VLANS not working



  • Hi pfSensers,

    I hope someone can help. By now I am lost, after resetting my pfSense box about 3 times.

    The hardware is this:
    Supermicro X7SPE-HF-D525 board (2x 82574L) + Intel NIC in the expansion slot (1x 82574L)
    HP 2824 Switch

    In the pfSense box are 3 physical interfaces: em0 (WAN), em1 & em2 (LAGG0)
    Resulting in:
    WAN (em0) - DHCP
    LAN (lagg0) - Static - 192.168.100.1/24
    VLAN 50 (lagg0)  - Static - 192.168.50.1/24
    VLAN 100 (lagg0)  - Static - 192.168.100.1/24
    VLAN 150 (lagg0) - Static - 192.168.150.1/24

    On the switch are 3 VLANs, VLAN50, VLAN100 and VLAN150, with DHCP helper addresses to 192.168.x.1.
    pfSense is connected to the switch using interface 23/24 as a LACP trunk named TRK1 on the switch and LAGG0 on pfSense.

    Currently I have trk1 untagged on vlan100 (normal LAN), and that works, but as soon as I assign VLAN 50, 100 and 150 as tagged to trk1, all connections to my pfSense machine are lost and impossible (even when using a static IP on 192.168.100.101).
    Changing the LAN ip to 192.168.99.1 didn't change anything. And all VLAN firewall rules are any to any using any protocol = allow.

    What am I missing here?

    Thanks for reading,
    Riesch



  • You have both LAN and VLAN100 using the same subnet, I don't think you can do that. Also, I have read somewhere here that mixing LAN and VLAN on the same physical interface could be problematic for pfSense.



  • Hi, the port to the switch should be on trunk or LACP, otherwise it will not work, so:
    pfSense NIC (LAGG) to trunk port on the switch (LACP). Now, let's say that I want VLAN100 on port 1: I will tag only that port, and that should work like a breeze, and for the rest of the VLANs the same.... Don't tag the LACP, otherwise it won't work.



  • Hi Daniev and Milanojs,

    Thanks for responding. But what you both posted I have already tried and discussed in my first post.

    The working situation is this:
    LAN = VLAN100 in untagged state
    Using LAGG0/TRK1 to transport the data from pfSense to my switch.

    The situation i want:
    VLAN50 (for virtual machines)
    VLAN100 (for desktops)
    VLAN150 (for creepy wireless users)

    As soon as I set VLAN50, VLAN100, VLAN150 as tagged there is no more traffic possible, not even when using static IPs.

    I will try to remove one interface from the lagg0/trk1 so I have a dedicated line for VLANs, and then merge them later. <- Didn't work


  • Netgate Administrator

    @daniev:

    I have read somewhere here that mixing LAN and VLAN on the same physical interface could be problematic for pfSense.

    You may have read that in something I wrote but it seems I have been spreading misinformation.  :-[
    Running tagged and untagged traffic on a single NIC is not a problem; however, it's still not recommended because of the security risk of tagged packets becoming untagged and arriving on the wrong interface, crossing the VLANs.

    I would try disabling VLAN_HWFILTERING on the parent interface. However, with VLANs over LAGG it's hard to say how this might work. Since the LAGG interface is a software construct, does it support that? Can it use the hardware on its member interfaces?
    What does ifconfig report?

    Steve
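As an added example (not code from this thread, nor from pfSense or FreeBSD), a small sh script that answers Steve's "What does ifconfig report?" by pulling the VLAN_HWFILTER option off the lagg and off each member NIC from ifconfig output, so you know which NIC to toggle. The ifconfig text is a constructed sample; interface names follow the thread (lagg0 over em1/em2) and the MAC/flag values are hypothetical.

```shell
#!/bin/sh
# Added example (not from this thread): scan FreeBSD `ifconfig` output for the
# VLAN_HWFILTER option on a lagg and on each of its member NICs, to see what is
# actually set before toggling "hardware VLAN filtering".

# Constructed sample modelled on the box in the thread (lagg0 over em1/em2);
# the MAC, flag and option values are hypothetical.
SAMPLE_IFCONFIG='lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO>
    ether 00:25:90:00:00:01
    inet 192.168.100.1 netmask 0xffffff00 broadcast 192.168.100.255
    laggproto lacp lagghash l2,l3,l4
    laggport: em1 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
    laggport: em2 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER,TSO4,VLAN_HWTSO>
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO>'

# Read ifconfig text on stdin; print "<if> hwfilter=on|off" for every
# interface that has an options line, and "<lagg> member <port>" per laggport.
hwfilter_report() {
    awk '
        /^[a-z0-9_.]+: flags=/ { ifname = $1; sub(/:$/, "", ifname) }
        /^[ \t]*options=/ {
            state = ($0 ~ /VLAN_HWFILTER/) ? "on" : "off"
            print ifname " hwfilter=" state
        }
        /^[ \t]*laggport: / { print ifname " member " $2 }
    '
}

# Members of the given lagg that still filter VLANs in hardware: these are the
# NICs to hand to `ifconfig <nic> -vlanhwfilter`. Whether the lagg passes the
# setting through to its ports is the open question above, so check the ports.
members_with_hwfilter() {
    hwfilter_report | awk -v lagg="$1" '
        $1 == lagg && $2 == "member" { member[$3] = 1 }
        $2 == "hwfilter=on"          { on[$1] = 1 }
        END { for (m in member) if (m in on) print m }
    ' | sort
}

# Stand-alone run over the constructed sample; on a real box pipe `ifconfig` in.
printf '%s\n' "$SAMPLE_IFCONFIG" | hwfilter_report
printf '%s\n' "$SAMPLE_IFCONFIG" | members_with_hwfilter lagg0
```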



  • @stephenw10:

    @daniev:

    I have read somewhere here that mixing LAN and VLAN on the same physical interface could be problematic for pfSense.

    You may have read that in something I wrote but it seems I have been spreading misinformation.  :-[
    Running tagged and untagged traffic on a single NIC is not a problem; however, it's still not recommended because of the security risk of tagged packets becoming untagged and arriving on the wrong interface, crossing the VLANs.

    I would try disabling VLAN_HWFILTERING on the parent interface. However, with VLANs over LAGG it's hard to say how this might work. Since the LAGG interface is a software construct, does it support that? Can it use the hardware on its member interfaces?
    What does ifconfig report?

    Steve

    Hi Steve, thanks for responding.
    I just changed everything to single links and untagged traffic, just so I can firewall two VLANs (wireless & LAN) and have the most important part online. So I guess the ifconfig will not help you troubleshoot this.

    Before changing my network to the state above I did try this:
    Tagged 2 VLANs (VLAN 50 & VLAN 150) on em2 (em1 for LAN), but even that did not work. Looks to be some hardware issue (this was a full pfSense reset). But pfSense does say all 3 NICs are VLAN-capable.

    A few minutes ago I ordered a quad-port NIC just so I can still make the setup I need, which needs to be running on Wednesday. After that I will build this same setup again in a virtual situation and see if I get this same error again.

    Riesch


  • Netgate Administrator

    I agree you should be having no problems with those Intel 82574 NICs. They are very common and well supported. I only suggested disabling hardware vlan filtering since I had just been reading this thread: http://forum.pfsense.org/index.php/topic,62680.0.html
    It's the sort of thing I might expect from a 'lesser' NIC but not from Intel. Worth trying though as it's quick and easy.
    In a VM the situation is different since everything is in software.

    Steve



  • Hi Steve,

    I agree on the VM part. But at least then I know that how I did it is correct, just to feel a little bit better :).

    VLAN_HWFILTERING is disabled now but that didn't help in my case.

    I guess I'll just wait for the mailman to deliver my new shiny hardware.

    Riesch



  • Hold on, do you have some virtual interface to create a VLAN? You must have the trunk, and then some vif (default GW for those NICs) to connect internally and do the routing and everything! Another thing is to know if the card supports VLAN tagging, and then you should be good. When the package with the new NIC comes, can you provide some review of the performance...

