VLAN traffic also on LAN in traffic graph?



  • 2.3.1-RELEASE-p5 (amd64) 
     built on Thu Jun 16 12:53:15 CDT 2016 
    FreeBSD 10.3-RELEASE-p3
    

    I have a VLAN on my LAN interface and when I download something to the VLAN I see that traffic, in the traffic graph on the dashboard, on the VLAN and LAN.
    When I download something to the LAN I see only traffic on the LAN in the traffic graph.

    Is this supposed to be this way?

    I noticed this before but did not bother, but I just saw this message and wondered if it's related…
    https://forum.pfsense.org/index.php?topic=115166.msg639500#msg639500

    @chuyengiason:

    When I ping the internet and do tcpdump on the PC, I see that it asks for the MAC address of the VIP and receives 2 replies from pfSense.



  • Is this supposed to be this way?



  • Are you using the base interface for your LAN as well?



  • Yes, I do.

    I have a VLAN on my LAN interface

    I'll probably make an extra VLAN and not use LAN; I only asked myself whether it is a bug or not.

    Thanks.



  • ???
    Did you stack your tagged VLANs on top of your untagged LAN?



  • The parent interface of VLANs has the sum traffic of all the VLANs. The traffic graph counters pull from netstat, where you'll see that traffic. The Status>Monitoring graphs pull their data from pf's counters, where you won't see it since the VLAN traffic is passed by separate rules.

    It's correct, expected behavior.
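To make the point above concrete, here is an added example (not from this thread and not pfSense code) that reads the per-interface byte counters `netstat -ibn` prints on FreeBSD and subtracts each VLAN child from its parent to recover the native-only traffic; the netstat output is constructed, and the em0 / em0_vlan30 interface names are assumed.

```python
# Added example: split a parent interface's netstat byte counters into
# native and VLAN traffic. Sample output is constructed, not captured.

# Constructed `netstat -ibn` output (FreeBSD 10.x column layout).
# Only the <Link#N> rows carry byte counters; address rows are skipped.
# Interface naming (em0, em0_vlan30) is assumed, not taken from the thread.
SAMPLE_NETSTAT = """\
Name        Mtu Network       Address              Ipkts Ierrs Idrop     Ibytes   Opkts Oerrs     Obytes  Coll
em0        1500 <Link#1>      00:0c:29:aa:bb:01   900000     0     0  950000000  600000     0  300000000     0
em0        1500 10.0.0.0/24   10.0.0.1            890000     -     -  940000000  590000     -  290000000     -
em0_vlan30 1500 <Link#5>      00:0c:29:aa:bb:01   700000     0     0  800000000  100000     0   50000000     0
em0_vlan30 1500 10.30.0.0/24  10.30.0.1           690000     -     -  790000000   90000     -   40000000     -
em1        1500 <Link#2>      00:0c:29:aa:bb:02    10000     0     0    1000000    8000     0     900000     0
"""


def parse_link_counters(text):
    """Return {ifname: (ibytes, obytes)} from the <Link#N> rows only."""
    counters = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 12 or not fields[2].startswith("<Link#"):
            continue
        counters[fields[0]] = (int(fields[7]), int(fields[10]))
    return counters


def split_native_and_vlan(counters, parent, vlan_prefix="_vlan"):
    """Return (native_in, native_out, {child: (in, out)}) for `parent`.

    The parent's counter already includes every tagged frame of its VLAN
    children, so native-only traffic is the parent minus those children.
    """
    p_in, p_out = counters[parent]
    children = {name: c for name, c in counters.items()
                if name.startswith(parent + vlan_prefix)}
    v_in = sum(c[0] for c in children.values())
    v_out = sum(c[1] for c in children.values())
    # Counters are sampled at slightly different instants and parent and
    # child may size frames differently, so clamp rather than go negative.
    return max(p_in - v_in, 0), max(p_out - v_out, 0), children


if __name__ == "__main__":
    counters = parse_link_counters(SAMPLE_NETSTAT)
    n_in, n_out, vlans = split_native_and_vlan(counters, "em0")
    print(f"em0 native only: in={n_in} out={n_out}")
    for name, (v_in, v_out) in vlans.items():
        print(f"  {name}: in={v_in} out={v_out}")
```

Feed it real `netstat -ibn` output instead of the sample to see how much of the LAN graph's traffic is actually the VLAN.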



  • @cmb
    Thanks for clarifying.

    @jahonix
    I made a VLAN30 and added it to the LAN interface.
    Not the "right" way?



  • @Pippin:

    @jahonix
    I made a VLAN30 and added it to the LAN interface.
    Not the "right" way?

    General best practice is to leave the native VLAN on a trunk port unused, so you'd strictly use tagged VLANs in that case.



  • Hmm, then general practice it will be; I will change that :)

    Thanks.


  • "General best practice is to leave the native VLAN on a trunk port unused"

    It is best design practice not to leave native VLAN 1 on your trunk ports, even when you have changed all other ports to something other than VLAN 1, and sure not to use VLAN 1 as your management VLAN. But I have never heard anything wrong with use of a different native VLAN.

    Where is that stated as best practice not to use native VLANs? That sure is not Cisco gospel.. Maybe that is the gospel according to cmb ;) hehehe

    As a way of graphing traffic, so all your traffic is in a specific tagged VLAN vs the native VLAN (which would show all traffic going over that interface, even tagged), OK, very clever solution to the graphing oddity, but I wouldn't agree that it's best practice to only use tags..

    I can think of one example where it's going to cause you a problem not using native: the UniFi access points do not allow you to set a VLAN tag on their management IP. They have to be untagged, i.e. native. Sure, it doesn't have to be VLAN 1, but they do not allow you to set a tag for the IP of the AP.. This might be considered a design flaw, and it should be an option to set a tag on this - maybe in the future, but currently, if you're not using a native VLAN here you would have issues. Quite sure there are other such devices, but off the top of my head that was the first one that came to mind. That would require trunk and tagged traffic to the device, but also untagged traffic.