
Topics - andrew867

Hey all,

I have BellAliant FibreOP; they stick IPTV, internet, and voice over one fibre. There is an ONT unit that converts the fibre to an FXS voice port and a single gigabit RJ45. BellAliant provides a useless ActionTec router that takes the gigabit connection from the ONT and uses VLAN 35 for internet access (DHCP for IP address) and then uses VLAN 34 for IPTV.

The issue at hand is this: when the IPTV box sends its data on VLAN 34, it doesn't attach an 802.1p tag. That is left up to the router to do before it sends the data out on VLAN 34 to the ONT. The BellAliant network will drop/ignore any IPTV VLAN 34 packets that are not tagged with 802.1p priority 4 (video/VI).

I am using two Intel PRO/1000 NICs for the ONT WAN connection and IPTV data, with an onboard Broadcom gigabit for the LAN. I have pfSense working perfectly with the WAN selected as em0_vlan35 with DHCP, but when capturing packets on the WAN VLAN 34 (em0_vlan34) I see that they are always priority 0. I have set firewall rules to allow any traffic in and out of the OPT1 (em0_vlan34) and OPT2 (em1_vlan34) and to set an 802.1p tag as 4 (VI) both ways on both interfaces. So it looks like this:

WAN -> em0_vlan35 (142.163.x.x DHCP)
LAN -> bge0 (
OPT1 -> em0_vlan34 (no IP)
OPT2 -> em1_vlan34 (no IP)
bridge0 -> OPT1, OPT2

Firewall rules for OPT1 and OPT2 are like this:
Any in, any out, anywhere. Any inbound ('none') 802.1p tag, outbound VI (4).

This patch is what led me to using 2.1 dev, but there is a slight bug in the code. This is the change I made to allow me to select a different match (input?) priority than the outgoing tag when going back to the page to edit the rule.

Code:
<td width="22%" valign="top" class="vncell"><?=gettext("802.1p");?></td>
<td width="78%" class="vtable">
	<div id="showadvvlanpriobox" <?php if (!empty($pconfig['vlanprio'])) echo "style='display:none'"; ?>>
		<input type="button" onClick="show_advanced_vlanprio()" value="<?=gettext("Advanced"); ?>"></input> - <?=gettext("Show advanced option");?>
	</div>
	<div id="showvlanprioadv" <?php if (empty($pconfig['vlanprio'])) echo "style='display:none'"; ?>>
<?php
		// Separate option lists so the match priority and the applied priority
		// each keep their own selection when the rule is edited again.
		$vlanprio = array("none", "be", "bk", "ee", "ca", "vi", "vo", "ic", "nc");
		$vlanprioset = array("none", "be", "bk", "ee", "ca", "vi", "vo", "ic", "nc");

		// Options for the 802.1p priority to match on
		$opts = "";
		foreach ($vlanprio as $vprio) {
			if ($vprio == $pconfig['vlanprio'])
				$selected = " SELECTED";
			else
				$selected = "";
			if ($vprio == "none")
				$opts .= "<option value=\"\" {$vprio}>{$vprio}</option>\n";
			else
				$opts .= "<option value=\"{$vprio}\" {$selected}>" . strtoupper($vprio) . "</option>\n";
		}

		// Options for the 802.1p priority to apply
		$optsset = "";
		foreach ($vlanprioset as $vprioset) {
			if ($vprioset == $pconfig['vlanprioset'])
				$selected = " SELECTED";
			else
				$selected = "";
			if ($vprioset == "none")
				$optsset .= "<option value=\"\" {$vprioset}>{$vprioset}</option>\n";
			else
				$optsset .= "<option value=\"{$vprioset}\" {$selected}>" . strtoupper($vprioset) . "</option>\n";
		}
?>
		<select name='vlanprio'>
			<?php echo $opts; ?>
		</select>
		<p><?=gettext("Choose 802.1p priority to match on");?></p>
		<select name='vlanprioset'>
			<?php echo $optsset; ?>
		</select>
		<p><?=gettext("Choose 802.1p priority to apply");?></p>
	</div>
</td>

But it seems that the 802.1p firewall rules really don't work. Did I do something wrong, or is there something else I can try?

Here is a screenshot of the packets captured on the WAN after turning on 802.1p VI in the firewall rules, VLAN is set properly but PRI is still 0 (best effort/BE):

Any help would be appreciated, getting the TV working is the last step to having super awesome 50/30 internet that doesn't crap out when torrenting ;)
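
The check described in the post (frames leaving on VLAN 34 must carry 802.1p priority 4, VI) can be automated instead of read off a capture by eye. The following is an added example, not part of the original post or of pfSense: it decodes the 802.1Q tag of raw Ethernet frames and reports VLAN 34 frames with the wrong priority. The helper names and the sample frames are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN tag
# 802.1p priority code point (PCP) names, indexed by PCP value 0..7
PCP_NAMES = ["BE", "BK", "EE", "CA", "VI", "VO", "IC", "NC"]


def parse_vlan_tag(frame: bytes):
    """Return (vid, pcp, dei) from the outer 802.1Q tag, or None if untagged."""
    if len(frame) < 18:  # 12 bytes of MACs + 4-byte tag + 2-byte EtherType
        return None
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid != TPID_8021Q:
        return None
    # TCI layout: 3 bits PCP | 1 bit DEI | 12 bits VLAN ID
    return tci & 0x0FFF, tci >> 13, (tci >> 12) & 1


def check_iptv_priority(frames, vlan=34, required_pcp=4):
    """List (index, pcp_name) for frames on `vlan` whose PCP is not required_pcp."""
    bad = []
    for i, frame in enumerate(frames):
        tag = parse_vlan_tag(frame)
        if tag is None or tag[0] != vlan:
            continue  # untagged or another VLAN (e.g. internet on VLAN 35)
        if tag[1] != required_pcp:
            bad.append((i, PCP_NAMES[tag[1]]))
    return bad


def build_frame(vid=None, pcp=0, payload=b"\x00" * 46):
    """Build a constructed sample frame; vid=None means untagged."""
    macs = b"\x01\x00\x5e\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x01"
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return macs + tag + struct.pack("!H", 0x0800) + payload


# Constructed samples: correct IPTV frame, IPTV frame left at priority 0,
# an internet frame on VLAN 35, and an untagged frame.
SAMPLE_FRAMES = [build_frame(34, 4), build_frame(34, 0),
                 build_frame(35, 0), build_frame()]

if __name__ == "__main__":
    for idx, name in check_iptv_priority(SAMPLE_FRAMES):
        print(f"frame {idx}: VLAN 34 with priority {name}, expected VI")
```
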

