LAGG and VPNs
-
So, I currently have:
-
Not sure where the loop could be!
The switch has 4 connections associated with pfsense:-
The WAN link - igb0.101
The 2 LAG links - igb2 & igb3
Additional link for this laptop - igb1 -
log for LAGG interface:-
-
Ok, so I'd guess there's some misconfiguration on the switch for the VLANs that are separating those 4 links and it's creating a loop.
-
Quite possibly but I cannot find it.
It is now back working with the Draytek router without issue and all I have done is change the short timeout back to long, switch back to static from LACP on the switch and swap the WAN cable from modem to router! Spoke with Draytek this morning and they couldn't see an issue with the setup either.
Unless the loop is being created via the connections to the pfsense box somehow?
-
Unlikely unless you have any bridged NICs in pfSense.
Does the Draytek router use the same 4 links to the switch?
Does the LAGG come up correctly if only those links are connected between pfSense and the switch?
-
The router has 2 links to the switch (LAG) and there are 4 links from this switch to another but that is all working. Yes, the draytek router is using the same links.
Never seen the LAGG come up yet to the pfsense either with just those links or others.
Is it possible to let me know what the pfsense settings should be for a LAGG with VPNs and I can try and make the switch match, although there aren't that many options really on the draytek switch to get wrong to be fair.
-
@stevencavanagh said in LAGG and VPNs:
The switch has 4 connections associated with pfsense:-
The WAN link - igb0.101
The 2 LAG links - igb2 & igb3
Additional link for this laptop - igb1

What are the 4 connections then? That looks like 4 NICs in pfSense that are connected to the switch, no?
Any VPNs you might have setup wouldn't have any effect here this is a layer 2 or even 1 issue.
I assume you are able to see a link between pfSense and the switch if there isn't a lagg in play?
-
The first connection is from the pfSense to the modem (igb0.101)
The LAGG (2 connections, igb2 & igb3) from pfSense to the switch
The last is igb1, which is a connection from the pfSense to the laptop

Yes, if the LAGG is removed and a single cable put direct to the switch from the pfSense (obviously a different port from the LAGG) then I get a connection, although at 100MB not 1GB as it should! No idea why though.
For info - the pfsense box is a DELL PC (i5) with 2 twin port NICs, giving a total of 5 ports if you include the motherboard one.
-
Ah, Ok only two links to the switch. Hard to see how that could be a loop then. The fact it only links at 100M is not a great sign! Is it set to fixed speed in the switch maybe?
-
Nope, changed the patch cable, changed the port and forced it to 1GB, where it stopped working completely, so put it back to auto and it auto-negotiates at 100M.
-
Hmm, with igb NICs too. About the best supported hardware there is...
If you force them to 100M does it link?
-
To clarify, the 2 cables for the LAG show as 1G on the switch, it is the single cable to another port (when the LAG is disconnected) that defaults to 100M but it works.
-
Hmm, earlier you said the port LEDs on the links in the lagg are off when it's connected. I wouldn't expect any link speed to be shown in that situation.
Do you mean those links when not configured as a LAGG link at 1G?
If you only connect one link from the lagg does it still fail?
-
@stephenw10 said in LAGG and VPNs:
Hmm, earlier you said the port LEDs on the links in the lagg are off when it's connected. I wouldn't expect any link speed to be shown in that situation.
Do you mean those links when not configured as a LAGG link at 1G?
If you only connect one link from the lagg does it still fail?
Yes, the port LEDs are off when the LAGG cables are connected.
Not tried removing the LAGG from the switch to prove it to be the case as I can't afford to cock it up when I go back to the Draytek router for work! However, all other ports are at 1G so I suspect they will be.
Yes, 1 link still fails.
-
Hmm, OK, if it still fails with only one link to the switch it can't be a loop, it must be a mismatch in the lagg protocol.
Strange though, I wouldn't expect it to show the links down just because LACP is failing. Does pfSense still show the NICs as linked?
-
You can try disabling strict mode:
sysctl net.link.lagg.lacp.default_strict_mode=0
You can also try enabling LACP debugging but be warned it creates a LOT of logs!
sysctl net.link.lagg.lacp.debug=1
-
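The post above says the failure must be a mismatch in the lagg protocol rather than a loop. On FreeBSD/pfSense the place to see that is the per-member flags in `ifconfig lagg0`: a member that has negotiated LACP with the switch shows `ACTIVE,COLLECTING,DISTRIBUTING`, while a member with no partner agreement (static LAG or wrong protocol on the switch side, or the link simply down) shows empty flags. The script below is an added example, not code from the thread or from pfSense; it parses a constructed `ifconfig lagg0` sample (igb2 healthy, igb3 failed, as an assumed layout matching the thread's interface names) and reports the protocol in use and any member that is not fully negotiated. Its reading of the flag names assumes the standard FreeBSD `ifconfig` lagg output format.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): check per-member LACP state
# in the output of `ifconfig lagg0` on FreeBSD/pfSense.

# Constructed sample resembling `ifconfig lagg0`: igb2 has negotiated LACP,
# igb3 has not (assumption: igb2/igb3 as the LAGG members, as in the thread).
SAMPLE_LAGG='lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:11:22:33:44:55
	laggproto lacp lagghash l2,l3,l4
	laggport: igb2 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
	laggport: igb3 flags=0<>
	groups: lagg
	status: active'

# lagg_proto TEXT -> prints the configured lagg protocol (lacp, failover, ...)
lagg_proto() {
    printf '%s\n' "$1" | awk '/laggproto/ { print $2; exit }'
}

# lagg_bad_ports TEXT -> prints member ports that are not ACTIVE, COLLECTING
# and DISTRIBUTING, one per line; prints nothing when every member is up.
lagg_bad_ports() {
    printf '%s\n' "$1" | awk '
        /laggport:/ {
            port = $2
            flags = $3
            if (flags !~ /ACTIVE/ || flags !~ /COLLECTING/ || flags !~ /DISTRIBUTING/)
                print port
        }'
}

# lagg_check TEXT -> returns 0 when the protocol is lacp and every member has
# negotiated, 1 otherwise, with a one-line explanation on stdout.
lagg_check() {
    proto=$(lagg_proto "$1")
    bad=$(lagg_bad_ports "$1")
    if [ "$proto" != "lacp" ]; then
        echo "lagg protocol is '$proto', not lacp: check the switch side matches"
        return 1
    fi
    if [ -n "$bad" ]; then
        echo "LACP members not fully negotiated: $(printf '%s' "$bad" | tr '\n' ' ')"
        return 1
    fi
    echo "all LACP members are ACTIVE/COLLECTING/DISTRIBUTING"
    return 0
}

# On a real box run: lagg_check "$(ifconfig lagg0)"
if lagg_check "$SAMPLE_LAGG"; then
    echo "lagg0 looks healthy"
else
    echo "lagg0 needs attention (see message above)"
fi
```

Run against the live interface with `lagg_check "$(ifconfig lagg0)"`. If the protocol line already says `lacp` but a member stays outside `ACTIVE,COLLECTING,DISTRIBUTING` for more than a few LACP periods, the switch port group is the first place to look; that is the situation where the strict-mode and debug sysctls suggested above help narrow it down.
-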
When I plug the LAGG cables in the status\dashboard links go to red after a few secs and then appear to try again after around 30 secs or so
-
@stephenw10 said in LAGG and VPNs:
You can try disabling strict mode:
sysctl net.link.lagg.lacp.default_strict_mode=0
You can also try enabling LACP debugging but be warned it creates a LOT of logs!
sysctl net.link.lagg.lacp.debug=1
I will give it a go
-
I haven't seen anything that wasn't using active mode LACP for a while but....