Today's adventure is a small home network for my parents and I'm trying with an inexpensive Netgear GS308EP managed switch. Unlike my UniFi switch, Netgear doesn't provide an obvious way to create a tags-only trunk through its GUI, as recommended for OPNsense (https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html#introduction). It enforces that every port has a PVID, which I interpret as it only allows mixed mode trunks (?)
Indeed in my initial attempt I had a DHCP leak and the switch picked up an IP from the Guest network after a reboot.
What I have done now is defined a throw-away VLAN (3999) that will only act as the PVID for the OPNsense trunk.
[attachment: gs308ep-vlans.png]
With this change I was initially seeing some ICMPv6 traffic on the 'igb2' parent interface in the live firewall view, so I went ahead and also defined a VLAN in OPNsense (igb2_vlan3999) and assigned this to an interface named BLACKHOLE with an empty rule set (default deny). I'm not sure if it's also necessary to assign an IP to this interface for 'pf' to function? I've just left it enabled for now.
[attachment: if-assignments.png]
[attachment: if-settings.png]
The setup at the moment uses two switch ports for OPNsense and I've not tried to consolidate them, though I'm thinking that keeping the management network on its own link has some benefits. I'm undecided on this.
Am I on the right track with this?
Not using untagged traffic on a parent interface for VLANs is indeed the recommended setup. And for switches that enforce having a "native VLAN" or "PVID" I always use a dummy VLAN that is not used anywhere else.
I don't think replicating that on the OPNsense side is really necessary. If the parent interface is not assigned and configured, all untagged frames should be dropped.
Thanks Patrick, I've unassigned the VLAN parent. That's more elegant.
I transferred the equipment today and the PC connected on the 'Home' access port (VLAN 30) was getting IPv6 addresses from all of the VLANs. Seems the RAs are crossing over. Is this a misconfiguration on my part, or should this cheap L2 switch not be used with IPv6?
Can you do a tcpdump of the RAs? Are they sent with VLAN tags or all untagged?
@meyergru observed a similar bug in a specific Unifi switch - flooding all VLANs.
I can try to run a capture later today.
I found an article that explains something about Netgear-specific requirements, but the site is in German and the Google-translated version is not so good. They mention something about needing an additional VLAN ID on the untagged access ports?
https://administrator.de/tutorial/vlan-installation-und-routing-mit-pfsense-mikrotik-dd-wrt-oder-cisco-rv-routern-110259.html#toc-14
Auto-translated version:
Quote: 3.) The third step is a NetGear special feature (or should you say "messish"), which creates a lot of confusion and over which unfortunately many VLAN beginners stumble on NetGear switch hardware.
NetGear forces you to assign a VLAN ID for untagged ports, i.e. ports to devices such as PCs etc.!
Other switch manufacturers do this automatically with the global VLAN port assignment; not so NetGear. So you have to be careful here!
So you have to explicitly assign an additional VLAN ID to untagged ports, although you have already placed this port untagged in a VLAN in the previous config step.
(For the technically interested: NetGear must know in which VLAN this traffic has to be forgotten if there is incoming untagged traffic, hence the repeated dedicated assignment of the VLAN ID belonging to the port. If it is missing, the traffic ends up in VLAN 1.)
I've already tagged the access ports to VID 30 and made the same as PVID. Is this article saying that I need to assign some additional VID on the access port also?
They are discussing the ProSafe series with a different UI than what I have, but maybe there's some common behavior among Netgear switches...
It seems to mean that you must set the port to "U"(ntagged) in the VLAN membership menu and additionally assign the same VLAN as the PVID.
Ah sorry, I misspoke. I meant to say I added VID 30 to the port. I did not actually set it as tagged. I'll double check this... thank you!
I enabled only two interfaces (LAN, HOME) using Track Interface with /64 prefix IDs 0x1 and 0x3 respectively, and RAs set to Unmanaged for SLAAC. The flooding started right away.
As captured on the client PC connected to the VLAN 30 access port using 'tcpdump -vvvv -i enp6s0 "icmp6 && ip6[40] == 134"':
17:07:06.036838 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 112) _gateway > ip6-allnodes: [icmp6 sum ok] ICMP6, router advertisement, length 112
hop limit 64, Flags [none], pref medium, router lifetime 0s, reachable time 0ms, retrans timer 0ms
prefix info option (3), length 32 (4): 26xx:xxxx:xxxx:xxx3::/64, Flags [onlink, auto], valid time 7200s, pref. time 0s
0x0000: <redacted>
0x0010: <redacted>
rdnss option (25), length 24 (3): lifetime 0s, addr: 26xx:xxxx:xxxx:xxx3:66xx:xxxx:xxxx:xx49
0x0000: <redacted>
0x0010: <redacted>
dnssl option (31), length 24 (3): lifetime 0s, domain(s): h2.home.arpa.
0x0000: <redacted>
0x0010: <redacted>
mtu option (5), length 8 (1): 1500
0x0000: 0000 0000 05dc
source link-address option (1), length 8 (1): 64:xx:xx:xx:xx:49
0x0000: <redacted>
...
17:07:13.161370 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 112) _gateway > ip6-allnodes: [icmp6 sum ok] ICMP6, router advertisement, length 112
hop limit 64, Flags [none], pref medium, router lifetime 1800s, reachable time 0ms, retrans timer 0ms
prefix info option (3), length 32 (4): 26xx:xxxx:xxxx:xxx1::/64, Flags [onlink, auto], valid time 86400s, pref. time 14400s
0x0000: <redacted>
0x0010: <redacted>
rdnss option (25), length 24 (3): lifetime 1800s, addr: 26xx:xxxx:xxxx:xxx1:66xx:xxxx:xxxx:xx47
0x0000: <redacted>
0x0010: <redacted>
dnssl option (31), length 24 (3): lifetime 1800s, domain(s): h2.home.arpa.
0x0000: <redacted>
0x0010: <redacted>
mtu option (5), length 8 (1): 1500
0x0000: 0000 0000 05dc
source link-address option (1), length 8 (1): 64:xx:xx:xx:xx:47
0x0000: <redacted>
Result on link:
2: enp6s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:xx:xx:xx:xx:53 brd ff:ff:ff:ff:ff:ff
inet 192.168.130.101/24 brd 192.168.130.255 scope global dynamic noprefixroute enp6s0
valid_lft 6869sec preferred_lft 6869sec
inet6 26xx:xxxx:xxxx:xxx1:f229:dba2:f9d3:1508/64 scope global temporary dynamic
valid_lft 86316sec preferred_lft 14316sec
inet6 26xx:xxxx:xxxx:xxx1:224:xxxx:xxxx:xxxx/64 scope global dynamic mngtmpaddr
valid_lft 86316sec preferred_lft 14316sec
inet6 26xx:xxxx:xxxx:xxx3:d685:f036:318f:1395/64 scope global temporary dynamic
valid_lft 86316sec preferred_lft 14316sec
inet6 26xx:xxxx:xxxx:xxx3:224:xxxx:xxxx:xxxx/64 scope global dynamic mngtmpaddr
valid_lft 86316sec preferred_lft 14316sec
inet6 26xx:xxxx:xxxx:xxx3:d4ce:610:4aca:4954/64 scope global temporary deprecated dynamic
valid_lft 7077sec preferred_lft 0sec
inet6 26xx:xxxx:xxxx:xxx3:224:xxxx:xxxx:xxxx/64 scope global deprecated dynamic mngtmpaddr
valid_lft 7077sec preferred_lft 0sec
inet6 26xx:xxxx:xxxx:xxx3:fd21:1443:9bf8:2301/64 scope global temporary deprecated dynamic
valid_lft 7044sec preferred_lft 0sec
inet6 26xx:xxxx:xxxx:xxx3:224:xxxx:xxxx:xxxx/64 scope global deprecated dynamic mngtmpaddr
valid_lft 7044sec preferred_lft 0sec
inet6 fe80::224:xxxx:xxxx:xxxx/64 scope link
valid_lft forever preferred_lft forever
I had already uploaded the PVID mapping table. Here are the Port<->VLAN mapping and the tag settings for VLAN 30 to show that it's tagged on the trunk and untagged on the access ports.
[attachment: port_vlan_mapping.png]
[attachment: vlan_30_tags.png]
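A client-side check for the cross-over the `ip addr` output above shows, written as an added example (not posted in the thread): it parses `ip -6 addr` output and lists every global /64 on the link that is not the one Track Interface should have derived for this VLAN. The sample output, the 2001:db8::/48 delegation and the prefix IDs 0x1/0x3 are constructed assumptions.

```python
import ipaddress
import re

# Constructed `ip -6 addr show` output for a client on an access port (documentation prefix
# 2001:db8::/48 with OPNsense Track Interface prefix IDs 0x1 and 0x3; not the thread's real output).
SAMPLE = """\
2: enp6s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet6 2001:db8:0:1:f229:dba2:f9d3:1508/64 scope global temporary dynamic
       valid_lft 86316sec preferred_lft 14316sec
    inet6 2001:db8:0:3:d685:f036:318f:1395/64 scope global temporary dynamic
       valid_lft 86316sec preferred_lft 14316sec
    inet6 2001:db8:0:3:d4ce:610:4aca:4954/64 scope global temporary deprecated dynamic
       valid_lft 7077sec preferred_lft 0sec
    inet6 fe80::224:aaff:febb:ccdd/64 scope link
       valid_lft forever preferred_lft forever
"""
ADDR_RE = re.compile(r"^\s*inet6 (\S+) scope (\w+)")


def global_addrs(text):
    """All global-scope IPv6 addresses in `ip addr` output, as IPv6Interface objects."""
    found = []
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m and m.group(2) == "global":
            found.append(ipaddress.IPv6Interface(m.group(1)))
    return found


def expected_prefix(delegated, prefix_id):
    """The /64 that Track Interface derives from the delegated prefix and a hex prefix ID.
    The subnet ID always sits in the bits directly above the /64 boundary, whatever the
    delegated length is, so shifting by 64 works for /48, /56 and so on."""
    pd = ipaddress.IPv6Network(delegated)
    return ipaddress.IPv6Network((int(pd.network_address) + (prefix_id << 64), 64))


def foreign_prefixes(text, delegated, prefix_id):
    """/64s present on the link that do not belong to this VLAN: each one is an RA that crossed over."""
    want = expected_prefix(delegated, prefix_id)
    return sorted({str(a.network) for a in global_addrs(text) if a.network != want})


if __name__ == "__main__":
    # VLAN 30 (HOME) should only ever see prefix ID 0x3; anything else came from another VLAN's RA.
    print(foreign_prefixes(SAMPLE, "2001:db8::/48", 0x3))
```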
FWIW, on my TP-link gear, using VLAN 1 (even tagged) caused DHCP issues.
Although my switches were all configured to use VLAN 2 for their management, they randomly showed up with IP addresses in the VLAN 1 subnet...
In my case, the "Default" interface in the controller GUI was/is set to use a random VLAN ID.
All the other VLANs (including 1 at first) were declared just as VLAN (not interface).
I got tired of troubleshooting this, and their forums didn't provide much help.
I no longer use VLAN ID 1 in the controller/switches/APs.
I just changed the value without adjusting the subnet to match (breaking my matching convention, preserving my rings of trust).
I still have a DHCP server enabled in that subnet (just in case) but no leases ever reappeared.
All hosts in that subnet have static IPs (proxmox and OPN).
I'll give it one last try with a different default VLAN ID for the Management LAN.
I've struck out twice now in trying to get a problem-free IPv6+SLAAC experience with smaller (desktop) fanless consumer-level switches. My UniFi connected clients have problems with automatic privacy address regeneration (https://community.ui.com/questions/Unreliable-IPv6-temporary-address-generation/64ae65cb-f7d7-4a79-8bfc-c97efdc0005d), but at least basic VLAN isolation is working.
I realized that I hadn't passed the option to tcpdump to actually capture the link-level information. I'm also now capturing from the VLAN parent interface 'igb2' on the router, using "tcpdump -vvv -i igb2 -nn -e ..."
Interesting result. IPv4 traffic is leaving the router interface with VLAN tags:
10:01:26.617384 00:xx:xx:xx:xx:53 > 64:xx:xx:xx:xx:49, ethertype 802.1Q (0x8100), length 104: vlan 30, p 0, ethertype IPv4 (0x0800), (tos 0x0, ttl 64, id 18058, offset 0, flags [none], proto UDP (17), length 86)
192.168.130.101.59775 > 192.168.130.1.53: [udp sum ok] 7191+ [1au] AAAA? connectivity-check.ubuntu.com. ar: . OPT UDPsize=1472 (58)
IPv6 traffic appears untagged:
root@fw1:~ # tcpdump -vvv -i igb2 -nn -e ip6
tcpdump: listening on igb2, link-type EN10MB (Ethernet), snapshot length 262144 bytes
10:08:40.509014 64:xx:xx:xx:xx:47 > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 110: (hlim 255, next-header ICMPv6 (58) payload length: 56) fe80::66xx:xxxx:xxxx:xx47 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 56
hop limit 64, Flags [none], pref medium, router lifetime 1800s, reachable time 0ms, retrans timer 0ms
dnssl option (31), length 24 (3): lifetime 1800s, domain(s): h2.home.arpa.
0x0000: <redacted>
0x0010: <redacted>
mtu option (5), length 8 (1): 1500
0x0000: 0000 0000 05dc
source link-address option (1), length 8 (1): 64:xx:xx:xx:xx:47
0x0000: <redacted>
10:08:40.700725 64:xx:xx:xx:xx:47 > 33:33:00:00:00:16, ethertype IPv6 (0x86dd), length 90: (hlim 1, next-header Options (0) payload length: 36) fe80::66xx:xxx:xxxx:xx47 > ff02::16: HBH (padn)(rtalert: 0x0000) [icmp6 sum ok] ICMP6, multicast listener report v2, 1 group record(s) [gaddr ff02::2 to_ex { }]
10:08:42.557491 64:xx:xx:xx:xx:47 > 33:33:00:00:00:16, ethertype IPv6 (0x86dd), length 90: (hlim 1, next-header Options (0) payload length: 36) fe80::66xx:xxxx:xxxx:xx47 > ff02::16: HBH (padn)(rtalert: 0x0000) [icmp6 sum ok] ICMP6, multicast listener report v2, 1 group record(s) [gaddr ff02::2 to_ex { }]
10:08:43.094471 64:xx:xx:xx:xx:47 > 33:xx:xx:xx:xx:47, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) :: > ff02::1:ff22:xx47: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 26xx:xxxx:xxxx:xxx1:66xx:xxxx:xxxx:xx47
unknown option (14), length 8 (1):
0x0000: <redacted>
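The tagged-versus-untagged distinction that the `-e` capture above makes visible, written up as an added example (not code from the thread): it parses `tcpdump -e -nn` summary lines, records the 802.1Q VLAN ID when a tag is present, and reports router advertisements that left the parent interface untagged. The sample lines, MACs and addresses are constructed.

```python
import re

# Constructed sample in the format of `tcpdump -e -nn -vvv` on the VLAN parent interface
# (made-up MACs and addresses, not the capture from the thread). Frame 1: tagged IPv4 in VLAN 30.
# Frame 2: an RA leaving the parent interface untagged. Frame 3: an RA correctly tagged VLAN 30.
SAMPLE = """\
10:01:26.617384 00:11:22:33:44:53 > 64:aa:bb:cc:dd:49, ethertype 802.1Q (0x8100), length 104: vlan 30, p 0, ethertype IPv4 (0x0800), (tos 0x0, ttl 64, id 18058, offset 0, flags [none], proto UDP (17), length 86)
10:08:40.509014 64:aa:bb:cc:dd:47 > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 110: (hlim 255, next-header ICMPv6 (58) payload length: 56) fe80::66aa:bbff:fecc:dd47 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 56
10:08:41.000000 64:aa:bb:cc:dd:49 > 33:33:00:00:00:01, ethertype 802.1Q (0x8100), length 114: vlan 30, p 0, ethertype IPv6 (0x86dd), (hlim 255, next-header ICMPv6 (58) payload length: 56) fe80::66aa:bbff:fecc:dd49 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 56
"""

# Outer Ethernet header as printed by `-e`: timestamp, src > dst, ethertype.
FRAME_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), "
    r"ethertype (?P<ethertype>802\.1Q|IPv4|IPv6|ARP)\b"
)
# 802.1Q tag as printed by tcpdump: "vlan <id>, p <prio>, ethertype <inner>".
VLAN_RE = re.compile(r"vlan (?P<vid>\d+), p \d+, ethertype (?P<inner>\S+)")


def parse_frame(line):
    """Return a dict describing one summary line, or None for continuation/other lines."""
    m = FRAME_RE.match(line)
    if not m:
        return None
    frame = m.groupdict()
    frame["vlan"] = None  # None means the frame left the parent interface untagged
    if frame["ethertype"] == "802.1Q":
        tag = VLAN_RE.search(line)
        if tag:
            frame["vlan"] = int(tag.group("vid"))
            frame["ethertype"] = tag.group("inner")
    frame["is_ra"] = "router advertisement" in line
    return frame


def untagged_ras(text):
    """RAs with no 802.1Q tag: on a tags-only trunk these are the ones the switch can deliver
    to every access port whose PVID is its native VLAN, i.e. the cross-over seen on VLAN 30."""
    frames = (parse_frame(l) for l in text.splitlines())
    return [f for f in frames if f and f["is_ra"] and f["vlan"] is None]


if __name__ == "__main__":
    for f in untagged_ras(SAMPLE):
        print(f"{f['ts']} untagged RA from {f['src']}")
```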
Does this possibly have to do with OPNsense? I have the parent VLAN interface unassigned, as per the first few messages in this thread.
I think I know... a little embarrassing, but I left the LAN interface (igb0) as native in OPNsense. I think I need to convert it to a VLAN also with the VLAN ID 1.
Yes.
I didn't have success even with tagging the LAN network and also changing the default VLAN from 1 to 2. I think Patrick's initial assessment that the switch has a bug is likely correct.
I found a UniFi Lite-16 for an OK price at a local store, so giving that a go now.
Thanks for the suggestions. Hopefully this thread saves someone considering the same model switch. FWIW, the firmware version on the Netgear is 1.0.1.4.
I have been having issues getting my WAP working on this same switch. OPNsense LAN port on Netgear Port 1, Zyxel WAP on Port 2, other switch ports on various VLANs. Laptop gets the right DHCP address from the local switch ports for the various VLANs, but the WAP doesn't seem to be happy with the various port2 configs I have tried...
Quote from: Praetoriate on March 24, 2025, 09:45:54 PM: Laptop gets the right DHCP address from the local switch ports for the various VLANs, [...]
I'm not sure if you are referring to IPv4 DHCP here but I only saw issues with IPv6 for the time that I had the switch.