802.1p/q pfsense setup
-
Hello, I was wondering if anyone had any idea about how to complete any of the following steps on pfsense 2.0.3?
1. Wan should be on vlan2.
2. DHCP traffic should have 802.1p bit = 2
3. IGMP traffic should have 802.1p bit = 6
4. All other internet traffic 802.1p bit = 3Thanks.
-
I'm working on this too. I'm pretty sure I've got the VLAN side of it figured out. You probably guessed by my user name. I'm the guy who had this working on his MacBook the other day. It'll be later tonight before I can take the connection down and test it. My wife is glued to the TV :P
The 802.1p / QoS stuff will be a little less straightforward, but I'll be sure to post up anything I find. Hopefully someone else can point us in the right direction though. I'm very much a noob with pfSense.
I'm really glad you copied that. Looks like the original post disappeared :o
-
Yeah, they deleted it lol. I also got the vlan part straight but only get 80-90 down and 10 up without the QoS settings.
I do not believe there's a way to do it in the webgui, it will probably involve some command line editing.
-
Can't you do your Cos Frame tagging on your switch? What switching platform are you using? As far a VLAN just go to assign under interface and you will see the VLAN tab that is where you can create your VLANs. Once you have the VLANs created then you can assign that VLAN to a interface.
-
I have a Zyxel GS1910-24 switch. I might be able to do it on my switch.
-
Just looked your switch up on New Egg and is does have QoS capabilities. I have no experience with your switch Platform but typically if you are breaking your traffic up on your tagged ports into different Classes then you can give one Class priority over the Other. I believe that is what you are trying to do. CoS is a layer two way to give traffic priority which is what I think you want. PfSense does have QoS capabilities as well but I will let someone who is more knowledgeable in the matter speak on that. Here http://www.youtube.com/watch?v=EfXImr5q-sw is a video explaining how to setup traffic shaping if you wanted to try to play around with it.
-
I'm feeling like a complete idiot right now. I can't even get my Watchguard to grab a DHCP address from the network.
If I put my Macbook on VLAN2, it grabs an IP immediately and I can get out to the net.
If I put dummy IPs on the Macbook VLAN2 and the WG VLAN2, I can ping from the MacBook to the WG. Interestingly, I can't ping from the WG to the Macbook.
I've set my pfSense install back to defaults, I tried setting the MTU to 1496, I've put 'allow any <> any' rules on the WAN interface for both IPv4 and v6, and still no luck. So I'm dead in the water on testing.
One thing I did notice when I was messing with the firewall rules. There's an 802.1p button down near the bottom. Looks like you could create pass rules that add the 802.1p tags.
If I can figure out what's up with my DHCP problems I'll get back into this.
-
I don't see any 802.1p settings at the bottom of my firewall rules.
-
I found this image in another, unrelated thread:
Thread reference: https://forum.pfsense.org/index.php?topic=61002.0
The above thread basically discusses how it was broken in a previous release.
If it helps, I'm running 2.1-Release on a Watchguard x5000. My firewall rule menus look like the ones in the example. If I were going to try this, I'd set up a pass-all rule for TCP/UDP, and for 802.1p I'd chose match on none and apply CA. (Critical Apps, bit 3)
I may have found what was broken in my WAN VLAN. I probably won't be able to test it before tomorrow though.
-
Interesting… 2.0.3 doesn't have that section.
-
Couple of things, remember that most pcs don't deal with tagged traffic. The port going to Pfsense should be tagged with all your vlans. The port going to your mac should be untagged. Some switches due it with the pvid setting others when you assign a vlan to a port make sure its untagged. Lastly I would remind you to make sure you configure dhcp for that vlan.
-
The VLAN'd port is facing the ISP. The WAN port has to be tagged on VLAN 2 in order for traffic to pass.
Outgoing traffic to the ISP also needs to have the .1p tags in order to not get dumped into a low speed queue.
When I talk about testing with my Mac, I'm putting a VLAN on the Thunderbolt GigE interface and plugging it directly into their ONT.
-
I fixed the VLAN and I'm getting out just fine. I'm pulling ~400 down to Softlayer in Dallas, but uploads are still stuck at 10.
What's worse is the TV system is not working. The guide is showing, but that could just be cached. I get a black screen on every channel I try.
I set up outbound rules from the WAN interface to 'any' to try to apply the tags as provided in the first post. Nothing seems to help so far.
I'm starting to wonder if the original info was deleted simply because it was wrong or incomplete, and not because it's some conspiracy to keep 3rd party routers off the network.
-
Still no joy on the uploads.
I do have some possible insight into the problem with the TV, though I'm no closer to fixing it. Atlantisman, let me know if you're a TV subscriber or if you're internet-only. I won't clutter up the thread with TV service details if I'm the only one using it right now.
-
I am also a TV subscriber, and i did notice that if i put the TV equipment behind a different router other than their own that it would just give me black screens. Even if i did this Fiber jack –-> Their router ---> pfsense ---> tv box.
-
I noticed the TV boxes and the storage box send a UDP IPv6 packet to ff02::1 approximately once per minute. This is roughly equivalent to IPv4 multicast on 224.0.0.1? I'm still really green on IPv6.
Even though my pfSense install had a permit any <> any rule for IPv6, it was still blocking these multicast messages. I put in a pass rule using the auto-generate tool in the logs. That let the traffic out, but no replies were coming in. It seems there's a lot that needs fixing. This will really test the patience of my wife ;D
-
Can you guys tunnel your TV service through a vlan on your network keeping the isp router, but then have it supply a public IP to Pfsense so you can use it as your edge router? I think this will give you control over the internet which is what you want and also allow your TV service to work undisturbed. What service are you guys using that you get 400 Mbps down? That is amazing!
-
400 is slow. It's supposed to be a gig both directions ;) Unfortunately, I think my old Watchguard box will be hardware-limited to ~400. As long as I can fix the upload speeds and get the TV working, I don't really care. Even 400 is faster than pretty much anything else I can connect to.
That's not a bad idea on segregating the ISP router. I'm not yet convinced that it's necessary though. It looks like the TV devices just need to pass certain kinds of IPv6 traffic which pfSense seems to block by default.
Later this week I'll see about borrowing some hardware from work so I can set up a Wireshark tap between the ONT and router. Then we'll see exactly what's going over the wire.
I'm also going to set up one of my Adtran routers to do some testing. I've got a much better understanding of those, and I've got a much easier interface to mess with the .1p tags.
-
You're getting better results than i am without the .1p settings, max i have seen is 85/10, and i know my pfsense build can support the whole gig.
-
Unfortunately, I think my old Watchguard box will be hardware-limited to ~400.
Are you still running the 2.8GHz P4? My X6000 passes ~365Mbps but it's running at 1.2GHz. I would expect yours to pass well over 400Mbps.
Steve
