Having Problems Setting Up VLAN's

  • I'm trying to repurpose an old Dell Latitude D620 into a pfSense router. Laptop has c2d and 2Gb ram so is a nice candidate.

    It only has one onboard Broadcom Netxtreme Gigabit controller so I was hoping to use VLAN's so the one port could serve WAN and LAN.

    I have been trying with a few switches (I have a Dell Powerconnect 5324, Cisco SLM2008 and a Mikrotik RB250GS) and had no luck.

    What I have done is set the pfsense up so LAN is on VLAN 1 and WAN is on VLAN 100.

    Then I've set up a trunked port on the switch that is a member of VLAN 1 & 100 for the router with PVID 1. Then I setup all other ports as access ports with PVID 1 except one access port with PVID of 100 to plug my modem into.

    No matter what I do, I cannot see the pfSense router on my network, can't even ping it as it doesn't respond to ARP requests. However while testing, I did notice at one point if I pinged a workstation on the LAN from pfSense, the replies wouldn't make it back to pfSense, but the packets were getting to the workstation pc on the LAN.

    After wasting two days on this I just tried plugging the pfSense router to one of the LAN access ports on a switch (pvid 1), thinking the LAN side should work, but the WAN side wouldn't work, but I am still getting no response. I've also plugged a normal workstation to my trunk port which worked fine on the LAN as switch port had PVID 1 set.

    The only possibility I can think of is that the Broadcom doesn't support VLAN's (also can't find option to change VLAN in the windows driver).

    If anyone can give me any pointers I would be very grateful.

  • Netgate Administrator

    Try using something other than VLAN1. That is the native vlan on most switches and is often handled differently.

    You can try disabling hardware vlan tagging if it's in use on your card. What does 'ifconfig' report?


  • Tried it another way - just disabled all VLAN's on the cisco and plugged just my PC and pfSense laptop. If I ping the PC from pfSense, I can see ARP replies and queries but no ICMP.

    If I trying pinging the pfSense LAN interface from my PC, I can see ARP queries but no replies. Tried enabling port mirroring on the switch from the pfSense port to the PC but couldn't see anything more.

    Running ifconfig I can see VLAN_HWTAGGING is enabled for bge0. Had a quick look but can't find how to disable this - I would be very grateful for any tips.

  • @RobinGill:

    Tried it another way - just disabled all VLAN's on the cisco and plugged just my PC and pfSense laptop. If I ping the PC from pfSense, I can see ARP replies and queries but no ICMP.

    Where do you see this traffic? pfSense interface or PC? Is the ARP traffic relevant to the ping? What does ping report? What are IP addresses and network masks on PC and pfSense interface?

    I presume you disabled all the VLANs on pfSense. Correct? And you rebooted pfSense after doing so? (I have found some major configuration changes seem to need a restart to correctly clear out the old configuration information.)

  • Yes, for testing purposes you'd want to clear out everything VLAN related (perhaps even reinstall to get a clean start) and verify that you can ping, connect, etc. in that condition. A hardware failure or BIOS setting will foil the best laid plans…

    Then get back to the VLAN setup.

    I'm a bit concerned when you say you set up a "trunked" connection to the PC - in VLAN linguistics, what you want is for that port to be "tagged" (or "VLAN-aware") meaning that packets leaving it retain VLAN-ID information - most ports should be untagged. While I "get" that you mean you are running two networks on one port, "trunking" refers to a very different configuration as far as a smart switch is concerned (one link on two or more ports), and if you are not, in fact, tagging the packets to the pfsense, you won't have a hope of VLAN working, so terminology matters at least as far as being clear about what you are doing and why it might not be working...

  • Turns out something had gone very wrong somewhere - I tried adding a wifi card just so I could set that as WAN and the Broadcom as LAN without VLAN's, but I still had similar problems.

    Used 4) Reset to factory defaults then it started working properly with the two nics. Then tried setting it up using VLAN's and it worked first time.

    Many thanks for all the input.

  • Question - Reference setting up a VLAN switch to use a single port for both LAN and WAN.
    How does this effect network performance?

  • Without having actually set mine up that way, I'd guess about no effect at all on a typical connection where your WAN speed is a small fraction of the LAN speed. If your WAN speed and LAN speed were similar, there would be a significant impact. Queues on the switch end should keep collisions, etc to a minimum despite there being "two networks conjoined."

  • Can you do an experiment for me and tell me results?  Can you do a speedtest on speedtest.net with a computer direct connect to internet and then with VLAN setup and give results including ping.  I have not tested it this way ever.

  • If nobody gets you that before then, I can probably try it in late August or early September. My "Summer Maintenance Period" has been invaded by various groups using the campus (and student network) over the summer, which has screwed up my freedom to mess with things at my leisure, but I should have a small (hopefully not too small) window before school resumes.

  • haha - I'll take that as a "Try it yourself".  Thats probably what all the people who answered your silly question should have said.  "get to that in a month or so".

  • Looks like I spoke too soon - when I confirmed all was good last night, pings were going both ways but still couldn't access webgui or actually use pfSense as router.

    Rebooted and went back to square one.

    Did a little reading today on how to turn off hardware VLAN processing with the bge driver and apparently I'm not the first person to get unexpected behaviour with the bge driver and VLAN's, and hardware processing can't be turned off with this driver either.

    Had enough fun and games, I'm now looking for a docking bay and intel mt 1000 quad port. I had a bad feeling about using the Broadcom NIC as I've always used Intel for pfSense in the past, now learnt another lesson to never deviate from Intel.

    Edit: Forgot to mention I am aware the PCI bus will bottleneck a quad port as the 32 bit PCI bus in the docking station will be limited to about 1Gbs of throughput but that shouldn't be an issue for me as this is only going to be used at home with a 4Mbs WAN connection.

  • How fast is your internet connection?
    I considered using laptops for pfsense routers in the past.
    My thinking was that they have low power needs and have their own robust "ups" battery.
    Solves lots of problems.  Ultimately, because of limited space for add on NICs and poor compatibility I thought better of it.
    I also like that by using a normal reliable cheap board that I could configure the machine to restart after power failures.

  • I've only got a 4Mb connection , but I've had squid cache on a pfSense deliver over 700Megabit/second so I'm making sure to use gig Ethernet. That's why I'm not keen on the PC Card 10/100 NIC's.

    I picked the Latitude is because I had it lying around for a while and it's worthless due to screen problems, missing keys on the keyboard and broken plastic panels, yet it's still a decent powerful machine that's optimised to use low power and has it's own UPS.

    I could spend a little more than it will cost for the dock + pro MT on a newer latitude E Series with Intel NIC that I'm guessing would give me no headache, but I like the idea of turning something that otherwise will probably be scrapped into a very high spec router.

  • I was thinking use the Trendnet card on the WAN.  WAN will not be fast enough to bother it.
    That would free up your onboard network interface to use with a switch.  So, you would have no bottlenecks anywhere.
    However, that gives you 1 WAN / 1 LAN
    Gigabit through and through between PFsense and the clients (Your built in port is GB right?)

    BUT - No real possibility of expanding beyond a simple 1 WAN 1 LAN and switches setup.  (Unless you figure out VLAN later)

  • True, but I've just managed to set it up as desired in ESXi. Hopefully it performs well.

    Bonus - hopefully I can run another VM with nagios.

  • On a Latitude D620? 
    I'm surprised thats enough machine to do that well.  Cool.

  • Netgate Administrator

    So you got VLANs working on the hardware using esxi? Must be a config/driver problem in pfSense then.
    Running virtualised is probably a good option for your 4Mbps connection, your C2D is unlikely to run above idle almost any time.


  • Spoke too soon again. Setup in ESXi worked much better, but kept getting random packet loss on the WAN side.

    I'm guessing the FreeBSD bge0 driver has big problems with VLAN's and whatever ESXi uses works a little better but still not perfect.

    Looks like I'll have to wait for the docking station and quad port mt.

  • Netgate Administrator

    You could still try disabling hardware vlan tagging. There loads of reports of NICs reporting capabilities they don't fully or correctly support. Surprised to see it from a Broadcom NIC though. I believe the command to do it would be:

    ifconfig bge0 -vlanhwtag


  • Thanks Steve although I read the bge driver doesn't support disabling hardware vlan.

    Anyway just thought I would report back, thought I would forget about VLAN's and got a docking bay with intel MT dual port, still getting intermittent packet loss on WAN. Using ifconfig I realised the Draytek modem I had plugged straight into one of the MT ports only connected at 10Mb!

    Connected them via a managed switch instead and noticed the Draytek only connected at half duplex! Locked the switch port to full duplex and it all started behaving itself.

    I'm wondering if duplex mismatch was the problem all along - but I currently have run out of patience to try messing around any further. However my gut feeling is the the ESXi config was perfect but the native install may not have been working right.

    I'll see if I've regained the will to mess around further next week to see if we can determine throughput with one port VLAN'ed.

  • Netgate Administrator

    A duplex auto-negotiation failure can cause all sorts of weird and wonderful issues. Normally it reduces throughput to a crawl though. Sounds like a promising lead.  ;)


  • That seems to have done the trick except that every few days however it looses pppoe connection and fails to reconnect (normally reconnects quickly). Need to setup a syslog server to determine what's going on there.

    However, I was thinking it would be nice to have a direct connection between the modem and pfSense to free up the managed switch for other purposes. Unfortunately the modem doesn't have facility to set autonegotiation/duplex so I thought I would do it on pfSense.

    If I use
    ifconfig em0 media 100baseTX mediaopt full-duplex
    at command line and then unplug/replug the wan network lead it works, but if I follow the instructions on this page it doesn't http://doc.pfsense.org/index.php/Forcing_Interface_Speed_or_Duplex_Settings

    I suspect this is because the <wan>section in my config.xml describes a pppoe interface rather than the em0 interface I am trying to configure.

    I do realise the "proper" thing to do when autonegotiation fails and we can only set one device is to set half duplex on that device but forcing fdx is working fine with this equipment.

    I could really do with something that will persist after reboots, but my *nix skills are very limited - I would be very grateful for any suggestions.</wan>

  • Netgate Administrator

    Setup another interface on em0 and set it as type 'none'. Then set the speed and duplex on that instead.


  • Perfect!

    Just tried it out and rebooted and the change has stuck.

    Thanks a million for all your advise  :)

Log in to reply