Netgate Discussion Forum

    VLANS on an 1100, I have some notes

    Category: L2/Switching/VLANs

      Posted by TheGushi:

      All,

      I recently went through the pfsense setup for router-on-a-stick for one of our datacenter deploys. We're going to be buying beefier hardware than the 1100's real soon, but this was at least a useful case to try and get a site-to-site VPN working.

      Unfortunately, some of the unusual behavior of pfSense's internal switch (and some UI choices by the designers) made things kind of weird.

      1. There are at least three different things that can have the same name (WAN/LAN/OPT), and it's unclear which thing you're affecting at any given time.

      For example, there's the silkscreened WAN port on the back of your device, which will always be port 2 -- but then there's also the WAN VLAN, and then there's the WAN pfSense rules interface. Because these are all named with the short names, it makes it hard to realize what you're changing, when. It would be helpful if the names of these devices reflected this -- on my end I've named things VLAN-WAN, or things like "INSIDE" (which I know isn't an interface name).

      As one simple example, in this "Interfaces" display on the home screen, "LAN" is labeled "Switch Port", but the thing that has the picture of ports next to it is the virtual interface.

      [screenshot]

      And the virtual interface shows speed and duplex settings for some reason, and has no subtitle. If I hover my mouse I can see this info, but why not put it in italics, right under the interface name, just like the words "Switch Port" or "Switch Uplink". On the same note, why not show an image of a single physical port for the actual physical ports.

      Also, in cases where a physical port has a switchport number, you might as well show it, i.e. OPT seems to be number "1" on these devices.

      [screenshot]

      (Also, I'd consider words like "Physical RJ45 Port 1" to make it clear what's being talked about).

      2. When you have a device with an internal switch, you get two different "VLANs" config screens. There's the one under Interfaces --> Switches --> VLANs, and then there's the one under Interfaces --> Assignments --> VLANs, where (in the router-on-a-stick configuration) all your VLANs show up twice:

      [screenshot]

      Perhaps some description of why this happens could be added. Or maybe it's just a bug. (But really, if they're two different things for two different internal interfaces, maybe say that?)

      3. pfSense overall has really solid design. When I think I can edit something, I expect to see this thing:

      [screenshot]

      The little pencil/trash icon tells you that something is editable in pfsense. If you don't see those, you will generally assume that something being displayed is informational. It's on the Interfaces-->Switches-->VLANs, but not on Interfaces-->Switches-->Ports.

      On Interfaces-->Switches-->Ports, unless you happen to hover your mouse and see "click to edit" tell you that this is an editable field, you'll assume that this is just an informational display that you should edit elsewhere:

      [screenshot]

      Yes, there's a "save" button, but to my eye that's for the dropdowns under the speed/duplex settings. Whatever funky JavaScript makes this only turn into an edit box when you click on it is lousy design.

      4. Despite the whole router-on-a-stick setup, we're only feeding our OPT port an access port, and it would not work. I thought that by setting the interface on Interfaces-->Switch-->VLANs to "0t,1", it would do the right thing: that port 1 would be untagged. This ate an hour of my time trying to figure out why it wouldn't work.

      [screenshot]

      Part of the cause here was that it wasn't clear to me what "Port VID" meant, and I assumed it was something magic to the internal Marvell switch.

      When I hit the little red question mark in the upper right on Interfaces-->Switch-->Ports, and then chased through to the manual for the 1100:

      https://docs.netgate.com/pfsense/en/latest/solutions/sg-1100/switch-overview.html

      Searching the page for "VID" got me nothing. There could have been a field breakdown there. (I'm used to the phrase "Native VLAN".)

      So, I now have a better understanding of how this all works, which is pretty much how I'd expect it to, but some of the ways to get there were pretty odd, with several screens that look very similar, and the requirement to change/rename things in different places.

      Sadly, once we upgrade to our "real" hardware, all this info will be out the window (since we might do internal vlans, but there won't be an internal switch), but I'm happy to offer a few UI tweaks that can hopefully be added.

      PS: While debugging this, I installed lldpd -- and hit an "undefined symbol" error, because I was on a prior version. Are the pfSense packages not versioned?

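The access-port problem in point 4 comes down to two separate switch settings that are easy to conflate: the VLAN member list (which ports carry a VLAN, and whether frames leave them tagged or untagged) and the Port VID, which decides which VLAN an untagged frame arriving on a port is classified into. The following is an added illustration, not pfSense or Netgate code, that models both settings for a small managed switch and includes a lint check that would have flagged the post's configuration. It reuses the member-list notation from the post ("0t,1"); the reading of "t" as tagged and a bare number as untagged is an assumption, and the port numbers, VLAN IDs and the two configurations are constructed samples.

```python
"""Model of 802.1Q port membership and Port VID (PVID) on a small switch.

Added example, not pfSense/Netgate code. "0t,1" is read as: port 0 tagged,
port 1 untagged (assumed meaning of the trailing "t"). Port numbers and
VLAN IDs below are constructed samples.
"""
from dataclasses import dataclass, field


@dataclass
class Vlan:
    vid: int
    tagged: set = field(default_factory=set)
    untagged: set = field(default_factory=set)


def parse_members(vid, members):
    """Parse a "0t,1" style member string into a Vlan (t = tagged, assumed)."""
    vlan = Vlan(vid)
    for item in members.split(","):
        item = item.strip()
        if item.endswith("t"):
            vlan.tagged.add(int(item[:-1]))
        else:
            vlan.untagged.add(int(item))
    return vlan


@dataclass
class Switch:
    vlans: dict  # vid -> Vlan
    pvid: dict   # port -> Port VID used to classify untagged ingress frames

    def classify_ingress(self, port, tag):
        """Return the VLAN an ingress frame lands in, or None if it is dropped.

        tag is the 802.1Q VID carried by the frame, or None for an untagged
        frame. Simplification: an untagged frame is accepted only if the port
        is an untagged member of its PVID VLAN.
        """
        if tag is None:
            vid = self.pvid.get(port)
            vlan = self.vlans.get(vid)
            if vlan is None or port not in vlan.untagged:
                return None
            return vid
        vlan = self.vlans.get(tag)
        if vlan is None or port not in vlan.tagged:
            return None
        return tag

    def egress(self, port, vid):
        """Return "tagged", "untagged", or None (not forwarded) for egress."""
        vlan = self.vlans.get(vid)
        if vlan is None:
            return None
        if port in vlan.tagged:
            return "tagged"
        if port in vlan.untagged:
            return "untagged"
        return None

    def lint(self):
        """Flag ports whose untagged membership and PVID disagree.

        This is the access-port case from the post: port 1 is listed untagged
        in a VLAN, but its PVID points elsewhere, so untagged frames from the
        attached device never reach the intended VLAN.
        """
        problems = []
        for vlan in self.vlans.values():
            for port in sorted(vlan.untagged):
                if self.pvid.get(port) != vlan.vid:
                    problems.append(
                        f"port {port} is untagged in VLAN {vlan.vid} "
                        f"but its PVID is {self.pvid.get(port)}")
        return problems


def build_switch(vlan_members, pvid):
    """vlan_members: {vid: "0t,1"}; pvid: {port: vid}."""
    vlans = {vid: parse_members(vid, m) for vid, m in vlan_members.items()}
    return Switch(vlans=vlans, pvid=pvid)


# Constructed sample: port 0 is the uplink (trunk), port 1 is the access port.
# BROKEN: port 1 untagged in VLAN 10, but PVID left at the default VLAN 1.
BROKEN = build_switch({1: "0,1", 10: "0t,1"}, {0: 1, 1: 1})
# FIXED: port 1 moved out of VLAN 1 and given PVID 10 (its "native VLAN").
FIXED = build_switch({1: "0", 10: "0t,1"}, {0: 1, 1: 10})

if __name__ == "__main__":
    print("broken config:", BROKEN.lint() or "no problems")
    print("fixed config:", FIXED.lint() or "no problems")
    print("untagged frame on port 1 (broken):", BROKEN.classify_ingress(1, None))
    print("untagged frame on port 1 (fixed):", FIXED.classify_ingress(1, None))
```

Running the lint over the two configurations shows the asymmetry the post hit: in the broken one an untagged frame on port 1 is classified into VLAN 1, not VLAN 10, even though the member list looks right; in the fixed one it lands in VLAN 10, leaves the uplink tagged and the access port untagged, and the lint is clean.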
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.