How to get pfSense WAN to accept VLAN 0
-
@michaellacroix This is the same error I was getting when I tried to upgrade to 22.05 as well on both igb0 and em0.
-
@cool_corona said in How to get pfSense WAN to accept VLAN 0:
Try to put pfsense into a VM and run VLAN tagging on the WAN interface using VLAN 0.
Then see if it works.
I'm trying to set this up right now - I have Proxmox running and have pfSense installed, but I do not see how to enable VLAN 0 on the WAN interface.
In Proxmox, when I edit the VM pfSense is on and edit the WAN interface, there is a spot for VLAN tag that has the option of "no VLAN" which is the default, but if you put any number outside of 1-4094, the box turns red and refuses to accept it.
Where do you put this configuration? It appears Proxmox thinks VLAN 0 is not a valid tag to put on the interface.
-
Hyper-V uses VLAN 0 for the parent interface as far as I know. I hope nothing will be broken there if pfSense changes its behavior in the future.
-
@jalano said in How to get pfSense WAN to accept VLAN 0:
I have Proxmox running and have pfSense installed, but I do not see how to enable VLAN 0 on the WAN interface.
To tag outbound?
Most of the issues here are that FreeBSD (and hence pfSense) does not accept VLAN0 as valid and drops the packets. Thus if your ISP sends dhcp responses to you tagged vlan0 pfSense never sees them and you never get an IP address.
To work around that a switch the strips the tags allows pfSense to see the traffic. The outbound traffic does not need to be tagged in most cases (AT&T being the exception).Steve
-
@stephenw10 said in How to get pfSense WAN to accept VLAN 0:
@jalano said in How to get pfSense WAN to accept VLAN 0:
I have Proxmox running and have pfSense installed, but I do not see how to enable VLAN 0 on the WAN interface.
To tag outbound?
Most of the issues here are that FreeBSD (and hence pfSense) does not accept VLAN0 as valid and drops the packets. Thus if your ISP sends dhcp responses to you tagged vlan0 pfSense never sees them and you never get an IP address.
To work around that a switch the strips the tags allows pfSense to see the traffic. The outbound traffic does not need to be tagged in most cases (AT&T being the exception).Steve
Exactly what I'm trying to accomplish, but I don't see how in Proxmox I can simulate the switch "stripping the tags". Someone higher up posted that you can do this, presumably with some other software. So I'm unsure how to configure my virtual switch on Proxmox to do this so my pfSense VM can get the DHCP WAN address.
-
@cool_corona I'm trying to do this on Proxmox.
If I'm understanding you correctly, this means on the virtual bridge interface it's just setup as a "trunk" port which accepts tagged VLAN traffic (this is the physical port that's connected to the upstream Frontier device), and within the virtual machine configuration, set virtual ethernet device as an "access" port which is set to VLAN 0?
My only issue is that the Proxmox configuration won't let me pick anything lower than VLAN 1. Does VMWare ESXi let you choose VLAN 0?
-
@stephenw10 said in How to get pfSense WAN to accept VLAN 0:
@jalano said in How to get pfSense WAN to accept VLAN 0:
I have Proxmox running and have pfSense installed, but I do not see how to enable VLAN 0 on the WAN interface.
To tag outbound?
Most of the issues here are that FreeBSD (and hence pfSense) does not accept VLAN0 as valid and drops the packets. Thus if your ISP sends dhcp responses to you tagged vlan0 pfSense never sees them and you never get an IP address.
To work around that a switch the strips the tags allows pfSense to see the traffic. The outbound traffic does not need to be tagged in most cases (AT&T being the exception).Steve
Steve,
I still find it hard to believe that neither the BSD community nor Netgate have found a work around (or permanent solution) for us (Frontier/ATT fiber) considering that other $20 routers are able to work just fine with the VLAN tag 0 issue. Do we know if the BSD pipeline has this issue reported somewhere and the developers are evaluting a permanent solution? For now I am stuck on 2.5.2 and it seems will be stuck here even after 2.7 release if this issue is not resolve. is it possible to set up a funding page for the developers to spend more time in resolving this problem from the netgate end? PLease advise. -
I've been researching lots of possible solutions to this.
Here's what I'm at now, in case anyone stumbles across this thread in July of 2022!
- FreeBSD 13.1 now has a dhclient that is aware of the DHCPOFFER datagrams inside 802.1q-encapsulated frames with VLAN 0.
- OPNSense 22.7-RC1 is on FreeBSD 13.1.
In theory, when pfSense moves to FreeBSD 13.1 this problem should be fixed. According to this, it's been fixed this way on OPNSense:
https://github.com/opnsense/src/issues/114
-
@jalano said in How to get pfSense WAN to accept VLAN 0:
I've been researching lots of possible solutions to this.
Here's what I'm at now, in case anyone stumbles across this thread in July of 2022!
- FreeBSD 13.1 now has a dhclient that is aware of the DHCPOFFER datagrams inside 802.1q-encapsulated frames with VLAN 0.
- OPNSense 22.7-RC1 is on FreeBSD 13.1.
In theory, when pfSense moves to FreeBSD 13.1 this problem should be fixed. According to this, it's been fixed this way on OPNSense:
https://github.com/opnsense/src/issues/114
Well this is certainly an update and it seems someone is looking into this issue from the BSD end. Jalono have you been able to validate this working on OPNsense yet? Please advise.
-
@cucu007 said in How to get pfSense WAN to accept VLAN 0:
@jalano said in How to get pfSense WAN to accept VLAN 0:
I've been researching lots of possible solutions to this.
Here's what I'm at now, in case anyone stumbles across this thread in July of 2022!
- FreeBSD 13.1 now has a dhclient that is aware of the DHCPOFFER datagrams inside 802.1q-encapsulated frames with VLAN 0.
- OPNSense 22.7-RC1 is on FreeBSD 13.1.
In theory, when pfSense moves to FreeBSD 13.1 this problem should be fixed. According to this, it's been fixed this way on OPNSense:
https://github.com/opnsense/src/issues/114
Well this is certainly an update and it seems someone is looking into this issue from the BSD end. Jalono have you been able to validate this working on OPNsense yet? Please advise.
I have not been able to test this - I need to get another bit of gear to install OPNsense on. I'm currently running an SG-1100 with 2.4.5p1.
Looking at OPNsense 22.7 it appears I will have a lot of work to do to convert the config file or will have to spend some time hand-entering the configuration, which I'm not looking forward to; it's quite different from pfSense now. I was hoping to have found a good solution that would allow me to keep using my pfSense hardware.
-
@jalano said in How to get pfSense WAN to accept VLAN 0:
@cucu007 said in How to get pfSense WAN to accept VLAN 0:
@jalano said in How to get pfSense WAN to accept VLAN 0:
I've been researching lots of possible solutions to this.
Here's what I'm at now, in case anyone stumbles across this thread in July of 2022!
- FreeBSD 13.1 now has a dhclient that is aware of the DHCPOFFER datagrams inside 802.1q-encapsulated frames with VLAN 0.
- OPNSense 22.7-RC1 is on FreeBSD 13.1.
In theory, when pfSense moves to FreeBSD 13.1 this problem should be fixed. According to this, it's been fixed this way on OPNSense:
https://github.com/opnsense/src/issues/114
Well this is certainly an update and it seems someone is looking into this issue from the BSD end. Jalono have you been able to validate this working on OPNsense yet? Please advise.
I have not been able to test this - I need to get another bit of gear to install OPNsense on. I'm currently running an SG-1100 with 2.4.5p1.
Looking at OPNsense 22.7 it appears I will have a lot of work to do to convert the config file or will have to spend some time hand-entering the configuration, which I'm not looking forward to; it's quite different from pfSense now. I was hoping to have found a good solution that would allow me to keep using my pfSense hardware.
According tot he pfsense release notes, it seems the 2.7 upcoming version will be base on 12.3 and not 13.x, this might mean we will be stuck even with this issue after code 2.7 gets to GA. Unless someone backports some kind of workaround for the 2.7 code to work with the VLA 0 issue at hand. Looking forward to get this issue resolve once and for all.
Reference: https://docs.netgate.com/pfsense/en/latest/releases/versions.html
-
It's based on 12.3 now but that doesn't mean it will be.
The dhclient accepting vlan0 tagged packets doesn't address the fact that igb/em doesn't pass the packets to it. Otherwise the netgraph workaround would still work in 2.6.
AT&T is whole different problem. That's very unlikely to ever be supported natively.
Steve
-
Steve,
I would be happy if we can at least get this working for frontier. -
I just loaded some old hardware with current version of opnsense and it works like a charm. No netgraph script necessary. The interface drivers were re0 and em0. DO YOU HEAR THAT NETGATE!
I have frontier fiber. -
@michaellacroix said in How to get pfSense WAN to accept VLAN 0:
I just loaded some old hardware with current version of opnsense and it works like a charm. No netgraph script necessary. The interface drivers were re0 and em0. DO YOU HEAR THAT NETGATE!
I have frontier fiber.Michael,
I think the big challenge for PFS is actually the intel NICs (igb/em) as previously mentioned by steveSteve,
Please correct me if I am wrong... -
@michaellacroix said in How to get pfSense WAN to accept VLAN 0:
I just loaded some old hardware with current version of opnsense and it works like a charm. No netgraph script necessary. The interface drivers were re0 and em0. DO YOU HEAR THAT NETGATE!
I have frontier fiber.Just for clarification if others read this thread:
OPNsense is currently based on FreeBSD 13 while pfSense is using 12.3-STABLE. The OPNsense team had a number of growing pains with that move to FreeBSD 13. They continue to still have a few. There seems to be quite a few changes around VLANs in particular with FreeBSD 13.
So a willy-nilly jump to FreeBSD 13 may result in more bugs than fixes. The pfSense team will get there for sure, but they tend to be a bit more deliberate when making FreeBSD major version moves. If I recall the timeline correctly, the OPNsense team abandoned Hardened FreeBSD (11, I think) and jumped over to FreeBSD 13.
There are differences in the NIC drivers as you change among the FreeBSD versions.
-
In that note, my guess we just have to wait patiently...when the cake is fully bake we will eat it. :-)
-
...when the cake is fully bake we will eat it
yum. save me a piece!
-
@cucu007
Not really, please keep in mind this discussion was started for the issue of PFS not being able to grab an IP from DHCP on the WAN interface because of the vlan tag.
I poked the bear because netgate hid behind freebsd about this issue when they could have easily built something into the application to handle the traffic. Now we know when pfs goes to freebsd 13 issue resolved and that will be a sweet peice of cake... -
@michaellacroix said in How to get pfSense WAN to accept VLAN 0:
I just loaded some old hardware with current version of opnsense and it works like a charm. No netgraph script necessary. The interface drivers were re0 and em0. DO YOU HEAR THAT NETGATE!
I have frontier fiber.To be clear that was using em0 as the WAN interface?
That implies the driver issue there is fixed in FreeBSD 13 and will be inherited when we move to it.Steve
