pfSense Forum

pfSense English Support => General Questions => Topic started by: Atlantisman on January 23, 2014, 04:58:30 pm

Title: 802.1p/q pfsense setup
Post by: Atlantisman on January 23, 2014, 04:58:30 pm
Hello, I was wondering if anyone had any idea about how to complete any of the following steps on pfsense 2.0.3?

1. Wan should be on vlan2.
2. DHCP traffic should have 802.1p bit = 2
3. IGMP traffic should have 802.1p bit = 6
4. All other internet traffic 802.1p bit = 3

Thanks.
Title: Re: 802.1p/q pfsense setup
Post by: Jeff V. on January 25, 2014, 06:48:17 pm
I'm working on this too.  I'm pretty sure I've got the VLAN side of it figured out.  You probably guessed by my user name. I'm the guy who had this working on his MacBook the other day.  It'll be later tonight before I can take the connection down and test it.  My wife is glued to the TV  :P

The 802.1p / QoS stuff will be a little less straightforward, but I'll be sure to post up anything I find.  Hopefully someone else can point us in the right direction though.  I'm very much a noob with pfSense.

I'm really glad you copied that.  Looks like the original post disappeared  :o
Title: Re: 802.1p/q pfsense setup
Post by: Atlantisman on January 25, 2014, 07:51:38 pm
Yeah, they deleted it lol. I also got the vlan part straight but only get 80-90 down and 10 up without the QoS settings.

I do not believe there's a way to do it in the webgui, it will probably involve some command line editing.
Title: Re: 802.1p/q pfsense setup
Post by: mikeisfly on January 25, 2014, 08:02:36 pm
Can't you do your CoS frame tagging on your switch? What switching platform are you using? As far as VLANs, just go to Assign under Interfaces and you will see the VLAN tab; that is where you can create your VLANs. Once you have the VLANs created, you can assign that VLAN to an interface.
Title: Re: 802.1p/q pfsense setup
Post by: Atlantisman on January 25, 2014, 08:14:01 pm
I have a Zyxel GS1910-24 switch. I might be able to do it on my switch.
Title: Re: 802.1p/q pfsense setup
Post by: mikeisfly on January 25, 2014, 09:29:18 pm
Just looked your switch up on Newegg and it does have QoS capabilities. I have no experience with your switch platform, but typically if you are breaking your traffic up on your tagged ports into different classes then you can give one class priority over the other. I believe that is what you are trying to do. CoS is a layer two way to give traffic priority, which is what I think you want. pfSense does have QoS capabilities as well, but I will let someone who is more knowledgeable in the matter speak on that.  Here http://www.youtube.com/watch?v=EfXImr5q-sw is a video explaining how to set up traffic shaping if you wanted to try to play around with it.
Title: Re: 802.1p/q pfsense setup
Post by: Jeff V. on January 25, 2014, 11:35:39 pm
I'm feeling like a complete idiot right now.  I can't even get my Watchguard to grab a DHCP address from the network.

If I put my Macbook on VLAN2, it grabs an IP immediately and I can get out to the net.

If I put dummy IPs on the Macbook VLAN2 and the WG VLAN2, I can ping from the MacBook to the WG.  Interestingly, I can't ping from the WG to the Macbook.

I've set my pfSense install back to defaults, I tried setting the MTU to 1496, I've put 'allow any <> any' rules on the WAN interface for both IPv4 and v6, and still no luck.  So I'm dead in the water on testing.

One thing I did notice when I was messing with the firewall rules.  There's an 802.1p button down near the bottom.  Looks like you could create pass rules that add the 802.1p tags.

If I can figure out what's up with my DHCP problems I'll get back into this.
Title: Re: 802.1p/q pfsense setup
Post by: Atlantisman on January 25, 2014, 11:53:04 pm
I don't see any 802.1p settings at the bottom of my firewall rules.
Title: Re: 802.1p/q pfsense setup
Post by: Jeff V. on January 26, 2014, 12:13:13 am
I found this image in another, unrelated thread:

(http://i.imgur.com/AaAIarF.jpg)

Thread reference: https://forum.pfsense.org/index.php?topic=61002.0

The above thread basically discusses how it was broken in a previous release.

If it helps, I'm running 2.1-Release on a Watchguard x5000.  My firewall rule menus look like the ones in the example.  If I were going to try this, I'd set up a pass-all rule for TCP/UDP, and for 802.1p I'd choose match on none and apply CA (Critical Apps, bit 3).

I may have found what was broken in my WAN VLAN.  I probably won't be able to test it before tomorrow though.
Title: Re: 802.1p/q pfsense setup
Post by: Atlantisman on January 26, 2014, 12:36:36 am
Interesting... 2.0.3 doesn't have that section.
Title: Re: 802.1p/q pfsense setup
Post by: mikeisfly on January 26, 2014, 03:58:06 am
Couple of things: remember that most PCs don't deal with tagged traffic. The port going to pfSense should be tagged with all your VLANs. The port going to your Mac should be untagged. Some switches do it with the PVID setting; on others, when you assign a VLAN to a port, make sure it's untagged. Lastly, I would remind you to make sure you configure DHCP for that VLAN.
Title: Re: 802.1p/q pfsense setup
Post by: Jeff V. on January 26, 2014, 10:23:56 am
The VLAN'd port is facing the ISP.   The WAN port has to be tagged on VLAN 2 in order for traffic to pass.

Outgoing traffic to the ISP also needs to have the .1p tags in order to not get dumped into a low speed queue.

When I talk about testing with my Mac, I'm putting a VLAN on the Thunderbolt GigE interface and plugging it directly into their ONT.
Title: Re: 802.1p/q pfsense setup
Post by: Jeff V. on January 26, 2014, 11:02:02 am
I fixed the VLAN and I'm getting out just fine.   I'm pulling ~400 down to Softlayer in Dallas, but uploads are still stuck at 10.

What's worse is the TV system is not working. The guide is showing, but that could just be cached.  I get a black screen on every channel I try.

I set up outbound rules from the WAN interface to 'any' to try to apply the tags as provided in the first post.  Nothing seems to help so far.

I'm starting to wonder if the original info was deleted simply because it was wrong or incomplete, and not because it's some conspiracy to keep 3rd party routers off the network.
Title: Re: 802.1p/q pfsense setup
Post by: Jeff V. on January 26, 2014, 11:40:23 am
Still no joy on the uploads.

I do have some possible insight into the problem with the TV, though I'm no closer to fixing it.   Atlantisman, let me know if you're a TV subscriber or if you're internet-only.  I won't clutter up the thread with TV service details if I'm the only one using it right now.
Title: Re: 802.1p/q pfsense setup
Post by: Atlantisman on January 26, 2014, 11:48:55 am
I am also a TV subscriber, and I did notice that if I put the TV equipment behind a different router other than their own that it would just give me black screens. Even if I did this: Fiber jack ---> Their router ---> pfsense ---> tv box.
Title: Re: 802.1p/q pfsense setup
Post by: Jeff V. on January 26, 2014, 12:49:49 pm
I noticed the TV boxes and the storage box send a UDP IPv6 packet to  ff02::1 approximately once per minute.  This is roughly equivalent to IPv4 multicast on 224.0.0.1?  I'm still really green on IPv6. 

Even though my pfSense install had a permit any <> any rule for IPv6, it was still blocking these multicast messages.  I put in a pass rule using the auto-generate tool in the logs.  That let the traffic out, but no replies were coming in.   It seems there's a lot that needs fixing.  This will really test the patience of my wife  ;D
Title: Re: 802.1p/q pfsense setup
Post by: mikeisfly on January 27, 2014, 04:50:36 am
Can you guys tunnel your TV service through a vlan on your network keeping the isp router, but then have it supply a public IP to Pfsense so you can use it as your edge router? I think this will give you control over the internet which is what you want and also allow your TV service to work undisturbed. What service are you guys using that you get 400 Mbps down? That is amazing!
Title: Re: 802.1p/q pfsense setup
Post by: Jeff V. on January 27, 2014, 10:04:34 am
400 is slow.  It's supposed to be a gig both directions ;)   Unfortunately, I think my old Watchguard box will be hardware-limited to ~400.  As long as I can fix the upload speeds and get the TV working, I don't really care.  Even 400 is faster than pretty much anything else I can connect to.

That's not a bad idea on segregating the ISP router. I'm not yet convinced that it's necessary though.  It looks like the TV devices just need to pass certain kinds of IPv6 traffic which pfSense seems to block by default. 

Later this week I'll see about borrowing some hardware from work so I can set up a Wireshark tap between the ONT and router. Then we'll see exactly what's going over the wire.

I'm also going to set up one of my Adtran routers to do some testing.  I've got a much better understanding of those, and I've got a much easier interface to mess with the .1p tags.
Title: Re: 802.1p/q pfsense setup
Post by: Atlantisman on January 27, 2014, 01:17:55 pm
You're getting better results than I am without the .1p settings; max I have seen is 85/10, and I know my pfsense build can support the whole gig.
Title: Re: 802.1p/q pfsense setup
Post by: stephenw10 on January 27, 2014, 05:01:17 pm
Quote from: Jeff V.
Unfortunately, I think my old Watchguard box will be hardware-limited to ~400.

Are you still running the 2.8GHz P4? My X6000 passes ~365Mbps but it's running at 1.2GHz. I would expect yours to pass well over 400Mbps.

Steve
Title: Re: 802.1p/q pfsense setup
Post by: Jeff V. on January 27, 2014, 06:36:58 pm
Quote from: stephenw10
Are you still running the 2.8GHz P4?

Yeah.  I haven't done anything to the CPU.  I stuck more RAM in it because it was sitting in a box doing nothing.  But that's the only performance change I made.  I had to replace the PSU and every capacitor on the motherboard though.  That was not fun.

I haven't done any throughput testing on it.  The reduced speeds could be due to the .1p situation.  My outbound requests for data are going into the 'best effort' bin, which has the default effect of slowing down a server's response to me.
Title: Re: 802.1p/q pfsense setup
Post by: Atlantisman on January 27, 2014, 11:20:00 pm
I haven't had a lot of time to do much testing as of now. I have just been trying to research a way of either doing the .1p settings in pfsense or possibly on a switch level before it gets to my pfsense machine.
Title: Re: 802.1p/q pfsense setup
Post by: Jeff V. on January 29, 2014, 07:21:10 pm
I've made a bit of progress.  It's not strictly pfSense related, but I'm hoping we can use this to bridge the gap.

I borrowed an Adtran Netvanta 1335 from work.   It's basically a router with some Layer 3 switching capabilities.  There's 24 10/100 ports and 2 gig ports.

Right off the bat, this old POS looks to be hardware limited to ~120 Mbit/sec even on the gig ports.  I knew they were running out of gas (which is why we're replacing them at work) but I thought it was a CPU/ # of firewall sessions problem.  I guess it's all of the above.

Also, I have no IPv6 enabled.  I'm not even sure it's supported on this platform.  No IPv6 = IPTV on this system.

Anyway, I fixed the upload problem. Once I got basic connectivity established, I was pulling 120 down, and only 10 up.  Which is what Atlantis and I were seeing on pfSense.

After I got a QoS policy in place, upload improved to match the download rates.  I was getting 120 both ways.   I did verify that the gig ports were auto-negotiating at the correct rate and not accumulating errors.

So here's what I'm hoping for.  Adtran configs are very similar to Cisco.  It's my hope that some of the more knowledgeable folks will read what I did with this Adtran, and then chime in with how we might be able to implement a similar config on pfSense.

I'll explain the relevant parts of the config, and I'll upload the entire thing as an attachment.  The only change I've made is to remove the password hashes.  Everything else is line for line identical to my running config.   Please don't critique it too hard.  It's just something I banged together in a few minutes for testing purposes.

So, to get this working:

Create interface VLAN 2, and set it to DHCP.
* Put interface gigabit-switchport 0/1 into VLAN trunking mode.  Verify that VLAN 2 obtains an IP address and you can ping out.
* Turn up interface gigabit-switchport 0/2 and let it go on the default VLAN.  Add the necessary policies to allow outbound NAT. Verify access.

Create access list GF-dhcp
* Set the ACL to match both TCP and UDP port 67.  Probably only needs UDP.  Whatever.

Create access list GF-default
* Set this as a permit IP any <-> any

Create QoS policy GF-QoS
* On the first policy term, match against the GF-dhcp ACL
* When packets match the ACL, set the VLAN priority / 802.1p / CoS bit 2
* On the second policy term, match against GF-default
* This is the catch-all rule, which applies VLAN priority / 802.1p / CoS bit 3
* I wanted to do an ACL and QoS term for IGMP, but I couldn't figure out how to enable that.   Maybe later.

Apply the QoS policy in the outbound direction on VLAN 2. 

All traffic exiting VLAN 2 towards the internet will have the .1p / CoS bits set, and upload speeds should see a dramatic improvement.

Anyone want to take a crack at interpreting this into a pfSense config?
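
Added example (not part of Jeff V.'s post or his attached config): one way to confirm on the wire that frames leaving the WAN carry the VLAN ID and 802.1p values listed in the first post. The function names and the sample frames are constructed for illustration; the frames are built in the script itself rather than captured, and only IPv4 is classified.

```python
import struct

# Policy from the first post in this thread: WAN on VLAN 2, with one
# 802.1p priority (PCP) value per traffic class.
WAN_VLAN = 2
EXPECTED_PCP = {"dhcp": 2, "igmp": 6, "other": 3}

ETH_8021Q = 0x8100  # TPID that announces an 802.1Q tag
ETH_IPV4 = 0x0800


def parse_frame(frame):
    """Return the VLAN tag fields and traffic class of one Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"tagged": False, "vid": None, "pcp": None, "class": "other"}
    offset = 14
    if ethertype == ETH_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        # TCI layout: 3 bits PCP, 1 bit DEI, 12 bits VLAN ID.
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, pcp=tci >> 13, vid=tci & 0x0FFF)
        offset = 18
    if ethertype == ETH_IPV4 and len(frame) >= offset + 20:
        ihl = (frame[offset] & 0x0F) * 4
        proto = frame[offset + 9]
        l4 = offset + ihl
        if proto == 2:  # IGMP
            info["class"] = "igmp"
        elif proto == 17 and len(frame) >= l4 + 4:  # UDP
            sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
            if {sport, dport} & {67, 68}:  # DHCP server/client ports
                info["class"] = "dhcp"
    return info


def check_frame(frame):
    """List the ways a WAN-side frame deviates from the policy above."""
    info = parse_frame(frame)
    if not info["tagged"]:
        return ["untagged frame, expected 802.1Q tag for VLAN %d" % WAN_VLAN]
    problems = []
    if info["vid"] != WAN_VLAN:
        problems.append("VLAN %d, expected VLAN %d" % (info["vid"], WAN_VLAN))
    want = EXPECTED_PCP[info["class"]]
    if info["pcp"] != want:
        problems.append("%s traffic has PCP %d, expected %d"
                        % (info["class"], info["pcp"], want))
    return problems


def build_frame(pcp, vid, proto, sport=0, dport=0, tagged=True):
    """Build a minimal constructed frame (checksums left at zero)."""
    eth = bytes.fromhex("ffffffffffff" "020000000001")
    tag = struct.pack("!HH", ETH_8021Q, (pcp << 13) | vid) if tagged else b""
    l4 = struct.pack("!HHHH", sport, dport, 8, 0) if proto == 17 else bytes(8)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                     proto, 0, bytes(4), bytes([255] * 4))
    return eth + tag + struct.pack("!H", ETH_IPV4) + ip + l4


# Constructed sample frames, not captured traffic.
SAMPLES = {
    "dhcp ok": build_frame(2, 2, 17, 68, 67),
    "dhcp best-effort": build_frame(0, 2, 17, 68, 67),
    "igmp ok": build_frame(6, 2, 2),
    "tcp best-effort": build_frame(0, 2, 6),
    "tcp ok": build_frame(3, 2, 6),
    "untagged": build_frame(0, 0, 6, tagged=False),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print("%-18s %s" % (name, check_frame(frame) or "ok"))
```

Feed it frames taken from a tap between the router and the ISP equipment; a capture taken on the router itself may not show the tag if the NIC handles VLAN tagging in hardware.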
Title: Re: 802.1p/q pfsense setup
Post by: Atlantisman on January 30, 2014, 12:33:04 am
I was just able to get it working, but the QoS part is done through my switch (two ports are vlan'd off, one for the fiber jack, and one for pfsense). The switch strips off the QoS, then passes the clean packets to pfsense. No TV as of now, as I probably need to upgrade to pfsense 2.1 to get full IPv6 support.

I have a Zyxel GS1910 switch, and I wasn't sure which bit was for IGMP and which was for DHCP (they all just have a number code on my switch) so I set them all to 3.

The result is a clean 930 down and 934 up.

**UPDATE**

Upgraded to pfsense 2.1 and set allow all IPv6 traffic outbound, still no TV service. I get the guide, On-Demand, and DVR functionality, but no live TV.

**UPDATE 2**

The TV service not functioning does not appear to be caused by the firewall; it could be that the TV equipment somehow pairs to the router so you can't just take the TV box over to a buddy's house and get the service from it. You'd think that they'd accomplish this task by only allowing IPs from their subnets on their IPTV servers, but who knows.
Title: Re: 802.1p/q pfsense setup
Post by: Jeff V. on January 30, 2014, 09:12:22 am
Have you read up on IGMP at all?  I've seen people in other threads about IPTV systems mentioning that they had to run some kind of IGMP proxy in order to get TV working.    I haven't dug too deep into it myself since my focus until now has been getting the data working correctly.

I really hope it's possible to get the .1p stuff working in pfSense.  I've got a really nice gig switch, but I'd rather not have it managing both internal and external traffic, mainly from a simplicity standpoint. That was a big part of my reason for buying the Watchguard.
Title: Re: 802.1p/q pfsense setup
Post by: Atlantisman on January 30, 2014, 07:18:54 pm
I haven't really looked at IGMP; I am going to investigate that more tonight when I have some time.
Title: Re: 802.1p/q pfsense setup
Post by: Atlantisman on February 01, 2014, 02:11:00 am
I was able to get my TV service working again, but with a kludge-y work-around. I just added another port on my switch to vlan 2, plugged the network box into that, and plugged the TV into the network box. ISP will give you more than one public IP (I have three from them at the moment, running 2 pfsense machines for fun, and 1 for their network box), so one for pfsense for your data network, and one for their router and their TV equipment. I am still going to be tinkering around with the TV service though to see if I can get anything to work through pfsense entirely.

Not exactly ideal, as now I cannot use the android app to control the tv equipment (unless I re-activate wireless on the NB and switch wireless networks whenever I want to, which would be stupid). At least it's working though.

I also contacted them to see if using our own routers was against their ToS in any way, and I was assured it wasn't, just that their support will not assist us in getting this to work.
Title: Re: 802.1p/q pfsense setup
Post by: Atlantisman on February 06, 2014, 03:39:26 am
I was just able to get the TV equipment to work through my own router as well. Remember I am still doing the QoS at a switch level though; I am going to tinker around with QoS on pfsense though and see if I can get everything working 100% through pfsense.

Until then my speedtests are right where they should be at about 930mbps download and 930 mbps upload. The IPTV service is also working completely through pfsense, and the TV app is also working great. Life is good.
Title: Re: 802.1p/q pfsense setup
Post by: mikeisfly on February 06, 2014, 04:18:36 am
Cool! If you have pfSense do the QoS, aren't you taking clocks away from pfSense that could be used for other things, when the switch has custom ASICs just for that purpose? For knowledge sake I say go for it, and please document how you got everything to work. 930 Mbps is awesome, I'm really jealous right now!
Title: Re: 802.1p/q pfsense setup
Post by: Jeff V. on February 06, 2014, 07:21:34 pm
That is spectacular.  If the occasion ever arises, I'll buy you a beer or two :)

Can you post the config details that get the TV going?
Title: Re: 802.1p/q pfsense setup
Post by: Atlantisman on February 06, 2014, 07:31:19 pm
Yes, I am in the process of prepping a full write up/guide. I will post it in a bit.
Title: Re: 802.1p/q pfsense setup
Post by: Atlantisman on February 06, 2014, 08:57:36 pm
I have completed the guide. Here it is:

https://www.dropbox.com/s/zg9ju9373t0fnpu/GoogleFiberRouterGuide.pdf


Have fun!
Title: Re: 802.1p/q pfsense setup
Post by: stephenw10 on February 07, 2014, 12:13:29 am
Ah, Google fibre. I was wondering what provider was giving you such huge bandwidth. Nice.  :)

Reading through your guide (which I'll never be able to actually use  :() this part seems potentially confusing:
Quote
Access your pfsense’s machine webgui and navigate to Interfaces -> Assign -> VLANs and add
VLAN 2 to your WAN interface, as shown below:

At this point, you should now be able to access the internet, though the upload speed will be limited
to about 10mbps.

Presumably at that point you actually have to assign the new interface, em1_VLAN2 in your example, as WAN?

Steve
Title: Re: 802.1p/q pfsense setup
Post by: Atlantisman on February 07, 2014, 12:39:54 am
Quote from: stephenw10
Ah, Google fibre. I was wondering what provider was giving you such huge bandwidth. Nice.  :)
Steve

Yeah, the only remotely bad thing about it was the inability to use whatever router you chose. I assume they give you a router and do this to reduce the volume of technical support calls. Otherwise most of their calls would be regarding slow internet speeds, since most routers wouldn't have the ability to support such high bandwidth.

em1 is my WAN interface (the interface directly plugged into port 2 on the switch mentioned earlier in the guide). You would need to tag that interface with VLAN 2.
Title: Re: 802.1p/q pfsense setup
Post by: stephenw10 on February 07, 2014, 06:37:12 am
Right so after you've added the new VLAN interface, em1_VLAN2, you have to re-assign WAN to use the new interface rather than using em1 directly which would still be sending untagged traffic.
It's just that reading your document it could easily be interpreted as simply adding the VLAN to em1 is sufficient. Now it's highly unlikely that anyone who didn't understand this would be reading the document in the first place.  ;)

Steve
Title: Re: 802.1p/q pfsense setup
Post by: Atlantisman on February 07, 2014, 01:27:21 pm
Ah, right, thanks for catching that. I will edit the document to explain that. I have actually determined that the whole vlan step within pfsense is not needed, as the vlans are being set at the switch level. I will modify the document to reflect it.

EDIT

I am having a strange problem with this step though, maybe someone can help me figure it out.

"To complete your IGMP configuration navigate to Firewall -> Rules -> LAN, edit your default
allow any rule on your LAN network, scroll down to Advanced Features -> Advanced Options
and check the first box. It should read, “This allows packets with IP options to pass. Otherwise
they are blocked by default. This is usually only seen with multicast traffic.” Save the rule and
apply your firewall settings."

After activating this, it seems like DHCP goes crazy and does assign IP addresses so new clients (mostly wireless) are not able to connect to the network. This seems to be an intermittent issue, but it's extremely annoying.
Title: Re: 802.1p/q pfsense setup
Post by: rhornsby on February 14, 2014, 10:24:11 pm
The netgear GS108Tv2 switch came today.  Holy number of settings, Batman.  I can't really be sure if I got them right or not, I was a little bit guessing having never really dug into Layer 2 like this.  I ended up pulling the switch entirely out of the picture, but the pfSense box still wasn't able to pick up an IP address via DHCP when plugged into the OTN.  I might be completely wrong, but I thought that was supposed to work - albeit with severely degraded bandwidth.

Prior to that, at one point I had things all messed up, and the pfSense WAN picked up an IP address from its LAN - I think that was because I had the VLAN mappings in the switch goofed.  At least it tells me the WAN interface is capable of accepting and processing DHCP traffic, acting as a dhcp client.

The only things I changed on the pfsense were the settings in the doc, mostly the stuff around the IGMP traffic.  The GFNB was able to talk to the OTN immediately through the same port on the patch panel.  I might try a simpler off-the-shelf netgear router tomorrow, just to see what happens.

I posted a few screenshots of what the switch configuration looks like based on Atlantisman's document: https://www.dropbox.com/sh/ug31k8t6n9618ni/ligIuMmIiQ/gs108t_screenshots?lst.  There is no way to delete or rename the first three VLANs.  I really don't know what impact VLAN 2 being "Voice VLAN" has.  I can disable "Voice VLAN" in another screen, or try to move it to VLAN 3, but it doesn't change anything as far as I can tell.

edit: corrected bad syntax. sorry, long day.
Title: Re: 802.1p/q pfsense setup
Post by: Atlantisman on February 14, 2014, 11:12:02 pm
1. Yes it should work without the QoS settings, just highly reduced bandwidth (mine did, at about 930/10).

2. Are you plugging anything else into the other ports on the switch? Or just pfsense and the OTN?

3. Are you running pfsense in a VM or anything like that? If so you'd have to configure vlans on the virtual switch in esxi/hyper-v.

4. It shouldn't matter that it is labelled voice vlan. Port one and two do need to be on VLAN 2 no matter what though.

5. Some switches come with two different vlan options (private and normal), make sure you are not configuring a private vlan, otherwise the OTN won't send you packets.

Those screenshots look right to me, though I am not too familiar with that particular switch.
Title: Re: 802.1p/q pfsense setup
Post by: rhornsby on February 15, 2014, 07:52:52 am
Thanks for the info.

Quote from: Atlantisman
1. Yes it should work without the QoS settings, just highly reduced bandwidth (mine did, at about 930/10).
2. Are you plugging anything else into the other ports on the switch? Or just pfsense and the OTN?

I tried setting up ports 1 (OTN), 2 (pfSense WAN) on VLAN 2 and the rest on VLAN 1 to isolate them.  No luck.  I also just plugged in the OTN and pfSense to the switch (everything else removed), and wiring my laptop into the pfSense LAN port to monitor the pfSense, no luck there either.

Quote from: Atlantisman
3. Are you running pfsense in a VM or anything like that? If so you'd have to configure vlans on the virtual switch in esxi/hyper-v.

No, it is running on metal.  I'm starting to wonder if having switch port 2 tagged is causing an issue.  I think the pfSense WAN interface MTU is 1492 but I'll have to check.

Would it be appropriate to set switch port 1 to tagged and port 2 to untagged?  Both members of VLAN 2 as your point #4 states, yes.

Quote from: Atlantisman
5. Some switches come with two different vlan options (private and normal), make sure you are not configuring a private vlan, otherwise the OTN won't send you packets.

I don't see any options like those, but I'll keep looking.
Title: Re: 802.1p/q pfsense setup
Post by: Atlantisman on February 15, 2014, 06:15:09 pm
I would set up the switch with a different port (3-8). After the switch is set up, unplug everything but the OTN and the pfsense box.

You may also need to set up vlans in pfsense, though I didn't have to. There is no reason why this wouldn't work.
Title: Re: 802.1p/q pfsense setup
Post by: rhornsby on February 16, 2014, 07:43:27 pm
Switch or no switch, nothing except the GFNB so far seems to be able to be plugged into the OTN.  Tried putting the TimeCapsule in DHCP+NAT mode (normally I just have it in bridge mode), WAN port plugged into the OTN and just like the pfsense box, it was unable to obtain a WAN DHCP address.

From everything I understand, this should be working but unfortunately I'm unable to make any progress until I can sort out why the traffic isn't making it past the OTN unless it sees a GFNB.  (That's probably not the correct description of the relationship.)

Putting a laptop directly on the OTN and there was network traffic, but no response to DHCP client requests.

Edit: No luck spoofing the GFNB's MAC address on the laptop, and no luck manually configuring the IPv4 settings (with the spoofed MAC address).
Title: Re: 802.1p/q pfsense setup
Post by: rhornsby on February 16, 2014, 09:54:40 pm
Score.

I don't have time tonight to mess with it anymore, but on a hunch, I figured out that I could create a VLAN virtual interface on my macbook.  I gave it VLAN ID 2, plugged it into the OTN and immediately got a reply from the WAN DHCP server.  So my problem is likely an issue where I'm going to have to either figure out what I'm doing wrong with the switch and/or get pfSense to use a virtual interface on VLAN 2 for the WAN side.
Title: Re: 802.1p/q pfsense setup
Post by: Atlantisman on February 17, 2014, 04:50:42 pm

I had an issue where the DHCP on the WAN side would only assign a total of 2-3 Public IP addresses. So you could have the same issue with the DHCP servers holding your reservations, that's why it worked when you plugged the macbook in. So you might try spoofing the macbook's mac address to your pfsense machine and it might work.

EDIT: Also, I did some reading on that switch and it does have two different types of VLANs, port based (or private), and 802.1Q (the one you need). Be sure you're using the proper VLANs on the switch.
Title: Re: 802.1p/q pfsense setup
Post by: rhornsby on February 19, 2014, 09:32:42 pm
I finally did get things working partially.  I could get the WAN interface up properly using DHCP as I said before.  I was also able to get DNS queries to return correctly.  However, I was not able to get any other traffic to the internet until I discovered that pfSense has a really strange way of coming up with the routing table:

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.2.1        UGS         0     8226   nfe1
8.8.8.8            00:04:4b:02:4c:92  UHS         0      124   nfe0
10.16.0.0/16       192.168.2.1        US          0        0   nfe1
10.30.0.0/16       192.168.2.1        US          0        0   nfe1
23.255.128.0/19    link#3             U           0      376   nfe0
23.255.146.22      link#3             UHS         0        0    lo0
127.0.0.1          link#7             UH          0       32    lo0
192.119.23.198     00:04:4b:02:4c:92  UHS         0      124   nfe0
192.168.2.0/24     link#4             U           0      630   nfe1
192.168.2.1        link#4             UHS         0      752    lo0


The default route is completely wrong.  I used a route command to fix that and set the ISP gateway properly.  I also used a route command to delete the route to the 8.8.8.8 DNS server (again, no idea where these are coming from).  I'm looking at the pfSense web ui and the Status > Gateways has the correct information (even before I manually fixed the routing table).  Somehow that isn't translating into a correct routing table.  Outside of the adjustments described here, the only configuration change I've made to the routing are the two static routes for the TV.

Fixing the gateway allowed traffic to the internet (ie I can telnet to an smtp server from the pfsense box).  However, I'm now very suspicious of the rest of the routing table because I still can't get traffic from the LAN to the Internet.  I'm able to write this post because I have an ssh tunnel to the pfSense box from my laptop.  I left the NAT settings alone, but something could be wrong there?

I'm pretty confident the switch isn't the issue at this point.  I'm accessing the pfSense box over a wireless AP that is plugged into the switch, on the same VLAN (1) as the pfSense LAN interface.  The OTN and the pfSense WAN link are on the same VLAN 2.  It seems like both VLANs are behaving properly.  pfSense seems like the issue but I'm confused as to how it is coming up with some of its configuration so it is unclear where to look.

Edit: I should clarify - nfe0 is the WAN interface, and nfe1 is the LAN.  The corrected routing table has this entry for the gateway:

default            23.255.128.1       UGS         0      463   nfe0
Title: Re: 802.1p/q pfsense setup
Post by: rhornsby on February 19, 2014, 09:45:52 pm
Just in case it matters and I've messed up the switch config to somehow cause the weird behavior - screenshots of the VLAN configuration in the switch.  Port 1 is the OTN, port 2 is the pfSense WAN; port 7 is the wireless access point, port 8 is the pfSense LAN.

https://www.dropbox.com/sh/ug31k8t6n9618ni/ligIuMmIiQ/gs108t_screenshots

Title: Re: 802.1p/q pfsense setup
Post by: stephenw10 on February 20, 2014, 05:58:21 am
It looks like you may have fallen into the trap of adding a gateway to the LAN interface which, since it's done after WAN, then becomes the default. You shouldn't have a gateway on LAN at all. A lot of people seem to be doing that recently for some reason.
The correct place to set the default gateway (and remove any spurious ones) is System: Routing: Gateway:

Steve
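The check described above, as an added example that is not part of any post: parse the routing table rhornsby posted and flag a default route that does not leave via the WAN interface or that points at one of the firewall's own addresses. The interface roles (nfe0 = WAN, nfe1 = LAN) and the table rows come from the thread; the function names are illustrative.

```python
# Added example: audit a FreeBSD/pfSense `netstat -rn` table for a bad default route.
WAN_IF = "nfe0"  # from the thread: nfe0 is the WAN interface, nfe1 is the LAN

# Routing table exactly as posted in the thread.
POSTED_TABLE = """\
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.2.1        UGS         0     8226   nfe1
8.8.8.8            00:04:4b:02:4c:92  UHS         0      124   nfe0
10.16.0.0/16       192.168.2.1        US          0        0   nfe1
10.30.0.0/16       192.168.2.1        US          0        0   nfe1
23.255.128.0/19    link#3             U           0      376   nfe0
23.255.146.22      link#3             UHS         0        0    lo0
127.0.0.1          link#7             UH          0       32    lo0
192.119.23.198     00:04:4b:02:4c:92  UHS         0      124   nfe0
192.168.2.0/24     link#4             U           0      630   nfe1
192.168.2.1        link#4             UHS         0      752    lo0
"""

# Default route line after the manual fix, also as posted in the thread.
CORRECTED_DEFAULT = "default            23.255.128.1       UGS         0      463   nfe0"


def parse_routes(text):
    """Turn netstat -rn rows into dicts; header and short lines are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "Destination":
            continue
        routes.append({
            "dest": fields[0],
            "gateway": fields[1],
            "flags": fields[2],
            "netif": fields[5],
        })
    return routes


def own_addresses(routes):
    """Host routes bound to a loopback interface are the box's own addresses."""
    return {
        r["dest"] for r in routes
        if "H" in r["flags"]
        and r["netif"].startswith("lo")
        and r["gateway"].startswith("link#")
    }


def audit_default_route(routes, wan_if):
    """Return a list of findings; an empty list means the default route looks sane."""
    defaults = [r for r in routes if r["dest"] == "default"]
    if not defaults:
        return ["no default route present"]
    local = own_addresses(routes)
    findings = []
    for r in defaults:
        if r["netif"] != wan_if:
            findings.append(
                f"default route uses {r['netif']}, not WAN interface {wan_if}")
        if r["gateway"] in local:
            findings.append(
                f"default gateway {r['gateway']} is one of the firewall's own addresses")
    return findings


def corrected_table():
    """The posted table with the default line swapped for the corrected one."""
    return "\n".join(
        CORRECTED_DEFAULT if line.startswith("default") else line
        for line in POSTED_TABLE.splitlines()
    )


if __name__ == "__main__":
    for label, table in (("posted", POSTED_TABLE), ("corrected", corrected_table())):
        problems = audit_default_route(parse_routes(table), WAN_IF)
        print(label, "->", problems or "ok")
```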
Title: Re: 802.1p/q pfsense setup
Post by: rhornsby on February 20, 2014, 06:35:42 am
Quote
It looks like you may have fallen into the trap of adding a gateway to the LAN interface which, since it's done after WAN, then becomes the default. You shouldn't have a gateway on LAN at all. A lot of people seem to be doing that recently for some reason.
The correct place to set the default gateway (and remove any spurious ones) is System: Routing: Gateway:

Steve

I didn't intentionally or explicitly add a gateway to the LAN interface that I can recall.  You're right, it doesn't make sense for the LAN interface to have a gateway.  I saw under System > Routing > Gateway that there is one for the LAN, and one for the WAN.  I thought it was a little odd, but figured it must be the way pfSense is presenting the configuration in the UI.

The only possible time I can think when I might have done something to cause this LAN GW to end up in the routing table is setting up the LAN DHCP server.  It is possible there was a question during that portion of the initial setup I should have left blank - probably thinking the question was asking what GW should the DHCP clients use.
Title: Re: 802.1p/q pfsense setup
Post by: stephenw10 on February 20, 2014, 07:09:05 am
Like you say it should be blank. If you change the LAN subnet at the initial console setup it asks you questions in order (IP address, subnet mask etc) and one of those is the gateway. It's hard to just return through it when it's explicitly asking you for the gateway.
The wording there especially could be changed to prevent this.

https://forum.pfsense.org/index.php/topic,72694.0.html

If you have entered a gateway on LAN remove it from Interfaces: LAN: and then go to System: Routing: Gateways: and remove it there too making sure the WAN gateway is set as default.

Steve
Title: Re: 802.1p/q pfsense setup
Post by: -flo- on February 20, 2014, 11:55:50 pm
Quote
You shouldn't have a gateway on LAN at all. A lot of people seem to be doing that recently for some reason

Btw. this happened to me when I set up pfSense from the serial console (on an ALIX board if that matters). I'm absolutely sure that I did not create a gateway, I logged every single step of my setup.

-flo-
 
Title: Re: 802.1p/q pfsense setup
Post by: rhornsby on February 21, 2014, 10:26:21 pm
Quote
I had an issue where the DHCP on the WAN side would only assign a total of 2-3 Public IP addresses. So you could have the same issue with the DHCP servers holding your reservations, that's why it worked when you plugged the macbook in. So you might try spoofing the macbook's mac address to your pfsense machine and it might work.

EDIT: Also, I did some reading on that switch and it does have two different types of VLANs, port based (or private), and 802.1Q (the one you need). Be sure you're using the proper VLANs on the switch.

I finally got it working to the point where I could get everything on the Internet.  Thanks to Stephenw10 for the help on the routing table stuff.

However, the best speed I'm able to get is 30/10, which tells me I haven't figured out the QoS stuff yet.  I apologize, I know the QoS stuff isn't strictly pfSense, but rather is configured in the switch.  I'm banging my head trying to figure it out.  The manual seems useless but maybe it will make sense to someone else?

http://www.downloads.netgear.com/files/GS108Tv2/gs108tv2_gs110TP_usermanual.pdf

There are two ways to configure QoS.  CoS seems to mostly appear to be hardware based QoS internal to the switch.  The DiffServ way seems to be what I need.  I'm digging around in the DiffServ and nothing I try is making any difference.  To make it simple, I'm trying to set everything to priority 3 and then once I figure that out try to handle DHCP, IGMP, and other separately.

There appear to be three levels of configuration: Class, Policy, and Service.  The class looks like it is the filtering which matches the packet to be handled.  The only setting I have there is VLAN 2.  The service is where you map a policy to an interface.

https://dl.dropboxusercontent.com/u/36902/gs108t_screenshots/Screen%20Shot%202014-02-21%20at%2022.22.43.png
https://dl.dropboxusercontent.com/u/36902/gs108t_screenshots/Screen%20Shot%202014-02-21%20at%2022.23.04.png
https://dl.dropboxusercontent.com/u/36902/gs108t_screenshots/Screen%20Shot%202014-02-21%20at%2022.23.13.png

It looks like the policy is where the real work happens.  I've tried setting the policy COS to 3, the IP precedence to 3, and the IP DSCP to both cs3 and cs1, not really clear which one of these sets the correct bits.  Nada - same speed test result.  I'm running the test on ethernet through the tv box, but I fully expect from past tests to see something ~ 140/130.

Sorry if I'm missing something obvious here, but any ideas?
Title: Re: 802.1p/q pfsense setup
Post by: rhornsby on February 25, 2014, 10:11:45 pm
Finally got everything working.  Part of the problem was the speed test was giving really bad results.  I wrote up the instructions for configuring the Netgear GS108Tv2.  Comments or other feedback is welcome.  The QoS part especially was long enough that I broke  VLAN and QoS into separate posts.

Part 1 - http://flyovercountry.org/2014/02/google-fiber-gigabit-speeds-your-router-part-1-vlans/
Part 2 - http://flyovercountry.org/2014/02/google-fiber-gigabit-speeds-your-router-part-2-qos/
Title: Re: 802.1p/q pfsense setup
Post by: SpitefulMonkey on April 07, 2014, 06:28:54 pm
I am using the netgear gs108t v2 switch and a pfsense box running the latest release. I have the switch set correctly as my internet connection is full speed both ways 984/978. The tv's guide comes up but no video is shown. I followed 1.2 version of the guide pdf starting from section 2 (setting up TV). Any ideas on something I could try to get my tv services back up and going?
Title: Re: 802.1p/q pfsense setup
Post by: rhornsby on April 07, 2014, 07:56:08 pm
Quote
I am using the netgear gs108t v2 switch and a pfsense box running the latest release. I have the switch set correctly as my internet connection is full speed both ways 984/978. The tv's guide comes up but no video is shown. I followed 1.2 version of the guide pdf starting from section 2 (setting up TV). Any ideas on something I could try to get my tv services back up and going?

One of the things that is easy to miss is setting the correct option on the 4 firewall rules:

Quote
Scroll down to Advanced Features -> Advanced Options and check the first box. It should read, “This allows packets with IP options to pass. Otherwise they are blocked by default. This is usually only seen with multicast traffic.”

At one point, I had the option set on only three of the rules and it caused weird issues.
Title: Re: 802.1p/q pfsense setup
Post by: Atlantisman on April 07, 2014, 11:06:01 pm
You should only need the set opts box checked on the default ALLOW ALL rule in Firewall -> Rules -> LAN.

Also, it seems like pfsense doesn't handle the IGMP traffic (at least for me) 100% effectively, causing little hiccups in tv service where it stops working for 10-15 seconds. I am still investigating this issue and will be doing more testing with pfsense 2.1.1.
Title: Re: 802.1p/q pfsense setup
Post by: rhornsby on April 08, 2014, 07:19:50 am
Quote
You should only need the set opts box checked on the default ALLOW ALL rule in Firewall -> Rules -> LAN.

D'oh! Maybe that's part of my problem. Completely misunderstood the doc on that. You did say default rule, not the IGMP FW rules.  My fault.
Title: Re: 802.1p/q pfsense setup
Post by: SpitefulMonkey on April 08, 2014, 10:55:41 am
Is IPv6 working for you all when you go test it? It doesn't seem to be working for me anymore.

Title: Re: 802.1p/q pfsense setup
Post by: rhornsby on April 08, 2014, 08:40:11 pm
Quote
You should only need the set opts box checked on the default ALLOW ALL rule in Firewall -> Rules -> LAN.

D'oh! Maybe that's part of my problem. Completely misunderstood the doc on that. You did say default rule, not the IGMP FW rules.  My fault.

I went back and looked at this again.  I had the allow ip opts set on both the default rule and the individual IGMP rules, so it probably wasn't making any difference after all.
Title: Re: 802.1p/q pfsense setup
Post by: rhornsby on April 08, 2014, 08:49:41 pm
Quote
Is IPv6 working for you all when you go test it? It doesn't seem to be working for me anymore.

Negative.  Unfortunately, I don't understand enough about IPv6 to know even what to look at.  Most everything I've found talks about using a tunnel broker, I assume since so many ISPs like Comcast aren't delivering IPv6 to residential(?) customers.  GF, AFAIK, supports and uses it.

For an "old" guy like me, IPv6 feels like a whole new interweb.  https://www.youtube.com/watch?v=5wWsJH4LVTA
Title: Re: 802.1p/q pfsense setup
Post by: Atlantisman on May 07, 2014, 02:05:50 pm
I have been able to get IP6 to work on any device except for pfsense. I can plug a windows box, centos box, mint box or etc into my WAN connection and get a publicly route-able IP6 address, but no luck getting pfsense to get an address.

I am not sure, but I think it may have something to do with pfsense using dhcp6c instead of dhclient -6 to call for an address.


If anyone has any thoughts or ideas about this issue that would be awesome.

Thanks.
Title: Re: 802.1p/q pfsense setup
Post by: Jeff V. on May 12, 2014, 02:29:06 pm
This weekend, I finally got a chance to mess with this some more.

I was able to borrow a Netgear GSM7312 switch from work.  While the GUI is laid out differently from the GS108T, it follows the same unintuitive logic.  Fortunately rhornsby created a great guide for the GS108T that I was able to follow to get the 7312 working.

When I was directly connected to the 7312, I was pulling ~930 mbit in both directions. That's about as fast as I've seen any Google Fiber connection go, so I'm really pleased.

My pfSense box is a rebuilt and upgraded Watchguard X5000.  With that in place, I'm seeing around 800 both ways.   So a little bit of loss, but I'm still pleased. Especially for something that didn't even power up when I bought it.   Video is working nearly perfectly.  I've seen a couple very minor interruptions, and I'm hoping I can eventually tune those out.

Given what I've seen on eBay, I don't think the Netgear GSM switches are preferable to the GS108T.  They can be rack mounted, but they take up more space and power than the GS108T.  They're also a bit more expensive.  On the bright side, they have a text based command line and config file.  I've attached a fairly generic config for my 7312.  Port 1 goes to the Google ONT.  Port 2 goes to the router. And port 3 is set up to allow you to connect via telnet or the web GUI on 192.168.1.4.

What I'm really curious about is the Netgear FSM series.  These are 10/100 switches that have 2-4 gigabit uplink ports. They're quite a bit cheaper than the all-gigabit GSM series.  I was able to grab a FSM7328S for $35 shipped.  According to the data sheet, the backplane bandwidth is competitive with the GSM7312, and it uses the same base firmware and command line.   So hopefully I can just paste in my config file and be right back in business.

Thanks to Atlantisman and rhornsby and everyone else for their hard work on this.  It was so well documented that it was actually enjoyable to work on.  I should hopefully have a report on the FSM7328S this weekend.
Title: Re: 802.1p/q pfsense setup
Post by: Jeff V. on May 15, 2014, 08:53:21 pm
Well, good news.  The FSM7328S works great.  The config needs a few tweaks vs the GSM7312, but overall it's the same.

The ports are numbered 1/0/1 - 1/0/24 for the 10/100 ports, and 1/0/25 - 1/0/28 for the gig ports.

Right off the bat, this switch is meant for stacking with other compatible Netgear switches.  As best I can tell, there's no way to disable this.  Thus, ports 1/0/27 and 1/0/28 are hard coded stack ports and don't seem to be available for general purpose use.  They took the config, but I wasn't able to pass traffic.  It cleared up when I moved the pfSense box to 1/0/25 and the Google ONT to 1/0/26.    I was able to get ~930x930 Mbit when I tested directly from the switch.

This is basically the box-stock config, with the bare minimum to get it working on a Google connection.  The config is attached.  You'll be able to telnet or access the web UI at 192.168.1.4 from any of the 10/100 ports.

The other nice thing about this vs the GSM73xx box is that it's smaller, and fanless.  For $35 shipped, I couldn't be happier.

Now on to the not so good news.

I'm still seeing some IPTV issues.  It was bad enough that my wife gave up on watching TV while she worked from home today.  I may have found a partial fix though.

If you go into System > Advanced and then go to the System Tunables tab, there's an option called net.inet.ip.fastforwarding.  Edit that value, and change it from 'default' to '1'.   Then reboot your box.   I noticed a nice 10% increase in my speed tests, though the tests were hardly scientific.    I've been watching a movie for the last couple hours, and the video has been damn near perfect the entire time.   Be warned though.  I've read some posts that say this setting can break IPSEC VPN clients. That may have just been for older versions though.  The information is conflicting in some places.

I've read about people successfully using far less powerful pfSense setups on other IPTV systems, so all I can figure is that Google has very tight timing tolerances that the pfSense IGMP proxy or firewall code struggles to meet.

One last thing....IPv6 DHCP.  I tried to get an IPv6 address when I tested directly from the Netgear switch.  I wasn't able to.  Technically the switch should just pass any ethernet frames, regardless of whether they've got v4 or v6 payloads.  But clearly something is missing.  I don't know enough about IPv6 yet to really make much headway on it.

I've got access to a few other switches, so I'll see if I can't line up some more tests for the IPv6 stuff.
Title: Re: 802.1p/q pfsense setup
Post by: Atlantisman on May 15, 2014, 09:23:29 pm
Your switch will have really nothing to do with the IPv6. I have been working on trying to get IPV6 to work without any luck.

It seems to be a problem with pfsense (tested on pfsense 2.1 (first version to completely support IP6), 2.1.2, 2.1.3, and the 2.2 beta), since I can plug literally anything else into one of the VLAN2 ports on my switch and it pulls an ipv6 address in seconds. I tested this with windows, centos linux, Ubuntu linux and more.

I was also having IPTV issues. I had given up on it for now as pfsense doesn't appear to be handling the traffic effectively. So I have my Google Router plugged into another port connected to VLAN2 on my switch and have all the TV gear plugged into that, essentially splitting my network into a data section and a tv section.

EDIT: When I am able to get IP6 working I am going to try putting the TV equipment behind pfsense again, since IP6 is more efficient and has less overhead than IP4. Based on my traffic sniffing it seems to be using IP6 for the TV service anyways.
Title: Re: 802.1p/q pfsense setup
Post by: Jeff V. on May 15, 2014, 11:25:56 pm
The weird part for me is that I tried to get a v6 address when I had my MacBook connected directly to the switch, before I had hooked up the pfSense box.

If I set up VLAN 2 on my MacBook and plug directly into the fiber jack, I get a v4 address only. These Netgear boxes I'm testing are pretty old, so it wouldn't surprise me if something isn't up to spec.

I like your idea of splitting the networks.  But that would break the Fiber guide app, right?  As it sits, I'm going to have to shelve this whole project because my wife is losing patience with the TV situation, and breaking the Fiber app will be the last straw.  If it was up to me, this wouldn't even be an issue.  I'd have the gigabit-only package...

EDIT:  I have to backtrack part of what I said.  I didn't actually test v6 directly to the fiber jack on the night I installed the Netgear.  My recollection of getting a v6 address directly off the fiber jack was based on an apparently incorrect memory of the first time I tried this many months ago.  I am definitely not getting a v6 address right now.

I'm still a little fuzzy on it, but I found this thread that may help explain it.

http://apple.stackexchange.com/questions/60608/does-os-x-have-a-builtin-dhcpv6-client

It's directed more towards OSX, but I think the theory could apply to pfSense too (especially since they're both based on FreeBSD).   It looks like you need certain options enabled on the upstream router in order for DHCPv6 to work.  Without those options enabled, you need to rely on other IPv6 mechanisms (router announcements?)

So my speculation is that the Google Network Box requests a v6 prefix from the upstream Google interface. The LAN facing side of the Network Box has the necessary options turned on, so DHCPv6 works inside your network.
Title: Re: 802.1p/q pfsense setup
Post by: Jeff V. on May 16, 2014, 04:40:57 pm
Also, I figured out how to disable the stack ports on the FSM73xxS series.

http://rivald.blogspot.com/2009/05/netgear-switches-fsm7352s-and-disabling.html

Quote
To disable stacking from the command line:

enable (if you aren't there already)
configure
stack
stack-port 1/0/51 ethernet
stack-port 1/0/52 ethernet

To revert them back to stack ports:

configure
stack
stack-port 1/0/51 stack
stack-port 1/0/52 stack

I had to reboot my switch to get the change to take effect.   Substitute 1/0/27 and 1/0/28 if you only have the 28 port version like I do.
Title: Re: 802.1p/q pfsense setup
Post by: Jeff V. on June 17, 2014, 06:42:08 pm
For anyone who's interested, I have a working IPv6 config now. 

Go here and see post 7.  Beware possible hard crashes when you have IPv4 + IGMP + IPv6 configured though.

https://forum.pfsense.org/index.php?topic=76322.0
Title: Re: 802.1p/q pfsense setup
Post by: bejahnel on February 01, 2015, 03:10:55 am
Hey guys, I just got GF and am looking for a way to get a firewall in place to mainly use VPN and protect my network. Thinking about trying a pfSense either Virtual machine off a Dell 2950 running ESX, or I have an older pizza box server with I believe a P4, no clue on RAM, haven't got it in my rack yet. I have a cisco ASA 5505 that worked awesome when I had comcast, but I want to take full advantage of GF. The dropbox link seems to be dead. Is there a way I can get that config to help me get pfsense setup a little faster? Much appreciated!!! Also I have a Dell 6248P, but I'd rather not have that on the perimeter just stripping off the QoS. Again, thanks for any help.


P.S. An afterthought is that maybe I could use pfSense to do my firewall and have GF equipment on its own vlan and have the 6248 route the traffic through the GF port, then I shouldn't have to worry about QoS. Also it looks like GF has a support page for using their service without their box. Doesn't say anything about needing IPv6, says it's optional and they recommend having DHCPv6 enabled, but here is the page for you to look for yourself - https://support.google.com/fiber/faq/3333053?hl=en#6032607
Title: Re: 802.1p/q pfsense setup
Post by: dhiltonp on February 11, 2015, 11:09:35 pm
Nice find on the google fiber support page!

Atlantisman's guide can be found by searching for "GoogleFiberRouterGuide.pdf."

There is one step missing from his guide, though - you've got to create the VLAN within pfSense, too:
Title: Re: 802.1p/q pfsense setup
Post by: nutt318 on April 14, 2015, 09:32:32 pm
Just finished the guide from here (http://flyovercountry.org/2014/02/google-fiber-gigabit-speeds-your-router-part-1-vlans/) and just finished page 2 and the last step doesn't seem to be working for me.

My Operational Status is Down, my internet works but upload is only 10meg and my down is around 350meg which is very low from last nights test. Also my TVs are not working either, just get a black screen saying channel not available.

Anyways just trying to figure out why my status for g2 is down.

EDIT:

So I re-read the guide and somehow I missed the VLAN tag for IGMP under the QOS Class configuration. So I added VLAN2, and checked the status and now it says UP.
Problem now is I'm getting only 40down and .4up, it's gotten worse.

Any ideas?

EDIT 2:
Missed the IGMP Setting for the same Class Sections, I must have hit cancel and not apply. Anyways the internet is working great! However my TV is not.

I'm getting a black screen with a red text saying Channel Not Available.

Any ideas on the TV side of things?

EDIT 3:
Followed this guide to get TV working - http://flyovercountry.org/wp-content/uploads/2014/02/GoogleFiberRouterGuide.pdf however only lower channels work.

1-97 come in just fine, 98 and above do not show up. Is there another subnet that's used that's not listed in the guide?

EDIT 4:
I've got everything working! I've created some documentation on the process of getting everything working. Links Below:

Bypass the Network Box - Part 1:
http://www.itnutt.com/how-to-bypass-google-fibers-network-box/

Setup Firewall Rules for TV Services - Part 2:
http://www.itnutt.com/how-to-get-google-fiber-tv-services-working-with-pfsense/
Title: Re: 802.1p/q pfsense setup
Post by: Duncan308 on December 11, 2015, 02:53:16 pm
Does anyone have this working with only pfSense? I've got 4 Gb ports on the pfSense box but not a good switch. If someone does can you point me in the right direction on the WAN setup. LAN is working fine but I cannot get out to the internet so I'm missing something on the VLAN setup I'm guessing if this is even possible directly via pfSense. I will post setup of pfSense later; work has successfully blocked teamviewer somehow.
Title: Re: 802.1p/q pfsense setup
Post by: KingViper on May 04, 2016, 03:39:06 pm
I just got Google Fiber installed today and had a Netgear GS108T lined up for tagging and priority assignment. While the netgear worked just fine, I was able to get internet working natively within pFsense without the Netgear switch. I think in pFsense 2.3 they added some options and potentially fixed some issues with 802.1p compared to before. Here's what I did. (I do not have TV service so I can't comment there)

Step 1.

Interfaces -> Assign
VLANS
+Add
Parent Interface - WAN
VLAN Tag - 2
VLAN Priority - 3
Description - Google Fiber VLAN
Save

It should look like this. (Where em1 is your WAN interface)
(http://i.imgur.com/DioxsHD.png)

Step 2.

Interfaces -> Assign
Interface Assignments
WAN - Google Fiber VLAN
Save

It should look like this.
(http://i.imgur.com/uQUvzJ6.png)

And that's it. My internet started working at full speed both up and down!
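To confirm on the wire what the VLAN settings above produce, the following added example (not part of the post) parses the 802.1Q tag of an Ethernet frame and compares the VLAN ID and 802.1p priority with the values listed in the thread's opening post (VLAN 2; DHCP = 2, IGMP = 6, everything else = 3). The sample frames are constructed inline and the function names are illustrative.

```python
# Added example: check 802.1Q VLAN ID and 802.1p priority (PCP) of Ethernet frames.
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
EXPECTED_VID = 2
# 802.1p values from the thread's opening post.
EXPECTED_PCP = {"dhcp": 2, "igmp": 6, "other": 3}


def build_frame(pcp, vid, ip_proto, sport=0, dport=0):
    """Constructed sample frame: Ethernet [+ 802.1Q tag] + IPv4 [+ UDP header].
    Pass pcp=None to build an untagged frame."""
    l4 = struct.pack("!HHHH", sport, dport, 8, 0) if ip_proto == 17 else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                     ip_proto, 0, bytes(4), bytes(4))
    macs = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"
    if pcp is None:
        return macs + struct.pack("!H", ETHERTYPE_IPV4) + ip + l4
    tci = (pcp << 13) | (vid & 0x0FFF)  # PCP: 3 bits, DEI: 1 bit, VID: 12 bits
    return macs + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + ip + l4


def parse_tag(frame):
    """Return the 802.1Q fields of a frame, or None if the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, ethertype = struct.unpack_from("!HH", frame, 14)
    return {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF,
            "ethertype": ethertype, "payload": frame[18:]}


def classify(tag):
    """Sort a tagged frame into the thread's three classes: dhcp, igmp, other."""
    p = tag["payload"]
    if tag["ethertype"] != ETHERTYPE_IPV4 or len(p) < 20:
        return "other"
    ihl = (p[0] & 0x0F) * 4
    proto = p[9]
    if proto == 2:
        return "igmp"
    if proto == 17 and len(p) >= ihl + 4:
        sport, dport = struct.unpack_from("!HH", p, ihl)
        if {sport, dport} <= {67, 68}:  # DHCP client/server ports
            return "dhcp"
    return "other"


def check_frame(frame):
    """Return (traffic class, list of mismatches against the expected tagging)."""
    tag = parse_tag(frame)
    if tag is None:
        return "untagged", ["no 802.1Q tag"]
    kind = classify(tag)
    problems = []
    if tag["vid"] != EXPECTED_VID:
        problems.append(f"VLAN {tag['vid']}, expected {EXPECTED_VID}")
    if tag["pcp"] != EXPECTED_PCP[kind]:
        problems.append(f"{kind} frame has PCP {tag['pcp']}, expected {EXPECTED_PCP[kind]}")
    return kind, problems


if __name__ == "__main__":
    samples = {
        "DHCP, PCP 2": build_frame(2, 2, 17, 68, 67),
        "TCP, PCP 3": build_frame(3, 2, 6),
        "IGMP, PCP 3": build_frame(3, 2, 2),
        "untagged TCP": build_frame(None, 0, 6),
    }
    for name, frame in samples.items():
        print(name, "->", check_frame(frame))
```

Frames captured on the WAN parent interface can be fed to `check_frame` as raw bytes; a single per-VLAN priority of 3 shows up here as a mismatch only for the DHCP and IGMP classes.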
Title: Re: 802.1p/q pfsense setup
Post by: KingViper on May 09, 2016, 10:54:05 am
I also had to disable the IPv6 config on pfsense to fix some issues on my android phone when using WiFi. I had problems downloading/updating apps in the play store, watching youtube videos in the youtube app (they would work fine from chrome), downloading pictures in SMS, and accessing printers in google cloud print. There is probably a way to actually fix it, but for now disabling IPv6 resolved my issues.

Step 3.

Interfaces -> LAN
IPv6 Configuration Type - None
Save

(http://i.imgur.com/mASNUYs.jpg)
Title: Re: 802.1p/q pfsense setup
Post by: CobraGT2000 on May 11, 2016, 09:12:55 am
So I've followed all the steps, I get an IP address, I'm able to ping out and have internet.

The only issue I've run across is the gateway constantly shows 90-100% packet loss and offline (even though it's working without issues). I am trying to do fail-over, however with the gateway showing packet loss and offline the fail-over will not work.

I don't have the TV service, is there something that I'm missing? Is anyone else having this issue?
Title: Re: 802.1p/q pfsense setup
Post by: KingViper on May 17, 2016, 12:24:30 pm
My gateway shows 0% packet loss and online.

(http://i.imgur.com/b5Ur3hC.jpg)
Title: Re: 802.1p/q pfsense setup
Post by: CobraGT2000 on May 17, 2016, 12:30:32 pm
I had to end up changing the ICMP packet from 0 to 1 and that took care of it.
Odd that yours works without that.
Title: Re: 802.1p/q pfsense setup
Post by: zhester on May 18, 2016, 08:02:56 am
Quote
I just got Google Fiber installed today and had a Netgear GS108T lined up for tagging and priority assignment. While the netgear worked just fine, I was able to get internet working natively within pFsense without the Netgear switch. I think in pFsense 2.3 they added some options and potentially fixed some issues with 802.1p compared to before. Here's what I did. (I do not have TV service so I can't comment there)

Step 1.

Interfaces -> Assign
VLANS
+Add
Parent Interface - WAN
VLAN Tag - 2
VLAN Priority - 3
Description - Google Fiber VLAN
Save

Step 2.

Interfaces -> Assign
Interface Assignments
WAN - Google Fiber VLAN
Save

And that's it. My internet started working at full speed both up and down!

I registered to this forum for the singular and explicit purpose of posting this message.  THANK YOU!

My Google searches kept sending me into the guts of using ALTQ (A.K.A. "Traffic Shaping") to do this.  I didn't think that the QoS priority could be set in the VLAN config page.  Plus, ALL the other tutorials and examples used a managed switch (like your first attempt) for the sole purpose of adjusting Ethernet frame headers.  That felt wrong.  I'm glad you posted this.  I updated my configs, and Google Fiber is sailing at full symmetrical bandwidth.

Now: If we could just get Google searching to hit this forum a little better, I wouldn't have spent 10 hours messing around with traffic shaping just to set an outgoing QoS field in my frames.
Title: Re: 802.1p/q pfsense setup
Post by: TourniquetRules on May 23, 2016, 08:46:36 pm
I followed the guide by ITNUTT, flyovercountry and atlantisman.  I am using their recommended Netgear switch and pfsense on a super micro configuration found elsewhere on this board. The internet works fine with speeds of 914/930.  The TV channels all come in but all freeze after a couple of minutes.  Changing channels gets it going again.  I have 3 TV boxes.  I worked with Google support for an hour today trying to narrow it down.  Ultimately I hooked the Google network box back up and the TV worked fine.  The closest we could come was bad setup on my end which they don't support or poor signal to the boxes (which may be true however it does work with the existing Google network box). If anyone has similar experience or solutions please post.
Title: Re: 802.1p/q pfsense setup
Post by: rsaanon on October 26, 2016, 07:43:34 am
Hi folks,

Wondering if anyone is using Cisco SMB switch for the QoS setup for the Google fiber.  If so, it would be much appreciated if the setup/configuration can be shared.

-rsa