SG-1000 VLANS don't seem to work.



  • Hi Everyone,

    I bought a SG-1000 a few months ago and am now getting around to setting it up and having a really hard time getting VLANs to work.

    Steps:

    • After factory reset or flash
    • Go through wizard and everything works with the LAN interface configured on the cpsw1 port, can get DHCP address, can get to webgui, can ping from a laptop connected to the device directly or through a switch.
    • Create a new vlan in "Interfaces" -> "Assignments" -> "VLANs"
    • Parent interface is cpsw1
    • VLAN tag is "10"
    • Name is "LAN"
    • On the "Interface Assignments" tab
    • Move the "LAN" interface to "VLAN 10 on cpsw1"
    • Wait for all the settings to apply
    • Move the laptop to a port on the switch on VLAN 10 and nothing, no DHCP, assigned manually, no ping, cannot load webui.
    • Using the console cable, connect to the SG, I can start a packet capture and once I do, everything starts working, stop the packet capture, and it stops working again. I can see on the packet capture the switch is tagging it with the correct number.

    18:18:53.197593 00:90:f5:fb:f0:8d (oui Unknown) > ec:11:27:de:38:7c (oui Unknown), ethertype 802.1Q (0x8100), length 102: vlan 10, p 0, ethertype IPv4, 10.5.1.100 > pfSense.localdomain: ICMP echo request, id 13465, seq 3, length 64
    18:18:53.197955 ec:11:27:de:38:7c (oui Unknown) > 00:90:f5:fb:f0:8d (oui Unknown), ethertype 802.1Q (0x8100), length 102: vlan 10, p 0, ethertype IPv4, pfSense.localdomain > 10.5.1.100: ICMP echo reply, id 13465, seq 3, length 64

    I am just not sure what to do since I can't just keep a packet capture running permanently.

    Am I missing something or is this a known issue?

    Thank you,

    Robbert


  • Netgate

    Are you changing the switch port connected to pfSense to a tagged port for vlan 10?



  • Yes, as you can see in the two lines from the packet capture, the firewall sees the packets as coming in tagged; the weird part is that it works when doing a packet capture through the serial console.

    Thanks,

    Robbert


  • Netgate

    Is the parent interface cpsw1 assigned to any pfSense interfaces? Is that interface enabled?

    If it is not can you try assigning it to an OPTX interface and enabling it? Just set both IPv4 and IPv6 types to None.



  • I tried with:

    The parent interface with no IP assigned
    The parent interface with an IP set up as the native VLAN (PVID 1); the parent interface worked but no VLAN interfaces.
    The parent interface undefined.

    Regards,

    Robbert



  • This is likely related to MAC spoofing - read about that and promiscuous mode at https://doc.pfsense.org/index.php/Interface_Settings
    Have you specified the MAC address for either the "real" interface or the VLAN interface?



  • I will try setting the promiscuous mode permanently through the link you provided.

    I have however not done any configuration on the MAC address side at all.

    Thanks,

    Robbert



  • It should not be necessary to set promiscuous mode, but it would be interesting to know if that makes it work. Then search for the real reason why it is needed.


  • Netgate

    I just tried this and could not duplicate it…

    Tagged switchport for 1311 to SG-1000 LAN (cpsw1).

    Client on untagged 1311 port on switch working fine.

    ![Screen Shot 2017-06-13 at 11.20.21 AM.png](/public/imported_attachments/1/Screen Shot 2017-06-13 at 11.20.21 AM.png)



  • I set the interface to promiscuous mode and it has been working fine for a few hours now.

    The configuration that is working with promisc turned on is attached. I am not sure why but as soon as I turn promisc off it stops working.

    Thanks,

    Robbert

    ![Screenshot from 2017-06-13 14-45-02.png](/public/imported_attachments/1/Screenshot from 2017-06-13 14-45-02.png)


  • Netgate

    My snapshot might not be current enough to see what you're seeing.



  • I'm on the latest snapshot and even did a full flash with an SD card. If you have a chance let me know if you see the same thing with the latest version.

    Robbert



  • @JimP has logged an issue with this https://redmine.pfsense.org/issues/7645 at priority "Very High". So it is recognised as a problem that appears to be a recent regression.



  • Thanks, I'll follow that bug report, and I can test any fixes if needed.

    Robbert



  • Glad I found this thread.  I am having the same issue.  Promiscuous mode fixed the issue for now.  Thanks for the info!


  • Rebel Alliance Developer Netgate

    This is fixed on current snapshots. Actually the last few. I have updated the one I have with a VLAN for WAN a couple days in a row without any problems.



  • Hi jimp - thanks for the update!

    Would you suggest updating pfSense prior to disabling promiscuous mode on the interface with VLANs or vice versa?

    To confirm, disabling promiscuous mode is:

    /sbin/ifconfig cpsw0 -promisc
    

  • Rebel Alliance Developer Netgate

    Just update, don't touch promisc manually. That will go away when the device reboots anyhow.
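
A check for whether the promiscuous-mode workaround discussed in this thread is still active on a VLAN's parent interface, as an added example that is not part of the original posts. It parses FreeBSD `ifconfig` output; the function names, interface names and sample output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of FreeBSD `ifconfig` output (not captured from a real device).
sample_ifconfig() {
cat <<'EOF'
cpsw0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:00:5e:00:53:00
cpsw1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:00:5e:00:53:01
cpsw1.10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:00:5e:00:53:01
        vlan: 10 vlanpcp: 0 parent interface: cpsw1
EOF
}

# Reads ifconfig output on stdin and prints one line per VLAN interface:
#   <vlan-if> tag=<id> parent=<if> parent_promisc=<yes|no|unknown>
# parent_promisc=yes means the parent is still in promiscuous mode, so working
# VLAN traffic does not yet prove the underlying bug is fixed.
vlan_promisc_report() {
  awk '
    /^[^ \t]+: flags=/ {
      # Interface header line: remember the name and its flag list.
      cur = $1; sub(/:$/, "", cur)
      flags = $2; sub(/^[^<]*</, "", flags); sub(/>.*$/, "", flags)
      promisc[cur] = (("," flags ",") ~ /,PROMISC,/) ? "yes" : "no"
      next
    }
    $1 == "vlan:" {
      # VLAN detail line belonging to the current interface.
      tag[cur] = $2
      parent[cur] = $NF
      order[++n] = cur
    }
    END {
      for (i = 1; i <= n; i++) {
        v = order[i]; p = parent[v]
        st = (p in promisc) ? promisc[p] : "unknown"
        printf "%s tag=%s parent=%s parent_promisc=%s\n", v, tag[v], p, st
      }
    }'
}

# Stand-alone run on the constructed sample; on a device: ifconfig | vlan_promisc_report
sample_ifconfig | vlan_promisc_report
```

After updating and rebooting, a `parent_promisc=no` line together with working VLAN traffic indicates the fix is effective without the workaround.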



  • Got it - thanks again!



  • After upgrading to

    2.4.0-RC (arm)
    built on Thu Oct 05 21:17:11 CDT 2017
    FreeBSD 11.1-RELEASE-p1

    I seem to be seeing this problem; previous releases had been fine. Anyone else experiencing issues with the latest build?


  • Rebel Alliance Developer Netgate

    We're aware, a fix is coming shortly.

