OPNsense Forum

Archive => 15.1 Legacy Series => Topic started by: pah on May 09, 2015, 01:07:01 pm

Title: Problem with VLAN
Post by: pah on May 09, 2015, 01:07:01 pm
Hello,

I've been running OPNsense 15.1.9-amd64 on a PCengines APU1D for 2 weeks now. One week ago I set up a VLAN for the management stuff like switches etc. It is called vlan99 and is placed on interface re1 ("LAN", vlan1):

re1_vlan99: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=3<RXCSUM,TXCSUM>
   ether 00:0d:b9:3a:15:c9
   inet6 fe80::20d:b9ff:fe3a:15c9%re1_vlan99 prefixlen 64 scopeid 0xb
   inet 192.168.99.1 netmask 0xffffff00 broadcast 192.168.99.255
   nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
   media: Ethernet autoselect (1000baseT <full-duplex>)
   status: active
   vlan: 99 vlanpcp: 0 parent interface: re1

re1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
   ether 00:0d:b9:3a:15:c9
   inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
   nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
   media: Ethernet autoselect (1000baseT <full-duplex>)
   status: active

Everything was OK: vlan99 was accessible from vlan1 and vice versa. Then I tried to move my management client from vlan1 ("LAN") into this vlan99 by changing the IP address of the client. I also checked the VLAN configuration on the switch for its port. It didn't work, so I changed the IP back to vlan1.

Everything was OK again, but devices in vlan99 aren't accessible any more from vlan1. From the OPNsense box I can access devices in vlan99 with source re1_vlan99, but not with any other source. From vlan1 I can only see SYNs/requests to vlan99; on vlan99 I can see requests and replies. The firewall doesn't block. The devices also do not block. But packets from vlan99 cannot be seen on vlan1. The VLAN interface 192.168.99.1 (the WebUI and SSH) is still accessible, though.

tcpdump -ni re1 host 192.168.99.5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on re1, link-type EN10MB (Ethernet), capture size 65535 bytes
capability mode sandbox enabled
12:00:19.164739 IP 192.168.1.55 > 192.168.99.5: ICMP echo request, id 3685, seq 15, length 64
12:00:20.164665 IP 192.168.1.55 > 192.168.99.5: ICMP echo request, id 3685, seq 16, length 64
12:00:21.164959 IP 192.168.1.55 > 192.168.99.5: ICMP echo request, id 3685, seq 17, length 64
12:00:22.164908 IP 192.168.1.55 > 192.168.99.5: ICMP echo request, id 3685, seq 18, length 64

tcpdump -ni re1_vlan99 host 192.168.99.5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on re1_vlan99, link-type EN10MB (Ethernet), capture size 65535 bytes
capability mode sandbox enabled
12:00:10.163495 IP 192.168.1.55 > 192.168.99.5: ICMP echo request, id 3685, seq 6, length 64
12:00:10.168680 IP 192.168.99.5 > 192.168.1.55: ICMP echo reply, id 3685, seq 6, length 64
12:00:11.163511 IP 192.168.1.55 > 192.168.99.5: ICMP echo request, id 3685, seq 7, length 64
12:00:11.168393 IP 192.168.99.5 > 192.168.1.55: ICMP echo reply, id 3685, seq 7, length 64
12:00:12.163468 IP 192.168.1.55 > 192.168.99.5: ICMP echo request, id 3685, seq 8, length 64
12:00:12.168372 IP 192.168.99.5 > 192.168.1.55: ICMP echo reply, id 3685, seq 8, length 64
12:00:13.165096 IP 192.168.1.55 > 192.168.99.5: ICMP echo request, id 3685, seq 9, length 64
12:00:13.169983 IP 192.168.99.5 > 192.168.1.55: ICMP echo reply, id 3685, seq 9, length 64
12:00:14.165067 IP 192.168.1.55 > 192.168.99.5: ICMP echo request, id 3685, seq 10, length 64
12:00:14.169965 IP 192.168.99.5 > 192.168.1.55: ICMP echo reply, id 3685, seq 10, length 64
^C
10 packets captured
10 packets received by filter
0 packets dropped by kernel

I restarted the box and the devices in vlan99; still the same problem. What's wrong?

Further information: I'm using 3x "ProCurve Switch 1800-8G" switches connected like this:

sw01 <=Portchannel=> sw02 <-1uplink-> sw03

Best regards,
Herbert P.
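The two captures in the post are the useful diagnostic: the same ICMP flow is two-way on the tagged child interface (re1_vlan99) but one-way on the untagged parent (re1), which means the replies exist but never reach the vlan1 side. The script below is an added example (not from the thread or from OPNsense) that automates that comparison: it parses tcpdump -n output for ICMP echo lines, counts requests and replies per flow on each interface, and reports flows that are seen without any reply. The sample capture text is constructed to mirror the lines shown above; the interface names and addresses are taken from the post, everything else is assumed.

```python
"""Spot one-way (asymmetric) ICMP echo flows in tcpdump output from several interfaces.

Added example, not code from the original thread. The constructed sample below
mirrors the two captures in the post: re1 (untagged vlan1) sees only requests
towards 192.168.99.5, while re1_vlan99 sees requests and replies.
"""
import re
from collections import defaultdict

# Constructed sample input in the format `tcpdump -n` prints for ICMP echo.
CAPTURES = {
    "re1": """\
12:00:19.164739 IP 192.168.1.55 > 192.168.99.5: ICMP echo request, id 3685, seq 15, length 64
12:00:20.164665 IP 192.168.1.55 > 192.168.99.5: ICMP echo request, id 3685, seq 16, length 64
""",
    "re1_vlan99": """\
12:00:10.163495 IP 192.168.1.55 > 192.168.99.5: ICMP echo request, id 3685, seq 6, length 64
12:00:10.168680 IP 192.168.99.5 > 192.168.1.55: ICMP echo reply, id 3685, seq 6, length 64
12:00:11.163511 IP 192.168.1.55 > 192.168.99.5: ICMP echo request, id 3685, seq 7, length 64
12:00:11.168393 IP 192.168.99.5 > 192.168.1.55: ICMP echo reply, id 3685, seq 7, length 64
""",
}

# Matches the ICMP echo lines only; tcpdump banner lines and other protocols are skipped.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply),"
    r" id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse(text):
    """Yield (src, dst, kind, id, seq) for each ICMP echo line in one capture."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["dst"], m["kind"], int(m["id"]), int(m["seq"])


def echo_stats(text):
    """Return {(client, target): {"requests": n, "replies": m}} for one capture.

    Replies are keyed by the request direction (the reply's source is the
    target), so a healthy two-way flow shows replies == requests.
    """
    stats = defaultdict(lambda: {"requests": 0, "replies": 0})
    for src, dst, kind, _id, _seq in parse(text):
        if kind == "request":
            stats[(src, dst)]["requests"] += 1
        else:
            stats[(dst, src)]["replies"] += 1
    return dict(stats)


def one_way_flows(captures):
    """Return {ifname: [(client, target), ...]} for flows with requests but no replies.

    When the same flow is two-way on another interface, the replies do exist
    but are not delivered to this one, which points at VLAN tagging or
    switch forwarding rather than at the end hosts or the firewall.
    """
    result = {}
    for name, text in captures.items():
        stats = echo_stats(text)
        result[name] = sorted(flow for flow, c in stats.items()
                              if c["requests"] and not c["replies"])
    return result


if __name__ == "__main__":
    for ifname, flows in one_way_flows(CAPTURES).items():
        print(ifname, "one-way flows:", flows or "none")
```

Run it against real captures by replacing CAPTURES with the text of `tcpdump -ni re1 host 192.168.99.5` and `tcpdump -ni re1_vlan99 host 192.168.99.5`; an interface that lists a flow as one-way while another interface lists it as balanced is the place where the frames are being dropped or untagged on the wrong side.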
Title: Re: Problem with VLAN
Post by: pah on May 09, 2015, 01:45:31 pm
Looks like the MAC doesn't disappear on vlan1 and is only incomplete in vlan99. So it could be the VLAN configuration of the client's port.

But port 4 is configured for vlan1 & vlan4:

System Configuration:
    Name: sw01
    S/W Version: PA.03.10
    CVS Tag: $Name$
    Compile Date: Nov 15 2012 11:05:53
    H/W Version: R01

    MAC address: 00-18-71-49-40-b0
    SNMP:  enabled
    Trap IP: 0.0.0.0
    Readcommunity: public
    Trapcommunity: public

VLAN Configuration:
    Port  Aware    PVID  Ingress Filtering  Frame Type
     1:   enabled     1           disabled  All                      # OPNsense
     2:   enabled     1           disabled  All                      # Portchannel
     3:   enabled     1           disabled  All                      # Portchannel
     4:   enabled     1           disabled  All                      # Client
     5:   enabled     1           disabled  All
     6:   enabled     1           disabled  All
     7:   enabled     1           disabled  All
     8:   enabled     1           disabled  All

    Entries in permanent table:
       1:  1,2,3,4,5,6,7,8
      11:  1,4,5,6,7,8
      99:  1,2,3,4
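Two things in the switch dump above decide what a host on a given port can reach, and neither depends on the host's IP address: the PVID (all ports are 1, so untagged frames from a client always land in VLAN 1, whatever address the client is given), and the membership lists in the permanent table, which only matter for tagged frames. "Ingress Filtering disabled" is the practitioner's caveat: in 802.1Q terms it means the switch accepts a tagged frame on the port even when the port is not a member of that VLAN, so membership lists do not stop a host from injecting into other VLANs. The script below is an added example, not code from the thread or from HP, that parses a constructed copy of this dump format and answers those questions for one port; the port numbers and VLAN IDs are the ones in the post, the helper names are assumptions.

```python
"""Check a ProCurve 1800-series style VLAN configuration dump for a given port.

Added example, not code from the original thread. It parses the two blocks in
the post (the per-port table and the "permanent table" of VLAN members) and
reports, for one port, its member VLANs, which VLAN leaves untagged (PVID),
and whether ingress filtering would drop tags for VLANs the port is not in.
"""
import re

# Constructed copy of the relevant lines of the post; port 4 is the client port.
SWITCH_DUMP = """\
VLAN Configuration:
    Port  Aware    PVID  Ingress Filtering  Frame Type
     1:   enabled     1           disabled  All
     2:   enabled     1           disabled  All
     3:   enabled     1           disabled  All
     4:   enabled     1           disabled  All
     5:   enabled     1           disabled  All

    Entries in permanent table:
       1:  1,2,3,4,5
      11:  1,4,5
      99:  1,2,3,4
"""

PORT_RE = re.compile(r"^\s*(\d+):\s+(enabled|disabled)\s+(\d+)\s+(enabled|disabled)\s+(\S+)\s*$")
VLAN_RE = re.compile(r"^\s*(\d+):\s+([\d,]+)\s*$")


def parse_switch(text):
    """Return (ports, vlans): ports[port] is a settings dict, vlans[vid] a set of member ports."""
    ports, vlans = {}, {}
    section = None
    for line in text.splitlines():
        if line.startswith("VLAN Configuration"):
            section = "ports"
        elif "permanent table" in line:
            section = "vlans"
        elif section == "ports" and (m := PORT_RE.match(line)):
            ports[int(m[1])] = {"aware": m[2] == "enabled", "pvid": int(m[3]),
                                "ingress_filtering": m[4] == "enabled", "frame_type": m[5]}
        elif section == "vlans" and (m := VLAN_RE.match(line)):
            vlans[int(m[1])] = {int(p) for p in m[2].split(",")}
    return ports, vlans


def port_report(text, port):
    """Summarise how `port` handles VLANs. Raises KeyError for an unknown port."""
    ports, vlans = parse_switch(text)
    cfg = ports[port]
    member = sorted(vid for vid, members in vlans.items() if port in members)
    return {
        "member_vlans": member,
        "untagged_vlan": cfg["pvid"],                      # untagged frames are classified here
        "tagged_vlans": [v for v in member if v != cfg["pvid"]],
        # 802.1Q: with ingress filtering off, tagged frames for VLANs the port is
        # not a member of are still accepted, so membership is not an access control.
        "accepts_foreign_tags": cfg["aware"] and not cfg["ingress_filtering"],
    }


def ingress_accepted(text, port, vid, tagged):
    """True if a frame from a host on `port` enters VLAN `vid` as the switch is configured.

    Untagged frames can only ever enter the PVID; tagged frames need membership
    only when ingress filtering is enabled on the port.
    """
    ports, vlans = parse_switch(text)
    cfg = ports[port]
    if not tagged and vid != cfg["pvid"]:
        return False
    if cfg["ingress_filtering"]:
        return port in vlans.get(vid, set())
    return True


if __name__ == "__main__":
    print(port_report(SWITCH_DUMP, 4))
    print("untagged client on port 4 reaches vlan99:", ingress_accepted(SWITCH_DUMP, 4, 99, tagged=False))
    print("tagged client on port 4 reaches vlan99:", ingress_accepted(SWITCH_DUMP, 4, 99, tagged=True))
```

For port 4 this reports VLAN 1 untagged and VLANs 11 and 99 tagged-only: an untagged client with a 192.168.99.x address on that port is still switched in VLAN 1, which is why changing only the client's IP address cannot move it. Either the client must tag its frames with 99 or the port's PVID must be set to 99. The report also flags that the port accepts foreign tags, so for a management VLAN you would want ingress filtering enabled and the membership lists trimmed to the ports that actually need each VLAN.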