VLAN 255 and SIP bug?
-
https://www.reddit.com/r/PFSENSE/comments/7rko7s/sip_dual_invites_on_wan_single_on_lan/
Basically VLAN 255 seems to be getting caught in a default deny rule, yet traffic is flowing on a different VLAN. Tested version 2.4.2-P1.
I realize I have not reset to defaults and tried just adding VLAN 255 only to see what happens. I hope to do that tomorrow but wanted to post this anyway.
Scenario:
Phone is on VLAN 2.
pfSense has VLAN 2 interface, IP structure, rules, outbound NAT, etc.
Everything shows there is no weird switch funkiness or VLAN issues on the LAN side of pfSense. pfSense sees VLAN 2. Sees the phone MAC/proper IP in the VLAN 2 interface, etc.
Phone can register with provider.
Phone can receive calls.
Phone cannot make calls - pcap on LAN side - VLAN 2 interface - on pfSense shows a single invite, yet on the WAN side shows dual SIP messages (INVITEs, OKs, ACKs, etc., same Call-ID), so the provider is rejecting due to overlapping requests.
Other VLANs in 2xx exist on the pfSense box. When a call is made, an examination of the default filter shows that inbound SIP traffic is being blocked on interface bce1.255. Yet none of the traffic goes to/from VLAN 255. For some reason, the traffic is entering the WAN and getting associated with 255 instead of 2, where the phone is. Changing VLAN 255 to another VLAN #, everything works properly.
Possible bug?
-
Almost certainly not a bug, but a configuration error. If traffic is being blocked, it is because it is being blocked.
Sounds like your layer 2 is hosed. VLAN2 traffic should not be arriving tagged with 255.
-
If the switch was sending VLAN 2 as 255, then pfSense would block it regardless, since my VLAN 255 interface has no rules - so default deny. So why is some communication getting out then? Also, the only config change I make to get the phone to work is on pfSense, changing the interface tag from 255 to something else (100 is what I tested with), so I don't think that's it.
I have a few more things to explore tomorrow to help narrow down what is going on. I'll reset to defaults and just try to set up a single VLAN 255 - and also snag a new PoE switch - and see if the problem occurs. I'll also drop LLDP-MED and do some hard coding of VLANs on the phone. However, I don't think that's it, since the switch and pfSense do see the phone in VLAN 2 as expected.
I do agree that it's probably a configuration error - but where remains to be seen! I'll be sure to report back if I figure out what is going on, or if there was a bone-headed thing I did without realizing it.
Thanks for your reply.
-
Definitely some weird layer 2 issues going on.
When I mirror the trunk port on the Dell N2024P switch that goes to pfSense I see one SIP message from VLAN 2 (correct) and immediately after VLAN 255 (incorrect). So something is splitting traffic up.
Strange bug on the Dell side of things. I'll continue to investigate, but it makes sense as to what pfSense was seeing now.
Edit:
Two solutions, which I'll raise with Dell:
Disabling ip routing solves the problem.
Leaving ip routing enabled but removing the switch's default gateway also fixes it.
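The diagnostic the thread converges on is "one SIP dialog, two 802.1Q tags on the trunk". The script below is an added illustration (not code from the thread or from pfSense) that automates that check over a capture: it groups packets by SIP Call-ID, reports any dialog whose packets carried more than one VLAN tag, and lists INVITEs that were sent more than once from the same source, which is the overlapping-request condition the provider rejected. The capture lines and their layout (`<timestamp> vlan=<tag> <src>-><dst> <message> call-id=<id>`) are constructed for this example; a real pcap would need to be reduced to that shape first (for instance from a tcpdump run with `-e` on the mirror port).

```python
"""Spot SIP dialogs whose packets show up under more than one 802.1Q tag.

Added illustration for the thread above; the capture lines below are
constructed, not the poster's pcap. Assumed record layout:
  <timestamp> vlan=<tag> <src>-><dst> <SIP method or response> call-id=<id>
"""
import re
from collections import defaultdict

# Constructed sample of what a mirror of the switch-to-pfSense trunk port
# looks like when one dialog is duplicated onto a second VLAN tag.
SAMPLE_CAPTURE = """\
10:00:00.000 vlan=2   192.0.2.10->203.0.113.5 INVITE call-id=a1b2@phone
10:00:00.001 vlan=255 192.0.2.10->203.0.113.5 INVITE call-id=a1b2@phone
10:00:00.050 vlan=2   203.0.113.5->192.0.2.10 100-Trying call-id=a1b2@phone
10:00:00.051 vlan=255 203.0.113.5->192.0.2.10 100-Trying call-id=a1b2@phone
10:00:05.000 vlan=2   192.0.2.11->203.0.113.5 INVITE call-id=c3d4@phone2
10:00:05.040 vlan=2   203.0.113.5->192.0.2.11 200-OK call-id=c3d4@phone2
10:00:05.060 vlan=2   192.0.2.11->203.0.113.5 ACK call-id=c3d4@phone2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+vlan=(?P<vlan>\d+)\s+(?P<src>\S+)->(?P<dst>\S+)\s+"
    r"(?P<msg>\S+)\s+call-id=(?P<call_id>\S+)$"
)


def parse_capture(text):
    """Turn the constructed capture text into a list of dicts; skip junk lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["vlan"] = int(rec["vlan"])
            records.append(rec)
    return records


def vlans_per_call(records):
    """Map each Call-ID to the sorted list of VLAN tags its packets carried."""
    seen = defaultdict(set)
    for rec in records:
        seen[rec["call_id"]].add(rec["vlan"])
    return {cid: sorted(tags) for cid, tags in seen.items()}


def leaking_calls(records):
    """Call-IDs whose packets appeared under more than one VLAN tag.

    A dialog should live on exactly one VLAN (the phone's); a second tag on
    the trunk means the switch is emitting a duplicate, which is what pfSense
    then sees on its second VLAN interface and drops by default deny.
    """
    return {cid: tags for cid, tags in vlans_per_call(records).items()
            if len(tags) > 1}


def duplicate_invites(records):
    """Call-IDs for which the same source sent INVITE more than once.

    This is the overlapping-request condition the SIP provider rejects.
    """
    counts = defaultdict(int)
    for rec in records:
        if rec["msg"] == "INVITE":
            counts[(rec["call_id"], rec["src"])] += 1
    return sorted(cid for (cid, _src), n in counts.items() if n > 1)


if __name__ == "__main__":
    recs = parse_capture(SAMPLE_CAPTURE)
    for cid, tags in leaking_calls(recs).items():
        print(f"{cid}: seen on VLANs {tags}")
    print("duplicate INVITEs:", duplicate_invites(recs))
```

Run against the sample, the first dialog is flagged as present on VLANs 2 and 255 with a duplicated INVITE, while the second dialog (VLAN 2 only) is clean. The same grouping works on the pfSense side of the trunk: if a Call-ID is seen only on the phone's VLAN interface there but on two tags on the switch mirror, the duplication is happening in the switch, not in pfSense.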