SG-1100 - OpenVPN bridge and VLAN tags
-
After multiple years of APU usage, I wanted to give an official Netgate product a try. But I cannot figure out how to replicate my tried and tested configuration**, so that VLAN tags are transferred over to the remote site. Rough sketch:

    Office                                     OpenVPN Bridge                     Branch
    ------------------------                                            --------------------
    |pfSense 2.5.2 (APU2C4)|  ----------------------------------------  |netgate SG-1100   |
    ------------------------                                            --------------------
    |bridge0 (tap, igb1)   |                                            |bridge0 (tap, LAN)|
    ------------------------                                            --------------------
              |                                                                  |
    ------------------                                                  ------------------
    |Switch Port 1   |                                                  |Switch Port 1   |
    |VLAN 1 untagged |                                                  |VLAN 1 untagged |
    |VLAN 2500 tagged|                                                  |VLAN 2500 tagged|
    ------------------                                                  ------------------
VLAN 1: Default for our network (bad practice, i know...)
VLAN 2500: Management network for the switches

What works:
Traffic on VLAN 1 crosses the bridge without problems in both directions.

What does not work:
Traffic on VLAN 2500 does not work in either direction.

What I tried so far:
-
Swapped the SG-1100 on the remote site with an Intel based pfSense 2.5.2. Traffic crosses the bridge on both VLANs with the same configuration steps used as for the SG-1100.
-
After that worked, switched back to the SG-1100. Reset to factory defaults, started from scratch replicating the steps from the Intel device. Same results as before (VLAN 1 works, VLAN 2500 does not).
-
Disabled the firewall completely (pfctl -d) to exclude firewall rules from interfering. Other than that: set all traffic to pass on all interfaces, except for WAN.
-
Added VLAN 2500 under "Interfaces" --> "Switch" --> VLANs with members 0t,2 / 0t,2t / 0,2 - no difference
-
What I observed: when I add VLAN 2500 in this setting, ARP requests and replies are visible with tcpdump on mvneta0.4091. But they do not seem to arrive at the senders/receivers they are meant for.
I am out of ideas. I tried some other things, like creating a VLAN interface on the SG-1100, but it did not work either.
Any help would be appreciated. I really want to get this to work and in the long term switch to official hardware because of support.
**Used in various locations, always with Intel based pfSense appliances (APUs, Lanner etc).
-
-
Hmm, Ok. It's interesting that this works at all.
In the 1100 though, the LAN is itself a VLAN, so you would not expect to see traffic tagged as 2500 inside packets tagged 4091. Unless you were using QinQ, of course.
The tagged 2500 traffic will appear on mvneta0 directly, not on mvneta0.4091, so you could assign that and add it to the bridge. However, that would also include all other VLANs on mvneta0, including all LAN and all WAN traffic, so I cannot imagine that working.
The 1100 switch cannot pass QinQ traffic otherwise that might be a solution.
The only thing I could see working here is two tunnels with two bridges and VLAN 2500 defined in pfSense at both ends.
Steve
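To make Steve's point about tag stacking concrete, here is an added example (not code from the thread or from Netgate) that parses the 802.1Q/802.1ad tag stack of an Ethernet frame and reports on which SG-1100 interface it would surface. It assumes the naming from the thread (parent mvneta0, LAN as VLAN sub-interface mvneta0.4091) and uses constructed frames with dummy MAC addresses.

```python
import struct

ETH_ADDR_LEN = 6
TAG_ETHERTYPES = {0x8100: "802.1Q", 0x88A8: "802.1ad"}  # single tag / QinQ outer tag


def parse_vlan_stack(frame: bytes):
    """Return (vlan_ids, payload_ethertype) for a raw Ethernet frame.

    Walks any stack of 802.1Q / 802.1ad tags after the two MAC addresses;
    vlan_ids is ordered outermost first.
    """
    if len(frame) < 2 * ETH_ADDR_LEN + 2:
        raise ValueError("frame too short for an Ethernet header")
    offset = 2 * ETH_ADDR_LEN
    vlan_ids = []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    offset += 2
    while ethertype in TAG_ETHERTYPES:
        (tci,) = struct.unpack_from("!H", frame, offset)  # PCP/DEI/VID
        vlan_ids.append(tci & 0x0FFF)                      # low 12 bits = VID
        (ethertype,) = struct.unpack_from("!H", frame, offset + 2)
        offset += 4
    return vlan_ids, ethertype


def where_seen(frame: bytes, parent="mvneta0", lan_vlan=4091):
    """Interface the frame shows up on, plus the tags still present there.

    Assumption (from the thread): LAN is the sub-interface mvneta0.4091, so an
    outer 4091 tag is stripped on delivery to it; any other outer tag stays on
    the parent interface. A 4091/2500 double tag (QinQ) would reach the LAN
    interface with the inner 2500 tag intact.
    """
    vlan_ids, _ = parse_vlan_stack(frame)
    if vlan_ids and vlan_ids[0] == lan_vlan:
        return f"{parent}.{lan_vlan}", vlan_ids[1:]
    return parent, vlan_ids


def build_frame(vlan_ids, payload_ethertype=0x0806):
    """Constructed sample frame: broadcast dst, dummy src, one tag per VID, ARP."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("0200000000aa")
    tags = b"".join(struct.pack("!HH", 0x8100, vid) for vid in vlan_ids)
    return hdr + tags + struct.pack("!H", payload_ethertype) + b"\x00" * 28


if __name__ == "__main__":
    for stack in ([], [4091], [2500], [4091, 2500]):
        print(stack, "->", where_seen(build_frame(stack)))
```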
-
Thank you for the clarification and technical insight. I will put this device in a different spot that does not rely on transmitted VLAN tags.