AWS DC Tags the traffic to my WAN port
-
Hi everyone! I've seen other people with this question, but I couldn't find any answers that fit my situation.
I'm using a netgate appliance for my end of an AWS DirectConnect link. It's a silly name because it's not direct, it needs BGP, and it's also not direct because I'm pretty sure it's tagged.
The link is up, but the capture only has my arp requests going out, unanswered.
I think I'm talking on the native LAN to a device that's tagged at the other end, and to test this I want to get the netgate to tag the traffic on the port as vlan 180. How do we do this? I can create VLAN 180 and assign it to the WAN interface, but I'm a bit "sus", because when it's at the default of 4090 for general use via DHCP or whatever, it's not as though the other end is tagging that as 4090, so I'm not confident that I'm doing it properly.
Also I did this and it's still the same.
Can I (remotely!) configure this device somehow to show me the "raw" traffic on the cable, where I should be able to see and verify the correct tagging at both ends?
Thanks heaps for any insight here.
-
@firewaller-0 said in AWS DC Tags the traffic to my WAN port:
It's a silly name because it's not direct, it needs BGP, and it's also not direct because I'm pretty sure it's tagged.
???
BGP is a routing protocol that advertises your network to the rest of the world and determines the best route for packets to take. Also, VLANs have nothing to do with "direct", as carriers often use them to separate customers over fibre links.
You can add a VLAN to the WAN link, but you need to know which VLAN ID to use.
As for watching traffic on the cable, which cable? If the one between pfsense and the modem, that's easy, using a data tap and Wireshark. If you mean the cable between the modem and ISP, that's not accessible without specialized test equipment.
-
@jknott Thanks for taking the time!
I did have useless info there, sorry, my point was that typically, linguistically, a "direct connection" between two things wouldn't use BGP and VLANs, but I'm happy to defer to your experience -- that's why I'm here, after all!
I know which VLAN ID to use, I can set it in the AWS console. It's a mandatory field.
There is no modem, it's an ethernet connection, I set up a /30 with an address at both ends, then we talk BGP to one another. Easy-ish. If I use a managed switch and use a trunk (tagged link) then connect the "stripped" traffic to a local device, I can ping the other end.
So how do I add VLAN tagging to the WAN link?
-
BGP stands for Border Gateway Protocol, which is used between major networks on the Internet backbone. I'd be very surprised if you're using it on a /30. Again, VLAN has nothing to do with "direct". It's a method to logically isolate networks.
You create a VLAN on Interfaces > Assignments > VLANs.
-
@jknott Thanks for the GUI reference, but I don't think it's working.
For example, the page you referred me to shows that the 'LAN' interface is on VLAN 4091, but the traffic that comes and goes from that physical port isn't tagged at all; the switch on the other end isn't a trunk that allows VLAN 4091, it's just a normal access port, and the interface is working properly.
This isn't what I'd expect to see if pfsense was adding 802.1q encapsulation to each frame, which is what I need it to do for the WAN interface.
Does that make sense?
==============
Off-topic: If it helps for context, the /30 only exists for me to run BGP over. I could use a /31 for this, but chose not to.
https://datatracker.ietf.org/doc/html/rfc3021
I agree that this is not a typical use case for BGP, but that's a decision made by AWS that I don't control. To implement a flat layer 2 network over two different spaces, one could just run a cable from one space to the other. We do this with "dark fibre" sometimes.
AWS present an optical fibre cable for me to connect to, but I have to set up BGP first to get any connectivity past the BGP talkers. Only once that is running can I do anything else. The current plan is to use a netgate at either end to create a functioning VPN that's invisible to other hosts & devices, but I can't do that until BGP is up, and I can't get BGP working until the WAN port is properly trunking the VLAN. If AWS gave me a "directly connected" layer two cable, I'd not need the VPN, the BGP, the VLAN or the Netgate device at all.
-
@firewaller-0 said in AWS DC Tags the traffic to my WAN port:
For example, the page you referred me to shows that the 'LAN' interface is on VLAN 4091
Where did I do that?
but the traffic that comes and goes from that physical port isn't tagged at all; the switch on the other end isn't a trunk that allows VLAN 4091, it's just a normal access port, and the interface is working properly.
The only significant difference between a VLAN frame and native LAN is the VLAN tag, which is 4 bytes long. The first 2 bytes denote it's a VLAN and the 2nd 2 contain the VLAN ID. The way that tagged frame gets there is you create a VLAN interface on a physical interface. For example, on my network, the LAN is on interface igb1 and VLAN 3 is igb1.3, which shows VLAN 3 is on the LAN interface. You have to ensure both pfsense and your switch are configured to pass the VLAN.
So, if you want a VLAN on your WAN interface, you have to create it and configure it as needed.
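As an added example (not code from this thread or from Netgate), here is a small Python parser that reads raw Ethernet frames and reports whether each one carries the 4-byte 802.1Q tag described above and which VLAN ID it holds, which is the check you would run over a packet capture from each end of the link to confirm both sides agree on the tag. The two sample frames are constructed inline: an untagged ARP request, and the same request tagged for VLAN 180.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that marks a single-tagged frame
TPID_8021AD = 0x88A8  # outer tag of a QinQ (provider-bridged) frame
ETHERTYPE_ARP = 0x0806

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(frame: bytes) -> dict:
    """Parse the Ethernet header and any 802.1Q tags in front of the payload.

    A tag is 4 bytes placed after the two MAC addresses: 2 bytes TPID (0x8100)
    and 2 bytes TCI, whose low 12 bits are the VLAN ID (upper bits: PCP, DEI).
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated EtherType field")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4  # skip this tag and look for another (QinQ) or the payload
    return {"dst": mac(frame[0:6]), "src": mac(frame[6:12]), "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}

def outer_vid(frame: bytes):
    """VLAN ID of the outermost tag, or None when the frame is untagged."""
    tags = parse_frame(frame)["tags"]
    return tags[0]["vid"] if tags else None

# Constructed sample frames (not from a real capture): a broadcast ARP request
# as it leaves an untagged (native) port, and the same request with an 802.1Q
# tag for VLAN 180 inserted after the source MAC.
ARP_BODY = bytes.fromhex(
    "0001080006040001" "0a1b2c3d4e5f" "c0a80001" "000000000000" "c0a80002")
HEADER = bytes.fromhex("ffffffffffff" "0a1b2c3d4e5f")
UNTAGGED_ARP = HEADER + struct.pack("!H", ETHERTYPE_ARP) + ARP_BODY
TAGGED_ARP = (HEADER + struct.pack("!HH", TPID_8021Q, (0 << 13) | 180)
              + struct.pack("!H", ETHERTYPE_ARP) + ARP_BODY)

if __name__ == "__main__":
    for name, f in (("untagged", UNTAGGED_ARP), ("tagged", TAGGED_ARP)):
        p = parse_frame(f)
        print(f"{name}: vid={outer_vid(f)} ethertype=0x{p['ethertype']:04x}")
```

Feed it the frame bytes from a pcap of each side of the link: if one side shows vid=None for the ARP requests while the other expects 180, the mismatch is on the untagged side.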
-
Where did I do that?
When you suggested to look under Interfaces > Assignments > VLANs.
So, if you want a VLAN on your WAN interface, you have to create it and configure it as needed.
Absolutely agreed, that's what I've been trying to figure out how to do all along.
Solution:
For anyone else who's got this question, just go
Interfaces --> Switches --> VLANs
Edit the entry for the link you want (Click the pencil) <-- That was the part I missed until just now!
Change the VLAN ID from the default of 4090 to whatever matches your external link (e.g. 180), and click the box to tag the traffic for interface "3". Leave "0" ticked and don't mess with it.
Then you need to go to Interfaces -> Assignments -> VLANs as correctly observed by JKnott, create one in there with a matching number, then back to "Interface Assignments" and choose the new VLAN from the drop-down box for the WAN interface.
Now my pings work, and I'm happy. Hooray!