Trunking VLANs on interfaces
-
I must say, our Network Architect here has been very supportive and provided encouragement for what I was trying to do. He rises to guru level.
Quite the opposite of the negativity and flack I received here. Not one of you provided any suggestions config wise on how to set this up in pfSense. So called all knowledgeable Hero Members here could not put aside their personal preferences, their opinions, and address the question at hand, how to do this in pfSense on the router.
Trunking multiple vlans on a single interface from switch to switch is done ad nauseum all over and seems to be acceptable to Hero Members. But my God, trunking multiple vlans on a single interface from a router to switch is verboten to Hero Members, we dare not talk about that…
My NA explained to me that not doing layer 2 on routers is old school because routers are designed and are more efficient at layer 3. But doing layer 2 on routers is perfectly fine. Yes routers are not as efficient and if you need to extract every minute bit of performance you would not do layer 2 on routers.
But I'm not there. My 6 Intel 82583V interface i3 2.4GHz 16GB DDR4-2133 250G mSata router will never be taxed by the additional layer 2 work it has to do.
He also mentioned that if cost was no object you would never do layer 2 on routers. But being a public University and answerable to the tax payers compromises have to be made. When interfaces are needed on routers and money in not available you may have to do layer 2 vlans on routers. He personally wouldn't being a perfectionist but in our environment may have to.
Put aside your personal preferences, your opinions, think outside your old school ways, think outside of the box and help people do what they ask.
Not what you would do. What they ask.
He also did mention that the Juniper routers that we currently use and make up our backbone are also built on FreeBSD. Just like pfSense. That was encouraging information and furthered my belief that I should be able to do this.
And guess what? I was right. Can I be a Hero Member now too? I'll put on a better front here, especially to new members, by being more helpful and courteous.
-
I must say that I usually don't feed the trolls but… If you know what and how to do it, why the hell are you asking for help?
-
But my God, trunking multiple vlans on a single interface from a router to switch is verboten to Hero Members, we dare not talk about that…
Nope. We all do exactly that. All over the place. Everywhere. Every day. No days off.
If that is what you are trying to do, your descriptions do not match the project requirements.
-
Yes tagging your vlans to isolate them when they have to run over the same wire is exactly the correct way to do it… The whole point of 802.1q or any of the other older protocols VTP, ISL, DTP... MVRP, GRVP etc. etc.. etc..
There are whole standards and protocols on how to keep your layer 2 isolated from other layer 2 when they run over the same wire..
Thought you said you been doing this for 40 years?
-
See. We all use VLAN tags to our Layer 2. That is what they are for.
What you do NOT see here is VLAN 10 on three different interfaces because that is just, well, horrible design, and, in that case, everything on VLAN10 will not be in the same broadcast domain so the stated goals I have (possibly incorrectly) deciphered will not work.
Tag VLAN 10 to your switching infrastructure ONCE. Use the switching infrastructure to create/propagate that broadcast domain to the switches that require it.
 -
First I want to say thanks everyone for a more civil tone in your recent responses.
Hugovsky: Who are you referring to as trolls? Did you read this complete thread from the OP? Did you miss the part regarding me not knowing how to do it in pfSense? I know how to do it on Cisco switches but did not know how to do it in pfSense. After 3 days of trying every configuration I could think of I finally started to see the results I needed sometime between 00:00 and 03:00 today. Because there is no way to do it complete in pfSense's GUI. For one thing it requires a custom startup script for bridge configuration.
Derelict: Thanks, I didn't think I was doing something that outlandish. Yes that's all I was trying to accomplish, trunking a tagged VLAN to two other subnets/VLANs/segments that are untagged. In order for the Cisco managed switches with addresses on subnet 10 VLAN10 on subnet 20 VLAN20 and subnet 30 VLAN30 to be reachable for administration purpose. I apologize if I did not express that clearly enough.
johnpoz: Yes that's all I was trying to do was 1q tagging. Been doing computer mainframe management starting out in the IBM and DEC days for approaching 40 years. And all the ancillary things like database management before DBA's were a hot item. And networking Ethernet wise in the era of the thick coaxial backbone and thinnet days. Before the proliferation of routers and switches and CAT anything. Networking has never been my forte after that, I know enough to do what I need and learn it if I don't and more then ever be dangerous. I ask questions and I listen. Except to it can't be done. I will find a way.
Derelict: Once again that is your opinion. As with everything there are many ways to do things. I learned a long time ago my way is not the right way, it is only one way to do something. When you say it's bad and others say it's acceptable, who is right? (That's a rhetorical question.)
-
Bullshit. You are wrong. ONE layer 3 interface to VLAN 10. Period. It is up to your layer 2 to get where that needs to go. This is not opinion. This is fact.
if that is not the case then you actually have three different broadcast domains on three different layer 2s all tagged with vlan 10 and they cannot communicate with each other unless you do something retarded like bridge all those vlans on the different interfaces together at the firewall. Yes, "retarded."
-
So much for civilities. That didn't last long…
Here is my working config. Is it really breaking any rules and not just opinions?
em0 is wan, em1 and em5 are unused.
em0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=4209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwtso>ether 00:e0:67:05:ab:06
hwaddr 00:e0:67:05:ab:06
inet6 fe80::2e0:67ff:fe05:ab06%em0 prefixlen 64 scopeid 0x1
inet6 2602:306:3b6f:6460:2e0:67ff:fe05:ab06 prefixlen 64 autoconf
inet 75.56.236.145 netmask 0xfffffff8 broadcast 75.56.236.151
nd6 options=23 <performnud,accept_rtadv,auto_linklocal>media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
em1: flags=8c02 <broadcast,oactive,simplex,multicast>metric 0 mtu 1500
options=4209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwtso>ether 00:e0:67:05:ab:07
hwaddr 00:e0:67:05:ab:07
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect
status: no carrier
em2: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500
options=4209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwtso>ether 00:e0:67:05:ab:08
hwaddr 00:e0:67:05:ab:08
inet6 fe80::2e0:67ff:fe05:ab08%em2 prefixlen 64 scopeid 0x3
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
em3: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500
options=5209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwfilter,vlan_hwtso>ether 00:e0:67:05:ab:09
hwaddr 00:e0:67:05:ab:09
inet6 fe80::2e0:67ff:fe05:ab09%em3 prefixlen 64 scopeid 0x4
inet 192.168.20.1 netmask 0xffffff00 broadcast 192.168.20.255
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
em4: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500
options=5209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwfilter,vlan_hwtso>ether 00:e0:67:05:ab:0a
hwaddr 00:e0:67:05:ab:0a
inet6 fe80::2e0:67ff:fe05:ab0a%em4 prefixlen 64 scopeid 0x5
inet 192.168.30.1 netmask 0xffffff00 broadcast 192.168.30.255
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
em5: flags=8c02 <broadcast,oactive,simplex,multicast>metric 0 mtu 1500
options=4209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwtso>ether 00:e0:67:05:ab:0b
hwaddr 00:e0:67:05:ab:0b
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect
status: no carrier
lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384
options=600003 <rxcsum,txcsum,rxcsum_ipv6,txcsum_ipv6>inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
inet 127.0.0.1 netmask 0xff000000
nd6 options=21 <performnud,auto_linklocal>groups: lo
enc0: flags=0<> metric 0 mtu 1536
nd6 options=21 <performnud,auto_linklocal>groups: enc
pflog0: flags=100 <promisc>metric 0 mtu 33160
groups: pflog
pfsync0: flags=0<> metric 0 mtu 1500
groups: pfsync
syncpeer: 224.0.0.240 maxupd: 128 defer: on
syncok: 1
em3.10: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500
options=3 <rxcsum,txcsum>ether 00:e0:67:05:ab:09
inet6 fe80::2e0:67ff:fe05:ab09%em3.10 prefixlen 64 scopeid 0xb
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
vlan: 10 vlanpcp: 0 parent interface: em3
groups: vlan
em4.10: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500
options=3 <rxcsum,txcsum>ether 00:e0:67:05:ab:0a
inet6 fe80::2e0:67ff:fe05:ab0a%em4.10 prefixlen 64 scopeid 0xc
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
vlan: 10 vlanpcp: 0 parent interface: em4
groups: vlan
bridge0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
ether 02:ba:df:b4:35:00
inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
nd6 options=1 <performnud>groups: bridge
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: em4.10 flags=143 <learning,discover,autoedge,autoptp>ifmaxaddr 0 port 12 priority 128 path cost 20000
member: em3.10 flags=143 <learning,discover,autoedge,autoptp>ifmaxaddr 0 port 11 priority 128 path cost 20000
member: em2 flags=143 <learning,discover,autoedge,autoptp>ifmaxaddr 0 port 3 priority 128 path cost 2000000
ovpns1: flags=8051 <up,pointopoint,running,multicast>metric 0 mtu 1500
options=80000 <linkstate>inet6 fe80::2e0:67ff:fe05:ab06%ovpns1 prefixlen 64 scopeid 0xe
inet 10.168.24.1 --> 10.168.24.2 netmask 0xffffff00
nd6 options=21 <performnud,auto_linklocal>groups: tun openvpn
Opened by PID 18039</performnud,auto_linklocal></linkstate></up,pointopoint,running,multicast></learning,discover,autoedge,autoptp></learning,discover,autoedge,autoptp></learning,discover,autoedge,autoptp></performnud></up,broadcast,running,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum></up,broadcast,running,promisc,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum></up,broadcast,running,promisc,simplex,multicast></promisc></performnud,auto_linklocal></performnud,auto_linklocal></rxcsum,txcsum,rxcsum_ipv6,txcsum_ipv6></up,loopback,running,multicast></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwtso></broadcast,oactive,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwfilter,vlan_hwtso></up,broadcast,running,promisc,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwfilter,vlan_hwtso></up,broadcast,running,promisc,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwtso></up,broadcast,running,promisc,simplex,multicast></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwtso></broadcast,oactive,simplex,multicast></full-duplex></performnud,accept_rtadv,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwtso></up,broadcast,running,simplex,multicast> -
Yeah. You had to bridge. That is just plain stupid compared to simply tagging that across the switching infrastructure.
But congratulations. You made a stupid design work.
-
You are entitled to your opinion. Is everything in the world you don't agree with just plain stupid too?
-
No, just idiotic network design.
