Possible Bug - VLANS

Wasca · Apr 8, 2008, 5:50 AM

Hi Guys

I was not sure where to post this but I think I may have discovered a bug in 1.2 Final release when adding interfaces and VLANS.

I'm using all Intel cards and when I add another optional interface and then a VLAN my LAN interface goes down and I loose connectivity to PFSense web gui. Heres the process.

1. Open PFSense Web configurator
2. Click on Interfaces -> assign
3. Add another interface and save
4. Click on the VLANs tab in the same window
5. Add a new VLAN and save.

This is where my PFSense then drops it interface and I have to manually bring it back up again at the console to gain access to the web gui.

One possible error on my behalf could be the fact I did not reboot PFSense after creating the new optional interface, could this be the problem? I was not prompted to reboot after creating it.

GruensFroeschli · Apr 8, 2008, 5:34 AM

Does it work after you reboot the WebGUI?

Wasca · Apr 8, 2008, 5:52 AM

No I tried that. In all cases I have to go to the shell and bring the interface up manually by typing ifconfig em0 up

Also note that I have 2 other VLANS already configured on this interface (em0)

cmb · Apr 8, 2008, 9:22 PM

So em0 is your LAN interface, and you're adding VLANs to em0? It probably shouldn't do this, sounds like a FreeBSD driver bug or a switch bug triggered by the VLAN setup, either way not something we can fix.

But you should never use the parent interface of your VLAN trunk for anything, with any network equipment. It opens you up to VLAN hopping attacks in many cases (dropping from a tagged VLAN to the default VLAN on the trunk is commonly possible), and documentation from every switch manufacturer I've read strongly recommends against using the default VLAN on a trunk interface, which is exactly what you're doing. I recommend using a VLAN for your LAN, or adding an interface to use for your LAN.

fcshost · Apr 9, 2008, 1:21 AM

Just tonight I noticed similar behavior, but with RC4. I'm using an Intel 4 port 10/100 PCI adapter, using the first port (em0) for CARP. This has worked fine in the past, but tonight I added an additional port (em1), saved and then subsequently lost communication with the firewall. By some stroke of luck I was able to access the WebGUI again a couple of minutes later, but couldn't access any hosts NATed behind the firewall.

It's important to note that I'm using the em0 interface (on both firewalls) for CARP only.

At this point, CARP status was showing init, and I removed the em1 interface. Once those changes applied, CARP showed that the firewall was again in master mode and I could access hosts behind the firewall. The intended use for the additional interface is VLAN trunking.

Is there something that I'm missing here? Em1 wasn't enabled, but shouldn't have affected general traffic through the firewall, nor should it have had any effect on CARP sync..

Any thoughts/help is greatly appreciated.

Thanks.

hoba · Apr 9, 2008, 9:30 PM

There seem to be some driver related issues where it's better to reboot when messing around with vlans. We have seen setups where it was needed and other setups that had no issues at all. We have been discussing to force a reboot after setting up vlans but thought it's not a good idea for those that run hardware where everything works fine. If things like that happen a reboot will most likely fix it. There is nothing we can do against this currently like cmb already pointed out.

Wasca · Apr 9, 2008, 10:29 PM

Hi Hoba

Thanks for the info. Just to let you know, the interface in question on my router (em0) did not come online after a reboot, I needed to manually brig the interface up at the command line after a reboot. On the next atempt to reboot it worked ok.

cmb · Apr 10, 2008, 4:44 AM

I've noticed some strange behavior with CARP and VLANs that's similar to what you're describing, fcshost. I have a ticket open to check into it as time permits. It works fine as long as you don't mess with the interfaces, but touching the interface assignment seems to muck things up for a few seconds. I opened up a ticket and will check into it as time permits.

cmb · Apr 10, 2008, 4:51 AM

@Wasca:

Just to confirm I've done this correctly this is what I have setup.

em0 has 3 VLANS assigned to it here they are

LAN - VLAN0 Tagged as 2
OPT1 - VLAN1 Tagged as 3
OPT2 - VLAN2 Tagged as 4

The LAN subnet is a VLAN, is this ok to do? Do I really have to dedicate a whole interface entirely to my LAN subnet?

Thanks for your advice.

The LAN as a VLAN is fine, that's what I usually do in VLAN setups. It sounded like you were using the parent interface (just em0, not vlan0) as the LAN, is that not the case?

Wasca · Apr 10, 2008, 5:47 AM

Thanks for the confirmation CMB ;D