Netgate Discussion Forum
    switch setup on Netgate-SG-3100

    Category: L2/Switching/VLANs
    8 Posts 2 Posters 1.4k Views
    adamw:

      Hi all,

      I have an old device running 2.3.4 with interfaces defined as below:

      WAN1 (wan) -> vr1 -> v4: xxx.xxx.xxx.xxx/29
      LAN (lan) -> vr0 -> v4: 192.168.8.1/22
      WAN2 (opt1) -> pppoe0 -> v4/PPPoE: yyy.yyy.yyy.yyy/32
      DMZ (opt2) -> vr0_vlan999 -> v4: 172.20.13.1/24

      I exported this config and imported it to an SG-3100 running 2.4.4.
      After boot with this config the last 2 autodetected interfaces looked incorrect:

      WAN1 (wan) -> mvneta2 -> v4: xxx.xxx.xxx.xxx/29
      LAN (lan) -> mvneta1 -> v4: 192.168.8.1/22
      OPT1 (opt1) -> mvneta0 ->
      DMZ (opt2) -> vr0.999 -> v4: 172.20.13.1/24

      so I've recreated them manually as below:

      WAN1 (wan) -> mvneta2 -> v4: xxx.xxx.xxx.xxx/29
      LAN (lan) -> mvneta1.1 -> v4: 192.168.8.1/22
      WAN2 (opt1) -> pppoe0 ->
      DMZ (opt2) -> mvneta1.999 -> v4: 172.20.13.1/24

      That didn't work for LAN and DMZ with several different configurations of SG-3100 switch VLANs I've tried.

      LAN works if I remove VLANs completely:

      LAN (lan) -> mvneta1 -> v4: 192.168.8.1/22

      Is it because there is a conflict with VLAN ID 1 being used in two places?

      Ideally I would like to achieve the following scenario with switch ports:

      LAN1: LAN(1) and DMZ(999) trunked/tagged with both VLANs passed through to the core switches and the rest of the network. Then I configure access (LAN vs DMZ) locally on these switches.
      LAN2: LAN(1) only - e.g. if I want to access SG-3100 directly bypassing core switches.
      LAN3: DMZ(999) - same as above but for a DMZ device.
      LAN4: spare and reserved for future use (e.g. WiFi)

      SG-3100 switch was troublesome to start with and I had to make some changes:
      https://forum.netgate.com/topic/137703/switch-php-errors-on-netgate-sg-3100

      Not sure if it's somehow related.

      Please advise.

      Regards,
      Adam

      adamw:

        I've just discovered that my problems started earlier this year when I migrated config from 2.2.6 to 2.3.4.
        A port on the master switch tagged with both VLAN 1 and 999 stopped passing any traffic to/from firewall port vr0.
        There have been no changes made on the switch so it must be something changing in pfSense config between 2.2.6 and 2.3.4.
        I've run a diff on the files and there are hundreds of lines being flagged.
        Vast majority is related to opening and closing tags.
        I can't see any differences that I would expect to affect VLANs.

        Has anybody had similar problems?
        Any ideas?

        adamw:

          I've found one problem - misconfigured LAN interface:

          	<lan>
          		<enable></enable>
          		<if>vr0</if>

          instead of:

          	<lan>
          		<enable></enable>
          		<if>vr0_vlan1</if>

          A different port (VLAN unaware) on the master switch was used.
          DMZ hasn't been in use since so nobody noticed...

          Derelict (Netgate):
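The mix-up above (LAN assigned to the bare `vr0` while a `vr0_vlan1` VLAN interface also exists, so the VLAN the switch was expecting never carried traffic) is easy to catch mechanically. The following is an added example, not code from the thread or from pfSense: a small lint that parses a pfSense `config.xml`, cross-checks `<interfaces>/<*>/<if>` assignments against the `<vlans>` block, and reports dangling VLAN assignments, declared-but-unassigned VLANs, and any VLAN declared with tag 1 (the latter reflects Derelict's advice later in the thread to leave the default VLAN untagged). The embedded sample is constructed to match the fragments in the posts; the element layout (`<vlans><vlan><if/><tag/><vlanif/></vlan>`) is assumed from the 2.3.x/2.4.x naming seen in the thread and should be checked against a real export.

```python
"""Lint a pfSense config.xml for VLAN assignment mistakes (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample shaped like the thread's fragments: LAN sits untagged on vr0,
# a VLAN-1 interface is declared but unused, DMZ rides vr0_vlan999.
VLAN1_LINE = "<vlan><if>vr0</if><tag>1</tag><descr></descr><vlanif>vr0_vlan1</vlanif></vlan>"
SAMPLE_CONFIG = f"""<pfsense>
  <interfaces>
    <wan><enable></enable><if>vr1</if><ipaddr>dhcp</ipaddr></wan>
    <lan><enable></enable><if>vr0</if><ipaddr>192.168.8.1</ipaddr><subnet>22</subnet></lan>
    <opt1><enable></enable><if>pppoe0</if><descr>WAN2</descr></opt1>
    <opt2><enable></enable><if>vr0_vlan999</if><descr>DMZ</descr><ipaddr>172.20.13.1</ipaddr><subnet>24</subnet></opt2>
  </interfaces>
  <vlans>
    {VLAN1_LINE}
    <vlan><if>vr0</if><tag>999</tag><descr></descr><vlanif>vr0_vlan999</vlanif></vlan>
  </vlans>
</pfsense>
"""
# Same config with the VLAN-1 declaration removed: LAN untagged on vr0, DMZ tagged 999.
CLEAN_CONFIG = SAMPLE_CONFIG.replace(VLAN1_LINE, "")


def parse_vlans(root):
    """Return {vlanif: (parent_device, tag)} from the <vlans> block."""
    vlans = {}
    for v in root.findall("./vlans/vlan"):
        vlans[v.findtext("vlanif")] = (v.findtext("if"), int(v.findtext("tag")))
    return vlans


def parse_assignments(root):
    """Return {interface_name: device} from <interfaces>, e.g. {'lan': 'vr0'}."""
    out = {}
    for child in root.find("interfaces"):
        dev = child.findtext("if")
        if dev:
            out[child.tag] = dev
    return out


def looks_like_vlan(device):
    # Both naming schemes seen in the thread: vr0_vlan999 (2.3.x) and mvneta1.999 (2.4.x).
    return "_vlan" in device or "." in device


def lint(xml_text):
    """Return a list of human-readable findings; an empty list means no issue found."""
    root = ET.fromstring(xml_text)
    vlans = parse_vlans(root)
    assigned = parse_assignments(root)
    findings = []
    # 1. an interface assigned to a VLAN device that <vlans> does not declare
    for name, dev in assigned.items():
        if looks_like_vlan(dev) and dev not in vlans:
            findings.append(f"{name}: <if>{dev}</if> is not declared under <vlans>")
    used = set(assigned.values())
    for vlanif, (parent, tag) in vlans.items():
        # 2. a VLAN that exists but carries nothing (the vr0 vs vr0_vlan1 case)
        if vlanif not in used:
            findings.append(f"vlan {vlanif} (tag {tag} on {parent}) is declared but no interface is assigned to it")
        # 3. tagging the default VLAN; carry it untagged on the parent instead
        if tag == 1:
            findings.append(f"vlan {vlanif}: tag 1 is the default VLAN; use {parent} untagged instead of tagging it")
    return findings


if __name__ == "__main__":
    for line in lint(SAMPLE_CONFIG):
        print("SAMPLE:", line)
    print("CLEAN :", lint(CLEAN_CONFIG) or "no findings")
```

Run it against an export taken before and after a version migration; a non-empty diff in the findings is a far quicker signal than diffing the raw XML, which as the post above notes is dominated by tag-formatting noise.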

            Well, first thing is to drop the notion of tagging VLAN 1. If you want to continue to use the default VLAN, you should have the following interface assignments:

            LAN -> mvneta1
            DMZ -> mvneta1.999

            That will send LAN traffic to the switch untagged and DMZ traffic tagged.

            You would then want to be sure 999 was tagged on port 5 of the switch.

            Where the two VLANs go from there depends on the settings of the other 4 ports. But I would not try to tag VLAN 1 to anything connected. I would just put VLAN 1 on the port as untagged.

            VLAN 999 can be either tagged or untagged depending on what the device you connect is expecting.

            https://www.netgate.com/docs/pfsense/solutions/sg-3100/switch-overview.html

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

              adamw:

              TA for all the suggestions.

              This is my current set up:

              LAN -> mvneta1
              DMZ -> mvneta1.999

              SG-3100 switch setup:

              Ports tab

              Port 1 - Port VID 1
              Port 2 - Port VID 1
              Port 3 - Port VID 999
              Port 4 - Port VID 999

              VLANs tab

              VLAN group: 0
              VLAN tag: 1
              Members: 1(connected to untagged port on a test switch), 2, 5

              VLAN group: 1
              VLAN tag: 999
              Members: 3t(connected to a tagged port on a test switch), 4, 5t

              This is working as expected but I'm not sure how it's going to behave when I connect the firewall to the live switches.
              They are chained with dual LAGGs.
              VLAN1 and VLAN999 are tagged on all LAGGs / LAGG ports.

              My first concern is VLAN1 traffic traversing through.
              My second concern is potential loops on SG-3100 switch which AFAIK doesn't support STP.
              BTW is it a hardware limitation or merely missing some firmware code?

                Derelict (Netgate):

                @adamw said in switch setup on Netgate-SG-3100:

                This is working as expected but I'm not sure how it's going to behave when I connect the firewall to the live switches.
                There are chained with dual LAGGs.
                VLAN1 and VLAN999 are tagged on all LAGGs / LAGG ports.
                My first concern is VLAN1 traffic traversing through.

                802.1q is 802.1q. The untagged traffic will be placed on whatever VLAN is the PVID on the switchport connected to the SG-3100.

                My second concern is potential loops on SG-3100 switch which AFAIK doesn't support STP.
                BTW is it a hardware limitation or merely missing some firmware code?

                I don't see that the Marvell switch chip supports STP at all. I know there are no GUI knobs for it. I would take care to not create loops there.


                  adamw:

                  @derelict said in switch setup on Netgate-SG-3100:

                  802.1q is 802.1q. The untagged traffic will be placed on whatever VLAN is the PVID on the switchport connected to the SG-3100.

                  In my scenario on the switch connected to the firewall I have:

                  Port 22: VLAN1 and VLAN999 tagged
                  Port 23 + 24 LAGGed with VLAN1 and VLAN999 tagged

                  (followed by a chain of switches connected to one another with 2 LAGGed ports with VLAN1 and VLAN999 tagged)

                  Currently I have a single cable connecting vr0_vlan1/vr0_vlan999 on pfSense to port 22 on the first (let's call it "core") switch.
                  Both VLANS work fine on all switches.

                  The default VLAN1 still works ok across all switches if I connect the cable to any port < 22 which are marked as VLAN1 untagged.
                  VLAN999 stops working which is no surprise.

                  With the new firewall SG-3100 (config details in my previous post) I'm planning to connect SG-3100 Port1 to any port < 22 and Port3 to port 22.
                  Following that I'll remove tag for VLAN1 from that port.
                  So that VLAN1 traffic flows through port < 22 and VLAN999 traffic through port 22.

                  What's still not clear to me is how exactly VLAN1 traffic is going to traverse to other switches down the chain.
                  Is having VLAN1 tagged on LAGGed ports 23 and 24 necessary?
                  Or quite the opposite - it should be removed and allow default forwarding rules and PVIDs deal with it?
                  PVIDs are set to 1 across all ports on all switches, apart from 2 ports on one of the switches explicitly used for DMZ.
                  I'm guessing creating VLAN100 for the default LAN traffic is a better practice, right?

                    Derelict (Netgate):

                    You don't tag VLAN 1. At best, I would consider the behavior there to vary across vendors. VLAN 1 is the default, untagged VLAN.

                    It should be untagged on mvneta0.

                    In Interfaces > Assignments You assign the interface you want to see that traffic to mvneta0.

                    When you create VLAN 999 on mvneta0 that will be mvneta0.999. That indicates the traffic will be tagged to, and must be tagged from, the embedded switch.

                    You would assign whatever pfSense interface you intend to be on VLAN 999 to VLAN 999 on mvneta0.

                    On the switch you would have:

                    VLAN 1, ports 1,2,5
                    VLAN 999, ports 3,4,5t

                    PORT 1,2,5 PVID 1
                    Port 3,4 PVID 999

                    In that case there will be NO tagged traffic outside the switch so any connecting switch ports must be UNTAGGED.

                    If you want to make, say, port 4 a "Trunk" port carrying both VLANs you would:

                    VLAN 1, ports 1,2,4,5
                    VLAN 999, ports 3,4t,5t

                    PORT 1,2,4,5 PVID 1
                    Port 3 PVID 999

                    The connecting switch port would need to be configured with VLAN 1 as the untagged, native VLAN and VLAN 999 tagged.


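The two switch layouts in the post above, and the earlier point that an untagged frame simply lands in the PVID of the port it enters, can be checked by running frames through a small 802.1Q forwarding model. This is an added example, not code from the thread or from Netgate: the forwarding rules are textbook 802.1Q (untagged ingress is classified into the port's PVID; tagged ingress keeps its VID and is dropped unless the port is a member of that VID, i.e. ingress filtering is assumed on; the frame is then flooded to every other member port and leaves tagged only where membership is tagged, the `t` suffix in the thread's notation). It is not a description of the Marvell chip's firmware, and port 5 is taken, as in the thread, to be the port wired to the pfSense host interface. The model also makes visible why tagging VLAN 1 is avoided: a tagged VID-1 frame arriving on a port that is an untagged member of VLAN 1 is accepted here, but that is exactly the case where real hardware varies.

```python
"""802.1Q forwarding model for the SG-3100 embedded switch configurations (added example)."""
from dataclasses import dataclass, field


@dataclass
class Switch:
    pvid: dict                                   # port -> PVID applied to untagged ingress
    members: dict = field(default_factory=dict)  # vid -> {port: leaves_tagged?}

    @classmethod
    def from_thread_notation(cls, pvid, groups):
        """groups uses the VLANs-tab notation from the thread: {vid: "1,2,4t,5t"}."""
        sw = cls(pvid=dict(pvid))
        for vid, spec in groups.items():
            sw.members[vid] = {}
            for item in spec.replace(" ", "").split(","):
                tagged = item.endswith("t")
                sw.members[vid][int(item.rstrip("t"))] = tagged
        return sw

    def forward(self, ingress, tag=None):
        """Flood one frame; return {egress_port: vid_or_None}.

        tag=None means the frame arrived untagged. In the result, None means the
        frame leaves untagged and an integer means it leaves carrying that tag.
        An empty dict means the frame was dropped at ingress.
        """
        vid = self.pvid[ingress] if tag is None else tag
        port_map = self.members.get(vid, {})
        if ingress not in port_map:
            return {}  # ingress filtering: the port is not a member of that VLAN
        return {p: (vid if tagged else None)
                for p, tagged in port_map.items() if p != ingress}

    def tagged_egress_ports(self):
        """Ports that can ever emit a tagged frame, i.e. that need an 802.1Q-aware peer."""
        return sorted({p for m in self.members.values() for p, t in m.items() if t})


# Layout A from the post: every front port is an access port, only port 5 sees tags.
ACCESS_ONLY = Switch.from_thread_notation(
    pvid={1: 1, 2: 1, 3: 999, 4: 999, 5: 1},
    groups={1: "1,2,5", 999: "3,4,5t"},
)

# Layout B: port 4 becomes a trunk carrying VLAN 1 untagged (native) and VLAN 999 tagged.
PORT4_TRUNK = Switch.from_thread_notation(
    pvid={1: 1, 2: 1, 3: 999, 4: 1, 5: 1},
    groups={1: "1,2,4,5", 999: "3,4t,5t"},
)

if __name__ == "__main__":
    # LAN leaves mvneta1 untagged, DMZ leaves mvneta1.999 tagged; both enter at port 5.
    print(ACCESS_ONLY.forward(5))             # {1: None, 2: None}
    print(ACCESS_ONLY.forward(5, tag=999))    # {3: None, 4: None}
    print(ACCESS_ONLY.forward(3))             # DMZ host -> {4: None, 5: 999}
    print(ACCESS_ONLY.tagged_egress_ports())  # [5]: no tagged frame ever leaves a front port
    # Layout B: the trunk on port 4 in both directions.
    print(PORT4_TRUNK.forward(5, tag=999))    # {3: None, 4: 999}
    print(PORT4_TRUNK.forward(4))             # untagged on the trunk -> PVID 1 -> {1: None, 2: None, 5: None}
    print(PORT4_TRUNK.forward(4, tag=999))    # {3: None, 5: 999}
```

To test a planned layout, build a `Switch` from the Ports and VLANs tabs exactly as entered in the GUI and check `tagged_egress_ports()`: every port it lists must face a switch port that expects those tags, and every port it does not list must face an untagged (access or native) port.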
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.