VLAN MAC Address, Network Unreachable

indesignfirm · Sep 7, 2012, 3:58 AM

So we have a provider that will only allow us to map 1 ip per mac address. However, we are having to pay for 5 IP's.

So our thought was we would setup vlans and just use the mac address field in the interface to "fake" the MAC and allow us to utilize more IP's.

However, on 2.1-BETA0 (i386) built on Sun Sep 2 18:21:50 EDT 2012 this fails horribly. So I'm not sure if this is impossible to do and I'm an idiot or if something is going wrong.

It took us a bit to figure it out, but it appears if we set a MAC address on any vlan all routing for that VLAN stops. We take it off, and it's back. If we put it on the WAN connection, pFsense will fail to boot, and will freeze on Starting WAN. We have three providers with different devices on each of the connections, even our internal VLAN's go crazy if we specify a MAC. Don't know if this is a problem with the current version or if adding a MAC to a VLAN is just a black hole of death. :)

Any input you can provide would be appreciated!

wallabybob · Sep 7, 2012, 8:47 AM

Please post the output of pfSense shell command```

/etc/rc.banner


What is between your pfSense and and the Internet? (Presumably, from your description, at least a VLAN capable switch.)

Have you tried setting the physical interface supporting the VLANs into promiscuous mode? A possible problem is that NICs generally discard received frames that don't have the right MAC address(es) UNLESS the interface is in promiscuous mode.

indesignfirm · Sep 12, 2012, 2:04 AM

We have a 3Com 48 Port Baseline Switch, and yes it is VLAN capable. We have the server connected via LAGG to the switch.

Please see the output of your request below.

*** Welcome to pfSense 2.1-BETA0-pfSense (i386) on gateway1 ***

WAN (wan) -> lagg0_vlan101 -> v4/DHCP4: xx.xx.xx.xx/29
LAN (lan) -> lagg0_vlan700 -> v4: 10.0.0.1/16
MANAGEMENTLAN (opt1) -> lagg0_vlan1 -> v4: 10.201.0.1/24
SHAREDLAN (opt2) -> lagg0_vlan500 -> v4: 10.200.0.1/16
GENESISLAN (opt3) -> lagg0_vlan200 -> v4: 10.150.0.0/16
INTERTEL (opt4) -> lagg0_vlan800 -> v4: 192.168.1.1/24
GENUVERSE (opt5) -> lagg0_vlan120 -> v4/DHCP4: xx.xx.xx.xx/22
GENWINDSTREAM (opt6) -> lagg0_vlan122 -> v4: xx.xx.xx.xx/30
INTERNS (opt7) -> lagg0_vlan300 ->
GENESISGUEST (opt8) -> lagg0_vlan400 -> v4: 10.245.2.0/24
IDFGUEST (opt9) -> lagg0_vlan600 ->
DEADLAN (opt10) -> lagg0_vlan100 ->

indesignfirm · Sep 12, 2012, 2:05 AM

Sorry, as for promiscuous mode, I'm unsure how to set that on the LAGG since it's not a physical interface.

cmb · Sep 12, 2012, 2:09 AM

You're better off skipping that mess of unnecessary VLANs and just using CARP for the additional IPs, presuming they're static. If it's AT&T Uverse, that will work. Otherwise you will have to put the parent NICs of the lagg into promiscuous to accomplish what you're attempting with VLANs but I'd avoid that type of setup if possible.

indesignfirm · Sep 14, 2012, 6:47 AM

I would gladly use CARP. However, as dumb as this is going to sound, U-Verse blocks you having more than one IP address on the same MAC address. Their U-Verse Gateway goes CrAzY. That was the whole reason we were resorting to VLAN's so that we could actually fake the MAC in order to get different MAC addresses for each IP.

I know it's messy, it was just an idea on how we could do it. None the less, forcing a MAC makes everything go boom.

cmb · Sep 14, 2012, 9:29 PM

CARP IPs each have unique MACs. I've done numerous such setups, it works fine.