VLAN 0 and pfSense
-
I've been giving a bit of thought to VLAN 0 today. As I understand it, the purpose of VLAN 0 is to provide priority support to native LAN frames. If I understand this correctly, that means the only difference between VLAN 0 frames and others is the VLAN tag, with things like IP subnet, gateway addresses etc., the same as other frames. Is this sort of thing supported in pfSense, in that it will accept VLAN 0 frames for things like DHCP requests, IP forwarding, etc.? If so, I assume I'd have to configure the VLAN 0 interface exactly the same as the native LAN interface.
Has anyone tried something like this?
PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access pointI haven't lost my mind. It's around here...somewhere...
-
Yes, you are correct, conceptually, VLAN 0 basically does allow the priority bits to be transmitted on native VLAN frames, but the device that is receiving the frame has to understand this and deal with it. It appears to me to be a "hack" to allow some specific type of networking gear found in process and power system automation to support priority, and probably predates DSCP.
I have no clue as to whether or not the NIC drivers will handle this, nor how it will pass the packets up the stack. I suggest you dig around in FreeBSD forums for that.
In the interim if you're only looking for the priority part, DSCP is a much better alternative, as it is supported on both tagged and untagged frames, and pretty much all modern networking equipment supports it. -
I am aware of diffserv and and even used it. However, since that's layer 3, it would have no effect at layer 2. So, it could be used for priority through routers, but it wouldn't do anything at the Ethernet level. One of the reasons for using a VLAN for VoIP is to give it priority over other data.
However, this is more wondering about it, rather than having a need at the moment.
-
@jknott said in VLAN 0 and pfSense:
I've been giving a bit of thought to VLAN 0 today. As I understand it, the purpose of VLAN 0 is to provide priority support to native LAN frames. If I understand this correctly, that means the only difference between VLAN 0 frames and others is the VLAN tag, with things like IP subnet, gateway addresses etc., the same as other frames. Is this sort of thing supported in pfSense, in that it will accept VLAN 0 frames for things like DHCP requests, IP forwarding, etc.? If so, I assume I'd have to configure the VLAN 0 interface exactly the same as the native LAN interface.
I just came across this:
VLAN 0 Priority Tagging Support
"VLAN 0 Priority Tagging and Priority Values
When VLAN 0 priority tagging is configured on the interface, the 802.1P priority bits are retained on ingress for the VLAN 0 tagged Ethernet frames. To retain the 802.1P priority bits of the VLAN 0 Ethernet packets on egress, the egress interface must be in trunk mode, and the native VLAN should not be the same native VLAN as the ingress interface. When these frames are received at the destination, the header is stripped off and the frame is processed as per the configuration of the 802.1P priority bits. If the VLAN ID has a nonzero value, the header is retained and the frame is transmitted to the specified VLAN. High priority frames are sent ahead of low priority frames."
If I'm reading this right, then the switch handles the priority, according to the tag, and then strips off the header when sending out a native LAN port configured to not pass the header. The output of that port will have the priority frames first, followed by non-priority frames.
-
@jknott, yep... if you look at what those devices are that are referred to in the "VLAN 0 Priority Tagging Support" document, you'll notice that these are the Cisco IE series or Industrial Ethernet which are typically used in manufacturing and process control. To my earlier point that this appears to be more a niche use case than spec.
I've seen some pretty unusual L2 stuff on industrial networks, and frequently these are in validated environments, meaning if it works leave it alone.Its cool to dig around in some of the darker corners of networking, you never know what'll you'll uncover, but if I need L2 priority, then I'll do it with tagged VLANs > 0, that way it will work as expected with all managed switches without issue.
Alternatively, if tagging frames isn't an option, most managed switches have enough intelligence to set ingress priority based on source or destination IP and/or port using some sort of ACL mechanism which will generally get job done as expected. -
@awebster said in VLAN 0 and pfSense:
Its cool to dig around in some of the darker corners of networking, you never know what'll you'll uncover, but if I need L2 priority, then I'll do it with tagged VLANs > 0, that way it will work as expected with all managed switches without issue.
Alternatively, if tagging frames isn't an option, most managed switches have enough intelligence to set ingress priority based on source or destination IP and/or port using some sort of ACL mechanism which will generally get job done as expected.I'll have to try it when I can get my hands on a managed switch to play with (not my TP link switch, as I know it doesn't do VLANs properly). One of these years, I'm planning on getting a Cisco SG200-8 switch for my home (currently have a Cisco SD216 unmanaged switch). Perhaps I'll give it a try. I agree, it's hard to imagine a situation where it would be needed, but I like to experiment and dig into things. That's really the way to thoroughly learn about something. For example, the DHCP server. Could pfSense hand out the same address range to native and VLAN? Perhaps by bridging interfaces? One way to find out.
The only example I can think of where it might be useful is with hosted PBX, where the phones and computers share a network and you want to give the phones priority out to the Internet. Those Cisco switches can also look at the MAC to get the OUI number and assign a VLAN tag based on it.
BTW, that SG200-8 supports VLAN priority. Any reason why it wouldn't work for VLAN 0? I suspect not.
-
I doubt that you'll find any support for VLAN 0 in the SG200, the SG series are basically the Linksys devices that came along with the acquisition that Cisco made a number of years ago, but let us know when you do and if it works.
As far as the DHCP server is concerned it has to bind to an interface to offer IP addresses, either a physical (native) or VLAN (tagged), I don't see how you could have the same range on both unless you bridged them together...now its looking ugly!Back to the SG series, you will find support for OUI based prioritization, which works quite well particularly in the case where you have a PC hanging off the back of a phone. Here the switch will see both MAC addresses and prioritize the phone's traffic over that of the PC, with no additional config required.
If you're serious about learning the ins and outs networking, get your hands on some used Cisco gear like 2960 series for L2, or 3750G for L3, or go grab Cisco Packet Tracer (free) where you can spin up all the virtual instances you want to concoct the most complex lab you can think of. Too bad you can't create virtual pf instances in there.
-
@awebster said in VLAN 0 and pfSense:
I doubt that you'll find any support for VLAN 0 in the SG200
The only difference I can see with VLAN 0 is sending it untagged to the default LAN. I don't imagine that would be hard to do. Beyond that, it should be handled the same as any other tagged frame. Again, I'll have to try it some time.
If you're serious about learning the ins and outs networking, get your hands on some used Cisco gear like 2960 series for L2, or 3750G for L3
I do have a Cisco 2600 router, which I used when I was working on my CCNA. Also, years ago, I worked for Adtran's Canadian distributor. I had plenty of access to networking gear then.
