Should router on a stick work?

Started by dragon2611, December 21, 2021, 10:07:27 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions
December 21, 2021, 10:07:27 AM Last Edit: December 21, 2021, 10:09:18 AM by dragon2611
i3-6100T USFF machine 8gb ram, ~300Mbit connection.

Wan is a VLAN on em0
Lan is native
Various other VLANs.

Opnsense 21.7.7

Having Zenarmor installed even running in passive mode seemed to cause some weridness like connections hanging or being slow to establish.

Not sure if it's underpowered hardware or it gets upset at seeing the WAN vlans as well.

Only way to split the WAN and LAN interfaces would be to add a USB3 NIC.
December 21, 2021, 10:09:31 AM #1
Quote from: dragon2611 on December 21, 2021, 10:07:27 AM

Wan is a VLAN on em0
Lan is native
Various other VLANs.

Opnsense 21.7.7


Does that mean to mix tagged and untagged traffic on the same physical interface? Don't do that on BSD...
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....
December 21, 2021, 12:46:20 PM #2
Quote from: chemlud on December 21, 2021, 10:09:31 AM
Quote from: dragon2611 on December 21, 2021, 10:07:27 AM

Wan is a VLAN on em0
Lan is native
Various other VLANs.

Opnsense 21.7.7


Does that mean to mix tagged and untagged traffic on the same physical interface? Don't do that on BSD...

He stated Native which is a std dot1q feature. This should work without an issue. I am not sure how to set a Native vlan in OPNSense.
December 21, 2021, 01:40:22 PM #3
You don't set a native VLAN. Just don't assign an interface to the physical ports and only use tagged VLANs.
On the connected switch set the native to an unused one - I use 1001 ...

OPNsense although a firewall is essentially a Unix host and not a switch. So you have to live with the FreeBSD network stack. Using a native VLAN will lead to all sorts of trouble. Don't do it.

Not sure if Zenarmor on VLANs is supported at all. Suricata officially isn't for IPS mode - only IDS works.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
December 21, 2021, 02:03:12 PM #4
I presume your statement to be incorrect, since I work with Juniper JunOS which is based on FreeBSD and it does support all the features.
December 21, 2021, 05:21:11 PM #5
Hi,

@dragon2611 can you send a bug report from the upper right corner of Sensei GUI?

December 21, 2021, 06:32:42 PM #6 Last Edit: December 21, 2021, 06:40:16 PM by pmhausen
Quote from: lilsense on December 21, 2021, 02:03:12 PM
I presume your statement to be incorrect, since I work with Juniper JunOS which is based on FreeBSD and it does support all the features.
Juniper is based on FreeBSD but they have their own proprietary forwarding plane. Otherwise anyone could build a product  that is feature and performance comparable with Juniper by just installing FreeBSD.

Also their later variants of JunOS are based on Linux.

If you don't want to take my word for it, ask Kristof Provost, one of the main FreeBSD networking developers. I have been exchanging messages back and forth with him while designing our network infrastructure for an entire data centre running on FreeBSD and I do claim to know the FreeBSD network stack from an operations point of view really well.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
December 21, 2021, 09:29:17 PM #7
Quote from: chemlud on December 21, 2021, 10:09:31 AM


Does that mean to mix tagged and untagged traffic on the same physical interface? Don't do that on BSD...

Oh, wasn't aware that causes an issue  :o
December 21, 2021, 09:31:03 PM #8 Last Edit: December 21, 2021, 09:38:04 PM by dragon2611
Quote from: sy on December 21, 2021, 05:21:11 PM
Hi,

@dragon2611 can you send a bug report from the upper right corner of Sensei GUI?

I think it might actually have been down to broken IPv6 that was being annoyingly intermittent, Turns out I had more than one V6 gateway and they had the same metric
December 22, 2021, 01:16:17 PM #9
Quote from: pmhausen on December 21, 2021, 06:32:42 PM
Quote from: lilsense on December 21, 2021, 02:03:12 PM
I presume your statement to be incorrect, since I work with Juniper JunOS which is based on FreeBSD and it does support all the features.
Juniper is based on FreeBSD but they have their own proprietary forwarding plane. Otherwise anyone could build a product  that is feature and performance comparable with Juniper by just installing FreeBSD.

Also their later variants of JunOS are based on Linux.

If you don't want to take my word for it, ask Kristof Provost, one of the main FreeBSD networking developers. I have been exchanging messages back and forth with him while designing our network infrastructure for an entire data centre running on FreeBSD and I do claim to know the FreeBSD network stack from an operations point of view really well.

Thanks for that... Currently, the later version of the JunOS is running on a linux KVM in FreeBSD. I have heard they are planning to move to linux kernel, but I have not seen a product running it. The current QFX runs FreeBSD as well.

One thing to note is that I do not understand that FreeBSD is not supporting the full spec IEEE 802.1Q which allows native vlan to be identified as anything but vlan1.
December 22, 2021, 03:11:44 PM #10
It does. But things like pf might get confused. Which is the point of OPNsense  ;)

And if you want to use if_bridge - which is frequently the case in the TrueNAS environment, not so much over here - then making the physical/native a member of a bridge interface results in tagged VLANs not working at all. You cannot have VLANs on a bridge member in FreeBSD.

So it's discouraged - that's all.

And VLAN 1 is allowed as native, default state for e.g. Cisco. I guess the reasoning being not to lock yourself out of the management plane, which is also VLAN 1 by default.

At work I simply don't want a customer with a trunk port to be able to throw untagged packets at my management plane, so I set the native VLAN to 1001 on every trunk and do not use that VLAN anywhere.

Whoever is responsible for that part of the spec deserves to be shot. Most network professionals I work with agree with me on that. A trunk is a trunk and carries only tagged frames. Period.

So I might have a strong opinion on that topic, but in general it helps to hammer that point home at people with little to no experience, because the "native VLAN" is a frequent source of all kinds of problems.

Kind regards
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
December 22, 2021, 05:18:11 PM #11
Quote from: pmhausen on December 22, 2021, 03:11:44 PM

And VLAN 1 is allowed as native, default state for e.g. Cisco. I guess the reasoning being not to lock yourself out of the management plane, which is also VLAN 1 by default.

At work I simply don't want a customer with a trunk port to be able to throw untagged packets at my management plane, so I set the native VLAN to 1001 on every trunk and do not use that VLAN anywhere.


Right, so the question is how do you set the native VLAN to 1001 in OPNSense rather than VLAN 1.
December 22, 2021, 05:49:37 PM #12 Last Edit: December 22, 2021, 05:51:45 PM by pmhausen
Simply run VLAN 1 tagged and don't assign an IP address to the untagged parent interface. No need to mess with "native" at all. FreeBSD is a host in that regard, not a router or switch.

On OPNsense: in Interfaces > Assignments don't assign anything to e.g. igb0. Create a separate VLAN with igb0 as parent for every single firewall interface --> no untagged use of igb0 ever.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
Print
Go Up Pages1
User actions