VLAN priority

phil.davis · Jan 13, 2017, 3:32 AM

Nothing seems to have changed in the related pfSense code that saves the priority to the config, retrieves it and sets up the underlying FreeBSD VLAN interface. I just tried it on a 2.4-BETA VM and "ifconfig" gives me:

em1_vlan832: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
        options=3 <rxcsum,txcsum>ether 08:00:27:ca:55:b1
        inet6 fe80::a00:27ff:feca:55b1%em1_vlan832 prefixlen 64 scopeid 0x7
        nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 832 vlanpcp: 6 parent interface: em1
        groups: vlan</full-duplex></performnud,auto_linklocal></rxcsum,txcsum></up,broadcast,running,simplex,multicast>

So the "6" is getting through to "vlanpcp".

So first check with "ifconfig" to see that that part works. Then I guess there is some underlying issue with the VLAN interface actually respecting that setting at run time.

Guest · Jan 13, 2017, 10:34 AM

Thanks Phil good place to check and yes I confirm if i issue a ifconfig I get


igb0_vlan832: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
	options=3 <rxcsum,txcsum>ether 00:0d:b9:42:e1:2c
	inet6 fe80::20d:b9ff:fe42:e12c%igb0_vlan832 prefixlen 64 scopeid 0x9 
	nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
	vlan: 832 vlanpcp: 6 parent interface: igb0
	groups: vlan</full-duplex></performnud,auto_linklocal></rxcsum,txcsum></up,broadcast,running,simplex,multicast>

So does that suggest I ned to go over to the FreeBSD forums and raise this ?

phil.davis · Jan 13, 2017, 10:37 AM

I don't know if there is any special pfSense mods in that area.
@jimp should wake up soon and look through the forums - I will let him answer if it should be referred upstream.

Guest · Jan 13, 2017, 7:03 PM

Thanks Phil @jimp let me know if you need anymore info

happy to run traces etc

jimp · Jan 16, 2017, 2:37 PM

I am not too familiar with the OS code where that happens. At one point in time it was a patch that let us set the VLAN PCP in outgoing packets but I am not sure where that stands on 2.4. The GUI didn't change, but if the pf syntax was invalid I'd expect it to fail loading the rules, not produce the wrong type of packets.

The rules are loading OK? What does that rule look like in /tmp/rules.debug ?

Guest · Jan 17, 2017, 10:30 PM

Thanks Jimp I'm travelling for a couple of days

As the 2.4 version is on my test rig I don't have remote access

Back tonight so will pull the file then

Guest · Jan 17, 2017, 10:54 PM

@jimp

attached the /tmp/rules.debug file from both 2.3 and 2.4

Both look the same to me

rules_2_4.txt
rules_2_3.txt

jimp · Jan 17, 2017, 11:20 PM

I don't see any rules in either one that would change the VLAN priority for traffic. It should have a "ieee8021q-setpcp" keyword on one of the rules.

Guest · Jan 17, 2017, 11:54 PM

Your correct there is no such keyword in either file

However at 2.3.3 the wireshark capture correctly shows the VLAN PRI set as 6
At 2.4 it is failing to recognise the PRI setting

Anywhere else I can check, dump ?

Guest · Aug 1, 2017, 8:57 AM

Sorry to resurrect this but its still an issue at 2.4

@jimp should this go to the FreeBSD team ?

I can raise it there if you think thats the best way

Guest · Aug 1, 2017, 2:43 PM

Been doing a little more digging and it appears to be FreeBSD 11 changes over FreedBSD 10

I had a play with the file etc/inc/filter.inc and used system patches to modified the rule

pass out quick on $WAN proto udp from any port = 546 to any port = 547 tracker 1000000563 label "allow dhcpv6 client out WAN"

to

pass out quick on $WAN proto udp from any port = 546 to any port = 547 tracker 1000000563 label "allow dhcpv6 client out WAN" ieee8021q-setpcp ic

this gets a syntax error because it appears form this patch https://reviews.freebsd.org/D6786 that the syntax is now

pass out quick on $WAN proto udp from any port = 546 to any port = 547 tracker 1000000563 label "allow dhcpv6 client out WAN" set prio 6

I re-patched using that syntax the rule now is accepted. I then wireshark traced a dhcp6c solicit request over VLAN 832 which should have inserted the PRIO into the VLAN header. It did NOT

Interestingly at pfSense 2.4 if I create a new firewall rule in the GUI and set "VLAN Prio Set" under the advanced settings the GUI builds a rule using the "ieee8021q-setpcp" syntax which of course generates a syntax error

So I'm reaching the assumption that PfSense 2.4 is not working with 802.1Q correctly which would also explain why setting the PRIO of the VLAN using the GUI may also be failing.

jimp · Aug 1, 2017, 3:51 PM

I've opened this for the syntax error: https://redmine.pfsense.org/issues/7744

I also pushed a fix a few moments ago for that.

I can't comment on whether or not setting the priority can/should work depending on the context though.

If we're setting the pf syntax right, the rest of that code seems to be OK and should be doing the job. Something else in the IP stack could be changing it though.

How are you checking the priority? You'd have to capture on the parent NIC and see what shows there.

Guest · Aug 1, 2017, 4:16 PM

Thanks jimp

I'm checking the NIC by connecting my Mac to the WAN port of the pfsense box and simply running a wireshark capture. I see the pfsense box issue the dhcp6c solicit cmd on the correct VLAN but with priority 0 in the header.
At 2.3 the VLAN priority is being set cirrectly (6 in this case) at 2.4 its not

Anything else I can grab for you to review ?

I will try your patch shortly just in case

jimp · Aug 1, 2017, 4:18 PM

No that should be fine, especially if it worked on 2.3.x

Guest · Aug 1, 2017, 10:31 PM

Thanks Jimp - I can confirm that patch fixes the syntax error issues

However the underlying issue with the VLAN Header and priority setting persists

I have a 2.3 and a 2.4 PF sense system

On both systems I created a VLAN 832 with Priority 6 (first attachment)

Ifconfig on both 2.3 and 2.4 shows the VLAN prio set as I would expect for the VLAN 832 (attachments 2 & 3 respectively)

However I wireshark trace of the dhcp6c request issued over the VLAN shows that at v2.3 the priority is set to 6 (attachment 4) as expected but 2.4 the PRI is 0 not 6 (attachment 5)

![Screen Shot 2017-08-01 at 23.12.12.png](/public/imported_attachments/1/Screen Shot 2017-08-01 at 23.12.12.png)
![Screen Shot 2017-08-01 at 23.12.12.png_thumb](/public/imported_attachments/1/Screen Shot 2017-08-01 at 23.12.12.png_thumb)
![Screen Shot 2017-08-01 at 23.08.20.png](/public/imported_attachments/1/Screen Shot 2017-08-01 at 23.08.20.png)
![Screen Shot 2017-08-01 at 23.08.20.png_thumb](/public/imported_attachments/1/Screen Shot 2017-08-01 at 23.08.20.png_thumb)
![Screen Shot 2017-08-01 at 23.13.20.png](/public/imported_attachments/1/Screen Shot 2017-08-01 at 23.13.20.png)
![Screen Shot 2017-08-01 at 23.13.20.png_thumb](/public/imported_attachments/1/Screen Shot 2017-08-01 at 23.13.20.png_thumb)
![Screen Shot 2017-08-01 at 22.59.08.png](/public/imported_attachments/1/Screen Shot 2017-08-01 at 22.59.08.png)
![Screen Shot 2017-08-01 at 22.59.08.png_thumb](/public/imported_attachments/1/Screen Shot 2017-08-01 at 22.59.08.png_thumb)
![Screen Shot 2017-08-01 at 23.14.01.png](/public/imported_attachments/1/Screen Shot 2017-08-01 at 23.14.01.png)
![Screen Shot 2017-08-01 at 23.14.01.png_thumb](/public/imported_attachments/1/Screen Shot 2017-08-01 at 23.14.01.png_thumb)

Guest · Aug 2, 2017, 7:55 AM

Crated a bug https://redmine.pfsense.org/issues/7748

Hope that is the correct way to proceed

jimp · Aug 2, 2017, 11:17 AM

Yeah that's the next step, thanks for taking the time to test and gather that detail.

The only other thing I might be curious to see is if that can be reproduced on stock FreeBSD. If it can, it may need reported upstream to the FreeBSD project.

Guest · Aug 2, 2017, 3:56 PM

Ok I'll see if I can recreate something in native FreeBSD, although I'm not familiar with FreeBSD outside of pfSense