VLAN priority
-
I don't see any rules in either one that would change the VLAN priority for traffic. It should have an "ieee8021q-setpcp" keyword on one of the rules.
-
You're correct, there is no such keyword in either file.
However, at 2.3.3 the Wireshark capture correctly shows the VLAN PRI set as 6.
At 2.4 it is failing to recognise the PRI setting. Anywhere else I can check, dump?
-
Sorry to resurrect this but it's still an issue at 2.4.
@jimp should this go to the FreeBSD team?
I can raise it there if you think that's the best way.
-
Been doing a little more digging and it appears to be FreeBSD 11 changes over FreeBSD 10.
I had a play with the file etc/inc/filter.inc and used system patches to modify the rule
pass out quick on $WAN proto udp from any port = 546 to any port = 547 tracker 1000000563 label "allow dhcpv6 client out WAN"
to
pass out quick on $WAN proto udp from any port = 546 to any port = 547 tracker 1000000563 label "allow dhcpv6 client out WAN" ieee8021q-setpcp ic
This gets a syntax error because it appears from this patch https://reviews.freebsd.org/D6786 that the syntax is now
pass out quick on $WAN proto udp from any port = 546 to any port = 547 tracker 1000000563 label "allow dhcpv6 client out WAN" set prio 6
I re-patched using that syntax and the rule now is accepted. I then Wireshark traced a dhcp6c solicit request over VLAN 832 which should have inserted the PRIO into the VLAN header. It did NOT.
Interestingly at pfSense 2.4 if I create a new firewall rule in the GUI and set "VLAN Prio Set" under the advanced settings the GUI builds a rule using the "ieee8021q-setpcp" syntax which of course generates a syntax error
So I'm reaching the assumption that pfSense 2.4 is not working with 802.1Q correctly, which would also explain why setting the PRIO of the VLAN using the GUI may also be failing.
-
I've opened this for the syntax error: https://redmine.pfsense.org/issues/7744
I also pushed a fix a few moments ago for that.
I can't comment on whether or not setting the priority can/should work depending on the context though.
If we're setting the pf syntax right, the rest of that code seems to be OK and should be doing the job. Something else in the IP stack could be changing it though.
How are you checking the priority? You'd have to capture on the parent NIC and see what shows there.
-
Thanks jimp
I'm checking the NIC by connecting my Mac to the WAN port of the pfsense box and simply running a wireshark capture. I see the pfsense box issue the dhcp6c solicit cmd on the correct VLAN but with priority 0 in the header.
At 2.3 the VLAN priority is being set correctly (6 in this case), at 2.4 it's not. Anything else I can grab for you to review?
I will try your patch shortly just in case
-
No that should be fine, especially if it worked on 2.3.x
-
Thanks Jimp - I can confirm that patch fixes the syntax error issues
However the underlying issue with the VLAN Header and priority setting persists
I have a 2.3 and a 2.4 pfSense system
On both systems I created a VLAN 832 with Priority 6 (first attachment)
Ifconfig on both 2.3 and 2.4 shows the VLAN prio set as I would expect for the VLAN 832 (attachments 2 & 3 respectively)
However, a Wireshark trace of the dhcp6c request issued over the VLAN shows that at v2.3 the priority is set to 6 (attachment 4) as expected, but at 2.4 the PRI is 0 not 6 (attachment 5)
![Screen Shot 2017-08-01 at 23.12.12.png](/public/imported_attachments/1/Screen Shot 2017-08-01 at 23.12.12.png)
![Screen Shot 2017-08-01 at 23.08.20.png](/public/imported_attachments/1/Screen Shot 2017-08-01 at 23.08.20.png)
![Screen Shot 2017-08-01 at 23.13.20.png](/public/imported_attachments/1/Screen Shot 2017-08-01 at 23.13.20.png)
![Screen Shot 2017-08-01 at 22.59.08.png](/public/imported_attachments/1/Screen Shot 2017-08-01 at 22.59.08.png)
![Screen Shot 2017-08-01 at 23.14.01.png](/public/imported_attachments/1/Screen Shot 2017-08-01 at 23.14.01.png)
-
Created a bug https://redmine.pfsense.org/issues/7748
Hope that is the correct way to proceed
-
Yeah that's the next step, thanks for taking the time to test and gather that detail.
The only other thing I might be curious to see is if that can be reproduced on stock FreeBSD. If it can, it may need reported upstream to the FreeBSD project.
-
Ok I'll see if I can recreate something in native FreeBSD, although I'm not familiar with FreeBSD outside of pfSense
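
The check discussed in this thread (reading the 802.1Q priority bits from a frame captured on the parent NIC), written out as an added example that is not part of the original posts. The function names and the sample frames are constructed for illustration; VLAN 832, priority 6 and UDP ports 546/547 are the values from the thread.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that marks an 802.1Q tag
ETHERTYPE_IPV6 = 0x86DD
IPPROTO_UDP = 17

def parse_vlan_tag(frame):
    """Return (pcp, dei, vid, inner_ethertype, payload), or None if untagged."""
    if len(frame) < 18:
        return None
    tpid, tci, inner = struct.unpack("!HHH", frame[12:18])
    if tpid != TPID_8021Q:
        return None
    # TCI layout: 3 bits PCP (priority), 1 bit DEI, 12 bits VLAN ID
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF, inner, frame[18:]

def is_dhcpv6_client(ethertype, payload):
    """True for IPv6/UDP 546 -> 547; IPv6 extension headers are not handled."""
    if ethertype != ETHERTYPE_IPV6 or len(payload) < 48:
        return False
    if payload[6] != IPPROTO_UDP:          # IPv6 Next Header field
        return False
    sport, dport = struct.unpack("!HH", payload[40:44])
    return (sport, dport) == (546, 547)

def check_frame(frame, want_vid=832, want_pcp=6):
    """Classify one captured frame against the expected VLAN ID and priority."""
    tag = parse_vlan_tag(frame)
    if tag is None:
        return "untagged"
    pcp, _dei, vid, ethertype, payload = tag
    if vid != want_vid or not is_dhcpv6_client(ethertype, payload):
        return "ignored"
    return "ok" if pcp == want_pcp else f"wrong-pcp:{pcp}"

def build_solicit(vid, pcp):
    """Constructed sample: minimal tagged DHCPv6 Solicit (UDP checksum left 0)."""
    eth = bytes.fromhex("333300010002") + bytes.fromhex("020000000001")
    tag = struct.pack("!HHH", TPID_8021Q, (pcp << 13) | vid, ETHERTYPE_IPV6)
    udp = struct.pack("!HHHH", 546, 547, 12, 0) + b"\x01\xaa\xbb\xcc"
    src = bytes.fromhex("fe80") + bytes(13) + b"\x01"                    # fe80::1
    dst = bytes.fromhex("ff02") + bytes(10) + bytes.fromhex("00010002")  # ff02::1:2
    ip6 = struct.pack("!IHBB", 0x60000000, len(udp), IPPROTO_UDP, 1) + src + dst
    return eth + tag + ip6 + udp

if __name__ == "__main__":
    for label, pcp in (("sample with PCP 6", 6), ("sample with PCP 0", 0)):
        print(label, "->", check_frame(build_solicit(832, pcp)))
```
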