Q in Q but not 802.1ad

Started by wizdude, June 28, 2023, 11:34:37 AM

June 28, 2023, 11:34:37 AM Last Edit: June 28, 2023, 12:09:09 PM by wizdude
greetings,

i need to run multiple VLANs to my ISP and originally i thought they wanted Q-in-Q 802.1ad so I tested this up in my lab and provided some packet dumps to confirm all was ok.

it turns out what they are after is "classic" Q-in-Q with both packets tagged with 0x8100 (802.1q)

i have been advised that my carriage service provider will drop packets tagged with 0x88a8 (802.1ad).

is there a way to configure this up? i need to have two VLANs encapsulated inside another VLAN with all packets tagged as 802.1q

many thanks in advance,

cheers, Wiz!!

edit: i can see this original change was discussed here:
https://github.com/opnsense/core/issues/5893
double tagged VLANs used to be both set to 802.1q, but this is not standard and 802.1ad is the preference.

the commit here:
https://github.com/opnsense/core/commit/021f656fd6adc93d55a72221252eb6289711a6d7
changes behaviour so that once a VLAN is created with an upstream VLAN as a parent, the parent is changed from 802.1q to 802.1ad.

in general this makes good sense. in my case it would be great to see this as an option which could be turned on and off for each interface. probably a small change, but i don't have a suitable build environment to even test this.

in any case, what i'm asking for is if there is some config way or otherwise i can work around this.


Hi,

It's possible but not exposed via GUI.

https://github.com/opnsense/core/blob/24dbe30cadd83fa5a1fcea8ed6b38357794a4d6a/src/opnsense/scripts/interfaces/reconfigure_vlans.php#L77

Currently it enforces the "more correct" value but I think you can try to change that locally and see if it appeases your ISP. Might be an option to add a setting, but design needs to be taken into account.


Cheers,
Franco

thank you. i shall play with this.

can i offer a suggestion/trick? i'm trying to play with this at the moment, but i'm not experienced with this code base so it's quite hard for me.

here's my idea:

when you create a VLAN which has a parent of a VLAN, you are forced to give the device a name starting with "qinq0".

if i create a VLAN natively to an interface, i can give it a name starting with "vlan0" and then come back afterwards and change the parent to another VLAN.

would it be possible to modify the code so if the device name starts with "vlan0" and it has a parent which is a VLAN, it would set the parent to 802.1q, but if the device name starts with "qinq0" it would set the parent to 802.1ad?

this seems like a smart way to give flexible options without having to add another "custom" setting.

what do you think?

cheers, Wiz!!

We'd like to keep "qinq" prefix specific to being on top of "vlan" prefixed device as it makes ordering consecutive operations easier.

The way I see it, it would be beneficial to have a "protocol" setting for either "vlan" or both "vlan" and "qinq" but I'm not sure if all of the combinations are supported... or perhaps only offer a global override. It's a bit tricky to get this neatly integrated as mentioned.


Cheers,
Franco

agreed.

the only thing i can think of would be to add a configuration setting into the VLAN such as "Bridge Protocol" with settings such as "Force 802.1q", "Force 802.1ad" and "Automatic" (where "Automatic" would be exactly what happens right now).

the thing i am very wary of is that I make a change to the code now to fix my problem, but when the next release of OPNsense comes out and I update, that change will be lost and if I (or someone else) edits the VLANs I/they will lose connectivity as a result.

i'm sorry that i'm not familiar enough with this code base to actually work on this. it would be a great enhancement for specific edge cases such as this.

cheers, Wiz!!


i've just had a better think about this and realised i'm over-engineering this.

all that is needed is a single global override. an additional option in "Interfaces > Settings" and then check for that in the reconfigure_vlans.php file.

cheers, Wiz!!

You might not want the same setting for all interfaces. I'll try to look into it for a merge request tomorrow.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Many thanks  :)

cheers, Wiz!!

greetings,

i've experienced an issue here with my workaround. what i initially did was change the line you specified here:

https://github.com/opnsense/core/blob/24dbe30cadd83fa5a1fcea8ed6b38357794a4d6a/src/opnsense/scripts/interfaces/reconfigure_vlans.php#L77

i simply replaced this with: $vlan['proto'] = '802.1q';

when i save the settings for the parent interface, it correctly changes to 802.1q and everything is great.

but now i've discovered - when i reboot the box, the parent interface changes back to 802.1ad.

are you able to assist here? i was planning on putting this box into production tomorrow, but i don't want to have a scenario where a reboot would take out my WAN services.

many thanks in advance,

cheers, Wiz!!

i took a punt and i think i worked this out.

i assume that the interfaces.inc is run during initialisation and this is what changes it back

https://github.com/opnsense/core/blob/a4f6a8f8d604271f81984cfcbba0471af58e34dc/src/etc/inc/interfaces.inc#L164

i also changed this line to force 802.1q and did a reboot and it came back with the parent interface on 802.1q as i required.

this will be fine for the time being. i look forward to when there could be an option to disable this correctly so that my home hacks don't bite me when i go to perform my next upgrade.

cheers, Wiz!!

Yeah there are two spots for legacy reasons. Nice catch.


Cheers,
Franco

greetings,

just curious if this change made its way into a dev queue anywhere or whether i should be opening an issue on github? i'd love this option to be included somehow because each time i upgrade i need to manually patch those two files or my 802.1q inside 802.1q breaks.

many thanks

cheers, Wiz!!

It's available from 23.7 onwards.


Cheers,
Franco
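
The difference this thread turns on is the TPID of the outer tag: 0x8100 for "classic" Q-in-Q versus 0x88a8 for 802.1ad. The following is an added example, not code from the thread or from OPNsense, that walks the tag stack of a raw Ethernet frame (for instance, bytes taken from a packet dump) and reports which encapsulation is on the wire; the sample frames, MAC addresses and VLAN IDs 100 and 10 are constructed.

```python
import struct

TPID_8021Q = 0x8100   # C-tag; also the outer tag in "classic" Q-in-Q
TPID_8021AD = 0x88A8  # S-tag (802.1ad provider bridging)
TAG_TPIDS = {TPID_8021Q, TPID_8021AD}

def vlan_stack(frame: bytes):
    """Return [(tpid, vid), ...] for every VLAN tag, outermost first."""
    tags, off = [], 12                      # skip destination + source MAC
    while len(frame) >= off + 4:
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid not in TAG_TPIDS:           # reached the payload EtherType
            break
        tags.append((tpid, tci & 0x0FFF))   # low 12 bits of the TCI are the VLAN ID
        off += 4
    return tags

def classify(frame: bytes) -> str:
    """Name the double-tagging scheme from the outer and inner TPIDs."""
    tags = vlan_stack(frame)
    if len(tags) < 2:
        return "not double-tagged"
    outer, inner = tags[0][0], tags[1][0]
    if outer == TPID_8021Q and inner == TPID_8021Q:
        return "802.1q in 802.1q"
    if outer == TPID_8021AD and inner == TPID_8021Q:
        return "802.1ad"
    return "other"

def build_frame(outer_tpid: int, outer_vid: int, inner_vid: int) -> bytes:
    """Constructed sample: double-tagged frame with an IPv4 EtherType."""
    macs = bytes.fromhex("ffffffffffff" "020000000001")
    return (macs + struct.pack("!HH", outer_tpid, outer_vid)
            + struct.pack("!HH", TPID_8021Q, inner_vid)
            + struct.pack("!H", 0x0800) + b"\x00" * 46)

CLASSIC = build_frame(TPID_8021Q, 100, 10)    # both tags 0x8100
PROVIDER = build_frame(TPID_8021AD, 100, 10)  # outer tag 0x88a8

if __name__ == "__main__":
    for name, frame in (("classic", CLASSIC), ("provider", PROVIDER)):
        stack = [(hex(t), v) for t, v in vlan_stack(frame)]
        print(name, stack, "->", classify(frame))
```

Running the same check on a frame captured after a reboot or an upgrade shows whether the parent interface has reverted to 802.1ad.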