LAGG and VPNs
-
@stephenw10 said in LAGG and VPNs:
Hmm, earlier you said the port LEDs on the links in the lagg are off when it's connected. I wouldn't expect any link speed to be shown in that situation.
Do you mean those links when not configured as a LAGG link at 1G?
If you only connect one link from the lagg does it still fail?
Yes, the port LEDs are off when the LAGG cables are connected.
Not tried removing the LAGG from the switch to prove it to be the case as I can't afford to cock it up when I go back to the Draytek router for work! However, all other ports are at 1G so I suspect they will.
Yes, 1 link still fails.
-
Hmm, OK, if it still fails with only one link to the switch it can't be a loop, it must be a mismatch in the lagg protocol.
Strange though, I wouldn't expect it to show the links down just because LACP is failing. Does pfSense still show the NICs as linked?
-
You can try disabling strict mode:
sysctl net.link.lagg.lacp.default_strict_mode=0
You can also try enabling LACP debugging but be warned it creates a LOT of logs!
sysctl net.link.lagg.lacp.debug=1
-
When I plug the LAGG cables in, the status/dashboard links go to red after a few secs and then appear to try again after around 30 secs or so.
-
@stephenw10 said in LAGG and VPNs:
You can try disabling strict mode:
sysctl net.link.lagg.lacp.default_strict_mode=0
You can also try enabling LACP debugging but be warned it creates a LOT of logs!
sysctl net.link.lagg.lacp.debug=1
I will give it a go.
-
I haven't seen anything that wasn't using active mode LACP for a while but....
-
Hi,
Quick question, for example:
If I have LAN set up as 192.168.0.1 and its DHCP server obviously also set up on 192.168.0.x (e.g. 192.168.0.50 - 192.168.0.199), with the switch in question having a static IP address of 192.168.0.21 (not in the DHCP range), then when I come to allocate a static IP for the LAG I cannot use 192.168.0.1/24, despite all the network IP addresses on the default VLAN being 192.168.0.XXX.
Consequently, do I set up the LAN interface as a different IP address such as 192.168.1.1 and then set up the LAG as 192.168.0.1/24 to match the same range as the 2 managed switches, namely 192.168.0.21 / 22, as I assume once the LAG is set up I won't need the LAN interface?
Hope it makes sense!
-
Yes, you can't have two interfaces in the same subnet so if you have lagg0 assigned an interface other than LAN it cannot use the LAN subnet.
So what I would normally do here is reassign LAN from igb1 to lagg0. To do that you need to be connected to the firewall via some other interface though since you would lose connection on igb1.
-
OK, so LAN is currently set to 192.168.2.1 and LAGG 192.168.0.1.
I am currently going through to pfSense via 192.168.2.1.
So I have set up another interface 192.168.5.1 on port em0, but this seems to just go via 192.168.0.1 anyway, so if I change LAN to lagg0 I may end up locking myself out if the lagg is not working and em0 fails, but I will give it a go.
Looking at the LAG currently there is no activity on the ports, and looking at the switch mimic (on the Draytek console) it isn't detecting anything plugged into the ports in question, but there is!
The lagg was showing up a minute ago but is now down in status and nothing changed. The log shows the link coming up and then down again!
-
I have now assigned LAN to lagg0 and it has the right IP address of 192.168.0.1, but the link is obviously down due to the LAG not working.
-
Looking at the log I get:
Aug 25 21:31:30 check_reload_status 420 Reloading filter
Aug 25 21:31:30 check_reload_status 420 Linkup starting igb2
Aug 25 21:31:30 kernel igb2: link state changed to DOWN
Aug 25 21:31:30 check_reload_status 420 Reloading filter
Aug 25 21:31:30 check_reload_status 420 Linkup starting igb3
Aug 25 21:31:30 kernel igb3: link state changed to DOWN
So it looks as though pfSense is starting the LAGG but it is shutting down straight away, presumably because the interfaces do not match somehow!
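As an added example (not from the thread or from pfSense itself), a small Python script that parses kernel link-state lines in the format shown above and counts how often each lagg member bounces; a member that keeps cycling UP/DOWN is the signature of a negotiation or LACP mismatch rather than a cable that simply went down once. The log lines below are constructed to mimic the format in the post.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the pfSense system log lines quoted in the
# thread (not captured from a real system). igb2 bounces repeatedly, igb3 does not.
SAMPLE_LOG = """\
Aug 25 21:31:30 check_reload_status 420 Reloading filter
Aug 25 21:31:30 check_reload_status 420 Linkup starting igb2
Aug 25 21:31:30 kernel igb2: link state changed to DOWN
Aug 25 21:31:30 check_reload_status 420 Linkup starting igb3
Aug 25 21:31:30 kernel igb3: link state changed to DOWN
Aug 25 21:32:01 kernel igb2: link state changed to UP
Aug 25 21:32:03 kernel igb2: link state changed to DOWN
Aug 25 21:32:31 kernel igb3: link state changed to UP
Aug 25 21:32:31 kernel igb2: link state changed to UP
Aug 25 21:32:33 kernel igb2: link state changed to DOWN
"""

# Only kernel link-state lines match; check_reload_status lines are ignored.
LINK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) kernel (?P<ifname>\w+): "
    r"link state changed to (?P<state>UP|DOWN)$"
)

def parse_link_events(text):
    """Return {ifname: [(timestamp, state), ...]} in log order."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINK_RE.match(line.strip())
        if m:
            events[m["ifname"]].append((m["ts"], m["state"]))
    return dict(events)

def last_link_state(text):
    """Final reported state per interface, e.g. {'igb2': 'DOWN', 'igb3': 'UP'}."""
    return {ifname: evs[-1][1] for ifname, evs in parse_link_events(text).items()}

def flapping_interfaces(text, min_changes=4):
    """Interfaces with at least min_changes link-state changes in the log window.
    Every matched line is one change, so the count is simply the number of events."""
    return {ifname: len(evs)
            for ifname, evs in parse_link_events(text).items()
            if len(evs) >= min_changes}

if __name__ == "__main__":
    print("last state:", last_link_state(SAMPLE_LOG))
    print("flapping:", flapping_interfaces(SAMPLE_LOG))
```

Feed it the output of `clog /var/log/system.log` (or the copied dashboard log) to see which member ports are bouncing and which stay down.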
-
Hi,
No idea what I have done, but the LAG is now up but running at 100M, not 1G. It looks as though flow control has been disabled for some reason, even though it is enabled on the switch?
-
Can't seem to get the LAG to run at 1G.
However, although there is a LAG set up between the 1st switch and the 2nd switch which has a connection, if I plug a laptop directly into a switch 2 port on DHCP it does not get an IP address on any port, although the server which is connected to switch 2 on a separate LAG does! Clearly there is an issue with VLANs, but they are all set up as per the guides with DHCP servers assigned and firewall rules set for all access.
I can ping all the DHCP servers from switch 1.
-
Hmm, odd that the links still only come up as 100M.
If you can pull a lease on a client at switch 2 there must be a problem with the VLAN config on the link between the switches, or on switch 2 directly.
-
It is only the link from the router to switch 1 that is 100M. The link from switch 1 to switch 2 is 1G as it always has been; no config changes have been done in switch 2. The VLANs in pfSense are the same as the existing ones in switch 2, but not sure why the NAS can be accessed (LAG on switch 2 to NAS) but no other client, as VLANs in pfSense are set up the same way. Unless it is the fact that the NAS is on a trunk (i.e. the LAG)?
-
A trunk would usually imply a link carrying multiple VLANs. If the NAS is on one or more VLANs directly then that could be different to any other clients, which are likely using access ports (untagged).
But I would be trying to solve the 100M link negotiation problem. A lagg of two 100M links is of questionable benefit IMO. The fact that it is behaving oddly implies other unexpected behaviour could be related.
-
The NAS was intended to be accessible from at least a couple of VLANs, so that may explain that. However, the remaining VLANs should be on their own, which is why they are down as 'access' rather than 'trunk' I assume. I would have thought pfSense would still handle that though.
-
Sure, if all the VLANs are configured correctly pfSense will route between them.
But if the NAS is multihomed on several VLANs directly and you are able to reach it but not untagged clients, that implies a VLAN error somewhere.
-
As nothing has changed on switch 2 where all these are connected, and I can connect to them currently, i.e. through the Draytek router, then when I replace the Draytek with pfSense does that not imply the issue is somewhere in the pfSense VLAN config rather than the switch?
-
Also, is there a way to get to the port details of the NICs that are used in the pfSense box, as I think I've been through every conceivable config on the switch to solve the 100M LAG speed issue? Was going to try and force the speed of both the switch and pfSense NIC port to 1000M.