802.1p/q pfsense setup

Atlantisman

I was just able to get the TV equipment to work through my own router as well. Remember i am still doing the QoS at a switch level though, i am going to tinker around with QoS on pfsense though and see if i can get everything working 100% through pfsense.

Until then my speedtests are right where they should be at about 930mbps download and 930 mbps upload. The IPTV service is also working completely through pfsense, and the TV app is also working great. Life is good.

mikeisfly

Cool! If you have PfSense do the QoS aren't you taking clocks away from PfSense that could be used for other things that the switch has custom asics just for that purpose? For knowledge sake I say go for it, and please document how you got everything to work. 930 Mbps is awesome, I'm really jealous right now!

Jeff V.

That is spectacular.  If the occasion ever arises, I'll buy you a beer or two :)

Can you post the config details that get the TV going?

Atlantisman

Yes, i am in the process of prepping a full write up/guide. I will post it in a bit.

Atlantisman

I have completed the guide. Here it is:

https://www.dropbox.com/s/zg9ju9373t0fnpu/GoogleFiberRouterGuide.pdf

Have fun!

stephenw10

Ah, Google fibre. I was wondering what provider was giving you such huge bandwidth. Nice.  :)

Reading through your guide (which I'll never be able to actually use  :() this part seems potentially confusing:

Access your pfsense’s machine webgui and navigate to Interfaces -> Assign -> VLANs and add
VLAN 2 to your WAN interface, as shown below:

At this point, you should now be able to access the internet, though the upload speed will be limited
to about 10mbps.

Presumably at that point you actually have to assign the new interface, em1_VLAN2 in your example, as WAN?

Steve

Atlantisman

@stephenw10:

Ah, Google fibre. I was wondering what provider was giving you such huge bandwidth. Nice.  :)

Steve

Yeah, the only remotely bad thing about it was the inability to use whatever router you chose. I assume they give you a router and do this to reduce the volume of technical support calls. Otherwise most of their calls would be regarding slow internet speeds, since most routers wouldn't have the ability to support such high bandwidth.

em1 is my WAN interface (the interfaced directly plugged into port 2 on the switch mentioned earlier in the guide). You would need to tag that interface with VLAN 2.

stephenw10

Right so after you've added the new VLAN interface, em1_VLAN2, you have to re-assign WAN to use the new interface rather than using em1 directly which would still be sending untagged traffic.
It's just that reading your document it could easily be interpreted as simply adding the VLAN to em1 is sufficient. Now it's highly unlikely that anyone who didn't understand this would be reading the document in the first place.  ;)

Steve

Atlantisman

AH, right, thanks for catching that. i will edit the document to explain that. I have actually determinded that the whole vlan step within pfsense is not needed, as the vlans are being set at the switch level. I will modify the document to reflect it.

EDIT

i am having a strange problem with this step though, maybe someone can help me figure it out.

"To complete your IGMP configuration navigate to Firewall -> Rules -> LAN, edit your default
allow any rule on your LAN network, scroll down to Advanced Features -> Advanced Options
and check the first box., It should read, “This allows packets with OP options to pass. Otherwise
they are blocked by default. This is usually only seen with multicast traffic.” Save the rule and
apply your firewall settings."

After activating this, it seems like DHCP goes crazy and does assign IP addresses so new clients (mostly wireless) are not able to connect to the network. This seems to be an intermittent issue, but its extremely annoying.

rhornsby

The netgear GS108Tv2 switch came today.  Holy number of settings, Batman.  I can't really be sure if I got them right or not, I was a little bit guessing having never really dug into Layer 2 like this.  I ended up pulling the switch entirely out of the picture, but the pfSense box still wasn't able to pick up an IP address via DHCP when plugged into the OTN.  I might be completely wrong, but I thought that was supposed to work - albeit with severely degraded bandwidth.

Prior to that, at one point I had things all messed up, and the pfSense WAN picked up an IP address from its LAN - I think that was because I had the VLAN mappings in the switch goofed.  At least it tells me the WAN interface is capable of accepting and processing DHCP traffic, acting as a dhcp client.

The only things I changed on the pfsense were the settings in the doc, mostly the stuff around the IGMP traffic.  The GFNB was able to talk to the OTN immediately through the same port on the patch panel.  I might try a simpler off-the-shelf netgear router tomorrow, just to see what happens.

I posted a few screenshots of what the switch configuration looks like based on Atlantisman's document: https://www.dropbox.com/sh/ug31k8t6n9618ni/ligIuMmIiQ/gs108t_screenshots?lst.  There is no way to delete or rename the first three VLANs.  I really don't know what impact VLAN 2 being "Voice VLAN" has.  I can disable "Voice VLAN" in another screen, or try to move it to VLAN 3, but it doesn't change anything as far as I can tell.

edit: corrected bad syntax. sorry, long day.

Atlantisman

@rhornsby:

The netgear GS108Tv2 switch came today.  Holy number of settings, Batman.  I can't really be sure if I got them right or not, I was a little bit guessing having never really dug into Layer 2 like this.  I ended up pulling the switch entirely out of the picture, but the pfSense box still wasn't able to pick up an IP address via DHCP when plugged into the OTN.  I might be completely wrong, but I thought that was supposed to work - albeit with severely degraded bandwidth.

Prior to that, at one point I had things all messed up, and the pfSense WAN picked up an IP address from its LAN - I think that was because I had the VLAN mappings in the switch goofed.  At least it tells me the WAN interface is capable of accepting and processing DHCP traffic, acting as a dhcp client.

The only things I changed on the pfsense were the settings in the doc, mostly the stuff around the IGMP traffic.  The GFNB was able to talk to the OTN immediately through the same port on the patch panel.  I might try a simpler off-the-shelf netgear router tomorrow, just to see what happens.

I posted a few screenshots of what the switch configuration looks like based on Atlantisman's document: https://www.dropbox.com/sh/ug31k8t6n9618ni/ligIuMmIiQ/gs108t_screenshots?lst.  There is no way to delete or rename the first three VLANs.  I really don't know what impact VLAN 2 being "Voice VLAN" has.  I can disable "Voice VLAN" in another screen, or try to move it to VLAN 3, but it doesn't change anything as far as I can tell.

edit: corrected bad syntax. sorry, long day.

1. Yes it should work without the QoS settings, just highly reduced bandwidth (mine did, at about 930/10).

2. Are you plugging anything else into the other ports on the switch? Or just pfsense and the OTN?

3. Are you running pfsense in a VM or anything like that? If so you'd have to configure vlans on the virtual switch in esxi/hyper-v.

4. It shouldn't matter that it is labelled voice vlan. Port one and two do need to be on VLAN 2 no matter what though.

5. Some switches come with two different vlan options (private and normal), make sure you are not configuring a private vlan, otherwise the OTN won't send you packets.

Those screenshots look right to me, though i am not too familiar with that particular switch.

rhornsby

Thanks for the info.

@Atlantisman:

1. Yes it should work without the QoS settings, just highly reduced bandwidth (mine did, at about 930/10).

2. Are you plugging anything else into the other ports on the switch? Or just pfsense and the OTN?

I tried setting up ports 1 (OTN), 2 (pfSense WAN) on VLAN 2 and the rest on VLAN 1 to isolate them.  No luck.  I also just plugged in the OTN and pfSense to the switch (everything else removed), and wiring my laptop into the pfSense LAN port to monitor the pfSense, no luck there either.

@Atlantisman:

3. Are you running pfsense in a VM or anything like that? If so you'd have to configure vlans on the virtual switch in esxi/hyper-v.

No, it is running on metal.  I'm starting to wonder if having switch port 2 tagged is causing an issue.  I think the pfSense WAN interface MTU is 1492 but I'll have to check.

Would it be appropriate to set switch port 1 to tagged and port 2 to untagged?  Both members of VLAN 2 as your point #4 states, yes.

@Atlantisman:

5. Some switches come with two different vlan options (private and normal), make sure you are not configuring a private vlan, otherwise the OTN won't send you packets.

I don't see any options like those, but I'll keep looking.

Atlantisman

@rhornsby:

Thanks for the info.

@Atlantisman:

1. Yes it should work without the QoS settings, just highly reduced bandwidth (mine did, at about 930/10).

2. Are you plugging anything else into the other ports on the switch? Or just pfsense and the OTN?

I tried setting up ports 1 (OTN), 2 (pfSense WAN) on VLAN 2 and the rest on VLAN 1 to isolate them.  No luck.  I also just plugged in the OTN and pfSense to the switch (everything else removed), and wiring my laptop into the pfSense LAN port to monitor the pfSense, no luck there either.

@Atlantisman:

3. Are you running pfsense in a VM or anything like that? If so you'd have to configure vlans on the virtual switch in esxi/hyper-v.

No, it is running on metal.  I'm starting to wonder if having switch port 2 tagged is causing an issue.  I think the pfSense WAN interface MTU is 1492 but I'll have to check.

Would it be appropriate to set switch port 1 to tagged and port 2 to untagged?  Both members of VLAN 2 as your point #4 states, yes.

@Atlantisman:

5. Some switches come with two different vlan options (private and normal), make sure you are not configuring a private vlan, otherwise the OTN won't send you packets.

I don't see any options like those, but I'll keep looking.

I would setup the switch with a different port (3-8). After the switch is setup unplug everything but the OTN and the pfsense box.

You may also need to setup vlans in pfsense, though i didn't have to. There is no reason why this wouldn't work.

rhornsby

@Atlantisman:

I would setup the switch with a different port (3-8). After the switch is setup unplug everything but the OTN and the pfsense box.

You may also need to setup vlans in pfsense, though i didn't have to. There is no reason why this wouldn't work.

Switch or no switch, nothing except the GFNB so far seems to be able to be plugged into the OTN.  Tried putting the TimeCapsule in DHCP+NAT mode (normally I just have it in bridge mode), WAN port plugged into the OTN and just like the pfsense box, it was unable to obtain a WAN DHCP address.

From everything I understand, this should be working but unfortunately I'm unable to make any progress until I can sort out why the traffic isn't making it past the OTN unless it sees a GFNB.  (That's probably not the correct description of the relationship.)

Putting a laptop directly on the OTN and there was network traffic, but no response to DHCP client requests.

Edit: No luck spoofing the GFNB's MAC address on the laptop, and no luck manually configuring the IPv4 settings (with the spoofed MAC address).


rhornsby

Score.

I don't have time tonight to mess with it anymore, but on a hunch, I figured out that I could create a VLAN virtual interface on my macbook.  I gave it VLAN ID 2, plugged it into the OTN and immediately got a reply from the WAN DHCP server.  So my problem is likely an issue where I'm going to have to either figure out what I'm doing wrong with the switch and/or get pfSense to use a virtual interface on VLAN 2 for the WAN side.

Atlantisman

@rhornsby:

Score.

I don't have time tonight to mess with it anymore, but on a hunch, I figured out that I could create a VLAN virtual interface on my macbook.  I gave it VLAN ID 2, plugged it into the OTN and immediately got a reply from the WAN DHCP server.  So my problem is likely an issue where I'm going to have to either figure out what I'm doing wrong with the switch and/or get pfSense to use a virtual interface on VLAN 2 for the WAN side.

I had an issue where the DHCP on the WAN side would only assign a total of 2-3 Public IP addresses. So you could have the same issue with the DHCP servers holding your reservations, that's why it worked when you plugged the macbook in. So you might try spoofing the macbook's mac address to your pfsense machine and it might work.

EDIT: Also, i did some reading on that switch and it does have two different types of VLANs, port based (or private), and 802.1Q (the one you need). Be sure you're using the proper VLANs on the switch.

rhornsby

@Atlantisman:

I had an issue where the DHCP on the WAN side would only assign a total of 2-3 Public IP addresses. So you could have the same issue with the DHCP servers holding your reservations, that's why it worked when you plugged the macbook in. So you might try spoofing the macbook's mac address to your pfsense machine and it might work.

EDIT: Also, i did some reading on that switch and it does have two different types of VLANs, port based (or private), and 802.1Q (the one you need). Be sure you're using the proper VLANs on the switch.

I finally did get things working partially.  I could get the WAN interface up properly using DHCP as I said before.  I was also able to get DNS queries to return correctly.  However, I was not able to get any other traffic to the internet until I discovered that pfSense has a really strange way of coming up with the routing table:

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.2.1        UGS        0    8226  nfe1
8.8.8.8            00:04:4b:02:4c:92  UHS        0      124  nfe0
10.16.0.0/16      192.168.2.1        US          0        0  nfe1
10.30.0.0/16      192.168.2.1        US          0        0  nfe1
23.255.128.0/19    link#3            U          0      376  nfe0
23.255.146.22      link#3            UHS        0        0    lo0
127.0.0.1          link#7            UH          0      32    lo0
192.119.23.198    00:04:4b:02:4c:92  UHS        0      124  nfe0
192.168.2.0/24    link#4            U          0      630  nfe1
192.168.2.1        link#4            UHS        0      752    lo0

The default route is completely wrong.  I used a route command to fix that and set the ISP gateway properly.  I also used a route command to delete the route to the 8.8.8.8 DNS server (again, no idea where these are coming from).  I'm looking at the pfSense web ui and the Status > Gateways has the correct information (even before I manually fixed the routing table).  Somehow that isn't translating into a correct routing table.  Outside of the adjustments described here, the only configuration change I've made to the routing are the two static routes for the TV.

Fixing the gateway allowed traffic to the internet (ie I can telnet to an smtp server from the pfsense box).  However, I'm now very suspicious of the rest of the routing table because I still can't get traffic from the LAN to the Internet.  I'm able to write this post because I have an ssh tunnel to the pfSense box from my laptop.  I left the NAT settings alone, but something could be wrong there?

I'm pretty confident the switch isn't the issue at this point.  I'm accessing the pfSense box over a wireless AP that is plugged into the switch, on the same VLAN (1) as the pfSense LAN interface.  The OTN and the pfSense WAN link are on the same VLAN 2.  It seems like both VLANs are behaving properly.  pfSense seems like the issue but I'm confused as to how it is coming up with some of its configuration so it is unclear where to look.

Edit: I should clarify - nfe0 is the WAN interface, and nfe1 is the LAN.  The corrected routing table has this entry for the gateway:

default            23.255.128.1      UGS        0      463  nfe0

rhornsby

Just in case it matters and I've messed up the switch config to somehow cause the weird behavior - screenshots of the VLAN configuration in the switch.  Port 1 is the OTN, port 2 is the pfSense WAN; port 7 is the wireless access point, port 8 is the pfSense LAN.

https://www.dropbox.com/sh/ug31k8t6n9618ni/ligIuMmIiQ/gs108t_screenshots

stephenw10

It looks like you may have fallen into the trap of adding a gateway to the LAN interface which, since it's done after WAN, then becomes the default. You shouldn't have a gateway on LAN at all. A lot of people seem to be doing that recently for some reason.
The correct place to set the default gateway (and remove any spurious ones) is System: Routing: Gateway:

Steve

rhornsby

@stephenw10:

It looks like you may have fallen into the trap of adding a gateway to the LAN interface which, since it's done after WAN, then becomes the default. You shouldn't have a gateway on LAN at all. A lot of people seem to be doing that recently for some reason.
The correct place to set the default gateway (and remove any spurious ones) is System: Routing: Gateway:

Steve

I didn't intentionally or explicitly add a gateway to the LAN interface that I can recall.  You're right, it doesn't make sense for the LAN interface to have a gateway.  I saw under System > Routing > Gateway that there is one for the LAN, and one for the WAN.  I thought it was a little odd, but figured it must be the way pfSense is presenting the configuration in the UI.

The only possible time I can think when I might have done something to cause this LAN GW to end up in the routing table is setting up the LAN DHCP server.  It is possible there was a question during that portion of the initial setup I should have left blank - probably thinking the question was asking what GW should the DHCP clients use.