Netgate Discussion Forum

    Bad idea? mixing tagged and untagged VLANs, but DHCPD works…

    Problems Installing or Upgrading pfSense Software
    13 Posts 3 Posters 4.5k Views
    • Y
      yarick123
      last edited by

      Hello,

      One more thanks to the pfSense team for the superior product!

      As has been said many times, it is obviously a bad idea to mix tagged and untagged VLANs on the same NIC.

      I just wanted to inform you that DHCPD is not working on the tagged interfaces in this case. It works only on the untagged one.

      Excluding the untagged VLAN fixes the problem!

      This message should not be understood as a pfSense issue declaration ;)

      P.S. Except for DHCPD, everything worked OK.

      Best regards
      yarick123

      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        Doubtful. You probably borked something in the switchport config. Interfaces on eth0 and eth0_vlanXXX should work fine.

        There are two issues at play here: untagged traffic and VLAN ID 1. If you do have to mix tagged and untagged traffic on interfaces, you should make sure the PVID on the switch is not VLAN 1.

        Then you can tag it across trunk (tagged) links and to VLAN-aware devices that don't get squirrelly without management on the untagged VLAN. Looking at you, Ubiquiti.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • Y
          yarick123
          last edited by

          Derelict, thank you for the clarification.

          @Derelict:

          There are two issues at play here. untagged traffic and VLAN ID 1. If you do have to mix tagged and untagged traffic on interfaces you should make sure the PVID on the switch is not VLAN 1.

          Maybe I understand it the wrong way.

          I had eth0, eth0_vlan3, eth0_vlan4, eth0_vlan13. So, four pfSense interfaces: LAN and three OPT.
          In fact, the PVID on the switch was 1. The switch port was configured as 'tagged' for VLANs 3, 4, 13 and as 'untagged' for the default VLAN 1. What would be the correct PVID in this case?

          Perhaps I should have used eth0_vlan1 instead of eth0… But, as far as I know, the switch does not tag the default VLAN 1, and I thought that eth0_vlan1 would not get any packets.

          Derelict, could you please say what you think about that?

          • DerelictD
            Derelict LAYER 8 Netgate
            last edited by

            Having the PVID as 1 will work, it's just a good idea to use something else.

            That should have worked with DHCP for switchports untagged on VLAN 1 or VLANs 3, 4, or 13 if DHCP was configured and enabled on those OPT interfaces.


            • Y
              yarick123
              last edited by

              Thank you for the answer Derelict.

              I will recheck, maybe I did something wrong…

              @Derelict:

              Having the PVID as 1 will work, it's just a good idea to use something else.

              Now I am using VLAN 100 for that :)

              By the way, I am using pfSense 2.2.6, the NIC is Intel(R) PRO/1000 Gigabit, the switch is Allied Telesis AT-8000GS/48.

              Best regards
              yarick123

              • Y
                yarick123
                last edited by

                I have reconfigured the slave firewall to use untagged default VLAN 1 for LAN. It worked! Thank you, Derelict!

                I will reconfigure the master firewall and report on the results. It seems that I had previously broken something in the configuration.

                • N
                  NOYB
                  last edited by

                  Been running mixed tagged/untagged for years. Never had an issue with it.

                  pfSense NIC:
                  LAN bfe0
                  WAN bfe0_VLAN99

                  Switch Port:
                  PVID 1
                  Member VLAN 1 untagged
                  Member VLAN 99 tagged

                  Note: within the switch everything is tagged

                  ingress packets:
                  untagged is tagged vlan 1 (PVID)
                  tagged keeps its tag

                  egress packets:
                  vlan 1 untagged
                  vlan 99 tagged

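The ingress/egress rules NOYB lists above are exactly what a toy 802.1Q port model has to implement: an untagged (or priority-tagged, VID 0) frame is assigned the PVID on ingress, a tagged frame keeps its VID, and on egress the PVID VLAN leaves the port untagged while other member VLANs leave tagged. The block below is an added example, not code from the thread, pfSense or any switch vendor; it builds and parses 802.1Q frames with the standard TPID 0x8100 / TCI layout and models the port configuration in the post (PVID 1 untagged, VLAN 99 tagged). The class and function names, the two MAC addresses and the sample frames are constructed for the example. It also shows the one case the post does not spell out: a frame tagged with a VLAN the port is not a member of is dropped by ingress filtering rather than forwarded.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed sample MAC addresses (locally administered, not from the thread)
HOST_MAC = bytes.fromhex("020000000001")
FW_MAC = bytes.fromhex("020000000002")


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build an Ethernet frame; insert an 802.1Q tag after the MACs when vid is given."""
    frame = dst + src
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)   # TCI = PCP(3) | DEI(1, =0) | VID(12)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Split a frame into fields; 'vid' is None when the frame carries no tag."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return {"dst": dst, "src": src, "vid": None, "pcp": 0,
                "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "vid": tci & 0x0FFF, "pcp": tci >> 13,
            "ethertype": inner, "payload": frame[18:]}


class SwitchPort:
    """Hypothetical port model: one untagged member VLAN (the PVID) plus tagged members."""

    def __init__(self, pvid, tagged_vlans):
        self.pvid = pvid
        self.tagged = set(tagged_vlans)
        self.members = self.tagged | {pvid}

    def ingress(self, frame):
        """Classify an arriving frame. Returns the fields with a VID set, or None if dropped."""
        f = parse_frame(frame)
        vid = f["vid"]
        if vid is None or vid == 0:
            # untagged and priority-tagged (VID 0) frames are assigned the PVID
            vid = self.pvid
        if vid not in self.members:
            return None   # ingress filtering: the port is not a member of that VLAN
        f["vid"] = vid    # inside the switch every frame carries a VID
        return f

    def egress(self, f):
        """Emit a classified frame: strip the tag for the PVID VLAN, keep it for tagged members."""
        vid = f["vid"]
        if vid not in self.members:
            return None
        tag = None if vid == self.pvid else vid
        return build_frame(f["dst"], f["src"], f["ethertype"], f["payload"],
                           vid=tag, pcp=f["pcp"])


def forward(port_in, port_out, frame):
    """Run a frame through ingress on one port and egress on another."""
    f = port_in.ingress(frame)
    if f is None:
        return None
    return port_out.egress(f)


def demo():
    """Constructed scenario from the post: PVID 1 untagged, VLAN 99 tagged."""
    fw_port = SwitchPort(pvid=1, tagged_vlans={99})
    uplink = SwitchPort(pvid=1, tagged_vlans={99})   # second port with the same membership
    payload = b"\x45" + b"\x00" * 19                 # constructed dummy IPv4 header bytes

    lan = build_frame(FW_MAC, HOST_MAC, ETHERTYPE_IPV4, payload)                  # untagged
    wan = build_frame(FW_MAC, HOST_MAC, ETHERTYPE_IPV4, payload, vid=99)          # tagged 99
    stray = build_frame(FW_MAC, HOST_MAC, ETHERTYPE_IPV4, payload, vid=50)        # not a member
    prio = build_frame(FW_MAC, HOST_MAC, ETHERTYPE_IPV4, payload, vid=0, pcp=5)   # priority-tagged

    return {
        "lan_vid": fw_port.ingress(lan)["vid"],            # untagged -> PVID 1
        "wan_vid": fw_port.ingress(wan)["vid"],            # tag kept -> 99
        "stray_dropped": fw_port.ingress(stray) is None,   # VLAN 50 not a member -> dropped
        "prio_vid": fw_port.ingress(prio)["vid"],          # VID 0 -> PVID 1
        "lan_out_untagged": parse_frame(forward(fw_port, uplink, lan))["vid"] is None,
        "wan_out_tagged": parse_frame(forward(fw_port, uplink, wan))["vid"],
        "prio_out_untagged": parse_frame(forward(fw_port, uplink, prio))["vid"] is None,
    }


if __name__ == "__main__":
    print(demo())
```

The model makes Derelict's earlier point concrete: nothing about PVID 1 breaks forwarding, so a DHCP failure on the tagged interfaces has to come from the port's membership or the pfSense interface assignment, not from the mix of tagged and untagged itself.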
                  • DerelictD
                    Derelict LAYER 8 Netgate
                    last edited by

                    Yeah, there's no problem with it. The hard part is tagging VLAN 1 across a real "trunk" port.


                    • N
                      NOYB
                      last edited by

                      @Derelict:

                      Yeah. there's no problem with it. Hard part is tagging VLAN 1 across a real "trunk" port.

                      Yeah, that's why I don't have a problem with it. ;)

                      • Y
                        yarick123
                        last edited by

                        I have reconfigured the master firewall also. Everything works!

                        So, there is no problem with DHCPD on an untagged VLAN and tagged VLANs on the same NIC. Shame on me  :-\

                        • N
                          NOYB
                          last edited by

                          @yarick123:

                          … untagged VLAN ...

                          What? Isn't that an oxymoron?

                          • Y
                            yarick123
                            last edited by

                            @NOYB:

                            @yarick123:

                            … untagged VLAN ...

                            … Isn't that an oxymoron.

                            I would not say so. The contradiction essential for an oxymoron seems to be absent.

                            There are N virtual LANs. To identify them, it is sufficient to tag N-1 virtual LANs and to leave one virtual LAN untagged.

                            • N
                              NOYB
                              last edited by

                              To me, the one untagged isn't really virtual, though. It's "native" (for lack of a better term), or real, or physical, etc., and requires no VLAN technology, capability or processing.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.