VLAN bridged to LAN? - Still unable to solve this
  • Hello!
    I have been using pfSense for a few years but have never used VLANs in pfSense.
    I am working on my home network right now and am having some issues bridging a VLAN.
    My setup:
    pfSense, 2 NICs
    Dell PowerConnect 2724
    WAP

    My issue is this… I am wanting to run 2 SSIDs from my WAP, one being on VLAN5, the other connected to my LAN.
    However, in order to do this I need both my SSIDs to be VLANs on the WAP.

    I didn't see this as being an issue, so I set up VLAN2 on pfSense and bridged it to LAN, then configured my primary SSID to VLAN2. However, the bridge does not seem to be working: connecting to this SSID I am unable to communicate with the network at all. I set the firewall rule for VLAN2 to allow * * * * * * for testing.
    The WAP seems to be set up correctly because when I unbridged VLAN2 from LAN and gave it its own DHCP I am able to get an IP and everything works fine.

    The reason I would like VLAN2 bridged with LAN is for LAN music sharing programs using Bonjour, and that will only work in the same subnet.

    If anyone has any idea why my bridge is not working I could use the help!

    Thanks in advance!

    -Jeff



  • As an update: if I take the AP out and just use a laptop connected to a port that is set to use VLAN2, and have VLAN2 bridged to LAN, when I renew the IP on the laptop I do get issued a LAN IP address for just a moment, then it goes away and says no IP.

    When VLAN2 is bridged with LAN, should the LAN DHCP not be giving out IPs? In this case shouldn't VLAN2 be simply an extension of LAN?

    It seems to me that bridging my VLAN2 to LAN simply is not working  :-\

    Any ideas?

    edit
    It also seems I can bridge VLAN2 to any of the other VLANs I have set up and that works fine: when connecting a laptop to VLAN2 it receives an IP from the DHCP of the VLAN I bridged it to. However, if bridged to LAN it does not work…



  • You are trying to run VLANs and non-VLANs concurrently on the same interface?



  • @wallabybob:

    You are trying to run VLANs and non-VLANs concurrently on the same interface?

    Yup, one trunk interface, and that seems to work fine, but bridging a VLAN and non-VLAN does not. Is that normal?

    edit
    Just to test, I added a 3rd NIC and moved my VLANs to that NIC, then tried to bridge VLAN2 to LAN with the same result. It works if I bridge a VLAN to a VLAN but does not if I bridge a VLAN to LAN.



  • Does no one know if pfSense is capable of bridging a VLAN to LAN?

    And if it is, why it may not be working?



  • It is never a good idea to use tagged and untagged traffic on the same IF.
    Having said that, and reading that you successfully bridged VLANs already, why not move your LAN to another VLAN? Your Dell switch should have enough ports and VLANs left.
    Then you can bridge the VLANs (LAN & WLAN) as needed.



  • @jahonix:

    It is never a good idea to use tagged and untagged traffic on the same IF.

    I support this comment. I think there are a number of possible ambiguities in mixing tagged and untagged traffic on the same interface.

    1. Suppose you have an interface that receives only frames with VLAN tags. Suppose you have VLAN interfaces configured for VLAN IDs 2 and 3. Suppose some traffic arrives with VLAN ID 4. It would probably be reasonable to discard it since there is no corresponding VLAN interface configured.

    2. A reasonable extension of the preceding point is that traffic without a VLAN ID is like traffic with an "unconfigured" VLAN ID and should be discarded.

    3. FreeBSD supports a number of Ethernet interfaces with some level of VLAN support in hardware. It is possible the hardware designers of one or more NICs with hardware VLAN support adopted the approach in point 2. above. It is possible the hardware designers of one or more NICs with hardware VLAN support didn't adopt the approach in point 2 above and "pass through" traffic with no VLAN tag. (To which interface?)

    4. If you have a mixture of behaviours of traffic with and without VLAN tags, how can you get a consistent behaviour across interfaces if you want to use hardware VLAN support where it is available? (The NICs that discard traffic without VLAN tags would need to have hardware VLAN processing turned off so software can make them behave the same as the NICs which don't discard traffic without a VLAN tag.)

    Your configuration description says your VLAN2 interface and LAN interface share the same hardware interface. Therefore they will have the same MAC address. The FreeBSD man page for bridge (see http://www.freebsd.org/cgi/man.cgi?query=bridge&apropos=0&sektion=0&manpath=FreeBSD+8.1-RELEASE&format=html) includes a discussion of why two or more bridge members shouldn't have the same MAC address. The discussion wasn't clear to me on first reading, and it may be irrelevant if some of the less visible system configuration variables have appropriate values, but until you get an authoritative ruling (or you want to be a pioneer), I would suggest caution about bridging VLANs on the same physical interface.

    Also, the bridge man page says bridge member interfaces need to have the same MTU. I haven't looked into this, but it's possible your VLAN2 interface will have an MTU 4 bytes less than the LAN interface MTU (to account for the 4 byte VLAN tag).
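The two conditions raised in the post above (bridge members must share an MTU and should not share a MAC address) are easy to check from `ifconfig` output before creating the bridge. The script below is an added example written for this thread, not code from the forum or from pfSense; it parses FreeBSD-style `ifconfig` text with awk and reports any member whose MTU differs from the first member's or whose MAC duplicates another member's. The `SAMPLE_IFCONFIG` text is constructed for the example (the interface names, addresses and the 1496 MTU on `em0_vlan2` are made up to show the checks firing) and is not output from the poster's box.

```shell
#!/bin/sh
# Constructed sample of FreeBSD-style `ifconfig` output (not from a real system).
# em0_vlan2 shares em0's MAC and has a 4-byte-smaller MTU, so a bridge of
# em0 + em0_vlan2 trips both checks; em1 + em1_vlan5 is clean on MTU but
# still shares a MAC with its parent.
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:11:22:33:44:55
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
em0_vlan2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1496
        ether 00:11:22:33:44:55
        vlan: 2 parent interface: em0
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:11:22:33:44:66
em1_vlan5: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:11:22:33:44:77
        vlan: 5 parent interface: em1
'

# iface_mtu TEXT IFNAME: print the "mtu N" value from IFNAME's header line.
iface_mtu() {
    printf '%s\n' "$1" | awk -v ifn="$2" '
        $1 == (ifn ":") {
            for (i = 1; i <= NF; i++) { if ($i == "mtu") { print $(i + 1); break } }
            exit
        }'
}

# iface_mac TEXT IFNAME: print the "ether" address from IFNAME's block.
# A block starts at a header line (no leading whitespace) and ends at the next one.
iface_mac() {
    printf '%s\n' "$1" | awk -v ifn="$2" '
        $1 == (ifn ":") { inblock = 1; next }
        /^[^ \t]/        { inblock = 0 }
        inblock && $1 == "ether" { print $2; exit }'
}

# check_bridge_members TEXT IFNAME...: verify every listed member has the same
# MTU as the first one and a MAC distinct from the others. Prints one line per
# problem; returns 0 when the members look safe to bridge, 1 otherwise.
check_bridge_members() {
    text=$1; shift
    status=0
    first_mtu=""
    seen_macs=""
    for ifn in "$@"; do
        mtu=$(iface_mtu "$text" "$ifn")
        mac=$(iface_mac "$text" "$ifn")
        if [ -z "$mtu" ] || [ -z "$mac" ]; then
            echo "$ifn: not found in ifconfig output"
            status=1
            continue
        fi
        if [ -z "$first_mtu" ]; then
            first_mtu=$mtu
        elif [ "$mtu" != "$first_mtu" ]; then
            echo "$ifn: mtu $mtu differs from $first_mtu (bridge members must match)"
            status=1
        fi
        case " $seen_macs " in
            *" $mac "*)
                echo "$ifn: MAC $mac duplicates another member"
                status=1 ;;
        esac
        seen_macs="$seen_macs $mac"
    done
    return $status
}

# Stand-alone run on the constructed sample: the VLAN-on-same-NIC pairing fails.
check_bridge_members "$SAMPLE_IFCONFIG" em0 em0_vlan2 || echo "em0/em0_vlan2: not safe to bridge"
check_bridge_members "$SAMPLE_IFCONFIG" em1 em1_vlan5 && echo "em1/em1_vlan5: MTU and MAC checks pass"
```

On a real pfSense box the same function can be pointed at live output, e.g. `check_bridge_members "$(ifconfig)" em0 em0_vlan2`, with the member names replaced by the interfaces you intend to put in the bridge. The check only covers the two man-page conditions named in the post; it says nothing about the tagged/untagged mixing on one NIC, which is a switch and driver question rather than something visible in `ifconfig`.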



  • @wallabybob:

    @jahonix:

    It is never a good idea to use tagged and untagged traffic on the same IF.

    I support this comment. I think there are a number of possible ambiguities in mixing tagged and untagged traffic on the same interface.
    …
    Also, the bridge man page says bridge member interfaces need to have the same MTU. I haven't looked into this, but it's possible your VLAN2 interface will have an MTU 4 bytes less than the LAN interface MTU (to account for the 4 byte VLAN tag).

    Thanks for the link. I have read the page and have a much better understanding of how pfSense bridges now. As you say, it's a bad idea to mix tagged and non-tagged on the same IF, so as I said a few posts ago I did try adding an extra NIC with the same result…

    That does leave the MTU; that could be the reason, so I will have to research it!

    Thanks for the tip!