Netgate Discussion Forum

    VLAN Trunk Link and Performance

    General pfSense Questions
• seed

      Hello,

I recently moved a few VLANs to pfSense so I can manage the firewall between VLANs. There are 3 VLANs:

      1. is general stuff
      2. cameras
      3. is data

I noticed that copying my NAS to a new NAS from subnet 3 to 1 till I can move the node when it's done, the pfSense box gets pretty bogged down. At most I am able to get about 40MB between them which isn't terrible but it also dies after a while. I see a couple of WAIT processes on the igb link that holds the TRUNK. It's over an SG200-50P switch. I am fairly certain all the VLAN assignments on both switch and pfSense box are sound.

The pfSense box is a Lanner device which has treated me very well but I feel the ATOM 23xx chip @ 1.7GHz isn't going to cut it if I have to do large data movements.

Would a 10GBE card and a module to the SG200 help here? I haven't tested copying data from VLAN1 to VLAN1 but I would assume all traffic has to go up and down the trunk even on devices on the same VLAN? So copying from VLAN 1 192.168.1.100 to 192.168.1.101 for example. Will I still get 100MB because it's full-duplex? Or is traffic going in both directions up and down the trunk?

      Thanks for the guidance.

• johnpoz (LAYER 8 Global Moderator)

        "VLAN1 to VLAN1 but I would assume all traffic has to go up and down the trunk even on devices on the same VLAN?"

Why would it do that??  There would be no reason for traffic to go up a trunk just to come back down when you're on the same vlan.  Your switch would be where the traffic would stay for all traffic on that vlan; unless you have an uplink to another switch and the devices reside on different switches, there would be no reason for same vlan traffic to ever leave the switch.

Yeah vlan to vlan traffic that resides on the same interface is going to be a hairpin and not going to be performance friendly.. If your downstream clients are all 100mb and your interface is gig and you don't have lots of clients talking intervlan you should be ok..

        Do you have multiple interfaces so you could split your vlans between physical interfaces?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

• seed

          ok cool. I wasn't sure if the switch was smart enough to move internally on its VLAN definitions.

          I do have multiple interfaces but wasn't sure I should put a VLAN on each one on the pfSense box. How would I do the TRUNKing? Would I have a TRUNK cable to each switch port that is set to TRUNK for each VLAN?

          Thanks for the prompt reply.

• johnpoz (LAYER 8 Global Moderator)

You wouldn't need to trunk if you're going to connect each "vlan" to its own interface in pfsense.  You don't even need to tag in that case; you just set the ports as native in the vlan you want.  Pfsense doesn't even need to know the tags, it will just be a native vlan on those interfaces.

The only time you need to "trunk" is if you're going to have tags to let pfsense know what packets belong to what network.  If you're all native, just putting your ports in their own vlan on your switch, you do not need to trunk, nor setup any vlans in pfsense.

• q54e3w

Mr Poz is right, I use a cisco sg500x with a number of 10 gig interfaces and it's smart enough to route VLAN<->VLAN traffic within the switch. Only intra-VLAN traffic hits pfsense to be firewalled. I assume the sg200 offers the same smartness.

• johnpoz (LAYER 8 Global Moderator)

                Every switch on the planet provides such smartness ;) heheh  That is how switches work ;)

• seed

                  @johnpoz:

You wouldn't need to trunk if you're going to connect each "vlan" to its own interface in pfsense.  You don't even need to tag in that case; you just set the ports as native in the vlan you want.  Pfsense doesn't even need to know the tags, it will just be a native vlan on those interfaces.

The only time you need to "trunk" is if you're going to have tags to let pfsense know what packets belong to what network.  If you're all native, just putting your ports in their own vlan on your switch, you do not need to trunk, nor setup any vlans in pfsense.

Oh man this is brilliant. Sorry, this is my first go at using a "smart switch" like this, I guess, and VLANs and such. I thought VLANs were the way to go to segregate the switch itself. Can you help me understand what native is? Do I just have a group of untagged ports per VLAN then pick a port in each group and just plug in to the pfSense interfaces?

                  Thanks all!

                  Seed

• johnpoz (LAYER 8 Global Moderator)

You're using a sg200, I would assume this is pretty close to sg300.  I think it's missing some of the snmp features and can't do layer 3, etc..  But the commands should be the same and I would assume the web interface is the same, etc.

So here is an interface that is just lan that connects to pfsense

                    interface gigabitethernet2
                    description "esxi lan"
                    switchport mode access
                    !
and there is a switch port in trunk mode because it does have tagged vlans on it, but you see there is also a vlan that is just native

                    interface gigabitethernet3
                    description "esxi wlan trunk"
                    bridge multicast unregistered filtering
                    switchport trunk allowed vlan add 100,200,300,500
                    switchport trunk native vlan 20

Here is a port that is just in vlan 20 and not trunked, it's just an access port to my printer that is in vlan 20

                    interface gigabitethernet10
                    description printer
                    switchport mode access
                    switchport access vlan 20

Which is my 192.168.2/24 network; my lan network is 192.168.9/24, and those other vlans, some of which are wifi ssids, are like 192.168.3, 192.168.4, etc.

• seed

                      @johnpoz:

                      interface gigabitethernet2
                      description "esxi lan"
                      switchport mode access
                      !
and there is a switch port in trunk mode because it does have tagged vlans on it, but you see there is also a vlan that is just native

                      interface gigabitethernet3
                      description "esxi wlan trunk"
                      bridge multicast unregistered filtering
                      switchport trunk allowed vlan add 100,200,300,500
                      switchport trunk native vlan 20

                      I guess I'm going to have trouble on this one. Let me try and articulate what I need to do.

I have 6 pfSense Interfaces. We'll use igb1-igb3 for simplicity's sake.

                      Set up each LAN on their own subnet and enable the service and DHCP.

                      On the switch:

                      TRUNK port 1 for VLAN 10
                      TRUNK port 2 for VLAN 20
                      TRUNK port 3 for VLAN 30

                      set ports 5-10 to access and untagged VLAN 10?
                      set ports 11-15 as access and untagged VLAN 20?
set ports 16-20 as access and untagged VLAN 30?

                      Jack igb1 to port1
                      Jack igb2 to port2
                      Jack igb3 to port 3

                      Does that isolate each port to its own VLAN in the switch, and upstream to its own interface on the pfSense router?

• Derelict (LAYER 8 Netgate)

Looks like, yes, unless there is some other layer 3 routing involved in the switch itself.

                        set ports 5-10 to access and untagged VLAN 10?

                        These ports are not isolated from each other absent some other configuration on the switch, naturally.

                        Chattanooga, Tennessee, USA
                        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                        Do Not Chat For Help! NO_WAN_EGRESS(TM)

• johnpoz (LAYER 8 Global Moderator)

You do not need to trunk.. Just set them as access and put them in the vlan you want them in.  Just like your other ports..  You only need to trunk when you're going to be having tagged traffic.  Access port is fine since you're not going to another switch, etc.

• seed

                            You guys are gods in my book. Will make the change tonight and see how it goes.

                            To think I was all excited that I figured out how to configure VLANS only to realize I didn't need to.

                            Seed

• seed

                              Hmm this isn't working as I had hoped. Sometimes I feel like it's intuitive then it fails me.

                              I have the default VLAN 1 that is set to untagged on all ports 1-26 on an SG200-26

                              I have igb3 and igb4 setup on the pfSense box with DHCP and services running.

                              I can then access the switch that is plugged into port 25 @ 193.168.3.100 which it received from pfSense

                              Once I set that port 25 to untagged it's dead and I can't access it.

                              ports 1-12 are untagged and access for VLAN 103
                              ports 13-24 are untagged and access for VLAN 104
                              port 25 is untagged and access on VLAN 103
                              port 26 is untagged and access on VLAN 104.

Once I set port 25 to untagged from excluded, I can't access the switch anymore. Is this a management thing?

• Derelict (LAYER 8 Netgate)

                                The switch is probably listening for management traffic on VLAN 1.

                                I don't have an SG200. There is probably a way to make it listen for management traffic on another VLAN. Yes, it's easy to lock yourself out of a switch messing around with this stuff. You have to make a port on the management VLAN, configure everything, then switch the management VLAN to what you want it to be (probably 103 or 104) then physically move the connection to a port that's untagged on that VLAN.

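An added example, not code from this thread, Cisco or pfSense: a small Python model of how an access port, a trunk's native VLAN and its tagged VLANs handle frames, as johnpoz's gigabitethernet2/3/10 lines above illustrate, plus a pre-change check for the management-VLAN lockout Derelict describes. Port names, VLAN numbers and the 26-port layout are constructed from the posts in this thread; the access-port behaviour is simplified.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Port:
    """One switch port, modelled after the SG300 CLI lines quoted above."""
    name: str
    mode: str                          # "access" or "trunk"
    access_vlan: int = 1               # access mode: its single untagged VLAN
    native_vlan: int = 1               # trunk mode: the VLAN carried untagged
    allowed: frozenset = frozenset()   # trunk mode: VLANs carried with a tag

    def ingress(self, tag: Optional[int]) -> Optional[int]:
        """VLAN an arriving frame lands in (tag=None means untagged); None = dropped.
        Simplification: an access port drops any tagged frame."""
        if self.mode == "access":
            return self.access_vlan if tag is None else None
        if tag is None:
            return self.native_vlan
        return tag if tag in self.allowed else None

    def egress(self, vlan: int) -> Optional[str]:
        """How a frame in `vlan` leaves this port: "untagged", "tagged" or None."""
        if self.mode == "access":
            return "untagged" if vlan == self.access_vlan else None
        if vlan == self.native_vlan:
            return "untagged"
        return "tagged" if vlan in self.allowed else None


def flood(ports: Dict[str, Port], in_port: str, tag: Optional[int]) -> Dict[str, str]:
    """Ports a broadcast entering `in_port` is replicated to, and how it is sent.
    A VLAN never leaks to ports outside it, so inter-VLAN traffic can only reach
    the other VLAN by going out the pfSense uplink and being routed back in."""
    vlan = ports[in_port].ingress(tag)
    out: Dict[str, str] = {}
    if vlan is None:
        return out
    for name, port in ports.items():
        how = port.egress(vlan)
        if name != in_port and how is not None:
            out[name] = how
    return out


def admin_still_reachable(ports: Dict[str, Port], mgmt_vlan: int, admin_port: str) -> bool:
    """Lockout check before applying a change: untagged frames from the admin's
    port must still land in the VLAN where the switch's management IP lives."""
    return ports[admin_port].ingress(None) == mgmt_vlan


# Constructed layout after the thread's SG200-26: ports 1-12 in VLAN 103,
# 13-24 in VLAN 104, port 25 -> pfSense igb3, port 26 -> pfSense igb4.
SWITCH: Dict[str, Port] = {}
for i in range(1, 13):
    SWITCH[f"g{i}"] = Port(f"g{i}", "access", access_vlan=103)
for i in range(13, 25):
    SWITCH[f"g{i}"] = Port(f"g{i}", "access", access_vlan=104)
SWITCH["g25"] = Port("g25", "trunk", native_vlan=103)    # "trunk but untagged"
SWITCH["g26"] = Port("g26", "access", access_vlan=104)   # same effect in access mode

# johnpoz's gigabitethernet3: native VLAN 20 untagged, four VLANs tagged.
JOHNPOZ_G3 = Port("g3", "trunk", native_vlan=20, allowed=frozenset({100, 200, 300, 500}))
```

With the management IP still on VLAN 1, `admin_still_reachable(SWITCH, 1, "g25")` is False, which is exactly the lockout seed hit; a trunk with no tagged VLANs and an access port in the native VLAN place untagged frames in the same VLAN.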
• seed

Nice Derelict. When I think about it I think that's what's happening because the default VLAN ID for Admin and 1 is set on the port I'm connected to, trying to change that one to 103. I'm going to dedicate one port as a management port from the router to the switch so I always have an in, I hope. I was successful as well in the VLAN config within the switch but only if I set the two igb3 and igb4 ports from the pfSense router to trunk. They are access for 1-12 (103) and 13-24 (104), with trunk on 25 (103) and trunk on 26 (104). Going to keep trying. I think I'm close.

• seed

                                    Success!

                                    Thank you all for your help. Time for a small donation to the firewall foundation. Love pfSense!

                                    Seed

• johnpoz (LAYER 8 Global Moderator)

Why are you setting trunk??  If you're not going to use tags you do not have to trunk!!

You still need to configure vlans, but only on your switch.  Again, trunks are only for when there is tagged traffic.  When packets from more than 1 vlan are on an interface you need a way to know which packets are in what vlan, i.e. tags.

So if you're going to send multiple vlans out an interface, and the something connected needs to figure out what packets are what, then it's a trunk.  I.e. sending to 1 interface in pfsense, and pfsense has vlans setup that says tag 10 is in this vlan and 20 is in this vlan, etc.  Or if sending to another switch, the other switch is also set to trunk and with the different vlans knows hey these packets are vlan 10, and those are 20, and then I can send them to the ports in those vlans, etc.

                                      You still have to setup vlans in your setup - but just on the switch.

Maybe this drawing helps you get your head around it, I did this for another thread.  So you see the color coding on the switch: those ports are in that vlan.  And then see the trunk where ports will carry multiple vlans.  So the wlan interface in pfsense will have vlans setup for the wifi vlans; you need trunks to your AP since they will also carry tagged vlans.

[attachment: examplesetup.jpg]

• seed

I THINK this is a terminology thing with this Cisco switch.

                                        By default ALL ports are set to trunk which I don't understand by the definition of trunk, they are set as untagged though. When I setup the switch to use VLANs everything works fine. All ports are set to access untagged but the ports that are linked to the pfSense switch are set to trunk, not access, but they are still untagged. This was the only way I could get the switch to talk to the pfSense box.  I'm not sure what else to do. All 3 interfaces in pfSense are just LAN igb2,3,4 for example and physically jacked to port 25, 49 and 50.

                                        Again, maybe this is a newb thing but it seems that Cisco used trunk and tagged as the same thing in some cases? If trunk wasn't required then why are the defaults all trunk untagged?

                                        I'm still down to keep testing though but this was the only way I could get it to work so far.

• johnpoz (LAYER 8 Global Moderator)

I have a sg300, and have been using cisco for years and years.  It's what I currently get paid to do ;)  There should be no reason why all the ports would be trunk by default.  There for sure is no reason for them to stay that way.  Just put them in access mode..  If you're not going to carry more than 1 vlan then the port should be access..

• seed

I'll do a full reset tonight and take a screen grab. I did find one online however. This is how my switches look when they're factory reset. They are all updated boot and firmware. I'm fairly certain this is a terminology thing with tagged vs trunk but not sure. See screen:

                                            ![Screen Shot 2016-09-20 at 2.37.15 PM.png](/public/imported_attachments/1/Screen Shot 2016-09-20 at 2.37.15 PM.png)

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.