Netgate SG-1000 microFirewall

Author Topic: 802.1p/q pfsense setup  (Read 18931 times)

0 Members and 1 Guest are viewing this topic.

Offline Atlantisman

  • Jr. Member
  • **
  • Posts: 86
  • Karma: +1/-0
    • View Profile
802.1p/q pfsense setup
« on: January 23, 2014, 04:58:30 pm »
Hello, I was wondering if anyone had any idea about how to complete any of the following steps on pfsense 2.0.3?

1. Wan should be on vlan2.
2. DHCP traffic should have 802.1p bit = 2
3. IGMP traffic should have 802.1p bit = 6
4. All other internet traffic 802.1p bit = 3

Thanks.
« Last Edit: January 23, 2014, 05:03:11 pm by Atlantisman »

Offline Jeff V.

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-0
    • View Profile
Re: 802.1p/q pfsense setup
« Reply #1 on: January 25, 2014, 06:48:17 pm »
I'm working on this too.  I'm pretty sure I've got the VLAN side of it figured out.  You probably guessed by my user name. I'm the guy who had this working on his MacBook the other day.  It'll be later tonight before I can take the connection down and test it.  My wife is glued to the TV  :P

The 802.1p / QoS stuff will be a little less straightforward, but I'll be sure to post up anything I find.  Hopefully someone else can point us in the right direction though.  I'm very much a noob with pfSense.

I'm really glad you copied that.  Looks like the original post disappeared  :o

Offline Atlantisman

  • Jr. Member
  • **
  • Posts: 86
  • Karma: +1/-0
    • View Profile
Re: 802.1p/q pfsense setup
« Reply #2 on: January 25, 2014, 07:51:38 pm »
Yeah, they deleted it lol. I also got the vlan part straight but only get 80-90 down and 10 up without the QoS settings.

I do not believe there's a way to do it in the webgui, it will probably involve some command line editing.

Offline mikeisfly

  • Sr. Member
  • ****
  • Posts: 436
  • Karma: +5/-0
    • View Profile
Re: 802.1p/q pfsense setup
« Reply #3 on: January 25, 2014, 08:02:36 pm »
Can't you do your Cos Frame tagging on your switch? What switching platform are you using? As far a VLAN just go to assign under interface and you will see the VLAN tab that is where you can create your VLANs. Once you have the VLANs created then you can assign that VLAN to a interface.

Offline Atlantisman

  • Jr. Member
  • **
  • Posts: 86
  • Karma: +1/-0
    • View Profile
Re: 802.1p/q pfsense setup
« Reply #4 on: January 25, 2014, 08:14:01 pm »
I have a Zyxel GS1910-24 switch. I might be able to do it on my switch.

Offline mikeisfly

  • Sr. Member
  • ****
  • Posts: 436
  • Karma: +5/-0
    • View Profile
Re: 802.1p/q pfsense setup
« Reply #5 on: January 25, 2014, 09:29:18 pm »
Just looked your switch up on New Egg and is does have QoS capabilities. I have no experience with your switch Platform but typically if you are breaking your traffic up on your tagged ports into different Classes then you can give one Class priority over the Other. I believe that is what you are trying to do. CoS is a layer two way to give traffic priority which is what I think you want. PfSense does have QoS capabilities as well but I will let someone who is more knowledgeable in the matter speak on that.  Here http://www.youtube.com/watch?v=EfXImr5q-sw is a video explaining how to setup traffic shaping if you wanted to try to play around with it.

Offline Jeff V.

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-0
    • View Profile
Re: 802.1p/q pfsense setup
« Reply #6 on: January 25, 2014, 11:35:39 pm »
I'm feeling like a complete idiot right now.  I can't even get my Watchguard to grab a DHCP address from the network.

If I put my Macbook on VLAN2, it grabs an IP immediately and I can get out to the net.

If I put dummy IPs on the Macbook VLAN2 and the WG VLAN2, I can ping from the MacBook to the WG.  Interestingly, I can't ping from the WG to the Macbook.

I've set my pfSense install back to defaults, I tried setting the MTU to 1496, I've put 'allow any <> any' rules on the WAN interface for both IPv4 and v6, and still no luck.  So I'm dead in the water on testing.

One thing I did notice when I was messing with the firewall rules.  There's an 802.1p button down near the bottom.  Looks like you could create pass rules that add the 802.1p tags.

If I can figure out what's up with my DHCP problems I'll get back into this.

Offline Atlantisman

  • Jr. Member
  • **
  • Posts: 86
  • Karma: +1/-0
    • View Profile
Re: 802.1p/q pfsense setup
« Reply #7 on: January 25, 2014, 11:53:04 pm »
I don't see any 802.1p settings at the bottom of my firewall rules.

Offline Jeff V.

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-0
    • View Profile
Re: 802.1p/q pfsense setup
« Reply #8 on: January 26, 2014, 12:13:13 am »
I found this image in another, unrelated thread:



Thread reference: https://forum.pfsense.org/index.php?topic=61002.0

The above thread basically discusses how it was broken in a previous release.

If it helps, I'm running 2.1-Release on a Watchguard x5000.    My firewall rule menus look like the ones in the example.   If I were going to try this, I'd set up a pass-all rule for TCP/UDP, and for 802.1p I'd chose match on none and apply CA. (Critical Apps, bit 3)

I may have found what was broken in my WAN VLAN.  I probably won't be able to test it before tomorrow though.

Offline Atlantisman

  • Jr. Member
  • **
  • Posts: 86
  • Karma: +1/-0
    • View Profile
Re: 802.1p/q pfsense setup
« Reply #9 on: January 26, 2014, 12:36:36 am »
Interesting... 2.0.3 doesn't have that section.

Offline mikeisfly

  • Sr. Member
  • ****
  • Posts: 436
  • Karma: +5/-0
    • View Profile
Re: 802.1p/q pfsense setup
« Reply #10 on: January 26, 2014, 03:58:06 am »
Couple of things, remember that most pcs don't deal with tagged traffic. The port going to Pfsense should be tagged with all your vlans. The port going to your mac should be untagged. Some switches due it with the pvid setting others when you assign a vlan to a port make sure its untagged. Lastly I would remind you to make sure you configure dhcp for that vlan.
« Last Edit: January 26, 2014, 04:04:24 am by mikeisfly »

Offline Jeff V.

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-0
    • View Profile
Re: 802.1p/q pfsense setup
« Reply #11 on: January 26, 2014, 10:23:56 am »
The VLAN'd port is facing the ISP.   The WAN port has to be tagged on VLAN 2 in order for traffic to pass.

Outgoing traffic to the ISP also needs to have the .1p tags in order to not get dumped into a low speed queue.

When I talk about testing with my Mac, I'm putting a VLAN on the Thunderbolt GigE interface and plugging it directly into their ONT.

Offline Jeff V.

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-0
    • View Profile
Re: 802.1p/q pfsense setup
« Reply #12 on: January 26, 2014, 11:02:02 am »
I fixed the VLAN and I'm getting out just fine.   I'm pulling ~400 down to Softlayer in Dallas, but uploads are still stuck at 10.

What's worse is the TV system is not working. The guide is showing, but that could just be cached.  I get a black screen on every channel I try.

I set up outbound rules from the WAN interface to 'any' to try to apply the tags as provided in the first post.  Nothing seems to help so far.

I'm starting to wonder if the original info was deleted simply because it was wrong or incomplete, and not because it's some conspiracy to keep 3rd party routers off the network.

Offline Jeff V.

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-0
    • View Profile
Re: 802.1p/q pfsense setup
« Reply #13 on: January 26, 2014, 11:40:23 am »
Still no joy on the uploads.

I do have some possible insight into the problem with the TV, though I'm no closer to fixing it.   Atlantisman, let me know if you're a TV subscriber or if you're internet-only.  I won't clutter up the thread with TV service details if I'm the only one using it right now.

Offline Atlantisman

  • Jr. Member
  • **
  • Posts: 86
  • Karma: +1/-0
    • View Profile
Re: 802.1p/q pfsense setup
« Reply #14 on: January 26, 2014, 11:48:55 am »
I am also a TV subscriber, and i did notice that if i put the TV equipment behind a different router other than their own that it would just give me black screens. Even if i did this Fiber jack ---> Their router ---> pfsense ---> tv box.