QinQ migration from MikroTik to pfSense – MTU confusion (L2MTU vs MTU)
-
I am migrating a QinQ (802.1ad) environment from MikroTik to pfSense and I am unsure about the correct MTU configuration. On MikroTik, the physical interface runs with MTU 1500 and L2MTU 1580, and the setup works properly using one S-Tag (VLAN 1062) and multiple C-Tags (10, 20, 30, 40, 66, 77), all with MTU 1500. When moving to pfSense (Intel ice 10Gb interface), I configured the physical interface MTU to 1508 to account for QinQ overhead (1500 + 8 bytes) while keeping VLAN interfaces at 1500, but connectivity did not work correctly. Since MikroTik separates L3 MTU from L2MTU and pfSense does not expose L2MTU in the same way, my question is: should the physical MTU remain at 1500 in pfSense even when using QinQ? Does FreeBSD handle VLAN overhead differently? Or is the recommended approach to keep MTU at 1500 and adjust MSS on WAN instead?
-
????
MTU specifies how much data the frame can hold, regardless of whether there's a VLAN tag. Also, I have never heard of a L3 MTU. On both native and VLAN interfaces I don't specify MTU and just accept the default 1500. Any VLAN tags are before the EtherType, which specifies whether the frame carries IPv4 (0800), IPv6 (86dd) or other. The MTU specifies how much data is allowed after the EtherType.
-
@JKnott Thank you for the feedback.
I have another point I'd like to check as well. I'm trying to create a bridge interface for my VLAN related to my wireless network (Wi-Fi).
However, since the Wi-Fi interface has a captive portal, I can't activate the bridge and it doesn't work without it.
However, when I disable the captive portal, it works normally. Is there any way to make it work with the captive portal enabled?
-
I have a VLAN & 2nd SSID here. I don't understand where a captive portal comes in. That's usually for users to access the network, as I had to do yesterday at the local library. Configuring VLANs etc. should be long before that. Also, what are you trying to bridge? My access point connects directly to the LAN for my main WiFi and to the VLAN for my guest WiFi. The access point connects to pfSense via a managed switch, where I enabled the VLAN on the ports to pfSense and the access point. Also, why are you using QinQ on the LAN? That's normally used on the WAN side, when connecting over fibre, with one VLAN used for the customer and the other by the carrier to separate customers.
-
I am experiencing an issue in an environment where I use QinQ to transport multiple VLANs between headquarters and a branch office. Both locations have VLANs 10, 20 (WiFi), 30, and 66. The transport between sites is done using QinQ with outer VLAN 1062, as provided by the ISP. In pfSense, I configured the QinQ interface, created the inner VLANs, and then set up bridges to extend the VLANs to the branch office.
After configuring the bridges between the QinQ interface and the VLANs, I started experiencing internet instability at the branch office. The connection fluctuates frequently, and some clients report intermittent loss of connectivity. To partially mitigate the issue, I adjusted the MSS on the bridge interface to 1452, which improved the situation but did not completely resolve it. Some clients still report occasional connectivity problems. The bridge interface MTU shows 1496, and I am unable to modify this value. I would like to know whether this MTU value is expected in QinQ scenarios, whether I should instead adjust the MTU on the physical interface, or if there are official recommendations regarding MSS tuning in this type of topology. I also suspect that packet fragmentation might still be occurring even after adjusting MSS.
The second issue involves VLAN 20, used for WiFi, which has Captive Portal enabled at headquarters. When Captive Portal is active, the WiFi VLAN at the branch does not function. If I disable Captive Portal, the VLAN works normally. I would like to understand whether there are known limitations of Captive Portal when used on interfaces that are part of a bridge, especially in QinQ scenarios. Is there any recommended design approach for this situation? Would it be more appropriate to use routing instead of bridging for this type of deployment?

Bridge: [attachment not reproduced]

Error captive portal: [attachment not reproduced]

I appreciate any guidance or best practices regarding this setup.
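The numbers that keep coming up in this thread (a physical MTU of 1508, a bridge MTU of 1496, an MSS of 1452) all fall out of the same frame-size arithmetic. The following is an added worked example, not code from the original post or from pfSense/FreeBSD, that makes that arithmetic explicit for single-tagged and QinQ (802.1ad) links. Whether a given NIC driver counts VLAN tags against the configured interface MTU or lets them ride on top of it differs between drivers and platforms, so that behaviour is passed in as a parameter rather than assumed; the header sizes are the standard Ethernet, 802.1Q/802.1ad, IPv4, IPv6 and TCP values.

```python
"""Frame-size arithmetic for single-tagged and QinQ (802.1ad) links.

Added example for the MTU/MSS discussion; constants are standard header sizes.
"""

ETH_HDR = 14        # destination MAC + source MAC + EtherType
VLAN_TAG = 4        # one 802.1Q or 802.1ad tag (TPID + TCI)
FCS = 4             # Ethernet frame check sequence
IPV4_TCP_HDRS = 20 + 20   # minimal IPv4 header + TCP header
IPV6_TCP_HDRS = 40 + 20   # fixed IPv6 header + TCP header


def wire_frame_size(payload_mtu: int, tags: int) -> int:
    """Bytes on the wire for a maximum-size L3 payload with `tags` stacked VLAN tags."""
    return ETH_HDR + tags * VLAN_TAG + payload_mtu + FCS


def l2mtu_needed(payload_mtu: int, tags: int) -> int:
    """Size of everything after the MAC header (payload plus tags, no FCS).

    This is the quantity MikroTik's L2MTU bounds; the MTU setting alone only
    covers the payload.
    """
    return payload_mtu + tags * VLAN_TAG


def effective_inner_mtu(phys_mtu: int, tags: int, tags_count_against_mtu: bool) -> int:
    """Largest L3 payload that fits inside the innermost tag.

    If the driver lets tags ride on top of the configured MTU, the inner MTU
    equals the physical MTU. If the tags are counted against it, each tag
    costs 4 bytes of payload. (Assumption: which case applies is driver-specific.)
    """
    if tags_count_against_mtu:
        return phys_mtu - tags * VLAN_TAG
    return phys_mtu


def phys_mtu_for_full_payload(payload_mtu: int, tags: int, tags_count_against_mtu: bool) -> int:
    """Physical MTU needed so the innermost payload can still be `payload_mtu` bytes."""
    if tags_count_against_mtu:
        return payload_mtu + tags * VLAN_TAG
    return payload_mtu


def tcp_mss(mtu: int, ipv6: bool = False) -> int:
    """TCP MSS that avoids fragmentation for a given L3 MTU (no TCP options assumed)."""
    return mtu - (IPV6_TCP_HDRS if ipv6 else IPV4_TCP_HDRS)


def will_fragment(ip_packet_len: int, path_mtu: int) -> bool:
    """True when an IP packet of this length cannot cross a hop with `path_mtu`."""
    return ip_packet_len > path_mtu


def qinq_report(phys_mtu: int, tags_count_against_mtu: bool) -> dict:
    """Summarise what a 1500-byte inner packet looks like on a two-tag (QinQ) link."""
    inner = effective_inner_mtu(phys_mtu, 2, tags_count_against_mtu)
    return {
        "wire_frame_for_1500_payload": wire_frame_size(1500, 2),
        "l2mtu_needed_for_1500_payload": l2mtu_needed(1500, 2),
        "effective_inner_mtu": inner,
        "ipv4_mss": tcp_mss(inner),
        "ipv6_mss": tcp_mss(inner, ipv6=True),
        "full_1500_packet_fragments": will_fragment(1500, inner),
    }


if __name__ == "__main__":
    for counted in (True, False):
        print("tags counted against MTU:", counted, qinq_report(1500, counted))
```

Run it to see both driver behaviours side by side: when the two tags are counted against a 1500-byte physical MTU the inner path is 1492 bytes, the IPv4 MSS that fits is 1452, and a full 1500-byte inner packet would have to be fragmented; raising the physical MTU to 1508 is exactly what restores a 1500-byte inner path in that case. A single tag under the same rule gives 1496, which is the bridge MTU reported above.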
-
You have a strange setup. First off, I have never worked with MikroTik, so if they do something weird, I can't help with that. My experience with QinQ is with a telecom company providing a connection to a customer over fibre. Since fibre has so much bandwidth, it's usually split before reaching the customer. The first method is to use different wavelengths, with an optical filter located near the customer. Then QinQ (C tag)¹ is used to separate different customers. Depending on the connection, the 2nd VLAN (S tag) can be used to further subdivide the bandwidth or passed on to the customer. In the jobs I worked on, there was a media converter to convert between fibre and Ethernet, and it used the 2nd VLAN to connect to a Cisco router, which then provided IP over Ethernet to the customer. So, I'm surprised you'd have QinQ on the WAN.
As for MTU, that's determined by whatever the interface is configured for. As I mentioned earlier, VLAN tags do not affect that, since they're ahead of the EtherType field. On my own network, while I can set the MTU on the native LAN, I can't on the VLAN. It just follows whatever the native LAN provides. I also checked adding a VLAN and found I can only add them to an interface, not on top of another VLAN. You found similar with the bridge. It's just not something pfSense can do, as far as I can tell.
As for connecting the VLANs between sites, that's normally done by routing the subnets, through a VPN if necessary. Do you actually have Ethernet between sites? Or just IP? If Ethernet, do you have something like MPLS to carry it?
Is there anyone else here who knows MikroTik?

¹ C tag = carrier-level VLAN; S tag = subscriber-level VLAN.