Hello,
I'm running Opnsense 24.7.3_1.
I have a VLAN interface with VLAN priority set to 0. Then my WAN is on that VLAN device.
I need to set VLAN priority to 6 on DHCP packets, but the setting on wan's interface has no effect on DHCP packets, as if the VLAN settings overwrites it.
In the config file "dhclient_wan.conf" there is vlan-pcp 6, but all DHCP packets are still in priority 0.
Is there a known issue about that ? How can I fix this ?
What provides your WAN connection? Is it a modem that requires VLAN 6?
Quote from: Ilford on September 08, 2024, 09:07:29 AM
How can I fix this ?
If it is, I would configure the OPNsense WAN port on your switch as an access port to VLAN 6 and make the device (modem or otherwise) that requires the traffic to be tagged to be a trunk port on VLAN 6
Bart...
Quote from: Ilford on September 08, 2024, 09:07:29 AM
I have a VLAN interface with VLAN priority set to 0.
But why when you need prio 6?
@bartjsmit - tag and priority are two different things.
Yep I'm talking about PCP at the VLAN level (tag is 832). Not even DSCP.
WAN is directly connected to ISP (FTTH), so WAN has a public IP. They require PCP 6 on DHCP (Orange France). Doc I followed is here : https://docs.opnsense.org/manual/how-tos/orange_fr_fttp.html
Quote from: Ilford on September 08, 2024, 10:55:24 AM
They require PCP 6 on DHCP (Orange France).
Yes, what I meant is - does it work when set directly on the VLAN?
This thread (https://forum.opnsense.org/index.php?topic=33376.0) might be an interesting read. There was an issue with this in the 23.1 era, but a fix was introduced, so the configuration you have described should work, IIUC.
I also came across this (https://forum.opnsense.org/index.php?topic=24301.0), which suggests that virtuali[sz]ation was interfering in that case.
How are you observing the PCP on DHCP packets?
@doktornotor Yeah if I set pcp 6 on the VLAN interface, DHCP works, but ISP limits the bandwidth if I tag everything with pcp 6
@dseven Yep I came across these threads, I don't use virtualization, I run Opnsense on a Sophos SG230 rev2 appliance, optic fiber is plugged to a SFP ONU on the firewall.
I'm observing the PCP by capturing packets on the GUI on the physical interface (not VLAN) and then I open the capture with Wireshark.
Quote from: Ilford on September 08, 2024, 12:46:34 PM
@doktornotor Yeah if I set pcp 6 on the VLAN interface, DHCP works, but ISP limits the bandwidth if I tag everything with pcp 6
Sheeesh... Well, I'd tag (https://forum.opnsense.org/index.php?topic=33376.msg161762#msg161762) the outgoing DHCP via firewall rules and move on. Good luck.
I tried but do you know how can I do that ? It needs to be done before VLAN encapsulation so it won't be a rule on the WAN interface I guess. Do I need to assign the physical interface underneath the VLAN to create such a rule ?
Just create the rule on the 832 VLAN.
It never matches :( Maybe the automatic rule "Allow DHCP client on WAN" matches before ?
Perhaps post what you have created...
Quote from: doktornotor on September 08, 2024, 02:03:26 PM
Perhaps post what you have created...
(https://i.ibb.co/0JGjhmH/Capture-d-cran-2024-09-08-14-18-27.png) (https://ibb.co/RHDpzYR)
(https://i.ibb.co/rMVsWYD/Capture-d-cran-2024-09-08-14-18-50.png) (https://ibb.co/GkqThyz)
(https://i.ibb.co/r0mqHtJ/Capture-d-cran-2024-09-08-14-19-09.png) (https://ibb.co/1QLBTnx)
(https://i.ibb.co/3YxGJ2b/Capture-d-cran-2024-09-08-14-19-26.png) (https://ibb.co/qFHXZK8)
Quote from: Ilford on September 08, 2024, 02:01:22 PM
It never matches :( Maybe the automatic rule "Allow DHCP client on WAN" matches before ?
I think so. The automatic rule that is activated once you enable DHCP on your WAN will fire first, IFF you create your rule for WAN. You should create it as a floating rule to have your rule applied first.
In the first place, I don't understand what's that dhclient vlan-pcp 6 stuff about. The priority is already set in the pf rules, why would you be messing with some cryptic option in dhclient on top of that...
https://github.com/opnsense/core/blob/d3a12a6d62e765f0a9f520f67933f0d584eae505/src/etc/inc/filter.lib.inc#L407-L409
https://github.com/opnsense/core/blob/d3a12a6d62e765f0a9f520f67933f0d584eae505/src/etc/inc/filter.lib.inc#L371-L373
Also, post the output of this:
sysctl net.link.vlan.mtag_pcp
both with that DHCP priority enabled and disabled.
@meyergru : Same result with a floating rule :(
@doktornotor I'm not playing with dhclient conf files directly, vlan-pcp is set via GUI on WAN interface config.
sysctl net.link.vlan.mtag_pcp : made some tries by enabling and disabling priority at VLAN level and at WAN's DHCP level, it is always "1"
Quote from: Ilford on September 08, 2024, 04:00:36 PM
@doktornotor I'm not playing with dhclient conf files directly, vlan-pcp is set via GUI on WAN interface config.
Well yes, but why???
Otherwise, you can change the
rule priority in the code I linked and try again.
IMNSHO, all this automagic behind the scenes stuff is just annoying.
Quote from: doktornotor on September 08, 2024, 04:07:36 PM
IMNSHO, all this automagic behind the scenes stuff is just annoying.
Amen, brother :)
Thanks for the tip, I'll try messing with the code next week maybe ;D
Can you post output for this?
grep "set prio" /tmp/rules.debug
For manual messing, these two lines:
https://github.com/opnsense/core/blob/d3a12a6d62e765f0a9f520f67933f0d584eae505/src/etc/inc/filter.lib.inc#L396
https://github.com/opnsense/core/blob/d3a12a6d62e765f0a9f520f67933f0d584eae505/src/etc/inc/filter.lib.inc#L350
Make a backup, change that 1 to 300000 and try again with your manually created rule and see if it matches anything. (Disable and re-enable so that it's reloaded.)
Quote from: doktornotor on September 08, 2024, 04:07:36 PM
Well yes, but why???
because the ISP requires it, apparently. I'm sure all this messing is a fun exercise (??), but, if I'm understanding the discussion that I linked earlier, what the OP was trying to do should work (without any faffing around with rules) - either there's a regression, or the OP is doing something else that's making it not work....
Quote from: dseven on September 08, 2024, 05:28:18 PM
because the ISP requires it, apparently.
The question was - that VLAN priority header is already being set by the pf rules. Why is the same thing being done by dhclient at the same time (with the final result that none of that works).
Quote from: doktornotor on September 08, 2024, 05:40:14 PM
The question was - that VLAN priority header is already being set by the pf rules. Why is the same thing being done by dhclient at the same time (with the final result that none of that works).
Oh, I see. "Belt and suspenders", maybe? Having the same priority set in two different places doesn't seem like an obvious reason for it to not work.
I'm half-tempted to create a VM and try to reproduce this.
Quote from: dseven on September 08, 2024, 05:46:23 PM
Oh, I see. "Belt and suspenders", maybe?
🤷♂️🤔 https://github.com/opnsense/core/commit/d195cd2e8a315ccd2069c01507cbf258793630f7
This links to this topic - surprise - about Orange not working. https://forum.opnsense.org/index.php?topic=33376.0
Hmmm, getting kinda circular.
That's the thread I linked to (https://forum.opnsense.org/index.php?topic=42707.msg211801#msg211801) this morning. Supposedly the issue was resolved in 23.1.6
Uhm, lets try something different - is the OP here using Suricata or some other of those things that use netmap on the VLAN interface?
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=236219
FWIW, I created a VM which uses VLAN 832 on a PCI-passed-through NIC for the WAN interface, and set the priorities for DHCP (4 and 6) on that to 6, and it appears to do what I expect - i.e. tcpdump shows p6 on the DHCP requests (there's nothing there to answer, of course)....
root@OPNsense:~ # tcpdump -nnvei igc0
tcpdump: listening on igc0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
17:46:47.517488 00:d0:b4:01:a5:a1 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 832, p 6, ethertype IPv4 (0x0800), (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:d0:b4:01:a5:a1, length 300, xid 0xea8b2ca, secs 32, Flags [none]
Client-Ethernet-Address 00:d0:b4:01:a5:a1
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message (53), length 1: Discover
Client-ID (61), length 7: ether 00:d0:b4:01:a5:a1
Hostname (12), length 8: "OPNsense"
Parameter-Request (55), length 10:
Subnet-Mask (1), BR (28), Time-Zone (2), Classless-Static-Route (121)
Default-Gateway (3), Domain-Name (15), Domain-Name-Server (6), Hostname (12)
Unknown (119), MTU (26)
This is OPNsense 24.7, without any updates (as I don't have a WAN connection to update over)....
I just want to chime in to say we have several trusty users who use the priority setting and it should work as expected, at least in the scope that those users are using it. Pretty sure about that. They would be here now otherwise (the good Orange FR people).
Cheers,
Franco
Yep, I'd bet on netmap breaking this ATM.
Netmap would be odd, but stranger things have happened. Still... hardware VLAN fail due to the relevant driver perhaps?
> IMNSHO, all this automagic behind the scenes stuff is just annoying.
Historic goo going back to silliness in dhclient/bpf even.
Cheers,
Franco
Thanks for the replies. Indeed I have Surricata enabled.
I cannot debug more this week but I will try disabling Surricata or even re-install OS for a clean test.
Quote from: franco on September 09, 2024, 10:58:05 AM
Netmap would be odd, but stranger things have happened. Still... hardware VLAN fail due to the relevant driver perhaps?
Well, netmap + pf
set prio is a documented upstream issue/limitation.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=236219
Testing without IPS would be useful.
Hmm, I'm not entirely sure I follow. The netmap generic rework should fix the issues described in the ticket from 2019. pf set-prio uses the same as dhclient vlan-pcp which is:
vlan_set_pcp() which sets MTAG_8021Q_PCP_OUT which is used by ether_8021q_frame() to set the value in the frame. I don't see how this is broken, but I can assure you that using tcpdump on the system will not tell you that it did what it should.
Cheers,
Franco
I disabled IDS and VLAN-PCP works as expected for DHCP without any rules or normalization.
Thank you very much @doktornotor !
I guess there is still an issue on that (very specific user case I concede), but I had IDS enabled on a VLAN interface (WAN) and maybe this is not a good practice.
Ok, still a bit odd considering we just pass the packet along from host to hardware.
Cheers,
Franco