XG-7100 not passing untagged LAN traffic on internal vlan other than 4091
-
I recently received our first XG-7100 and ran into a bit of a snag while setting it up. I believe I have found a bug but I want to run it by the forums first.
For the purposes of my configuration I am not using the 10G ports and am only using the 1G switch ports on the XG-7100 (setup by default as lagg0). We use VID 3000 for our LAN and generally speaking pass the LAN to our external switches untagged. By default the LAN on the XG-7100 is setup to use the internal switch ports and is internally defined on VID 4091. This works just fine and I am able to pass LAN traffic untagged to our external switches in the default configuration. To keep things consistent across my devices I decided to change the LAN VID on the XG-7100 from 4091 to 3000. Unfortunately this resulted in the XG-7100 no longer passing traffic to our external switches. I am of course remembering to change the VID in both the networking configuration and the internal switch configuration. I also tried changing it to a number of other VIDs but traffic would only be passed using VID 4091.
Has anyone else run into this issue or have any suggestions as to what to try?
Since I am passing traffic to our external switches untagged it shouldn't really matter what VLAN the LAN network is defined as internally in the XG-7100 but it appears that it does. I have a feeling that someplace in the pfSense software the LAN is hard-coded to internally use VID 4091 and therefor when I change it in the GUI it just doesn't work. In the end this is just a nice thing to have and using VID 4091 internally for the LAN doesn't actually hurt functionality. I could also try passing LAN traffic on VID 3000 tagged (many would likely say that I should do this anyway) to my external switches but I haven't tried that yet. While this isn't a show-stopper issue I believe it should be addressed if it is indeed a bug as it leads to people like me banging their head against the wall for what appears to be a perfectly valid configuration.
-
https://www.netgate.com/resources/videos/configuring-netgate-appliance-integrated-switches-on-pfsense-244.html
-Rico
-
I reviewed the video and didn't find any information relating to the issue I am describing. That said, It is definitely good material for understanding how to configure the integrated switch XG-7100.
-
Maybe I understand wrong what you are doing... but on my XG-7100 I totally wiped VID 4091 and everything is working smooth so there can't be anything hardcoded.
-Rico
-
All I can say is that if I change the LAN interface to operate on lagg0.3000 and also change ETH3/ETH7 (my switch uplinks, STP is blocking one of these) to be VID 3000 then it stops passing traffic. Screenshots of the current config are below. In the end I'm mostly just trying to do my part for the community by reporting this issue. I will be trying to link my LAN to the firewall tagged instead of untagged over the next few days and if that works properly then this will be a non-issue for me.
-
How about you show the switch config when it doesn't work. That looks like the default config.
- Remove a port from VLAN group 2, say port 8. VLAN group 2 should look like this: 2,3,4,5,6,7,9t,10t
- Create VLAN Group 3, set the VLAN tag to 3000, add these ports: 8,9t,10t
- Edit the switch ports. Click on the Port VID for port 8 and change it to 3000
- Add a pfSense VLAN 3000 on LAGG0
- Create a NEW pfSense interface assigned to VLAN 3000 on lagg0
- Edit the new interface, enable it, and give it a new numbering like 192.168.2.1/24.
- Enable a DHCP server on the new interface with a pool in the right scope.
- Add a firewall rule on the new interface to pass traffic from those hosts. (Copy the LAN rule and change the interface and source subnet.)
Connect a DHCP workstation to switch port 8. What happens?
After you verify that is working you can move switch ports to either untagged VLAN (4091 or 3000) by changing the VLAN Group and the Port VID to reflect what you want.
-
Unfortunately this system is already in production so I cannot make changes on this hardware until scheduled downtime in a few weeks. I can say that I have already attempted the configuration you are describing but I did not have lagg0.3000 and lagg0.4091 operating at the same time. I only had one or the other. Each time I tried switching between the two I would completely remove the VLAN and the LAN interface and start from scratch. I even tried rebooting the system after removing the VLAN and interface so I was rebuilding it from a clean boot.
I will be setting up a new site on the same hardware this Sunday and can try to replicate the issue then and can explicitly follow your suggested instructions.
-
Well then you have to do the change from WAN Port VID 4090.
You can‘t be connected to LAN 4091 while you change the whole group, this will cut you off.-Rico
-
Not to sound rude, but if you had done that exact configuration it would have worked. Even with only VLAN 3000.
The very reason I suggested this method is because you could perform this test without impacting the users on VLAN 4091 as long as there is an unused switchport to test with. I chose port 8 because it is No carrier in the last screen shots.
Like with any switch, it is possible to lock yourself out while configuring from an interface being changed. Making these changes logged in via WAN or VPN, or out-of-band, is always a preferred method.
What are the first three digits of the serial number of the XG-7100 in question?
-
No worries, no rudeness received. I understand that you believe it would have worked and I also believe it should have worked which is why I was initially suggesting that this could be a bug. Working with pfSense and VLANs is far from a new thing for me but I also don't consider myself above making stupid mistakes.
The larger issues with making the suggested changes is that I don't have IT staff on site until the aforementioned scheduled downtime so I don't have anyone present to plugin a laptop.
Changes have been done via WAN and/or an OpenVPN connection going out of the WAN.
I should be able to re-check this issue on the exact same hardware at a different site that I'm bringing up on Sunday and can provide exact screenshots of the problematic config (I'll grab the XML config while I am at it) as well as have someone plugin a laptop to a switch port on the device while VID 4091 and VID 3000 are coexisting. As I mentioned before I never had both VLANs coexisting while I came across this issue so I will also be testing without the VLANs coexisting as that is when I previously experienced the issue.
-
So I'm bringing up my other site now and was able to reproduce my issue on different but identical hardware. The serial number of the firewall at this site begins with 143.
Again I switched lagg0.4091 to lagg0.3000 and switched the VID configured on the internal switch to 3000. Again I lost connectivity to the external switch plugged in to ETH2. A laptop plugged in to ETH3 also could not contact the firewall nor get a DHCP lease. I noticed on the ports tab of the internal switch configuration that 4091 was still listed as the port VID for all ports. I updated the VID there to be 3000 and things started working.
I was under the assumption that setting a port to be untagged on a VLAN on the internal switch configuration VLAN tab would automatically update the port VID but that assumption looks like is incorrect. This is definitely not a bug and was a config issue on my end. That said, why wouldn't the port VID be updated when I set a port to be untagged on a VLAN in the VLAN tab? I think the configuration for this may be able to be simplified a bit.
Thanks for everyone chiming in and sorry to waste time on this.
-
Some switches do that and some don't.
This requires them both to be set to create an untagged port.
There are certain circumstances where having them be different can be beneficial. For instance you can use "asymmetric VLANs" to create isolated switch ports so there needs to be a way to set them differently.