Author Topic: 802.1p/q pfsense setup  (Read 18394 times)

Offline stephenw10

Re: 802.1p/q pfsense setup
« Reply #45 on: February 20, 2014, 05:58:21 am »
It looks like you may have fallen into the trap of adding a gateway to the LAN interface which, since it's done after WAN, then becomes the default. You shouldn't have a gateway on LAN at all. A lot of people seem to be doing that recently for some reason.
The correct place to set the default gateway (and remove any spurious ones) is System: Routing: Gateway:

Steve

Offline rhornsby

Re: 802.1p/q pfsense setup
« Reply #46 on: February 20, 2014, 06:35:42 am »
Quote
It looks like you may have fallen into the trap of adding a gateway to the LAN interface which, since it's done after WAN, then becomes the default. You shouldn't have a gateway on LAN at all. A lot of people seem to be doing that recently for some reason.
The correct place to set the default gateway (and remove any spurious ones) is System: Routing: Gateway:

Steve

I didn't intentionally or explicitly add a gateway to the LAN interface that I can recall.  You're right, it doesn't make sense for the LAN interface to have a gateway.  I saw under System > Routing > Gateway that there is one for the LAN, and one for the WAN.  I thought it was a little odd, but figured it must be the way pfSense is presenting the configuration in the UI.

The only possible time I can think when I might have done something to cause this LAN GW to end up in the routing table is setting up the LAN DHCP server.  It is possible there was a question during that portion of the initial setup I should have left blank - probably thinking the question was asking what GW should the DHCP clients use.

Offline stephenw10

Re: 802.1p/q pfsense setup
« Reply #47 on: February 20, 2014, 07:09:05 am »
Like you say it should be blank. If you change the LAN subnet at the initial console setup it asks you questions in order (IP address, subnet mask etc) and one of those is the gateway. It's hard to just return through it when it's explicitly asking you for the gateway.
The wording there especially could be changed to prevent this.

https://forum.pfsense.org/index.php/topic,72694.0.html

If you have entered a gateway on LAN remove it from Interfaces: LAN: and then go to System: Routing: Gateways: and remove it there too making sure the WAN gateway is set as default.

Steve

Offline -flo-

Re: 802.1p/q pfsense setup
« Reply #48 on: February 20, 2014, 11:55:50 pm »
Quote
You shouldn't have a gateway on LAN at all. A lot of people seem to be doing that recently for some reason

Btw. this happened to me when I set up pfSense from the serial console (on an ALIX board if that matters). I'm absolutely sure that I did not create a gateway, I logged every single step of my setup.

-flo-
 

Offline rhornsby

Re: 802.1p/q pfsense setup
« Reply #49 on: February 21, 2014, 10:26:21 pm »
Quote
I had an issue where the DHCP on the WAN side would only assign a total of 2-3 Public IP addresses. So you could have the same issue with the DHCP servers holding your reservations, that's why it worked when you plugged the macbook in. So you might try spoofing the macbook's mac address to your pfsense machine and it might work.

EDIT: Also, I did some reading on that switch and it does have two different types of VLANs, port based (or private), and 802.1Q (the one you need). Be sure you're using the proper VLANs on the switch.

I finally got it working to the point where I could get everything on the Internet.  Thanks to Stephenw10 for the help on the routing table stuff.

However, the best speed I'm able to get is 30/10, which tells me I haven't figured out the QoS stuff yet.  I apologize, I know the QoS stuff isn't strictly pfSense, but rather is configured in the switch.  I'm banging my head trying to figure it out.  The manual seems useless but maybe it will make sense to someone else?

http://www.downloads.netgear.com/files/GS108Tv2/gs108tv2_gs110TP_usermanual.pdf

There are two ways to configure QoS.  CoS seems to mostly appear to be hardware based QoS internal to the switch.  The DiffServ way seems to be what I need.  I'm digging around in the DiffServ and nothing I try is making any difference.  To make it simple, I'm trying to set everything to priority 3 and then once I figure that out try to handle DHCP, IGMP, and other separately.

There appear to be three levels of configuration: Class, Policy, and Service.  The class looks like it is the filtering which matches the packet to be handled.  The only setting I have there is VLAN 2.  The service is where you map a policy to an interface.

https://dl.dropboxusercontent.com/u/36902/gs108t_screenshots/Screen%20Shot%202014-02-21%20at%2022.22.43.png
https://dl.dropboxusercontent.com/u/36902/gs108t_screenshots/Screen%20Shot%202014-02-21%20at%2022.23.04.png
https://dl.dropboxusercontent.com/u/36902/gs108t_screenshots/Screen%20Shot%202014-02-21%20at%2022.23.13.png

It looks like the policy is where the real work happens.  I've tried setting the policy COS to 3, the IP precedence to 3, and the IP DSCP to both cs3 and cs1, not really clear which one of these sets the correct bits.  Nada - same speed test result.  I'm running the test on ethernet through the tv box, but I fully expect from past tests to see something ~ 140/130.

Sorry if I'm missing something obvious here, but any ideas?

Offline rhornsby

Re: 802.1p/q pfsense setup
« Reply #50 on: February 25, 2014, 10:11:45 pm »
Finally got everything working.  Part of the problem was the speed test was giving really bad results.  I wrote up the instructions for configuring the Netgear GS108Tv2.  Comments or other feedback is welcome.  The QoS part especially was long enough that I broke VLAN and QoS into separate posts.

Part 1 - http://flyovercountry.org/2014/02/google-fiber-gigabit-speeds-your-router-part-1-vlans/
Part 2 - http://flyovercountry.org/2014/02/google-fiber-gigabit-speeds-your-router-part-2-qos/

Offline SpitefulMonkey

Re: 802.1p/q pfsense setup
« Reply #51 on: April 07, 2014, 06:28:54 pm »
I am using the netgear gs108t v2 switch and a pfsense box running the latest release. I have the switch set correctly as my internet connection is full speed both ways 984/978. The tv's guide comes up but no video is shown. I followed 1.2 version of the guide pdf starting from section 2 (setting up TV). Any ideas on something I could try to get my tv services back up and going?

Offline rhornsby

Re: 802.1p/q pfsense setup
« Reply #52 on: April 07, 2014, 07:56:08 pm »
Quote
I am using the netgear gs108t v2 switch and a pfsense box running the latest release. I have the switch set correctly as my internet connection is full speed both ways 984/978. The tv's guide comes up but no video is shown. I followed 1.2 version of the guide pdf starting from section 2 (setting up TV). Any ideas on something I could try to get my tv services back up and going?

One of the things that is easy to miss is setting the correct option on the 4 firewall rules:

Quote
Scroll down to Advanced Features -> Advanced Options and check the first box. It should read, “This allows packets with IP options to pass. Otherwise they are blocked by default. This is usually only seen with multicast traffic.”

At one point, I had the option set on only three of the rules and it caused weird issues.

Offline Atlantisman

Re: 802.1p/q pfsense setup
« Reply #53 on: April 07, 2014, 11:06:01 pm »
You should only need the set opts box checked on the default ALLOW ALL rule in Firewall -> Rules -> LAN.

Also, it seems like pfsense doesn't handle the IGMP traffic (at least for me) 100% effectively, causing little hiccups in tv service where it stops working for 10-15 seconds. I am still investigating this issue and will be doing more testing with pfsense 2.1.1
« Last Edit: April 07, 2014, 11:08:09 pm by Atlantisman »
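
Added example, not part of any post in this thread: a Python sketch that decodes a constructed 802.1Q-tagged IGMP frame to show where the fields discussed in the QoS and firewall-rule posts above live. The 802.1p priority (CoS) sits in the VLAN tag, IP precedence and DSCP are two readings of the same IP header byte (so cs3 and precedence 3 set the same bits), and IGMP carries the Router Alert IP option, which is the kind of packet the "allow IP options" rule setting is about. The function names and the sample frame are assumptions made for illustration.

```python
import struct

ROUTER_ALERT = 0x94  # IPv4 option type for Router Alert (RFC 2113), carried by IGMP

def build_sample_frame(vlan=2, pcp=3, dscp=24):
    """Constructed sample: 802.1Q-tagged IGMPv2 report; all addresses are made up."""
    dst = bytes.fromhex("01005e010203")    # multicast MAC (constructed)
    src = bytes.fromhex("020000000001")    # locally administered MAC (constructed)
    tci = (pcp << 13) | (vlan & 0x0FFF)    # PCP 3 bits, DEI 1 bit, VLAN ID 12 bits
    tag = struct.pack("!HH", 0x8100, tci)  # TPID 0x8100 marks an 802.1Q tag
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x46,                 # version 4, IHL 6 words = 24 bytes
                     dscp << 2,            # DSCP is the top 6 bits of the ToS byte
                     32, 0, 0, 1, 2, 0,    # length, id, frag, TTL 1, proto 2 (IGMP), checksum left 0
                     bytes([192, 168, 1, 50]), bytes([239, 1, 2, 3]))
    ip += bytes([ROUTER_ALERT, 4, 0, 0])   # Router Alert option makes IHL > 5
    igmp = struct.pack("!BBH4s", 0x16, 0, 0, bytes([239, 1, 2, 3]))  # checksum left 0
    return dst + src + tag + struct.pack("!H", 0x0800) + ip + igmp

def decode(frame):
    """Return the priority and IP-option fields of an Ethernet/IPv4 frame."""
    out = {"vlan": None, "pcp": None}
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    if ethertype == 0x8100:                # tagged: priority lives in the layer-2 tag
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        out["pcp"], out["vlan"] = tci >> 13, tci & 0x0FFF
        offset = 18
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ver_ihl, tos = struct.unpack_from("!BB", frame, offset)
    ihl = ver_ihl & 0x0F                   # header length in 32-bit words
    options = frame[offset + 20:offset + ihl * 4]
    out["dscp"] = tos >> 2                 # 6-bit DSCP (cs3 = 24, cs1 = 8)
    out["ip_precedence"] = tos >> 5        # older 3-bit reading of the same byte
    out["protocol"] = frame[offset + 9]
    out["has_ip_options"] = ihl > 5        # such packets need "allow IP options" to pass
    out["router_alert"] = options[:1] == bytes([ROUTER_ALERT])
    return out

if __name__ == "__main__":
    print(decode(build_sample_frame()))
```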

Offline rhornsby

Re: 802.1p/q pfsense setup
« Reply #54 on: April 08, 2014, 07:19:50 am »
Quote
You should only need the set opts box checked on the default ALLOW ALL rule in Firewall -> Rules -> LAN.

D'oh! Maybe that's part of my problem. Completely misunderstood the doc on that. You did say default rule, not the IGMP FW rules.  My fault.

Offline SpitefulMonkey

Re: 802.1p/q pfsense setup
« Reply #55 on: April 08, 2014, 10:55:41 am »
Is IPv6 working for you all when you go test it? It doesn't seem to be working for me anymore.


Offline rhornsby

Re: 802.1p/q pfsense setup
« Reply #56 on: April 08, 2014, 08:40:11 pm »
Quote
You should only need the set opts box checked on the default ALLOW ALL rule in Firewall -> Rules -> LAN.

Quote
D'oh! Maybe that's part of my problem. Completely misunderstood the doc on that. You did say default rule, not the IGMP FW rules.  My fault.

I went back and looked at this again.  I had the allow ip opts set on both the default rule and the individual IGMP rules, so it probably wasn't making any difference after all.

Offline rhornsby

Re: 802.1p/q pfsense setup
« Reply #57 on: April 08, 2014, 08:49:41 pm »
Quote
Is IPv6 working for you all when you go test it? It doesn't seem to be working for me anymore.

Negative.  Unfortunately, I don't understand enough about IPv6 to know even what to look at.  Most everything I've found talks about using a tunnel broker, I assume since so many ISPs like Comcast aren't delivering IPv6 to residential(?) customers.  GF, AFAIK, supports and uses it.

For an "old" guy like me, IPv6 feels like a whole new interweb.  https://www.youtube.com/watch?v=5wWsJH4LVTA

Offline Atlantisman

Re: 802.1p/q pfsense setup
« Reply #58 on: May 07, 2014, 02:05:50 pm »
I have been able to get IP6 to work on any device except for pfsense. I can plug a windows box, centos box, mint box or etc into my WAN connection and get a publicly route-able IP6 address, but no luck getting pfsense to get an address.

I am not sure, but I think it may have something to do with pfsense using dhcp6c instead of dhclient -6 to call for an address.

If anyone has any thoughts or ideas about this issue that would be awesome.

Thanks.

Offline Jeff V.

Re: 802.1p/q pfsense setup
« Reply #59 on: May 12, 2014, 02:29:06 pm »
This weekend, I finally got a chance to mess with this some more.

I was able to borrow a Netgear GSM7312 switch from work.  While the GUI is laid out differently from the GS108T, it follows the same unintuitive logic.  Fortunately rhornsby created a great guide for the GS108T that I was able to follow to get the 7312 working.

When I was directly connected to the 7312, I was pulling ~930 mbit in both directions. That's about as fast as I've seen any Google Fiber connection go, so I'm really pleased.

My pfSense box is a rebuilt and upgraded Watchguard X5000.  With that in place, I'm seeing around 800 both ways.   So a little bit of loss, but I'm still pleased. Especially for something that didn't even power up when I bought it.   Video is working nearly perfectly.  I've seen a couple very minor interruptions, and I'm hoping I can eventually tune those out.

Given what I've seen on eBay, I don't think the Netgear GSM switches are preferable to the GS108T.  They can be rack mounted, but they take up more space and power than the GS108T.  They're also a bit more expensive.  On the bright side, they have a text based command line and config file.  I've attached a fairly generic config for my 7312.  Port 1 goes to the Google ONT.  Port 2 goes to the router. And port 3 is set up to allow you to connect via telnet or the web GUI on 192.168.1.4.

What I'm really curious about is the Netgear FSM series.  These are 10/100 switches that have 2-4 gigabit uplink ports. They're quite a bit cheaper than the all-gigabit GSM series.  I was able to grab a FSM7328S for $35 shipped.  According to the data sheet, the backplane bandwidth is competitive with the GSM7312, and it uses the same base firmware and command line.   So hopefully I can just paste in my config file and be right back in business.

Thanks to Atlantisman and rhornsby and everyone else for their hard work on this.  It was so well documented that it was actually enjoyable to work on.  I should hopefully have a report on the FSM7328S this weekend.