Strange VLAN problem
-
I am having a strange problem with my installation when using VLANs. (Currently just for my DMZ)
I am not convinced yet it is a pfsense problem and possibly just something I am missing (or messed up), but I thought I might start here. Especially since other users are using VLANs fine (Did not post in the 1.2.1 group because I was not sure if the version was my problem)
Hardware:
hp dc7100 slim form factor
Dual server HP NIC (em0,em1)
Onboard nic (bge0)
Switch: Zyxel GS2024 Managed switch latest firmware
DMZ=VLAN2
Running pfsense 1.2.1 RC2 (nov 19)
Problem:
When using VLANs, (using bge0 as the parent) I can connect to my device on the VLANs fine…no drops. I can even stay connected with an RDP connection to the device without packet loss.
But, the device on the VLAN cannot fully connect to the internet. I can get a few pages, but not everything. Ping works out to the internet with no drops, I can telnet to our DNS servers, but only a few random pages load. Inbound traffic seems fine for the services I have running. This was tested from remote computers into the network.
Big Note: my same pfsense configuration works fine when using no VLANs (using the physical NIC).
What I have done so far:
Changed the parent for the VLAN from bge0 to em1….same problem
Changed to no VLAN’s and just using the physical nic…Works fine
Reconfigured the switch from scratch.
Put another device (laptop) on the VLAN same results.
Rebuilt my PFSense config from scratch
What I might do:
Install 1.2 for testing
Try another switch. I don’t have another vendor, just another model Zyxel managed switch.
Is there anything else I can do to troubleshoot this some more, or some other info I can provide to help?
I did search within the forum, but could not find something close. (Or maybe did not use the right search string)
Thanks in advance for any help.
-
This is most probably a MTU problem.
Check your log and see if there are a lot of:
kernel: vlan4: discard oversize frame (ether type 800 flags 403 len 1514 > max 1510)
messages.
You can avoid these problems by lowering the MTU to 1496 instead of 1500.
-
Thanks for the reply GruensFroeschli
I did not see that error, but tried your suggestion anyway to be sure.
Well, that seemed to be the problem!! THANK YOU!!!!!
Just 2 things
- I first change the setting on the DMZ interface which did not work. Then tried the setting on the WAN…bingo… my mistake… It should only be a WAN setting change, correct?
- Was this fix anywhere I missed? (Sorry if it was) Because of the setup working with the physical interface, I did not even think to change the MTU…very cool….
Again Many Thanks!!
-
1: Well it depends on your setup.
If your client can handle oversized frames you should not have to change the MTU.
If the driver of your em NICs cannot handle oversized frames, you would have to change the MTU on the other side of the link, so no oversized frames arrive at your end.
2: The problem is that VLAN tags add 4 bytes to every frame.
–> frames can become bigger than the allowed maximum.
Most drivers can handle this, but some have problems.
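As an added illustration (not code from the thread or from pfSense), the arithmetic behind the MTU answer and the 4-byte-tag explanation above, plus a small parser for the "discard oversize frame" message quoted earlier: a 1500-byte IP packet becomes a 1518-byte tagged frame, and a parent NIC that only accepts 1514-byte frames leaves 1496 bytes for the payload. The sample log lines are constructed; `vlan4`, the host name and the timestamps are placeholders.

```python
import re

ETH_HEADER = 14        # dst MAC (6) + src MAC (6) + EtherType (2); FCS not counted here
VLAN_TAG = 4           # 802.1Q TPID (2) + TCI (2) inserted after the source MAC
STANDARD_FRAME_MAX = ETH_HEADER + 1500   # 1514: what a NIC without long-frame support accepts

def tagged_frame_len(ip_mtu):
    """Frame length on the wire for an IP packet of ip_mtu bytes once an 802.1Q tag is added."""
    return ETH_HEADER + VLAN_TAG + ip_mtu

def max_mtu_for_parent(parent_max_frame=STANDARD_FRAME_MAX):
    """Largest IP MTU a VLAN child can carry if its parent NIC accepts at most parent_max_frame bytes."""
    return parent_max_frame - ETH_HEADER - VLAN_TAG

# Matches the kernel message quoted in the thread. In that message the tag has already been
# removed, so 1510 = 1496 (vlan MTU) + 14 and 1514 = 1500 (sender's MTU) + 14.
OVERSIZE_RE = re.compile(
    r"kernel: (?P<ifname>vlan\d+): discard oversize frame .*?len (?P<len>\d+) > max (?P<max>\d+)"
)

def analyze_oversize_log(lines):
    """Count discards per VLAN interface and derive the MTU the sending side should be set to."""
    report = {}
    for line in lines:
        m = OVERSIZE_RE.search(line)
        if not m:
            continue
        entry = report.setdefault(m["ifname"], {"count": 0, "sender_mtu": 0, "recommended_mtu": None})
        entry["count"] += 1
        entry["sender_mtu"] = max(entry["sender_mtu"], int(m["len"]) - ETH_HEADER)
        entry["recommended_mtu"] = int(m["max"]) - ETH_HEADER
    return report

# Constructed sample log lines, modelled on the single message quoted in the thread.
SAMPLE_LOG = [
    "Nov 20 10:01:02 pfsense kernel: vlan4: discard oversize frame (ether type 800 flags 403 len 1514 > max 1510)",
    "Nov 20 10:01:02 pfsense kernel: vlan4: discard oversize frame (ether type 800 flags 403 len 1514 > max 1510)",
    "Nov 20 10:01:03 pfsense dhcpd: DHCPREQUEST for 10.0.2.5 from 00:11:22:33:44:55 via vlan4",
]

if __name__ == "__main__":
    print(f"1500-byte IP packet with a tag is a {tagged_frame_len(1500)}-byte frame "
          f"(> {STANDARD_FRAME_MAX} accepted by a NIC without long-frame support)")
    print(f"Safe MTU on such a parent: {max_mtu_for_parent()}")
    for ifname, info in analyze_oversize_log(SAMPLE_LOG).items():
        print(f"{ifname}: {info['count']} discards, sender used MTU {info['sender_mtu']}, "
              f"set MTU to {info['recommended_mtu']}")
```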