Netgate Discussion Forum

    STP and network

    General pfSense Questions
    fireix:

      Thank you so much, seems like stacking is the way to go  :)

      fireix:

        When checking out the LAG features in pfSense, I see that only a single LAN interface (OVPN3) is available in the LAG screen (under Parent device). Is this because I have these interfaces in bridge mode?

        I do need the fw to be in transparent mode since I have the same IP/network on WAN/LAN - any way to solve this?

        Guest:

          What? You LACP to pfSense then use whatever "teaming" you want with one link to each switch for the backend. Or LACP, or whatever.

          I am pretty sure he is sitting in a thinking trap of his own mind! He owns switches that are not capable of
          doing what he wants to realize, a redundant core of network switches. There are some methods to do so, but
          in all cases the switches must support some things as well. Please have a look at the network graphics
          to understand why he is talking about using LAGs in that case. There is more than one LAG type to go with.

          Building a switch core stack will be one thing and going by different redundancy protocols will be another one.
          Please accept that the Cisco SG200 switches are great, but they are Layer 2 only and do not come with
          redundancy protocols, nor will they be sufficiently sorted with the different supporting LAG methods needed in
          the case you wish to realize. Or in shorter words, please get other switches.

          Well known Switch redundancy protocols:
          Virtual Router Redundancy Protocol - VRRP
          Virtual Switch Redundancy Protocol - VSRP
          Hot Standby Router Protocol - HSRP

          Alternate protocols or workarounds:
          Policy based Routing - PBR
          TRILL from Brocade

          For the implementation of any or all of these protocols, you must perhaps pay license fees, since these
          protocols are proprietary. And here might also be the sticking point for implementing them in any open-source software,
          due to these licenses, or in other words inserting this into the pfSense CE image (Community Edition). If there is one
          day a paid version of pfSense, this will be no problem, or it will be less complicated to insert such a protocol or more of them.

          LAGs - static, dynamic and crossed:
          Actually there are three LAG methods mostly used:

          • Dynamic LAG using LACP
          • Static LAG, which must be configured manually and totally identically on both ends
          • Cross LAGs; this is used if there are two core switches. Let us imagine two switch stacks with 5 switches each,
            and from each switch in a stack one wire or cable runs to one of the core switches, acting as one LAG.
            As shown in the picture "core stacking", this is the way meant here.

          Switch stacks:
          There are also some different versions out on the market to stack up switches so that they act as one unit and are
          easier to manage with less hassle, also doing mass configuration, firmware updates and backups over
          configuration software such as Netgear's MNS300. In the free version this software is able to
          manage up to 200 switches in one entire network.

          • Stacking over SFP/RJ45 ports with either 1 GBit/s or 10 GBit/s: this is called a poor man's stack, and
            it lets one member fail, after which the second will be the master.

          • Stacking over stacking bays and with stacking modules is more comprehensive and offers more
            than the poor man's method: if one switch fails, the second takes over, and the switches above
            and below also take over half of the data plane throughput. That means if these switches are
            running with 80 GBit/s of throughput, after one switch fails the switches above and below are now running
            with 40 GBit/s of the throughput. Shown in the pictures "stackFailSafe" and "fullduplexstack".

          • The last one is something between these two methods. It does not support all the options and features
            of real stacking with bays and modules, but more than the poor man's method, and it can be used
            over the whole building and across buildings, in a spine-leaf manner. Netgear's M4300 Series
            offers such switches with full Layer 3 routing such as RIP, OSPF, VRRP, PIM and PBR, without any
            license upgrade needed!

          So in your case the Cisco SG500x variant for around ~900 € will be a good bet here.

          Attachments: vrrp_hsrp.jpg, core stacking.jpg, stackFailSafe.jpg, fullduplexstack.png, netgear-spine-leaf-architecture.jpg, spine-and-leaf2.png

            fireix:

            Thank you for the info, I'm probably going for stack hardware. The cost isn't that big compared to the ones I have, but the benefits look big.

            I can get this for probably a 30% lower price than Cisco, plus it has 4x10 Gbit SFP+ stacking ports compared to 2x1 Gbit from Cisco: D-Link SmartPro DGS-1510-52X
            Cisco has a stronger name/brand, but I think their UI is a bit targeted at professionals and doesn't give that much info.

            But my question remains: How may I use an LACP team on the pfSense when I have transparent mode on (since I can't choose any of the LAN ports)? I will try it later today in a spare pfSense. I have a theory that maybe it works if I remove the bridge, then activate the LACP ports and after that join the ports into the bridge again. Or maybe it wouldn't work. If anyone knows whether this is possible, you would spare me a lot of time if you could say so now…

              fireix:

              Yeah, I was correct it seems :) Had to deactivate all LAN interfaces and then I could create the LACP team (it was created as LAN) and then bridge WAN and LAN.

              However, I was not able to ping anything on the LAN interface. I have enabled/assigned the LAN interface and it shows up as connected. But nothing comes through. I was able to ping the gw from the console, but nothing on the LAN.

              I have a any-any on the LAN in fw rules.

                johnpoz (Global Moderator):

                "I have a any-any on the LAN in fw rules."

                What about your bridge rules - thought you wanted this to be a transparent firewall?

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                  fireix:

                  @johnpoz:

                  "I have a any-any on the LAN in fw rules."

                  What about your bridge rules - thought you wanted this to be a transparent firewall?

                  Yes, I do. So you are indicating that I'm missing fw rules on the virtual interface (like OPT3) I activated with the bridge and need to create an any rule there as well? I thought I had, but I have to go back to the data center to be sure. Please let me know if that was what you meant or not.

                  I have had it working as a transparent firewall/bridge for a year or so, that part I know is possible, but maybe there are some details I'm overlooking now…

                    johnpoz (Global Moderator):

                    Depends on how you set up the bridge.

                    https://doc.pfsense.org/index.php/Interface_Bridges

                    Do you have net.link.bridge.pfil_member and net.link.bridge.pfil_bridge under System > Advanced on the System Tunables tab? With them set at 0 and 1, respectively, filtering would be performed on the bridge only.


                      fireix:

                      This was my setting just now (somehow, it has changed since last time - I restored the pfSense backup to a new server and maybe lost some config):

                      net.link.bridge.pfil_bridge Packet filter on the bridge interface 1
                      net.link.bridge.pfil_member Packet filter on the member interface 1

                      From documentation, it looks like I'm supposed to only have one of them set to 1. I changed it to be:

                      net.link.bridge.pfil_bridge Packet filter on the bridge interface 1
                      net.link.bridge.pfil_member Packet filter on the member interface 0

                      This should control the traffic onto the bridge only and not between the local interfaces. But this last step made all traffic bypass the firewall rules I have on the WAN side as well… I could connect to computers over the Internet that I had not opened up for. Is this because the bridge interface is controlling traffic in both directions? How could I control it only one way?

                      I was under the impression that when I have a bridge, I can control the traffic from the Internet-side (WAN) and onto the bridge combined (LAN1, OPT1 etc).

                      How would I set this up so that I can control the traffic from the WAN side and in from the Internet? I do not need to restrict the traffic out from the local side onto the Internet. I have all rules on the WAN side today.

                        fireix:

                        So what I want..

                        1. Create a team (LACP) on pfSense (with two physical interfaces, LAN1, OPT1). The new joined local interface will be called LAN and will be connected to two stacked switches with LACP there as well. This part is easy to do as far as I can tell and the interface appears as LAN as it should.

                        2. Create a bridge with WAN and LAN, where I will have rules for incoming traffic from the Internet on the WAN side. My ISP's gw is also on the WAN side. Seems easy as well.

                        3. Add the bridge to a virtual interface, like OPT3?

                        4. Maybe using pfil_member=1, pfil_bridge=0 against the LACP team is the correct choice instead of the normal pfil_bridge setting in this case? So that I can control traffic in one direction only.

                        I have public static IPs on my web servers on the LAN side; that is the only reason why I have a transparent fw setup.

                        Please let me know the correct settings in this scenario or at least an example that should work.

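                        The WAN-rule bypass reported a few posts up, and the pfil question in step 4 above, as an added illustration that is my own model and not pfSense code: it assumes simplified inbound, first-match, default-deny rules, a bridge assigned as OPT3 with members WAN and LAN, and the constructed rule set in the block (WAN passes only 80/443, LAN and OPT3 carry any-any pass rules).

```python
# Added example, not pfSense code: a model of WHERE pf evaluates rules for a
# packet entering a bridge, driven by the two System Tunables named in the thread,
# net.link.bridge.pfil_member and net.link.bridge.pfil_bridge.
# Assumptions: inbound rules only, first match wins, unmatched traffic is blocked.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    iface: str                      # interface the rule is attached to (WAN, LAN, OPT3)
    action: str                     # "pass" or "block"
    dst_port: Optional[int] = None  # None matches any destination port


@dataclass(frozen=True)
class BridgeSetup:
    pfil_member: int        # 1 = filter on the member interfaces (WAN, LAN)
    pfil_bridge: int        # 1 = filter on the assigned bridge interface (OPT3)
    members: Tuple[str, ...]
    bridge_if: str
    rules: Tuple[Rule, ...]  # in GUI order


def filter_points(setup: BridgeSetup, ingress: str) -> List[str]:
    """Rulesets a packet arriving on `ingress` is checked against."""
    points = []
    if setup.pfil_member and ingress in setup.members:
        points.append(ingress)
    if setup.pfil_bridge:
        points.append(setup.bridge_if)
    return points


def verdict_on(setup: BridgeSetup, iface: str, dst_port: int) -> str:
    """First matching rule on `iface` wins; no match means the default block."""
    for r in setup.rules:
        if r.iface == iface and (r.dst_port is None or r.dst_port == dst_port):
            return r.action
    return "block"


def allowed(setup: BridgeSetup, ingress: str, dst_port: int) -> bool:
    """Forwarded only if every ruleset the packet traverses passes it."""
    points = filter_points(setup, ingress)
    if not points:  # both tunables 0: the bridge forwards without consulting pf
        return True
    return all(verdict_on(setup, p, dst_port) == "pass" for p in points)


def wan_rules_enforced(setup: BridgeSetup) -> bool:
    """Misconfiguration check: is the WAN ruleset consulted for WAN ingress at all?"""
    return "WAN" in filter_points(setup, "WAN")


# Constructed scenario mirroring the thread (not the poster's real config).
RULES = (
    Rule("WAN", "pass", 80),
    Rule("WAN", "pass", 443),
    Rule("LAN", "pass"),    # the "any-any on the LAN"
    Rule("OPT3", "pass"),   # any-any on the bridge interface
)


def scenario(pfil_member: int, pfil_bridge: int) -> BridgeSetup:
    return BridgeSetup(pfil_member, pfil_bridge, ("WAN", "LAN"), "OPT3", RULES)


if __name__ == "__main__":
    for m, b in ((1, 1), (0, 1), (1, 0)):
        s = scenario(m, b)
        print(f"pfil_member={m} pfil_bridge={b}: port 22 from WAN allowed={allowed(s, 'WAN', 22)}, "
              f"port 443 allowed={allowed(s, 'WAN', 443)}, WAN rules enforced={wan_rules_enforced(s)}")
```

With pfil_member=0 and pfil_bridge=1 the only ruleset consulted is the bridge's any-any, so the WAN rules are silently skipped; with pfil_member=1 and pfil_bridge=0 the WAN rules are enforced on ingress while the LAN side stays open, which is the one-direction control asked for.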
                          Derelict (Netgate):

                          The absolute best thing to do is get your upstream to assign a small interface address for your WAN and ROUTE the subnet of addresses to you.

                          Then you can just put the routed subnet on an inside interface and forget about this transparent bridge stuff.

                          Have you asked them if they can do that?

                          Chattanooga, Tennessee, USA
                          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                          Do Not Chat For Help! NO_WAN_EGRESS(TM)

                            fireix:

                            I thought I was close to a solution now, so would prefer to make it on my own. No, I thought I had the simplest solution already ;p They assign a public range for me and I can just use it on servers. And I don't have to do NAT for every service and so on.

                            I come from using FortiGate and this was pretty straightforward without too much technical knowledge of networks. But now I have to actually understand things ;)

                            Do you mean to assign a local range of IPs instead, that are fewer than I have today on a different subnet?

                            Do you have a way to make it like I have it now, so I can compare the methods?

                              Derelict (Netgate):

                              You get a WAN interface of, say 198.51.100.32/30. Your default gateway is 198.51.100.33 and your interface is 198.51.100.34/30.

                              They route 203.0.113.64/29 to 198.51.100.34.

                              You put 203.0.113.65/29 on an inside interface and turn off NAT.

                              You give hosts on that network 203.0.113.66 - 203.0.113.70.

                              No bridging mess.

                              No NAT.

                              Exactly how it's supposed to be.


                                fireix:

                                Ok, I have asked my ISP about this and am waiting for an answer. I do also have some failover system that is not mentioned here, which happens transparently to me.

                                But, to have it transparent like today with the LACP trunk, how would I do it? The way I have it working as of today is apparently by filtering on the member interface. As soon as I filter only on the bridge, the traffic is lost. In my mind (without thinking about networks), it seems logical that the new LAN team interface is being filtered this way.

                                  johnpoz (Global Moderator):

                                  Just to stress.. Having your public range routed to you is way better than any transparent/bridge nonsense ;)  What size public range do you have?  /29 is pretty small… But if /28 or bigger I would for sure think it should be routed to you vs just attached to their network.

                                  I personally even if having to work with attached network vs routed would just nat it and use port forwards.  Simple enough to use your specific IPs for different servers via vips..


                                    fireix:

                                    Have a /24 range, with 256 addresses. It hasn't been stressful so far the last 10 years, since I don't do a lot of network stuff or have any special routing requirements. Think this is the first time I have had problems and that is because I want it to be more redundant by using LACP :)

                                    Most of my servers are web servers with control panels that require a certain IP to bind to (due to licenses). If I were to have local IPs on all servers and have mapping to the public IP for all servers, I suddenly have to manage 256 addresses * 2. And that is before I have to NAT all ports for common services like DirectAdmin and cPanel servers use. Now I can simply group the servers based on profile.

                                    But I'm sure there are ways to do this simple in NAT as well.

                                      Derelict (Netgate):

                                      It is pretty much insane to have that network on your WAN interface. It should be routed to you instead.


                                        johnpoz (Global Moderator):

                                        You have a /24 and it's not routed to you?? Wow.. That is nuts dude.. I would for sure change that.. put pfsense in carp, then get some stack switches between your pfsense carp and your servers and now you're cooking with gas.. ;)


                                          fireix:

                                          Have never even been thinking of that, or that there was any disadvantage of running it transparent. When starting this business, I was told that NAT was slower (performance-wise) and required more setup. The FortiGate I started with supported that easily.

                                          But basically, with your suggestion, I would get assigned an additional small network with public static IPs just for my WAN area. And I could then just remove the bridge on my LAN side and treat the public IPs like I would do on a private network? I don't have any NAT today, so wouldn't have to change there.

                                          Based on this, I shouldn't even have to change the fw rules I think, so that's a good thing. Let's see what my ISP says, maybe there are some kind of setup here that differ from the normal. But I'm still curious to how I would complete the setup in case my ISP says no..

                                            johnpoz (Global Moderator):

                                            Wish I could be more help with bridges on pfsense.  But software bridges should be avoided at all costs if you ask me.  While your use of it is a very valid setup when under the restrictions of having to have a public range directly attached vs routed and wanting to put a firewall in between.

                                            So while your use of transparent is valid, I would suggest if possible migrate away from it.  If you had a small amount of space like a /29 or even /28, nat with vip and then 1:1 would remove your issues of having to deal with port forwards..  Doesn't remove the issue if you have software licensed to some IP… What if you lose your public space?  Do you actually own this /24 in arin or whatever RIR you might be in?  If so you should be able to get your own ASN and just route it yourself to wherever you want via the ISP you're using, etc.

                                            I manage a /16 from arin.. So never run into these sorts of issues.  We just advertise the space we need to use wherever, and be done with it ;)  You just need to work with whatever ISP to accept and advertise out your routes, etc.

                                            But if you just got said /24 from some DC network you're located in - they really shouldn't have any issues with routing it to you vs directly attaching it to their equipment.


                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.