Topic: Full Router on a stick and other questions.. (Read 2810 times)
bcookatpcsd
Newbie
Posts: 39
Karma: 0
Full Router on a stick and other questions.. « on: December 01, 2021, 03:36:52 pm »
I have an OptiPlex 9020 with an onboard em0 (disabled) and a dual bce0/1 pcie card in use.
wan0 is bce1
vlan10, vlan20, vlan172 is bce0
I keep getting interface errors on the bce0/1 card..
I've done all the hardware troubleshooting and disabling tso and such.
Can I put wan0 on a trunk interface as well?
Can I remove the dual bce card, enable em0, and reconfigure vlan10, vlan20, vlan172, wan0 to all be on em0?
Obviously configuring another port/vlan tag for wan0..
wan0 is currently a self purchased cable modem compatible with Optimum Online..
I'm not ruling out the self purchased cable modem, I have had the modem for 3+ years and is still the current "non Altice service" given out today.
Service is 200/35 (<rant> currently costs $95 a month with no modem rental, which is a sin because the latency and reliability of the service is horrid, but it is our only option.. </rant>) (insert monty python song every sperm is sacred.. ) Every packet is sacred..
I was thinking if em0 was trunked and the add-on card removed, then that would rule out possible irq conflicts, which might be the cause of the errors..
screenshot is.. rebooted machine, and watched a YT video and listened to something on Spotify while downloading a small iso and doing a wifi speed test.. pushed 1G of traffic and got 71 input errors.. (wan0 bce1)
Opinions?
(thanks in advance for taking the time to read.. )
Patrick M. Hausen
Hero Member
Posts: 6826
Karma: 573
Re: Full Router on a stick and other questions.. « Reply #1 on: December 01, 2021, 03:58:13 pm »
Short answer: yes you can. Firewall on a stick is perfectly possible. Just make sure to run all VLANs as tagged - never mix tagged and untagged on a single physical link with FreeBSD.
Kind regards,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
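The rule in the reply above (run every VLAN tagged, never tagged and untagged on the same physical link) can be checked mechanically. The following is an added example, not part of Patrick's post or of OPNsense itself: a Python check that flags any NIC that is assigned directly while also serving as a VLAN parent. The `config.xml`-style element layout and the sample document are assumptions constructed for illustration; the interface names follow the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the thread's actual config). The element layout
# is an assumption modelled on an OPNsense-style config.xml; interface names
# follow the thread. opt2 is the deliberate mistake: bce0 assigned untagged.
SAMPLE = """<opnsense>
  <interfaces>
    <wan><if>bce0_vlan42</if></wan>
    <lan><if>bce0_vlan10</if></lan>
    <opt1><if>bce0_vlan20</if></opt1>
    <opt2><if>bce0</if></opt2>
  </interfaces>
  <vlans>
    <vlan><if>bce0</if><tag>10</tag><vlanif>bce0_vlan10</vlanif></vlan>
    <vlan><if>bce0</if><tag>20</tag><vlanif>bce0_vlan20</vlanif></vlan>
    <vlan><if>bce0</if><tag>42</tag><vlanif>bce0_vlan42</vlanif></vlan>
    <vlan><if>bce0</if><tag>172</tag><vlanif>bce0_vlan172</vlanif></vlan>
  </vlans>
</opnsense>"""


def mixed_tagged_untagged(xml_text):
    """Return [(logical_name, nic, [vlan tags])] for every assigned interface
    whose device is also the parent of one or more VLAN interfaces."""
    root = ET.fromstring(xml_text)
    # Map each physical parent NIC to the VLAN tags carried on it.
    tags_by_parent = {}
    for vlan in root.iter("vlan"):
        parent = (vlan.findtext("if") or "").strip()
        tag = (vlan.findtext("tag") or "").strip()
        if parent and tag.isdigit():
            tags_by_parent.setdefault(parent, set()).add(int(tag))
    findings = []
    interfaces = root.find("interfaces")
    for node in (interfaces if interfaces is not None else []):
        dev = (node.findtext("if") or "").strip()
        # A direct assignment of a VLAN parent means untagged frames share
        # the trunk with tagged ones.
        if dev in tags_by_parent:
            findings.append((node.tag, dev, sorted(tags_by_parent[dev])))
    return sorted(findings)


if __name__ == "__main__":
    for name, nic, tags in mixed_tagged_untagged(SAMPLE):
        print(f"{name}: {nic} is assigned untagged but also carries VLANs {tags}")
```
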
bcookatpcsd
Newbie
Posts: 39
Karma: 0
Re: Full Router on a stick and other questions.. « Reply #2 on: December 01, 2021, 06:05:21 pm »
Thank you for the response..
(unifi gear should you be interested..)
created vlan42, added it to the trunk, created vlan42 on bce0, assigned it to the wan0 interface, checked on Interfaces -> Overview
confirmed wan0 was assigned to bce0_vlan42.
assigned a switch port to vlan42, plugged the cable modem into the configured switch port, bounced the modem.. had link light (was thinking about needing a crossover; device to device and all, just to rule out possible mismatch - didn't change anything)
even bounced the opnsense box afterwards.. just in case I missed releasing something, etc..
wan0 as bce0_vlan42 didn't get an ip..
disabled lldp, tcn, and stp..
open to any valid suggestion.. like possibly Optimum blocking oui ranges for Unifi..
layer2-wise I think nothing is wrong..
I was thinking about static assigning my wan_bce1 ip and mask to the wan_vlan42 just to see if I can see a mac on the other side.. I'm delegated as part of a /23..
arp -an | grep bce1 yields valid and accurate information..
thoughts/opinions?
(thanks in advance)
Patrick M. Hausen
Hero Member
Posts: 6826
Karma: 573
Re: Full Router on a stick and other questions.. « Reply #3 on: December 01, 2021, 06:56:19 pm »
A VLAN is limited to a single port in FreeBSD. You need a bridge interface to span multiple ports - tagged or untagged.
I.e. to have VLAN 42 tagged on the trunk and untagged on bce0 create a bridge interface with the VLAN interface and bce0 as members.
"Bridge" is FreeBSD's name for a vSwitch.
bcookatpcsd
Newbie
Posts: 39
Karma: 0
Re: Full Router on a stick and other questions.. « Reply #4 on: December 01, 2021, 08:28:47 pm »
vlan42 is working, static assigned the bce1 dhcp to the bce0_vlan42.. could see L2 on the other side..
no icmp to the default gw or any outbound host..
another satisfied optimum client..
one screenshot was the contents of:
/var/db/dhclient.leases.bce1
and
/var/db/dhclient.leases.bce0_vlan42
*WAIT*
dhcp relay..
If I temp disabled dhcp relay.. I'd break dhcp for vlan20 and vlan172.. but I'd have working dhcp for vlan42..
.. maybe optimum isn't the bad guy here (not about this.. not yet.. )
*BUT* dhcp relay wouldn't have anything to do with not passing icmp.. *sigh*
I have automatic outbound nat.. it wouldn't care what was on the other side (as evidenced by L2 mac address on the other side..)
connected interfaces :: bce0_vlan42 -> unifi trunk -> cable bridge/modem -> provider gw and I have arp on opnsense..
there is something L3 and up.. possibly all the way to L8.. again Optimum..
https://imgur.com/a/qxrJXL9
I didn't look at netstat -rn .. but I still should have been able to get to that host as I can get to it when I get a dhcp address..
Think I'm going to tip my hat at Optimum.. unless someone else has something to share about getting this working w/ Optimum specifically.. Or can point out something I might have missed..
No point in calling Optimum.. always feels like I'm in Celebrity Jeopardy..