Can't Bridge WAN's Parent Interface [SOLVED]

m0j0

Trouble getting bridged ports working.

I have a fiber to the home connection (FTTH) with 1 ISP provided Modem/BTU and 1 ISP provided custom router which includes SIP for VoIP. The internet connection is PPPoE over VLAN 621. The default configuration provided by the ISP is

                      [ISP Router]
Fiber -> Modem/BTU -> --|-> 1x RJ45 WAN Port
                        |-> 4x RJ45 Ports (Gigabit LAN Switch)
                        |-> 2x RJ11 Ports (VoIP)
                        |-> 2.4GHz/5GHz WiFi
                            

I have replaced the ISP provided custom router with a Qotom 4 port pfsense box, I have already setup the PPPoE over VLAN 621 on pfsense and the internet works, which leaves me with the last thing I need to solve, bridging. I would like to bridge 2 of the igb ports on the Qotom box so that I can connect the ISP provided custom router into the pfsense box which will provide the SIP connection for VoIP.

                      [PFSENSE/Qotom]
Fiber -> Modem/BTU -> --|-> (igb1) bridge0
                        |      |-> VLAN 621
                        |            |-> PPPoE (WAN)
                        |-> (igb0) LAN Switch             
                        |-> (igb3) bridge0 -------------> [ISP router] -> VoIP

I assigned both the ports I want to bridge (igb1 and igb3) and then created the bridge interface, I have tried changing the system tunables "net.link.bridge.pfil_member" and "net.link.bridge.pfil_bridge" to 0 and 1 respectively but that didnt work either.

Is it a limitation of my hardware since I have the VLAN configured for PPPoE on the parent interface I am trying to bridge?

I have tried the following which did work but I would ideally like to avoid using a 2nd piece of equipment:

                      [SWITCH]
Fiber -> Modem/BTU -> --|-> PORT1
                        |-> PORT2 -> pfsense
                        |-> PORT3 -> ISP router -> VoIP Handset

It did occur to me that perhaps I needed the change the VLAN 621 parent interface from igb1 to bridge0 but in the dropdown only the physical interfaces showed up, and searching online turned up a thread which if I understand correctly says VLAN parent interfaces have to be physical.
I have attached some screenshots of my pfsense gui, hopefully I haven't left out anything important to the question.
Thanks in advance for any help you guys can provide.

netblues

@m0j0 I think your understanding is wrong. It looks like vlan 621 is used by the btu and is not passed tagged on ethernet. vlan configuration is done inside btu only.
In order to prove this, remove all vlans from igb1 and just add pppoe.
I bet internet will work.
As for the provider router, if you plug a small switch after the btu, connecting btu, isp router and pf igb1 should also work.

Most probably, this will end into two pppoe internet sessions active, and you need to check if this is allowed, and if it can be disabled from the isp router.

If this is not the case, then the btu is having its port configured as trunk, sends different frames over different vlans (i suspect voice is over dhcp).

m0j0

This post is deleted!

m0j0

@netblues said in Can't Bridge WAN's Parent Interface:

@m0j0 I think your understanding is wrong. It looks like vlan 621 is used by the btu and is not passed tagged on ethernet. vlan configuration is done inside btu only.
In order to prove this, remove all vlans from igb1 and just add pppoe.
I bet internet will work.
As for the provider router, if you plug a small switch after the btu, connecting btu, isp router and pf igb1 should also work.

Most probably, this will end into two pppoe internet sessions active, and you need to check if this is allowed, and if it can be disabled from the isp router.

If this is not the case, then the btu is having its port configured as trunk, sends different frames over different vlans (i suspect voice is over dhcp).

Thank you for your message. PPPoE without the VLAN configured doesnt work. It indeed does need that VLAN and digging around the management panel of the ISP router it looks like VoIP also uses a VLAN specifically 822. As for using a switch between the BTU to connect the pfsense and ISP router to, I did mention in my post that I had tested that exact thing and it did work, but I would like to further my understanding of networking by understanding if this can be done without an extra switch. I did also change the "connection mode" on the ISP router from "always on" to "connect manually" to avoid the problem of having both the pfsense and ISP router trying to connect via PPPoE simultaneously.

I imagine having VLAN configured on home routers is unusual, but in my country Malaysia this is actually common place because we have different ISPs using the same fiber infrastructure, for instance if if I change the VLAN from 621 to 500 that would be a different ISP and a different PPPoE login account/password.

netblues

@m0j0 So here it goes..
voip is vlan 822 and is dhcp
internet is vlan 621 and is pppoe
So this is how it is tagged as it leaves the btu.
This is common, it also works like this on vdsl to provide different services..
So the btu can either have this bound on different eth interfaces without tagging, or use a singe eth port in tunnel mode (tagged)
Since pppoe didn't work without vlan, looks like it is the case.

So the isp router expects a trunk port, and won't work bridged.
use a small managed swith,. A 5 port or 8 port would do.
eg Dlink dgs1100-8
Configure port 1 as trunk, with vlans 822 and 621
configure port 2 as trunk with vlan 621 and 822 and connect isp modem
verify that isp and voip works
configure port 3 as untagged vlan 621
remove all vlan configuration from pf and connect wan ppp port to port 3
it should also work
Remove trunk 621 from isp trunk, so it won't connect to internet.

Tell me what you think.

m0j0

@netblues said in Can't Bridge WAN's Parent Interface:

@m0j0 So here it goes..
voip is vlan 822 and is dhcp
internet is vlan 621 and is pppoe
So this is how it is tagged as it leaves the btu.
This is common, it also works like this on vdsl to provide different services..
So the btu can either have this bound on different eth interfaces without tagging, or use a singe eth port in tunnel mode (tagged)
Since pppoe didn't work without vlan, looks like it is the case.

So the isp router expects a trunk port, and won't work bridged.
use a small managed swith,. A 5 port or 8 port would do.
eg Dlink dgs1100-8
Configure port 1 as trunk, with vlans 822 and 621
configure port 2 as trunk with vlan 621 and 822 and connect isp modem
verify that isp and voip works
configure port 3 as untagged vlan 621
remove all vlan configuration from pf and connect wan ppp port to port 3
it should also work
Remove trunk 621 from isp trunk, so it won't connect to internet.

Tell me what you think.

Thank you for your message. Your solution of using a managed switch would certainly clean up alot of config with VLANS etc on the pfsense and I have no doubt it would work, especially since I have already tested a dumb switch in that same position on the chain between the pfsense/isp's router and the btu. However I am trying to avoid using another piece of equipment and would like to just use the extra igb i have on the pfsense box to solve this issue if at all possible. In your message you mentioned that the ISP's router is expecting a "trunk port" and this is exactly right, it got me thinking where the problem lies in my situation. I am under the impression (which now looks wrong) that bridging 2 physical interfaces on a pfsense box is the equivalent of making a 2 port "virtual dumb switch" is this incorrect? Does bridging not work with trunk ports? Because since the BTU is connected to the pfsense box on igb1 and that is a trunk port, does bridging that to igb3 not pass all the vlan traffic in its original tagged state?

EDIT: @m0j0 i had written igb0 (now corrected) but i meant igb1 (somehow trying to edit the post i was hit with a "spam" warning)

netblues

@m0j0
The thing is that usually trunk ports do not recognize packets that do not have vlan tags.
What an unmanaged switch that doesn't understand VLAN tags will do with frames which have VLAN tags (a trunk link) is really undefined. Some switches will drop the frames as garbled, some switches will pass them on as they are, and some switches will strip the VLAN tags.

You could try creating 4 interfaces, 2 on vlan 621 and 2 on vlan 822, under igb0 and igb2 respectively, and then create two bridges , one for each vlan .
put the isp modem on igb2 and see if it works.
I have never tried that in practice though.
A switch does this in a very reliable and easy way.

m0j0

@netblues said in Can't Bridge WAN's Parent Interface:

@m0j0
The thing is that usually trunk ports do not recognize packets that do not have vlan tags.
What an unmanaged switch that doesn't understand VLAN tags will do with frames which have VLAN tags (a trunk link) is really undefined. Some switches will drop the frames as garbled, some switches will pass them on as they are, and some switches will strip the VLAN tags.

You could try creating 4 interfaces, 2 on vlan 621 and 2 on vlan 822, under igb0 and igb2 respectively, and then create two bridges , one for each vlan .
put the isp modem on igb2 and see if it works.
I have never tried that in practice though.
A switch does this in a very reliable and easy way.

Thank you very much for your time and insight. I did as you explained, created the VLANS for both interfaces then bridged them, it didn't work at first till I noticed packets were getting blocked on the bridge interface, so I created rules for both bridges which allowed everything through and now it works! I probably only needed the allow rule since I had changed the system tunables "net.link.bridge.pfil_member" and "net.link.bridge.pfil_bridge" to 0 and 1 respectively. I will try changing them back and giving it a go just to better understand things, but the big hurdle is now crossed thanks to you! much appreciated.

netblues

@m0j0 I'm glad it worked for you. If you have more than a few vlans, emulating a managed switch this way is quite impractical.
Do some stress testing though. I have no idea what kind of speeds you are expecting from fiber and it would be interesting how it fares.
On the other hand, if only voip will end up being bridged, then traffic will be minimal.
pppoe bound on a vlan tag is ok and with minimal overhead, since vlan tagging is handled at the hardware level of the physical interface.

m0j0

@netblues said in Can't Bridge WAN's Parent Interface [SOLVED]:

@m0j0 I'm glad it worked for you. If you have more than a few vlans, emulating a managed switch this way is quite impractical.
Do some stress testing though. I have no idea what kind of speeds you are expecting from fiber and it would be interesting how it fares.
On the other hand, if only voip will end up being bridged, then traffic will be minimal.
pppoe bound on a vlan tag is ok and with minimal overhead, since vlan tagging is handled at the hardware level of the physical interface.

Thank you for your message. I will keep in mind those points. Indeed you are right I am only using this "emulation" to get VoIP back. My internet package gives me 800Mbps down and 200Mbps up and so far both have been just fine even with fq_codel the Qotom (Celeron 3215U & 2GB RAM) box keeps up. I must admit that I really only monitor the pfsense dashboard and sometimes ssh in and check dmesg.