802.1q VLANs and VIA VT6102 (Rhine II) NIC
-
I need a sanity check here or I'm just being 'thick'.
I acquired some old thin clients with single VT6102 NIC (Via C3 CPU (800Mhz)) and from the dumpster at work and I'm trying to get pfSense running on instead of an old PC got reduce power usage.
I am set up like this:
vl10 = internet modem to pfsense
vl20 = LAN
vl20 = VoIP
vl30 = DMZ'existing' pfsense with 3 interfaces with each connected to an individual 'switchport access vlan xx' port
PCs are directly connected to access switchports configured for vl20
IP phones are directly connected to access switchports configured for vl30
Web server is directly connected to access switchport configured for vl40
'NEW' pfsense server has only one NIC and directly connected to switchport configured as trunk.Everything is working except the trunk for the 'new' pfsense server.
The switchport the 'new' pfsense is connected to is configured for dot1q with no security and all vlans allowed:
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport mode trunk
spanning-tree portfastPfSense works if I set no vlans and have vr0 has only the WAN interface. As soon as I reconfigure for vlans I loose all network connectivity. I cannot ping outward from pfsense nor inward to pfsense. The switch will show the MAC on one and sometimes more vlans but still not communicate to any device or the 'existing' pfsense.
I figure I'm missing something stupid but cannot find what I'm missing…. Or does the vr0 Rhine II driver just not support vlan tagging via 802.1q?
-
See the FreeBSD VLAN man page (http://www.freebsd.org/cgi/man.cgi?query=vlan&apropos=0&sektion=0&manpath=FreeBSD+8.2-RELEASE&arch=default&format=html) for VLAN support of vr interfaces. I use VLANs on rl interfaces which are in the same group as vr interfaces in the man page discussion.
You haven't identified your VLAN capable switch so its not easy to guess the nuances of the configuration information you have provided. I suspect you might need to configure the trunk port (connecting to pfSense vr0 interface) as a member of VLAN 10, VLAN 20, VLAN 30 and VLAN 40. (Maybe you think on your switch a trunk port belongs to all VLANs.)
You could troubleshoot this a bit further by (say) starting a ping on a system on your LAN VLAN while you have a packet capture pfSense interface vr0. Do you see anything from the MAC address of the LAN system? One possibility is ARP packets to the broadcast MAC address.
-
Thanks for responding wallabybob! I'm going insane trying to figure this out as it's not that complicated - or shouldn't be! LOL
I looked at the VLAN MAN page and the way I read it the VR driver supports vlan natively but tagging only for 802.1q and also the long frames for vlan tags. I'm assuming that pfSense loads the vlan driver when choosing to set up vlans.
Sorry about leaving the switch info out, guess I removed in in trying to clean up my post. Anyway, it's a Cisco 3550 24 port, using L2 only with all vlans defined at L2 and only vl20 as l3 for mgmt access into the switch.
A "show interface fa 0/23 switchport"
Switchport: Enabled
Administrative mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Disabled
Access Mode VLAN: 0 ((Inactive))
Trunking Native Mode VLAN: 999 (VLAN0999)
Trunking VLANs Enabled: ALL
Trunking VLANs Active: 1,10,20,30,40,999
Pruning VLANs Enabled: NONE"show spanning-tree interface fa0/23" shows all vlans in "FORWARDING"
A ping from a workstation in the same vlan gets "Destination host unreachable." and the existing pfsense reports "host down". Neither machine picks up a MAC.
The switch will learn the MAC and add it to the CAM table:
switch#sh mac-address-table | inc 0/23
00e0.c554.94b4 Dynamic 20 FastEthernet0/23The vr0 trunk doesn't seem to respond to the ARP requests as I don't see anything on the 'new' server with tcpdump. The output packet counts increment on the switch.
I'm going to try setting up a monitor of the trunk see see what wireshark shows and report back shortly….
-
ok - wireshark capture shows ARP replies on the trunk but for some reason pfsense isn't getting them. They are being forwarded out the switchport but not being added to the pfsense arp table.
I've also now tried the 2.1 image as well as 2.0 release with the same results.
I know I'm missing something but I can't figure out what. ::)
-
What is the interface status of the link between pfSense and the switch? Please provide the output of pfSense shell command ifconfig (mask IP addresses if you wish.)
-
I can get everything to work if I leave one IP associated with the parent interface instead of having all assigned to a VLAN. This also means I then need to have the switch configured with the native vlan tied to that.
This is what's working:
pfsense
vr0 = vlan20 (LAN) vr0_vlan10 = vlan10 (internet) vr0_vlan30 = vlan30 (VoIP) [typo in previous post had me showing this as 20 also] vr0_vlan40 = vlan40 (DMZ)
switch
interface FastEthernet0/23 description Neoware CA-10 Trunk switchport trunk encapsulation dot1q switchport trunk native vlan 10 switchport mode trunk spanning-tree portfast end
Not sure why I need an untagged IP on this and it's obviously the "wrong" way to configure it but the only way I can get it to work on this nic driver. I haven't found anything searching google about this driver behaving this way, but I did run across the re0 drivers having this problem.
The only issue now that I see is poor network performance with max throughput at about 4-5Mbps which I haven't determined if that's due to the nic/driver or cpu.
I'm glad it's working but would be happier if I could get tagging working as it should with no IP on the parent interface and all IP's on vlan interfaces only.
Thanks for the pointers as it helped get me going in the right direction. If you have in further insights I would appreciate those as well.