state table for the allow any any any rule, there is a state between the two clients crossing subnets and VLANs.
-
Without reading all the history of this long thread, I will just say that you need to look at the rules on each VLAN interface in pfSense.
If you have a "pass all" rule on an interface, then the firewall will allow all traffic originating on that interface - going to "the public internet" and to other subnets/VLANs/real LANs/… that are local to the firewall.
If you want to stop the local connections and allow public internet access, then you will need to have a smarter rule set. e.g. put a block rule with source any, destination "the local subnets you want to block from reaching". Then have a "pass all" rule after it to let everything else out.
-
hmm, I didn't think a pass all rule on an interface would allow traffic to route between different VLANs and Subnets.
I also didn't really think of this traffic as "originating" at the interface. It has to first pass through the switch which is assigning VLANs before it can get to the pfSense interface. I've pretty much just thought of the pfSense firewall interface as the last place traffic goes before heading either to the internet or a different interface.
What's the point of VLANs or subnets then? From my understanding I could have two(or many more) VLANs, an allow any rule for each of them but not have any of them be able to contact one another so long as they were all on separate VLANs.
I also expected most if not all of this client to client traffic on my network to be happening at the switch, not the firewall/router.
This doesn't seem correct but it's late, and I obviously am having issues understanding this anyway. I'll head to bed and see if this makes more sense tomorrow.
-
"hmm, I didn't think a pass all rule on an interface would allow traffic to route between different VLANs and Subnets. "
What did you think it would do exactly? ???
If you don't want vlan A talking to vlan B, then put in the rules to stop that..
"I also expected most if not all of this client to client traffic on my network to be happening at the switch, not the firewall/router. "
Do you have a L3 switch doing the routing? Then how would vlan A talk to vlan B without routing - that is not done at a switch that is done at a router.. If you need to route at the switch then you need an L3 switch (router)..
You can allow or block whatever traffic you want between your vlans - but you have to create the rules to do so, any any is just routing not firewall..
Rules are evaluated as traffic enters an interface, first rule to trigger wins, no other rules are evaluated. If you don't want vlan A talking to vlan B, then on vlan A interface block A from going to B.. It's that simple!!
"LACP LAGG to pfSense"
What exactly are you trying to accomplish with your lag? Are you really worried about cable/port failing that you need failover? Lagg is not 1+1=2, it's just 1 and 1.. You seem to have a lack of basic understanding of layer 2 and 3.. So I am thinking you're not actually sure what lacp does either.. Or when it makes sense to lag.. I find it almost impossible to consider this something you would need to do in a home setup.. How many clients do you have exactly? Your internet connection is how fast? Why would you need/want to lag into pfsense??
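The two posts above describe the same mechanism from different angles: rules are evaluated inbound on the VLAN interface, the first match wins, and a lone "pass all" therefore also passes Guest to IoT. The Python below is an added illustration (not pfSense code) that models that first-match evaluation on the Guest interface; the subnets, the gateway address and the DNS rule are constructed assumptions, since the thread gives no addressing.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for the thread's VLANs (the thread gives no subnets).
GUEST = ipaddress.ip_network("192.168.10.0/24")   # VLAN 10, Guest
IOT = ipaddress.ip_network("192.168.20.0/24")     # VLAN 20, IoT
GUEST_GW = ipaddress.ip_address("192.168.10.1")   # assumed pfSense address on VLAN 10
LOCAL_NETS = [GUEST, IOT]                         # "the local subnets" to block


@dataclass
class Rule:
    action: str                   # "pass" or "block"
    dst: object = "any"           # IPv4Network, IPv4Address or "any"
    dport: Optional[int] = None   # None means any destination port

    def matches(self, dst_ip, dport):
        if self.dst == "any":
            dst_ok = True
        elif isinstance(self.dst, ipaddress.IPv4Network):
            dst_ok = dst_ip in self.dst
        else:
            dst_ok = dst_ip == self.dst
        return dst_ok and (self.dport is None or self.dport == dport)


def evaluate(rules, dst_ip, dport):
    """Inbound on the Guest interface: the first rule that matches decides and
    no later rule is consulted; pfSense's implicit default is block."""
    for rule in rules:
        if rule.matches(dst_ip, dport):
            return rule.action
    return "block"


# The original Guest rule set: "allow any any any".
PASS_ALL = [Rule("pass")]

# The segregated set: DNS to the firewall's own Guest address must sit above the
# block (first match wins), then block every local subnet, then pass the rest.
SEGREGATED = ([Rule("pass", GUEST_GW, 53)]
              + [Rule("block", net) for net in LOCAL_NETS]
              + [Rule("pass")])


def guest_allowed(rules, dst, dport=443):
    """True if a Guest Wi-Fi client may reach dst:dport under the given rules."""
    return evaluate(rules, ipaddress.ip_address(dst), dport) == "pass"
```

Same-VLAN traffic never reaches pfSense, so the block on the Guest subnet itself only affects packets addressed to the firewall's own interface address.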
-
I also didn't really think of this traffic as "originating" at the interface.
Technically you are correct. I could have worded it a bit better - "traffic originating from a client device downstream of/attached to the interface" might be clearer?
And what @johnpoz says.
There has to be a way for the firewall admin to allow traffic between 2 local interfaces (whether separate physical ethernet ports or VLANs). A "pass all" rule is one way to achieve all of that quickly.
-
Well, unsurprisingly I completely and fundamentally misunderstood(stand) how all of this works and the experienced users on the forum pointed me in the right direction.
Thank you to all of you for your help. I already posted the "Thank you" for the thread but applauds for all, haha!
I adjusted the firewall rules and all is well.
-
"hmm, I didn't think a pass all rule on an interface would allow traffic to route between different VLANs and Subnets. "
What did you think it would do exactly? ???
If you don't want vlan A talking to vlan B, then put in the rules to stop that..
"I also expected most if not all of this client to client traffic on my network to be happening at the switch, not the firewall/router. "
Do you have a L3 switch doing the routing? Then how would vlan A talk to vlan B without routing - that is not done at a switch that is done at a router.. If you need to route at the switch then you need an L3 switch (router)..
You can allow or block whatever traffic you want between your vlans - but you have to create the rules to do so, any any is just routing not firewall..
Rules are evaluated as traffic enters an interface, first rule to trigger wins, no other rules are evaluated. If you don't want vlan A talking to vlan B, then on vlan A interface block A from going to B.. It's that simple!!
**"LACP LAGG to pfSense"
What exactly are you trying to accomplish with your lag? Are you really worried about cable/port failing that you need failover? Lagg is not 1+1=2, it's just 1 and 1.. You seem to have a lack of basic understanding of layer 2 and 3.. So I am thinking you're not actually sure what lacp does either.. Or when it makes sense to lag.. I find it almost impossible to consider this something you would need to do in a home setup.. How many clients do you have exactly? Your internet connection is how fast? Why would you need/want to lag into pfsense??**
Thank you for your reply!
As for the LACP LAGG, I have no use for it now. I really just tried to turn it on on my TP-Link switch just to mess around with something new. It didn't work on the TP-Link switch so I tried it again on this switch and it worked right away.
There's nothing on my network that would make use of an LACP LAGG right now, and there may not ever be. I may very well just put it back to one port. It was really just messing around.
As far as my current understanding of how the LACP LAGG works, I'll write it out here because I wouldn't be the least bit surprised if I was wrong.
LACP LAGG would balance load between two Full Duplex Ethernet ports creating one etherchannel from the switch to pfSense. The benefit would only be local as I don't have a >gigabit WAN and would probably very rarely if ever be realized on a small home network.
About the only time I could think of it being utilized would be multiple clients transferring large files to/from a NAS that also had a LACP LAGG configured on it. So that basically more than 1 client could get full gigabit speeds at a time. Is that description even close? If not please set me straight.
Again, I only set up the LAGG out of curiosity and likely won't keep it enabled because at this point all it's doing (in my understanding) is keeping power applied to two ports that I don't need on. Even with a high speed NAS I doubt I would get significant improvements on an LACP LAGG on my small home network.
-
Pretty close ;)
But yes if your NAS had a lag to the switch.. And then you had multiple clients all talking to the NAS you could leverage and get more than 1 gig from the NAS spread across the lagg. But can your NAS push more than 1 gig? SSD drives?
1 client would never be able to leverage it.. And it's quite possible even multiple clients would all use the same path and have to share the 1 gig. As you increase the number of clients talking to the NAS you would get them spread across your 1 and 1 links. But it's very hard to say if you would get an even distribution..
If you really wanted more bandwidth to your NAS it would prob be better to try and bump that to 10ge to your switch via a fiber connection. This can be done fairly cheap. Depending if you can put a card in your NAS. And if your switch supports SFP modules. The new 802.3bz is coming which will allow for 2.5 and even 5Gbps over existing copper connections.
While you can play with it on some of these "smart" switches - if anything it's just going to complex up the network and cause you more grief than any sort of performance gains. If you want to play with it you would want to get a full managed switch that has full support, etc..
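To show why one client can never use both links and why several clients may still land on the same one, here is an added toy model (not the Zyxel's, pfSense's or any real LACP implementation's hash) that assigns each client-to-NAS flow to a member link by XORing the source and destination MAC bytes. The MAC addresses, the 1 Gbit member links and the 1 Gbit per-client demand are constructed assumptions.

```python
LINK_MBPS = 1000  # assumed capacity of each LAG member link


def pick_link(src_mac: str, dst_mac: str, n_links: int = 2) -> int:
    """Simplified MAC-based flow hashing: XOR every byte of both MACs and reduce
    modulo the member count. Real switches use vendor-specific hashes, but share
    the property that a given flow always maps to the same single link."""
    h = 0
    for mac in (src_mac, dst_mac):
        for octet in mac.split(":"):
            h ^= int(octet, 16)
    return h % n_links


def aggregate_throughput(client_macs, nas_mac, demand_mbps=1000, n_links=2):
    """Return (total Mbps delivered to the NAS, flows per link) when every client
    wants demand_mbps and flows hashed onto one link share that link's capacity."""
    flows_per_link = [0] * n_links
    for mac in client_macs:
        flows_per_link[pick_link(mac, nas_mac, n_links)] += 1
    total = 0
    for flows in flows_per_link:
        total += min(LINK_MBPS, flows * demand_mbps)
    return total, flows_per_link


# Constructed MAC addresses for the demonstration.
NAS = "aa:bb:cc:dd:ee:ff"
CLIENTS = ["00:11:22:33:44:55", "00:11:22:33:44:56", "00:11:22:33:44:57"]

if __name__ == "__main__":
    print("one client:  ", aggregate_throughput(CLIENTS[:1], NAS))
    print("clients 1+2: ", aggregate_throughput(CLIENTS[:2], NAS))
    print("clients 1+3: ", aggregate_throughput([CLIENTS[0], CLIENTS[2]], NAS))
```

Clients 1 and 3 hash to the same link in this model, so together they still get only one gigabit, while clients 1 and 2 spread across both.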
-
OK, that makes sense. Thanks!
For now I'll probably just disable the LAGG the next time I get around to it. I was really just curious how difficult it would be to get working, I have no intention of using it now. It seemed easy enough to implement it so I gave it a shot the first time I got a smart switch (the tp-link) and it didn't work for me.
So when I replaced it with the zyxel I tried again out of curiosity and sure enough it works just fine.
-
So did you pull one of the cables during a transfer? The one that was being used to see how fast it moved over to the other path?
-
So did you pull one of the cables during a transfer? The one that was being used to see how fast it moved over to the other path?
No I didn't do any actual testing. What I meant by that was that the network functioned. When I set it up on the TPlink my network just went down completely.
In the settings on the Zyxel for LACP it has the option to set a time limit of 30s or 1 sec. It looks like this is the frequency it checks to see if all ports of the LACP are working? I left it at 30 sec since I'm not actually using it now.
Would the test you mentioned work with just one client or would I need to use multiple clients transferring files to see the difference when I unplug a cable?