traffic between untagged vlan and a tagged vlan basically dies

[yolocoffee]

I am scratching my head on how to solve this.

I have one primary untagged LAN (60_LAN)  and 3 VLANs (70_VLAN/80_VLAN/90_VLAN). No VLAN is allowed to access the primary lan but primary lan can access all other VLANs.

My speeds from primary LAN to any other tagged LAN (60_LAN -> 70_VLAN) are atrocius. Connections can be established in the case of accessing a web page or starting a remote desktop session but the performance is very spotty. In other cases, I cannot establish a connection at all. iperf3 basically dies after getting to 2 Mbps. rsync won't work at all.

If I disable pf (from the GUI or the shell), everything works correctly with the expected speed and performance. As soon as I enable pf, all traffic from primary lan to other vlans goes to shit. All traffic between the tagged VLANs is fine with pf enabled.

I have disabled all hardware filtering etc.
I do not have any intrusion detection turned on.
I do not have any trafffic shaping/QoS rules.
I have a single WAN configuration.
I installed the vendor realtek driver (the card does not have issues passing traffic between tagged VLANs or between the tagged and untagged vlan if i disable pf)

What gives?

[Patrick M. Hausen]

Don't run tagged and untagged traffic over the same interface.

[franco]

> As soon as I enable pf, all traffic from primary lan to other vlans goes to shit.

https://bugs.freebsd.org


Good luck,
Franco

[pes]

Don't run tagged and untagged traffic over the same interface.

WHY NOT??

[Patrick M. Hausen]

Because it doesn't work in unexpected ways?

It's a "deficiency" - if you want to call it that - of the FreeBSD network stack and nothing that can easily and quickly be fixed, so it's going to stay that way for the foreseeable future.

FreeBSD is not a switch so neither is OPNsense. The invention of the "native VLAN" in the 802.1q specification is problematic in my opinion. I never use untagged frames on trunk ports, not even on my Cisco switches.