VLAN Tagging + Linksys eg1032



  • Downloaded PFsense last week (have been using M0n0wall for 3 years) because I wanted to use VLANs to split off my LAN between my servers, wireless and ethernet connected computers. I used the PFsense HCL to find a card that both Pfsense already had drivers for and that supported 802.1Q. Just for info, I use a HP Procurve 2424 for my switch. The LAN NIC is connected to port 24 on the HP switch.

    Just to test I created VLAN 2 for my wireless network, assigned an IP of 10.1.1.1 and can ping that from LAN IP 192.168.1.X

    I want to tag both VLAN1 and VLAN2 on my uplink back to the Linksys NIC. As soon as I tag VLAN1 on port 24 the link drops.

    Any help would be greatly appreciated. Thanks!



  • Why do ppl always want to use vlan1 pff  :'( it's prolly your default / fallback vlan (it'll mess it up for you). Now I got that out of my system  ;D

    Since I don't know the 2424 I can only tell you in words how I would start out.
    I assume pfSense has 2 NICs, em0 and em1. em0 will be WAN and em1 will be the tagged NIC connected to port 24 on the switch.

    Procurve 2424:
      VLAN Setup
    assign port 3,4,5 and 24 to vlan 11
    assign port 7,8,9 and 24 to vlan 22
    assign port 11 and 24 to vlan 33
    Remove port 3,4,5,7,8,9,11,24 from default vlan (prolly vlan1)
      VLAN Port Config
    port 3,4,5 untagged with pvid 11 (lan net)
    port 7,8,9 untagged with pvid 22  (server net)
    port 11 untagged with pvid 33 (wireless net )
    Set port 24 as tagged and VLAN aware

    pfSense:   
    Boot from live cd
    answer yes to add vlans
    use em1 to add vlan 11,22,33
    assign vlan0 to lan, em0 to wan, vlan1 to opt1 and vlan2 to opt2

    Now you'll get a LAN IP if you connect to port 3, 4 or 5
    Some wink guides here to illustrate
    Hope it helps



  • As perry said:
    Don't use VLAN1
    @802.1Q:

    Table 9-2—Reserved VID values

    VID value (hexadecimal)   Meaning/Use
    0 The null VLAN ID. Indicates that the tag header contains only priority
    information; no VLAN identifier is present in the frame. This VID value shall not
    be configured as a PVID or a member of a VID Set, or configured in any Filtering
    Database entry, or used in any Management operation.

    1 The default PVID value used for classifying frames on ingress through a Bridge
    Port. The PVID value of a Port can be changed by management.

    FFF Reserved for implementation use. This VID value shall not be configured as a
    PVID or a member of a VID Set, or transmitted in a tag header. This VID value
    may be used to indicate a wildcard match for the VID in management operations
    or Filtering Database entries.
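    As an added example, not code from the thread, here is a small Python checker that applies the rules from the two posts above (uplink port 24 tagged in every user VLAN, access ports removed from the default VLAN, reserved VIDs from 802.1Q Table 9-2) to a plan constructed from the port numbers and VIDs perry suggested.

    ```python
    from collections import defaultdict

    # IEEE 802.1Q Table 9-2 reserved VIDs: 0 (priority tag only) and 0xFFF
    # (implementation use). VID 1 is the default PVID; it is kept only as the
    # residual default VLAN and must not carry user or uplink traffic here.
    RESERVED_VIDS = {0, 0xFFF}

    # Constructed plan following the post: vid -> (untagged ports, tagged ports).
    PLAN = {
        11: ({3, 4, 5}, {24}),   # lan net
        22: ({7, 8, 9}, {24}),   # server net
        33: ({11}, {24}),        # wireless net
    }

    def check_plan(plan, trunk_port, default_vid=1):
        """Return a list of problems; an empty list means the plan is consistent."""
        problems = []
        untagged_on = defaultdict(set)   # port -> VIDs it is untagged (PVID) in
        user_ports = set()               # ports used by any non-default VLAN
        for vid, (untagged, tagged) in plan.items():
            if vid in RESERVED_VIDS or not 0 < vid < 0xFFF:
                problems.append(f"VLAN {vid}: reserved or out-of-range VID")
                continue
            for port in sorted(untagged & tagged):
                problems.append(f"VLAN {vid}: port {port} is both tagged and untagged")
            if vid == default_vid:
                # The default VLAN stays off the trunk; the OP lost link tagging it.
                if trunk_port in tagged:
                    problems.append(f"VLAN {vid}: default VLAN tagged on uplink {trunk_port}")
                continue
            user_ports |= untagged | tagged
            if trunk_port not in tagged:
                problems.append(f"VLAN {vid}: uplink port {trunk_port} is not tagged")
            if trunk_port in untagged:
                problems.append(f"VLAN {vid}: uplink port {trunk_port} should be tagged, not untagged")
            for port in untagged:
                untagged_on[port].add(vid)
        # An access port can have only one PVID.
        for port, vids in sorted(untagged_on.items()):
            if len(vids) > 1:
                problems.append(f"port {port}: untagged in several VLANs {sorted(vids)}")
        # "Remove port ... from default vlan": user ports must not linger in VLAN 1.
        if default_vid in plan:
            dflt_untagged, dflt_tagged = plan[default_vid]
            for port in sorted(user_ports & (dflt_untagged | dflt_tagged)):
                problems.append(f"port {port}: still a member of default VLAN {default_vid}")
        return problems
    ```
    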



  • Thanks! You're right! I don't use VLAN 1 at work either and I understand that it is never good practice. I guess my problem is I could not figure out how to get the LAN mapped to another VLAN last night. Way too many drinks…. :)

    This morning I opened up Interfaces --> Assign --> Under LAN I was able to drop down the box under Network port and choose VLAN 2 for my LAN.

    I swear that wasn't there last night. :) In fact, I know I checked it.  Maybe on reboot it finally showed up????

    That was my problem...
    I couldn't figure out how to map the LAN interface to anything other than default VLAN in PFsense.

    Thanks,
    I really appreciate it.



  • Some NIC drivers require a reboot to work correctly.

    I know for a fact that the vr driver (NIC driver of the alix) requires a reboot to work correctly.

    There sure are other drivers that are similar.



  • Anybody have problems dropping packets after tagging on an HP Procurve switch?

    LAN Interface is connected to a 1Gig copper port.

    NIC is a Linksys eg1032

    When I first boot Pfsense it's solid.  Give it a few minutes and it hoses.

    Request timed out.
    Request timed out.
    Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
    Request timed out.
    Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
    Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
    Request timed out.
    Request timed out.
    Request timed out.
    Reply from 192.168.1.1: bytes=32 time<1ms TTL=64



  • Cheapest solution: change the patch cable.
    More likely: try another NIC instead of the Linksys.

    Even if I sound like a scratched record: Intel NICs usually get the job done flawlessly. Use Intel server NICs in your pfSense when you need to push lots of traffic.



  • Along similar lines to jahonix - what does your Linksys NIC show up as in pfSense (such as em0, fxp0 or whatever)?

    Intel gigabit NICs are recommended - especially the server types. That said, the Dell PowerEdge R200 I'm using to run the 1.2-RELEASE image built on FreeBSD 6.3-RELEASE (the ICH9 disk controller on the R200 isn't supported on FreeBSD 6.2-RELEASE, so I can't run the ordinary 1.2-RELEASE) has a couple of bge NICs - gigabit Broadcom server NICs. They seem to work just fine with VLANs - this message is coming to you via that machine.

    I'd regard Intel gigabit server NICs as the best, though if you're buying hardware that has Broadcom gigabit NICs, you're probably fine with those.



  • The Linksys says re0.

    I installed Pfsense on an 8171 IBM that just happened to have a Broadcom as well and it seemed to work great! I guess it was because of the card that I couldn't get it to work that first night. Pisses me off because of the good reviews it got…. yeah yeah, I understand that none of those people were using it in the way I am using it, but there goes $38 :)  LOL

    Besides that, it's a good card.

    Thanks for all the advice from everybody.  I am used to Cisco and Foundry, not software such as PFsense for firewalls.  I keep telling my wife I should have bought that BigIron 8000 from a friend.  Can't beat a $70,000 piece of equipment for $500.  He bought a pallet of stuff and that came with it.  LOL

    She said "well, it's either that or you don't get your poker table and pool table"

    DAMN the choices we have to make.



  • Another NIC problem disappears with a switch to Intel or Broadcom.

    re is a Realtek NIC. These are reasonably well supported in FreeBSD, in that there is one developer actively developing and supporting that driver, but they are known to be problematic (as you'll discover if you hang out on freebsd-current or some of the other FreeBSD mailing lists). The driver keeps being refined, but I would recommend steering clear, particularly for a 'high stress' application such as a firewall. Intel or Broadcom are better choices.

