Netgate Discussion Forum
    pfSense 22.05 breaks VLANS, restoring pfSense 22.01 fixes the issue

    Category: L2/Switching/VLANs
    247 Posts 7 Posters 74.8k Views
    • stephenw10S
      stephenw10 Netgate Administrator
      last edited by

      Ok, interesting. No outbound traffic there but there's no reason that should be any different.
      We still see all the VLAN0 tagged traffic arriving which implies the APs are tagging it.

      I would bet if you run the second test with only the switch it will work fine.

      What sort of QoS settings do you have on the APs?

      Steve

      N 2 Replies Last reply Reply Quote 0
      • N
        NRgia @stephenw10
        last edited by NRgia

        @stephenw10 said in pfSense 22.05 breaks VLANS, restoring pfSense 22.01 fixes the issue:

        would bet if you run the second test with only the switch it will work fine.

        In a moment, I had to do some tricks for the tests :). Don't worry, I cooperate :) Thank you for staying this long with me.

        1 Reply Last reply Reply Quote 0
        • N
          NRgia @stephenw10
          last edited by NRgia

          @stephenw10 said in pfSense 22.05 breaks VLANS, restoring pfSense 22.01 fixes the issue:

          Ok, interesting. No outbound traffic there but there's no reason that should be any different.
          We still see all the VLAN0 tagged traffic arriving which implies the APs are tagging it.

          I would bet if you run the second test with only the switch it will work fine.

          What sort of QoS settings do you have on the APs?

          Steve

          I don't think Ubiquiti does that on the AP. AFAIK you must purchase a router or a switch to achieve that, but I can look in the UniFi Network Controller.
          I don't see anything that I can turn on on the AP regarding QoS.

          1 Reply Last reply Reply Quote 0
          • N
            NRgia @stephenw10
            last edited by NRgia

            @stephenw10

            Last test as you instructed:

            1. Added port 7 to VLAN 20 group and marked the port Untagged
            2. Set PVID 20 to port 7
            3. Started tcpdump on pfsense for ix2
            4. Connected the cable to a desktop and to port 7

            The desktop MAC is b4:2e:99:c7:b4:26

            tcpdump.txt - sorry was too big

            No lease, no internet

            Maybe I should've removed port 7 from VLAN1 group also?
            https://imgur.com/c5wOVI1

            1 Reply Last reply Reply Quote 0
            • stephenw10S
              stephenw10 Netgate Administrator
              last edited by

              Hmm, well that's weird!

              As long as you changed the PVID on port 7 to 20 then it would only be one way traffic anyway. It shouldn't prevent VLAN20 traffic working.

              Were you able to take a pcap on the connected desktop?

              It's hard to imagine what could be tagging that. It seems very unlikely the AP and switch would be doing so independently.

              Steve

              N 1 Reply Last reply Reply Quote 0
              • N
                NRgia @stephenw10
                last edited by NRgia

                @stephenw10 said in pfSense 22.05 breaks VLANS, restoring pfSense 22.01 fixes the issue:

                Hmm, well that's weird!

                As long as you changed the PVID on port 7 to 20 then it would only be one way traffic anyway. It shouldn't prevent VLAN20 traffic working.

                Were you able to take a pcap on the connected desktop?

                It's hard to imagine what could be tagging that. It seems very unlikely the AP and switch would be doing so independently.

                Steve

                I thought you're off for today :)

                I started to revert back to 22.01, in order to get things running again.

                If you need pictures with the switch I can provide. I don't have any reason not to follow your suggestions. I'm the first who wants to solve this.

                I tried to dump the desktop, but the interface was not getting any IP, just a local one with 169...something, so I provided the ix2 one, dumped from pfSense.

                I can reinstall 22.05 tomorrow if you are still willing, and still have ideas :)

                1 Reply Last reply Reply Quote 0
                • stephenw10S
                  stephenw10 Netgate Administrator
                  last edited by

                  Hmm, do you have Snort or Suricata in in-line mode on ix2 by any chance?

                  In 22.05 you have netmap enabled on ix2 (and ix3) and not in 22.01.

                  N 1 Reply Last reply Reply Quote 0
                  • N
                    NRgia @stephenw10
                    last edited by NRgia

                    @stephenw10 said in pfSense 22.05 breaks VLANS, restoring pfSense 22.01 fixes the issue:

                    Hmm, do you have Snort or Suricata in in-line mode on ix2 by any chance?

                    In 22.05 you have netmap enabled on ix2 (and ix3) and not in 22.01.

                    The configuration is the same on both.
                    On 22.01 I have Suricata running in Inline mode yes, on ix2 and ix3.
                    On 22.05 Suricata it is installed but disabled on all interfaces for testing purposes.
                    Also pfblockerNG installed but disabled.
                    Besides Avahi and NUT I don't have anything else enabled as packages.

                    1 Reply Last reply Reply Quote 0
                    • stephenw10S
                      stephenw10 Netgate Administrator
                      last edited by

                      Hmm, did you reboot since disabling it? Is ix2 still showing netmap enabled?
                      There are known issues with netmap and VLANs and that's definitely a difference between your setup and mine. I'm trying to replicate it now...

                      N 1 Reply Last reply Reply Quote 0
                      • N
                        NRgia @stephenw10
                        last edited by

                        @stephenw10 said in pfSense 22.05 breaks VLANS, restoring pfSense 22.01 fixes the issue:

                        Hmm, did you reboot since disabling it? Is ix2 still showing netmap enabled?
                        There are known issues with netmap and VLANs and that's definitely a difference between your setup and mine. I'm trying to replicate it now...

                        I did reboot after I set PROMISC tag to see if it works. So at least one reboot.

                        1 Reply Last reply Reply Quote 0
                        • stephenw10S
                          stephenw10 Netgate Administrator
                          last edited by stephenw10

                          Do you still see 'netmap' listed as an option on ix2 though?
                          Try setting the interface to legacy mode.

                          I can't replicate exactly what you're seeing but with Snort in-line enabled it cannot pass vlan traffic.

                          Just disabling the interface in Snort removes the netmap setting and allows vlan tagged traffic to pass here.

                          Steve

                          N 1 Reply Last reply Reply Quote 0
                          • N
                            NRgia @stephenw10
                            last edited by NRgia

                            @stephenw10 said in pfSense 22.05 breaks VLANS, restoring pfSense 22.01 fixes the issue:

                            Do you still see 'netmap' listed as an option on ix2 though?
                            Try setting the interface to legacy mode.

                            I can't replicate exactly what you're seeing but with Snort in-line enabled it cannot pass vlan traffic.

                            Just disabling the interface in Snort removes the netmap setting and allows vlan tagged traffic to pass here.

                            Steve

                            After I disabled Suricata I did not see Netmap on the interfaces. I paid close attention to tags, I was looking for "PROMISC". :)
                            But to exclude Suricata I can uninstall it altogether.
                            For now I reverted back to 22.01, but I can upgrade again tomorrow, and uninstall Suricata after the upgrade to 22.05. That is the easy part.

                            If you have other ideas you can post them, and I will try them in order and report back.

                            First I will try to set the interfaces to legacy, second I will uninstall the package.

                            1 Reply Last reply Reply Quote 1
                            • stephenw10S
                              stephenw10 Netgate Administrator
                              last edited by

                              That should be a good test. When I enable netmap here I see no VLAN tagged traffic arrive at all.

                              Do you have anything else running on the parent interface that might be setting it in promisc mode?

                              Steve

                              N 1 Reply Last reply Reply Quote 0
                              • stephenw10S
                                stephenw10 Netgate Administrator
                                last edited by

                                It would be good to repeat the pcap on ix2 with the VLAN working in 22.01. That will show us if the traffic is still tagged VLAN0 in your setup but the driver in 22.01 just allows it.

                                Steve

                                1 Reply Last reply Reply Quote 0
                                • N
                                  NRgia @stephenw10
                                  last edited by

                                  This post is deleted!
                                  N 1 Reply Last reply Reply Quote 0
                                  • N
                                    NRgia @NRgia
                                    last edited by

                                    @nrgia said in pfSense 22.05 breaks VLANS, restoring pfSense 22.01 fixes the issue:

                                    @stephenw10
                                    Besides Suricata, I do not run anything that should enable promisc mode. I don't think pfblocker enables promisc mode.

                                    1 Reply Last reply Reply Quote 0
                                    • N
                                      NRgia
                                      last edited by

                                      @stephenw10 said in pfSense 22.05 breaks VLANS, restoring pfSense 22.01 fixes the issue:

                                      It would be good to repeat the pcap on ix2 with the VLAN working in 22.01. That will show us if the traffic is still tagged VLAN0 in your setup but the driver in 22.01 just allows it.

                                      Steve

                                      Ran a test on pfSense 22.01 as instructed:

                                      1. Started tcpdump on ix2
                                      2. Connected a mobile device to VLAN 20 with IP 192.168.10.57 and MAC 08:c5:e1:97:fa:ab

                                      tcpdump_pfsense_22.01.txt

                                      Any other tests on pfSense 22.01, or should I upgrade to 22.05 and continue with Suricata testing, like you proposed yesterday?

                                      Thank you

                                      1 Reply Last reply Reply Quote 0
                                      • stephenw10S
                                        stephenw10 Netgate Administrator
                                        last edited by

                                        Hmm, no vlan0 traffic at all there...
                                        Does that mean the earlier driver is filtering it before the pcap can see it?
                                        Or that the later driver is somehow adding it?

                                        Are you able to create a mirror port on the switch so we can see what's actually on the wire?

                                        N 1 Reply Last reply Reply Quote 0
                                        • N
                                          NRgia @stephenw10
                                          last edited by NRgia

                                          @stephenw10 said in pfSense 22.05 breaks VLANS, restoring pfSense 22.01 fixes the issue:

                                          Hmm, no vlan0 traffic at all there...
                                          Does that mean the earlier driver is filtering it before the pcap can see it?

                                          I don't know what to respond to this. I will let you draw any conclusions.

                                          Or that the later driver is somehow adding it?

                                          Are you able to create a mirror port on the switch so we can see what's actually on the wire?

                                          I'm still on 22.01, I changed from Inline to Legacy Mode, and then disabled Suricata.
                                          The NETMAP tag is not there anymore.

                                          The test with the mirror port, do you want it done on 22.01 or 22.05?
                                          And which port do you want me to mirror, the pfSense LAN side?
                                          And then what information do you want me to record, and how?
                                          For example, I will connect a device to that mirror port, and then? A tcpdump from pfSense, from the device, on which interface?

                                          Also do you want a full pcap file taken with wireshark, or with tcpdump like before?

                                          1 Reply Last reply Reply Quote 0
                                          • stephenw10S
                                            stephenw10 Netgate Administrator
                                            last edited by

                                            You might rerun the pcap in 22.01 in Inline mode to be sure it looks the same. Confirm it's not netmap adding the vlan0 tags somehow.

                                            The test with the mirror port, do you want it done on 22.01 or 22.05?

                                            Both. Once it's configured you can use it to see what's on the wire in both situations.

                                            And which port do you want me to mirror, the pfSense LAN side?

                                            Yes, the port linked to the pfSense LAN would be most useful there I think.

                                            And then what information do you want me to record, and how?

                                            Connect a client to the mirror port and run a pcap on that client. You will see everything that the pfSense LAN sees.

                                            That will confirm which of those two suppositions is correct.
                                            If you do see vlan0 tagged traffic there then we will know the older driver in 22.01 is actually stripping those tags, allowing it to work.

                                            Steve

                                            N 6 Replies Last reply Reply Quote 0
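The check Steve describes above (look at the frames from a mirror port and see whether they carry a VLAN 0 priority tag, a real VLAN ID, or no tag at all) comes down to reading the 802.1Q header of each Ethernet frame. The script below is an added example and is not code from the thread or from Netgate; it parses raw frames (for instance exported from a client-side pcap), walks any stacked 802.1Q/802.1ad tags, and tallies which source MAC sends which kind of frame. The sample frames are constructed inline using the desktop and mobile MACs mentioned in the thread; the pfSense LAN MAC is a placeholder.

```python
"""Classify Ethernet frames by 802.1Q tag and flag VLAN 0 (priority-tagged) frames.

Added example, not part of the forum thread. Feed it raw frame bytes from a
mirror-port capture to see whether a sender emits VLAN 0 tags, a real VLAN
ID, or untagged frames.
"""
import struct
from collections import Counter

TPID_8021Q = 0x8100   # customer VLAN tag (802.1Q)
TPID_8021AD = 0x88A8  # service/provider tag (802.1ad, QinQ outer tag)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Return dst/src MACs, the list of (pcp, vid) tags and the inner EtherType."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    offset += 2
    tags = []
    # Walk stacked tags: each TPID is followed by a 16-bit TCI and the next EtherType.
    while ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset)
        tags.append((tci >> 13, tci & 0x0FFF))  # PCP is the top 3 bits, VID the low 12
        offset += 4
    return {"dst": mac_str(dst), "src": mac_str(src), "tags": tags,
            "ethertype": ethertype, "payload": frame[offset:]}


def classify(parsed: dict) -> str:
    """Name the outer tag: untagged, priority-tagged (VID 0), reserved (4095) or a real VLAN."""
    if not parsed["tags"]:
        return "untagged"
    vid = parsed["tags"][0][1]
    if vid == 0:
        return "priority-tagged (VLAN 0)"
    if vid == 4095:
        return "reserved VID"
    return f"tagged VLAN {vid}"


def build_frame(dst: str, src: str, ethertype: int, payload: bytes, tag=None) -> bytes:
    """Construct a frame for testing; tag is an optional (pcp, vid) tuple."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if tag is not None:
        pcp, vid = tag
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload


def summarize(frames) -> Counter:
    """Count (source MAC, classification) pairs, the view you want from a mirror-port capture."""
    counts = Counter()
    for f in frames:
        p = parse_frame(f)
        counts[(p["src"], classify(p))] += 1
    return counts


# Constructed sample frames (not captured data); MACs are the ones quoted in the thread.
PF_LAN_MAC = "00:11:22:33:44:55"  # placeholder for the pfSense ix2 MAC
IPV4_STUB = b"\x45" + b"\x00" * 19   # minimal IPv4 header stand-in
SAMPLE_FRAMES = [
    build_frame(PF_LAN_MAC, "b4:2e:99:c7:b4:26", 0x0800, IPV4_STUB, tag=(0, 0)),   # desktop, VLAN 0
    build_frame(PF_LAN_MAC, "b4:2e:99:c7:b4:26", 0x0800, IPV4_STUB, tag=(0, 0)),   # desktop, VLAN 0
    build_frame(PF_LAN_MAC, "08:c5:e1:97:fa:ab", 0x0800, IPV4_STUB, tag=(0, 20)),  # mobile, VLAN 20
    build_frame("ff:ff:ff:ff:ff:ff", "08:c5:e1:97:fa:ab", 0x0806, b"\x00" * 28),   # untagged ARP
]

if __name__ == "__main__":
    for (src, kind), n in sorted(summarize(SAMPLE_FRAMES).items()):
        print(f"{src}  {kind:26s} {n}")
```

A sender that shows up only as "priority-tagged (VLAN 0)" is emitting 802.1Q frames with VID 0, which a switch or driver may either strip (treating them as untagged with a priority hint) or drop, and that difference is exactly what the thread is trying to pin down between the two driver versions.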
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.