pfsense lose connectivity on VLAN interfaces unless LAN interface is assigned



  • We use Netgate APU2C2 with 3 NICs (igb0, igb1, igb2) running 2.4.2 as a SIP Proxy. We configure 2 VLANs on 1 NIC (usually igb1) to save switch port space and it works with our standard configuration.

    The trouble we run into is eventually at some point all ports will become unresponsive and we cannot reach the device remotely. We have to bounce the switch ports connected to this device or reboot the device to bring up the interfaces. After doing this the NIC with VLANs (igb1) remains unresponsive. Fortunately, we are able to log in over a failover connection to perform a workaround.

    Example:
    VLANS Created:
    200 for Voice
    100 for WAN

    Interface assignments (IPs have been replaced with x.x.x.x):

    WAN (wan) -> igb1.100 -> v4: x.x.x.x
    LOCALMGMT (opt1) -> igb2 -> v4: x.x.x.x
    VOICE (opt2) -> igb1.200 -> v4: x.x.x.x
    FAILOVER (opt3) -> igb0 -> v4: x.x.x.x

    There is a LAN interface created by default that we leave disabled and unassigned since we have no use for it.

    Our workaround has been assigning the LAN interface to igb1 and configuring it with IP 0.0.0.0/32.

    LAN (lan) -> igb1 -> v4: 0.0.0.0/32

    For some reason this brings that NIC back up and we can reach the WAN and Voice interfaces. We never have the trouble after the workaround is in place, but I would prefer not to do this.

    This same trouble has happened on previous versions of pfSense in the past (pfSense 2.1 and 2.3.4).
    IPv6 is disabled on the devices.
    System logs only show our bouncing switch ports, with no events at the time we lose connection to the device.

    Looking for any help with why the interfaces go down unless the LAN interface is assigned to a NIC and to see if anyone else has had similar trouble.



  • @mttpfsenseadmin said in pfsense lose connectivity on VLAN interfaces unless LAN interface is assigned:

    There is a LAN interface created by default that we leave disabled and unassigned since we have no use for it.

    How do you expect a VLAN to work, when you disable the interface it runs on? A VLAN is not a separate physical interface, rather a virtual one. It's like trying to run a virtual machine, without a real computer to run it on.



  • The LAN interface is not a physical interface. All interfaces on this device are virtual interfaces that are assigned to the physical interfaces (NICs igb0-igb2). So in your analogy, we are forced to run an unwanted virtual machine so that we can use the other virtual machines on the real computer.

    We have also tried leaving the virtual LAN interface active and assigned to the NIC igb1 with no IP information. It will work for several weeks until it does not. When it stops working, we lose all access to the device on all NICs, not just igb1.
    We have to reboot the device or bounce connected switch ports to access the device again over the failover port igb0, then only when an IP gets assigned (in our case we use 0.0.0.0/32) to the LAN interface does it work again.


  • LAYER 8 Netgate

    You do not need to assign it but you cannot assign it and disable it. Just don't select it in Interfaces > Assignments. The parent interface for the VLANs should be an available network port there.

    Countless people run VLANs that way. If you are having a problem it is something peculiar to your environment that will need to be identified and corrected.
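
The rule stated in the last reply (a VLAN parent port may be left unassigned, but not assigned and disabled) can be checked against a configuration backup. The following is an added example, not code from the thread or from pfSense: the sample XML is constructed from the thread's assignments, the element layout (`<interfaces>`, `<enable/>`, `<vlans>/<vlan>/<if>`) is an assumption about the config.xml export, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the thread's assignments (addresses omitted).
# LAN is assigned to igb1 but has no <enable/>, i.e. assigned and disabled.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><enable/><if>igb1.100</if><descr>WAN</descr></wan>
    <lan><if>igb1</if><descr>LAN</descr></lan>
    <opt1><enable/><if>igb2</if><descr>LOCALMGMT</descr></opt1>
    <opt2><enable/><if>igb1.200</if><descr>VOICE</descr></opt2>
    <opt3><enable/><if>igb0</if><descr>FAILOVER</descr></opt3>
  </interfaces>
  <vlans>
    <vlan><if>igb1</if><tag>100</tag><vlanif>igb1.100</vlanif></vlan>
    <vlan><if>igb1</if><tag>200</tag><vlanif>igb1.200</vlanif></vlan>
  </vlans>
</pfsense>"""

def check_vlan_parents(config_xml):
    """Return {parent_port: state} for every VLAN parent in the config.

    state is "unassigned", "assigned-enabled" or "assigned-disabled".
    """
    root = ET.fromstring(config_xml)
    # Map port name -> whether the logical interface assigned to it is enabled
    # (assumption: an <enable/> child marks an enabled interface).
    assigned = {}
    for iface in root.iterfind("interfaces/*"):
        assigned[iface.findtext("if")] = iface.find("enable") is not None
    result = {}
    for vlan in root.iterfind("vlans/vlan"):
        parent = vlan.findtext("if")
        if parent not in assigned:
            result[parent] = "unassigned"
        elif assigned[parent]:
            result[parent] = "assigned-enabled"
        else:
            result[parent] = "assigned-disabled"
    return result

def risky_parents(config_xml):
    """VLAN parents that are assigned but disabled, the case the reply rules out."""
    states = check_vlan_parents(config_xml)
    return sorted(p for p, s in states.items() if s == "assigned-disabled")

if __name__ == "__main__":
    print(check_vlan_parents(SAMPLE_CONFIG))
```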

