
    802.1p/q pfsense setup

    Scheduled Pinned Locked Moved General pfSense Questions
    77 Posts 16 Posters 40.1k Views
      SpitefulMonkey
      last edited by

      I am using the netgear gs108t v2 switch and a pfsense box running the latest release. I have the switch set correctly as my internet connection is full speed both ways 984/978. The tv's guide comes up but no video is shown. I followed 1.2 version of the guide pdf starting from section 2 (setting up TV). Any ideas on something I could try to get my tv services back up and going?

        rhornsby
        last edited by

        @SpitefulMonkey:

        I am using the netgear gs108t v2 switch and a pfsense box running the latest release. I have the switch set correctly as my internet connection is full speed both ways 984/978. The tv's guide comes up but no video is shown. I followed 1.2 version of the guide pdf starting from section 2 (setting up TV). Any ideas on something I could try to get my tv services back up and going?

        One of the things that is easy to miss is setting the correct option on the 4 firewall rules:

        Scroll down to Advanced Features -> Advanced Options and check the first box. It should read, “This allows packets with IP options to pass. Otherwise they are blocked by default. This is usually only seen with multicast traffic.”

        At one point, I had the option set on only three of the rules and it caused weird issues.

          Atlantisman
          last edited by

          You should only need the set opts box checked on the default ALLOW ALL rule in Firewall -> Rules -> LAN.

          Also, it seems like pfSense doesn't handle the IGMP traffic (at least for me) 100% effectively, causing little hiccups in TV service where it stops working for 10-15 seconds. I am still investigating this issue and will be doing more testing with pfSense 2.1.1.

          1 Reply Last reply Reply Quote 0
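Background for the "allow IP options" checkbox discussed in the posts above, as an added example that is not from the thread: IGMP messages carry the IPv4 Router Alert option (type 148), so their header is longer than 5 words, which is the condition the quoted pfSense help text describes as blocked by default. The packets, addresses and function names below are constructed for illustration.

```python
import socket
import struct

PROTO_IGMP = 2
OPTION_NAMES = {1: "No Operation", 7: "Record Route", 148: "Router Alert"}

def header_length(packet: bytes) -> int:
    """Validate the fixed IPv4 header and return its length in bytes."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    length = (packet[0] & 0x0F) * 4          # IHL counts 32-bit words
    if length < 20 or length > len(packet):
        raise ValueError("bad IHL")
    return length

def has_ip_options(packet: bytes) -> bool:
    """Any bytes past the 20-byte fixed header are IP options."""
    return header_length(packet) > 20

def ipv4_options(packet: bytes):
    """Return [(type, name, data)] for each option in the header."""
    end, i, opts = header_length(packet), 20, []
    while i < end:
        kind = packet[i]
        if kind == 0:                        # End of Options List, rest is padding
            break
        if kind == 1:                        # No Operation is a single byte
            opts.append((1, OPTION_NAMES[1], b""))
            i += 1
            continue
        if i + 1 >= end:
            raise ValueError("truncated option")
        length = packet[i + 1]
        if length < 2 or i + length > end:
            raise ValueError("bad option length")
        opts.append((kind, OPTION_NAMES.get(kind, "unknown"),
                     packet[i + 2:i + length]))
        i += length
    return opts

def build_ipv4(proto, src, dst, payload, options=b""):
    """Constructed sample packet; checksums are left at 0 (nothing here checks them)."""
    options += b"\x00" * (-len(options) % 4)  # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0,
                         ihl * 4 + len(payload), 0, 0, 1, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + options + payload

# Constructed samples: an IGMPv2 membership report (type 0x16) for a made-up
# group, sent with Router Alert, and an ordinary UDP packet without options.
ROUTER_ALERT = bytes([148, 4, 0, 0])
IGMP_REPORT = build_ipv4(PROTO_IGMP, "192.168.1.50", "239.1.1.1",
                         bytes([0x16, 0, 0, 0]) + socket.inet_aton("239.1.1.1"),
                         ROUTER_ALERT)
PLAIN_UDP = build_ipv4(17, "192.168.1.50", "192.168.1.1", b"\x00" * 8)

if __name__ == "__main__":
    for name, pkt in (("IGMPv2 report", IGMP_REPORT), ("plain UDP", PLAIN_UDP)):
        print(f"{name}: options={ipv4_options(pkt)} "
              f"needs 'allow IP options'={has_ip_options(pkt)}")
```
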
            rhornsby
            last edited by

            @Atlantisman:

            You should only need the set opts box checked on the default ALLOW ALL rule in Firewall -> Rules -> LAN.

            D'oh! Maybe that's part of my problem. Completely misunderstood the doc on that. You did say default rule, not the IGMP FW rules.  My fault.

              SpitefulMonkey
              last edited by

              Is IPv6 working for you all when you go test it? It doesn't seem to be working for me anymore.

                rhornsby
                last edited by

                @rhornsby:

                @Atlantisman:

                You should only need the set opts box checked on the default ALLOW ALL rule in Firewall -> Rules -> LAN.

                D'oh! Maybe that's part of my problem. Completely misunderstood the doc on that. You did say default rule, not the IGMP FW rules.  My fault.

                I went back and looked at this again.  I had the allow ip opts set on both the default rule and the individual IGMP rules, so it probably wasn't making any difference after all.

                  rhornsby
                  last edited by

                  @SpitefulMonkey:

                  Is IPv6 working for you all when you go test it? It doesn't seem to be working for me anymore.

                  Negative.  Unfortunately, I don't understand enough about IPv6 to know even what to look at.  Most everything I've found talks about using a tunnel broker, I assume since so many ISPs like Comcast aren't delivering IPv6 to residential(?) customers.  GF, AFAIK, supports and uses it.

                  For an "old" guy like me, IPv6 feels like a whole new interweb.  https://www.youtube.com/watch?v=5wWsJH4LVTA

                    Atlantisman
                    last edited by

                    I have been able to get IP6 to work on any device except for pfsense. I can plug a windows box, centos box, mint box or etc into my WAN connection and get a publicly route-able IP6 address, but no luck getting pfsense to get an address.

                    I am not sure, but I think it may have something to do with pfSense using dhcp6c instead of dhclient -6 to call for an address.

                    If anyone has any thoughts or ideas about this issue, that would be awesome.

                    Thanks.

                      Jeff V.
                      last edited by

                      This weekend, I finally got a chance to mess with this some more.

                      I was able to borrow a Netgear GSM7312 switch from work.  While the GUI is laid out differently from the GS108T, it follows the same unintuitive logic.  Fortunately rhornsby created a great guide for the GS108T that I was able to follow to get the 7312 working.

                      When I was directly connected to the 7312, I was pulling ~930 mbit in both directions. That's about as fast as I've seen any Google Fiber connection go, so I'm really pleased.

                      My pfSense box is a rebuilt and upgraded Watchguard X5000.  With that in place, I'm seeing around 800 both ways.  So a little bit of loss, but I'm still pleased. Especially for something that didn't even power up when I bought it.  Video is working nearly perfectly.  I've seen a couple very minor interruptions, and I'm hoping I can eventually tune those out.

                      Given what I've seen on eBay, I don't think the Netgear GSM switches are preferable to the GS108T.  They can be rack mounted, but they take up more space and power than the GS108T.  They're also a bit more expensive.  On the bright side, they have a text based command line and config file.  I've attached a fairly generic config for my 7312.  Port 1 goes to the Google ONT.  Port 2 goes to the router. And port 3 is set up to allow you to connect via telnet or the web GUI on 192.168.1.4.

                      What I'm really curious about is the Netgear FSM series.  These are 10/100 switches that have 2-4 gigabit uplink ports. They're quite a bit cheaper than the all-gigabit GSM series.  I was able to grab a FSM7328S for $35 shipped.  According to the data sheet, the backplane bandwidth is competitive with the GSM7312, and it uses the same base firmware and command line.  So hopefully I can just paste in my config file and be right back in business.

                      Thanks to Atlantisman and rhornsby and everyone else for their hard work on this.  It was so well documented that it was actually enjoyable to work on.  I should hopefully have a report on the FSM7328S this weekend.

                      config-netgear7312_GFiber-05-09-2014.txt

                        Jeff V.
                        last edited by

                        Well, good news.  The FSM7328S works great.  The config needs a few tweaks vs the GSM7312, but overall it's the same.

                        The ports are numbered 1/0/1 - 1/0/24 for the 10/100 ports, and 1/0/25 - 1/0/28 for the gig ports.

                        Right off the bat, this switch is meant for stacking with other compatible Netgear switches.  As best I can tell, there's no way to disable this.  Thus, ports 1/0/27 and 1/0/28 are hard coded stack ports and don't seem to be available for general purpose use.  They took the config, but I wasn't able to pass traffic.  It cleared up when I moved the pfSense box to 1/0/25 and the Google ONT to 1/0/26.    I was able to get ~930x930 Mbit when I tested directly from the switch.

                        This is basically the box-stock config, with the bare minimum to get it working on a Google connection.  The config is attached.  You'll be able to telnet or access the web UI at 192.168.1.4 from any of the 10/100 ports.

                        The other nice thing about this vs the GSM73xx box is that it's smaller, and fanless.  For $35 shipped, I couldn't be happier.

                        Now on to the not so good news.

                        I'm still seeing some IPTV issues.  It was bad enough that my wife gave up on watching TV while she worked from home today.  I may have found a partial fix though.

                        If you go into System > Advanced and then go to the System Tunables tab, there's an option called net.inet.ip.fastforwarding.  Edit that value, and change it from 'default' to '1'.  Then reboot your box.  I noticed a nice 10% increase in my speed tests, though the tests were hardly scientific.    I've been watching a movie for the last couple hours, and the video has been damn near perfect the entire time.  Be warned though.  I've read some posts that say this setting can break IPSEC VPN clients. That may have just been for older versions though.  The information is conflicting in some places.

                        I've read about people successfully using far less powerful pfSense setups on other IPTV systems, so all I can figure is that Google has very tight timing tolerances that the pfSense IGMP proxy or firewall code struggles to meet.

                        One last thing….IPv6 DHCP.  I tried to get an IPv6 address when I tested directly from the Netgear switch.  I wasn't able to.  Technically the switch should just pass any ethernet frames, regardless of whether they've got v4 or v6 payloads.  But clearly something is missing.  I don't know enough about IPv6 yet to really make much headway on it.

                        I've got access to a few other switches, so I'll see if I can't line up some more tests for the IPv6 stuff.

                        config_netgear7328S_GFiber-05-15-2014.txt

                          Atlantisman
                          last edited by

                          Your switch will have really nothing to do with the IPv6. I have been working on trying to get IPv6 to work without any luck.

                          It seems to be a problem with pfSense (tested on pfSense 2.1 (first version to completely support IP6), 2.1.2, 2.1.3, and the 2.2 beta), since I can plug literally anything else into one of the VLAN2 ports on my switch and it pulls an IPv6 address in seconds. I tested this with Windows, CentOS Linux, Ubuntu Linux and more.

                          I was also having IPTV issues. I had given up on it for now as pfSense doesn't appear to be handling the traffic effectively. So I have my Google Router plugged into another port connected to VLAN2 on my switch and have all the TV gear plugged into that, essentially splitting my network into a data section and a TV section.

                          EDIT: When I am able to get IP6 working I am going to try putting the TV equipment behind pfSense again, since IP6 is more efficient and has less overhead than IP4. Based on my traffic sniffing it seems to be using IP6 for the TV service anyways.

                            Jeff V.
                            last edited by

                            The weird part for me is that I tried to get a v6 address when I had my MacBook connected directly to the switch, before I had hooked up the pfSense box.

                            If I set up VLAN 2 on my MacBook and plug directly into the fiber jack, I get both v4 and v6 addresses a v4 address only. These Netgear boxes I'm testing are pretty old, so it wouldn't surprise me if something isn't up to spec.

                            I like your idea of splitting the networks.  But that would break the Fiber guide app, right?  As it sits, I'm going to have to shelve this whole project because my wife is losing patience with the TV situation, and breaking the Fiber app will be the last straw.  If it was up to me, this wouldn't even be an issue.  I'd have the gigabit-only package…

                            EDIT:  I have to backtrack part of what I said.  I didn't actually test v6 directly to the fiber jack on the night I installed the Netgear.  My recollection of getting a v6 address directly off the fiber jack was based on an apparently incorrect memory of the first time I tried this many months ago.  I am definitely not getting a v6 address right now.

                            I'm still a little fuzzy on it, but I found this thread that may help explain it.

                            http://apple.stackexchange.com/questions/60608/does-os-x-have-a-builtin-dhcpv6-client

                            It's directed more towards OSX, but I think the theory could apply to pfSense too (especially since they're both based on FreeBSD).  It looks like you need certain options enabled on the upstream router in order for DHCPv6 to work.  Without those options enabled, you need to rely on other IPv6 mechanisms (router announcements?)

                            So my speculation is that the Google Network Box requests a v6 prefix from the upstream Google interface. The LAN facing side of the Network Box has the necessary options turned on, so DHCPv6 works inside your network.

                              Jeff V.
                              last edited by

                              Also, I figured out how to disable the stack ports on the FSM73xxS series.

                              http://rivald.blogspot.com/2009/05/netgear-switches-fsm7352s-and-disabling.html

                              To disable stacking from the command line:

                              enable (if you aren't there already)
                              configure
                              stack
                              stack-port 1/0/51 ethernet
                              stack-port 1/0/52 ethernet

                              To revert them back to stack ports:

                              configure
                              stack
                              stack-port 1/0/51 stack
                              stack-port 1/0/52 stack

                              I had to reboot my switch to get the change to take effect.  Substitute 1/0/27 and 1/0/28 if you only have the 28 port version like I do.

                                Jeff V.
                                last edited by

                                For anyone who's interested, I have a working IPv6 config now.

                                Go here and see post 7.  Beware possible hard crashes when you have IPv4 + IGMP + IPv6 configured though.

                                https://forum.pfsense.org/index.php?topic=76322.0

                                  bejahnel
                                  last edited by

                                  Hey guys, I just got GF and am looking for a way to get a firewall in place to mainly use VPN and protect my network. Thinking about trying a pfSense either Virtual machine off a Dell 2950 running ESX, or I have an older pizza box server with I believe a P4, no clue on RAM, haven't got it in my rack yet. I have a Cisco ASA 5505 that worked awesome when I had Comcast, but I want to take full advantage of GF. The dropbox link seems to be dead. Is there a way I can get that config to help me get pfSense set up a little faster? Much appreciated!!! Also I have a Dell 6248P, but I'd rather not have that on the perimeter just stripping off the QoS. Again, thanks for any help.

                                  P.S. An afterthought is that maybe I could use pfSense to do my firewall and have GF equipment on its own VLAN and have the 6248 route the traffic through the GF port, then I shouldn't have to worry about QoS. Also it looks like GF has a support page for using their service without their box. Doesn't say anything about needing IPv6, says it's optional and they recommend having DHCPv6 enabled, but here is the page for you to look for yourself - https://support.google.com/fiber/faq/3333053?hl=en#6032607

                                    dhiltonp
                                    last edited by

                                    Nice find on the google fiber support page!

                                    Atlantisman's guide can be found by searching for "GoogleFiberRouterGuide.pdf."

                                    There is one step missing from his guide, though - you've got to create the VLAN within pfSense, too:

                                    • interfaces->assign->vlans

                                    • create a vlan for the correct interface (tag 2)

                                    • set vlan in interface assignments

                                      nutt318
                                      last edited by

                                      Just finished the guide from here (http://flyovercountry.org/2014/02/google-fiber-gigabit-speeds-your-router-part-1-vlans/) and just finished page 2 and the last step doesn't seem to be working for me.

                                      My Operational Status is Down, my internet works but upload is only 10meg and my down is around 350meg which is very low from last nights test. Also my TVs are not working either, just get a black screen saying channel not available.

                                      Anyways just trying to figure out why my status for g2 is down.

                                      EDIT:

                                      So I re-read the guide and somehow I missed the VLAN tag for IGMP under the QOS Class configuration. So I added VLAN2, and checked the status and now it says UP.
                                      Problem now is I'm getting only 40 down and .4 up, it's gotten worse.

                                      Any ideas?

                                      EDIT 2:
                                      Missed the IGMP Setting for the same Class Sections, I must have hit cancel and not apply. Anyways the internet is working great! However my TV is not.

                                      I'm getting a black screen with a red text saying Channel Not Available.

                                      Any ideas on the TV side of things?

                                      EDIT 3:
                                      Followed this guide to get TV working - http://flyovercountry.org/wp-content/uploads/2014/02/GoogleFiberRouterGuide.pdf however only lower channels work.

                                      1-97 come in just fine, 98 and above do not show up. Is there another subnet that's used that's not listed in the guide?

                                      EDIT 4:
                                      I've got everything working! I've created some documentation on the process of getting everything working. Links Below:

                                      Bypass the Network Box - Part 1:
                                      http://www.itnutt.com/how-to-bypass-google-fibers-network-box/

                                      Setup Firewall Rules for TV Services - Part 2:
                                      http://www.itnutt.com/how-to-get-google-fiber-tv-services-working-with-pfsense/

                                        jason.matthew.duncan
                                        last edited by

                                        Does anyone have this working with only pfSense? I've got 4 Gb ports on the pfSense box but not a good switch. If someone does, can you point me in the right direction on the WAN setup? LAN is working fine but I cannot get out to the internet, so I'm missing something on the VLAN setup I'm guessing, if this is even possible directly via pfSense. I will post setup of pfSense later; work has successfully blocked TeamViewer somehow.

                                          KingViper
                                          last edited by

                                          I just got Google Fiber installed today and had a Netgear GS108T lined up for tagging and priority assignment. While the Netgear worked just fine, I was able to get internet working natively within pfSense without the Netgear switch. I think in pfSense 2.3 they added some options and potentially fixed some issues with 802.1p compared to before. Here's what I did. (I do not have TV service so I can't comment there)

                                          Step 1.

                                          Interfaces -> Assign
                                          VLANS
                                          +Add
                                          Parent Interface - WAN
                                          VLAN Tag - 2
                                          VLAN Priority - 3
                                          Description - Google Fiber VLAN
                                          Save

                                          It should look like this. (Where em1 is your WAN interface)

                                          Step 2.

                                          Interfaces -> Assign
                                          Interface Assignments
                                          WAN - Google Fiber VLAN
                                          Save

                                          It should look like this.

                                          And that's it. My internet started working at full speed both up and down!

                                          1 Reply Last reply Reply Quote 0
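What the VLAN Tag 2 / VLAN Priority 3 settings in the post above look like on the wire, as an added example that is not from the thread: a parser for the 802.1Q tag that can be run over frames captured on the WAN port to confirm the tagging. The frames and MAC addresses are constructed and the function names are illustrative; only the values 2 and 3 come from the post.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag

def parse_vlan_tag(frame: bytes):
    """Return the 802.1Q fields of an Ethernet frame, or None if untagged."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    # TCI layout: 3 bits priority (802.1p PCP), 1 bit DEI, 12 bits VLAN ID
    tci, inner = struct.unpack("!HH", frame[14:18])
    return {"pcp": tci >> 13, "dei": (tci >> 12) & 1,
            "vid": tci & 0x0FFF, "ethertype": inner}

def check_wan_frame(frame: bytes, want_vid=2, want_pcp=3):
    """List how a frame differs from the expected tag (defaults from the post)."""
    tag = parse_vlan_tag(frame)
    if tag is None:
        return ["untagged"]
    problems = []
    if tag["vid"] != want_vid:
        problems.append(f"VLAN {tag['vid']}, expected {want_vid}")
    if tag["pcp"] != want_pcp:
        problems.append(f"priority {tag['pcp']}, expected {want_pcp}")
    return problems

def build_frame(vid=None, pcp=0, ethertype=0x0800):
    """Constructed sample frame with made-up locally administered MACs."""
    dst = bytes.fromhex("020000000001")
    src = bytes.fromhex("020000000002")
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return dst + src + tag + struct.pack("!H", ethertype) + b"\x00" * 46

# Constructed samples: correct tag, right VLAN without priority, no tag at all.
GOOD = build_frame(vid=2, pcp=3)
NO_PRIORITY = build_frame(vid=2, pcp=0)
UNTAGGED = build_frame()

if __name__ == "__main__":
    for name, frame in (("good", GOOD), ("no priority", NO_PRIORITY),
                        ("untagged", UNTAGGED)):
        print(name, parse_vlan_tag(frame), check_wan_frame(frame) or "ok")
```
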
                                            KingViper
                                            last edited by

                                            I also had to disable the IPv6 config on pfsense to fix some issues on my android phone when using WiFi. I had problems downloading/updating apps in the play store, watching youtube videos in the youtube app (they would work fine from chrome), downloading pictures in SMS, and accessing printers in google cloud print. There is probably a way to actually fix it, but for now disabling IPv6 resolved my issues.

                                            Step 3.

                                            Interfaces -> LAN
                                            IPv6 Configuration Type - None
                                            Save
