Moving VLANS to ix1 interface

cloudjockey

Hello,
I'm trying to move 7 VLANs from a lagged 9+10 interface of the internal switch to the ix1 interface. I have changed the parent interface of all the VLANs to the ix1 interface (including WAN and LAN) but I cannot get any DHCP addresses or traffic routing.

The ix1 interface is a 10G SFP+ twinax going to a Cisco switch. The ix1 interface shows as up in the interface status window and I can see traffic on all the VLANs via the dashboard but no traffic is flowing through the router between the subnets or to the SOC.

I have verified the firewall rules and they are unchanged from when I was using the front panel ethernet ports as my network interface. Prior to switching to the ix1 interface, both DHCP and traffic routing worked correctly.

Any ideas would be appreciated.

Thanks

NogBadTheBad

@cloudjockey Think the same applies the other way round:-

https://docs.netgate.com/pfsense/en/latest/recipes/migrate-assigned-lan-to-lagg.html

Create the new vlans on ix1 go to each vlan and move the network port via the pull down menu.

cloudjockey

@nogbadthebad Thanks for your reply.
Can I create the same VLAN number on two parent interfaces (e.g ix1 and LAGG0)? Wouldn't that create a new set of interfaces?

I have a bunch of firewall rules for each VLAN interface and I don't want to recreate them all.

NogBadTheBad

@cloudjockey yes you can create vlans with the same id on different parent interfaces.

It doesn’t assign an interface.

cloudjockey

@nogbadthebad Thanks. That did the trick. In summary:

• I created a new set of entries under interfaces->Assignments->VLAN using the same VLAN tag I as my original ones on LAG0
• From the interfaces->Assigments tab, I changed the interface from "VLAN xx on LAGG0" to "VLAN xx on ix1" using the drop downs next to each interlace

That seemed to do the trick and my machines on different VLANs are getting a DHCP address.

I still have a problem through: I cannot access anything on the untagged LAN which used to be on 4091 LAGG0.

Right now, I have both the WAN 4090 on ix1 and LAN 4091 on ix1 but I cannot get to the internet nor access any of the address on the default LAN vlan (vlan=1). The router can ping the internet.

NogBadTheBad

@cloudjockey Is it just vlan 4091 that isn't working ?

cloudjockey

@nogbadthebad and WAN on 4090. The rest are working.

There is something I'm confused about: When I re-assigned LAN on LAGG.4091 and WAN on LAGG.4092, to the ix1 interface, does the LAN traffic still get tagged with VLAN=4091? If so, then my switches are not going pass that data to the rest of the network.

Is there a way I can change the LAN and WAN interface to have untagged traffic?

Thanks for your help.

rcoleman-netgate

@cloudjockey said in Moving VLANS to ix1 interface:

but I cannot get to the internet nor access any of the address on the default LAN vlan (vlan=1).

You should not really use the default VLAN (1) for anything... I would change your default to 4091 and you'll see things start to move in this case.

Changing the VLAN # on the 7100 would require changing the built-in port assignments, too, and that can be easily butchered and render the GUI unusable. I always recommend making a single-port interface on the built-in switch on the device before changing the defaults.

Derelict

@cloudjockey The untagged VLAN on ix1 is ix1 with no VLAN. Just assign that interface to ix1.

I agree that one should just pick another VLAN tag and tag it across and avoid mixing tagged and untagged traffic on one interface.

cloudjockey

@rcoleman-netgate So do I have it right that after moving LAN from LAGG0 with VLAN=4091 to a ix1 interface, all the traffic out of the LAN interface on ix1 is getting tagged as 4091?

cloudjockey

@rcoleman-netgate What's the best way to create a single port interface on the switch?
I tried to do this and failed. Here's what I did:

• Create a new VLAN (55) entry on the switch and assign to EHT8 as untagged with ports 9&10 as tagged
• Create a new VLAN entry in the interfaces->VLANs table with tag = 55
• Create a new interface on LAGG0, enabled it and assigned it an IP address (192.168.55.1)
• Enabled DHCP for the new interface and set up a small pool (192.168.55.2-192.168.55.20)
• Created a pass-all firewall rule

rcoleman-netgate

@cloudjockey said in Moving VLANS to ix1 interface:

So do I have it right that after moving LAN from LAGG0 with VLAN=4091 to a ix1 interface, all the traffic out of the LAN interface on ix1 is getting tagged as 4091?

Yes. But on the switch it is PVID on the port and thus goes out untagged (see the Switch Config VLANs tab)

rcoleman-netgate

@cloudjockey said in Moving VLANS to ix1 interface:

What's the best way to create a single port interface on the switch?

My steps:

1. Create VLAN in pfSense Interfaces->Assignments .... VLANs on LAGG0
2. create interface with VLAN in the Assignments page
3. Add VLAN to Switch config (Interfaces->Switches, VLANs tab). UNTAGGED on the port you want it to be isolated to and TAGGED on 9 and 10. Save
4. Remove the port from all other VLANs it is on (tagged or untagged) by editing each VLAN.
5. Click on the PORTS tab and change the PVID of that port to the new VLAN # (click the 4091 text under PVID - it will allow editing) then SAVE.
6. Activate your interface, configure you firewall rules, add DHCP if you want that, etc. This port is now isolated to the single interface.

cloudjockey

@rcoleman-netgate Thanks. That worked. The step I was missing was setting the PVID by clicking the number on the port table in the switch configuration. That interface is not very intuitive.

rcoleman-netgate

@cloudjockey It does say on the notes at the bottom of the page how to do that.

cloudjockey

@rcoleman-netgate said in Moving VLANS to ix1 interface:

Yes. But on the switch it is PVID on the port and thus goes out untagged (see the Switch Config VLANs tab)

Is that always the rule? Would it be correct to say, if a packet going out of a switch port (away from the switch core) has the same VLAN as the port's PVID, the tag gets removed and it becomes untagged.

Derelict

@cloudjockey said in Moving VLANS to ix1 interface:

@rcoleman-netgate said in Moving VLANS to ix1 interface:

Yes. But on the switch it is PVID on the port and thus goes out untagged (see the Switch Config VLANs tab)

Is that always the rule? Would it be correct to say, if a packet going out of a switch port (away from the switch core) has the same VLAN as the port's PVID, the tag gets removed and it becomes untagged.

Yes, that is the general behavior of switches.