[Closed, No Fix] Netgear "Easy Smart" trunk port for OPNsense with required PVID

Started by OPNenthu, March 16, 2025, 11:53:33 PM

March 16, 2025, 11:53:33 PM Last Edit: March 23, 2025, 02:00:15 PM by OPNenthu Reason: image resize
Today's adventure is a small home network for my parents and I'm trying with an inexpensive Netgear GS308EP managed switch. Unlike my UniFi switch, Netgear doesn't provide an obvious way to create a tags-only trunk through its GUI, as recommended for OPNsense. It enforces that every port has a PVID, which I interpret to mean it only allows mixed-mode trunks (?)

Indeed in my initial attempt I had a DHCP leak and the switch picked up an IP from the Guest network after a reboot.

What I have done now is defined a throw-away VLAN (3999) that will only act as the PVID for the OPNsense trunk.

With this change I was initially seeing some ICMPv6 traffic on the 'igb2' parent interface in the live firewall view, so I went ahead and also defined a VLAN in OPNsense (igb2_vlan3999) and assigned it to an interface named BLACKHOLE with an empty rule set (default deny). I'm not sure if it's also necessary to assign an IP to this interface for 'pf' to function? I've just left it enabled for now.

The setup at the moment uses two switch ports for OPNsense and I've not tried to consolidate them, though I'm thinking that keeping the management network on its own link has some benefits. I'm undecided on this.

Am I on the right track with this?

Not using untagged traffic on a parent interface for VLANs is indeed the recommended setup. And for switches that enforce having a "native VLAN" or "PVID" I always use a dummy VLAN that is not used anywhere else.

I don't think replicating that on the OPNsense side is really necessary. If the parent interface is not assigned and configured all untagged frames should be dropped.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thanks Patrick, I've unassigned the VLAN parent.  That's more elegant.

I transferred the equipment today and the PC connected on the 'Home' access port (VLAN 30) was getting IPv6 addresses from all of the VLANs.  Seems the RAs are crossing over.  Is this a misconfiguration on my part, or should this cheap L2 switch not be used with IPv6?

Can you do a tcpdump of the RAs? Are they sent with VLAN tags or all untagged?

@meyergru observed a similar bug in a specific Unifi switch - flooding all VLANs.

I can try to run a capture later today.

I found an article that explains something about Netgear-specific requirements, but the site is in German and the Google-translated version is not so good. They mention something about needing an additional VLAN ID on the untagged access ports?

https://administrator.de/tutorial/vlan-installation-und-routing-mit-pfsense-mikrotik-dd-wrt-oder-cisco-rv-routern-110259.html#toc-14

Auto-translated version:
Quote: 3.) The third step is a NetGear special feature (or should you say "messish"), which creates a lot of confusion and about which the unfortunately many VLAN beginners stumble upon NetGear Switch hardware.
NetGear forces a VLAN ID to assign a VLAN ID for untagged ports, i.e. ports to the devices such as PCs etc!
Other switch manufacturers do this automatically with the global VLAN port assignment, not so NetGear. So you have to be careful here!
So you have to go untagged ports explicitly additionally assign a VLAN ID, although you have already placed this port untagged in a VLAN with the previous config step.
(For the technically interested: NetGear must know in which VLAN this traffic has to be forgotten if there is incoming untagged traffic, hence the repeated dedicated assignment of the VLAN ID belonging to the port. If it is missing, the traffic ends in VLAN 1)

I've already tagged the access ports to VID 30 and made the same the PVID. Is this article saying that I need to assign some additional VID on the access port also?

They are discussing the ProSafe series with a different UI than what I have, but maybe there's some common behavior among Netgear switches...

It seems to mean that you must set the port to "U"(ntagged) in the VLAN membership menu and additionally assign the same VLAN as a PVID.

Ah sorry, I misspoke. I meant to say I added VID 30 to the port. I did not actually set it as tagged. I'll double check this... thank you!

I enabled only two interfaces (LAN, HOME) using Track Interface with /64 prefix IDs 0x1 and 0x3 respectively, and RAs set to Unmanaged for SLAAC. The flooding started right away.

As captured on the client PC connected to the VLAN 30 access port using 'tcpdump -vvvv -i enp6s0 "icmp6 && ip6[40] == 134"':

17:07:06.036838 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 112) _gateway > ip6-allnodes: [icmp6 sum ok] ICMP6, router advertisement, length 112
    hop limit 64, Flags [none], pref medium, router lifetime 0s, reachable time 0ms, retrans timer 0ms
      prefix info option (3), length 32 (4): 26xx:xxxx:xxxx:xxx3::/64, Flags [onlink, auto], valid time 7200s, pref. time 0s
        0x0000:  <redacted>
        0x0010:  <redacted>
      rdnss option (25), length 24 (3):  lifetime 0s, addr: 26xx:xxxx:xxxx:xxx3:66xx:xxxx:xxxx:xx49
        0x0000:  <redacted>
        0x0010:  <redacted>
      dnssl option (31), length 24 (3):  lifetime 0s, domain(s): h2.home.arpa.
        0x0000:  <redacted>
        0x0010:  <redacted>
      mtu option (5), length 8 (1):  1500
        0x0000:  0000 0000 05dc
      source link-address option (1), length 8 (1): 64:xx:xx:xx:xx:49
        0x0000:  <redacted>
...

17:07:13.161370 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 112) _gateway > ip6-allnodes: [icmp6 sum ok] ICMP6, router advertisement, length 112
    hop limit 64, Flags [none], pref medium, router lifetime 1800s, reachable time 0ms, retrans timer 0ms
      prefix info option (3), length 32 (4): 26xx:xxxx:xxxx:xxx1::/64, Flags [onlink, auto], valid time 86400s, pref. time 14400s
        0x0000:  <redacted>
        0x0010:  <redacted>
      rdnss option (25), length 24 (3):  lifetime 1800s, addr: 26xx:xxxx:xxxx:xxx1:66xx:xxxx:xxxx:xx47
        0x0000:  <redacted>
        0x0010:  <redacted>
      dnssl option (31), length 24 (3):  lifetime 1800s, domain(s): h2.home.arpa.
        0x0000:  <redacted>
        0x0010:  <redacted>
      mtu option (5), length 8 (1):  1500
        0x0000:  0000 0000 05dc
      source link-address option (1), length 8 (1): 64:xx:xx:xx:xx:47
        0x0000:  <redacted>

Result on link:

2: enp6s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:xx:xx:xx:xx:53 brd ff:ff:ff:ff:ff:ff
    inet 192.168.130.101/24 brd 192.168.130.255 scope global dynamic noprefixroute enp6s0
       valid_lft 6869sec preferred_lft 6869sec
    inet6 26xx:xxxx:xxxx:xxx1:f229:dba2:f9d3:1508/64 scope global temporary dynamic
       valid_lft 86316sec preferred_lft 14316sec
    inet6 26xx:xxxx:xxxx:xxx1:224:xxxx:xxxx:xxxx/64 scope global dynamic mngtmpaddr
       valid_lft 86316sec preferred_lft 14316sec
    inet6 26xx:xxxx:xxxx:xxx3:d685:f036:318f:1395/64 scope global temporary dynamic
       valid_lft 86316sec preferred_lft 14316sec
    inet6 26xx:xxxx:xxxx:xxx3:224:xxxx:xxxx:xxxx/64 scope global dynamic mngtmpaddr
       valid_lft 86316sec preferred_lft 14316sec
    inet6 26xx:xxxx:xxxx:xxx3:d4ce:610:4aca:4954/64 scope global temporary deprecated dynamic
       valid_lft 7077sec preferred_lft 0sec
    inet6 26xx:xxxx:xxxx:xxx3:224:xxxx:xxxx:xxxx/64 scope global deprecated dynamic mngtmpaddr
       valid_lft 7077sec preferred_lft 0sec
    inet6 26xx:xxxx:xxxx:xxx3:fd21:1443:9bf8:2301/64 scope global temporary deprecated dynamic
       valid_lft 7044sec preferred_lft 0sec
    inet6 26xx:xxxx:xxxx:xxx3:224:xxxx:xxxx:xxxx/64 scope global deprecated dynamic mngtmpaddr
       valid_lft 7044sec preferred_lft 0sec
    inet6 fe80::224:xxxx:xxxx:xxxx/64 scope link
       valid_lft forever preferred_lft forever

I had already uploaded the PVID mapping table. Here are the Port<->VLAN mapping and the tag settings for VLAN 30 to show that it's tagged on the trunk and untagged on the access ports.

FWIW, on my TP-link gear, using VLAN 1 (even tagged) caused DHCP issues.
Although my switches were all configured to use VLAN 2 for their management, they randomly showed up with IP addresses in the VLAN 1 subnet...
In my case, the "Default" interface in the controller GUI was/is set to use a random VLAN ID.
All the other VLANs (including 1 at first) were declared just as VLAN (not interface).

I got tired of troubleshooting this, and their forums didn't provide much help.
I no longer use VLAN ID 1 in the controller/switches/APs.
I just changed the value without adjusting the subnet to match (breaking my matching convention, preserving my rings of trust).

I still have a DHCP server enabled in that subnet (just in case) but no leases ever reappeared.
All hosts in that subnet have static IPs (proxmox and OPN).

I'll give it one last try with a different default VLAN ID for the Management LAN.

I've struck out twice now in trying to get a problem-free IPv6+SLAAC experience with smaller (desktop) fanless consumer-level switches. My UniFi-connected clients have problems with automatic privacy address regeneration, but at least basic VLAN isolation is working.

I realized that I hadn't passed the option to tcpdump to actually capture the link-level information. I'm also now capturing from the VLAN parent interface 'igb2' on the router, using "tcpdump -vvv -i igb2 -nn -e ..."

Interesting result. IPv4 traffic is leaving the router interface with VLAN tags:

10:01:26.617384 00:xx:xx:xx:xx:53 > 64:xx:xx:xx:xx:49, ethertype 802.1Q (0x8100), length 104: vlan 30, p 0, ethertype IPv4 (0x0800), (tos 0x0, ttl 64, id 18058, offset 0, flags [none], proto UDP (17), length 86)
    192.168.130.101.59775 > 192.168.130.1.53: [udp sum ok] 7191+ [1au] AAAA? connectivity-check.ubuntu.com. ar: . OPT UDPsize=1472 (58)

IPv6 traffic appears untagged:

root@fw1:~ # tcpdump -vvv -i igb2 -nn -e ip6
tcpdump: listening on igb2, link-type EN10MB (Ethernet), snapshot length 262144 bytes
10:08:40.509014 64:xx:xx:xx:xx:47 > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 110: (hlim 255, next-header ICMPv6 (58) payload length: 56) fe80::66xx:xxxx:xxxx:xx47 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 56
    hop limit 64, Flags [none], pref medium, router lifetime 1800s, reachable time 0ms, retrans timer 0ms
      dnssl option (31), length 24 (3):  lifetime 1800s, domain(s): h2.home.arpa.
        0x0000:  <redacted>
        0x0010:  <redacted>
      mtu option (5), length 8 (1):  1500
        0x0000:  0000 0000 05dc
      source link-address option (1), length 8 (1): 64:xx:xx:xx:xx:47
        0x0000:  <redacted>
10:08:40.700725 64:xx:xx:xx:xx:47 > 33:33:00:00:00:16, ethertype IPv6 (0x86dd), length 90: (hlim 1, next-header Options (0) payload length: 36) fe80::66xx:xxx:xxxx:xx47 > ff02::16: HBH (padn)(rtalert: 0x0000)  [icmp6 sum ok] ICMP6, multicast listener report v2, 1 group record(s) [gaddr ff02::2 to_ex { }]
10:08:42.557491 64:xx:xx:xx:xx:47 > 33:33:00:00:00:16, ethertype IPv6 (0x86dd), length 90: (hlim 1, next-header Options (0) payload length: 36) fe80::66xx:xxxx:xxxx:xx47 > ff02::16: HBH (padn)(rtalert: 0x0000)  [icmp6 sum ok] ICMP6, multicast listener report v2, 1 group record(s) [gaddr ff02::2 to_ex { }]
10:08:43.094471 64:xx:xx:xx:xx:47 > 33:xx:xx:xx:xx:47, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) :: > ff02::1:ff22:xx47: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 26xx:xxxx:xxxx:xxx1:66xx:xxxx:xxxx:xx47
      unknown option (14), length 8 (1):
        0x0000:  <redacted>

Does this possibly have to do with OPNsense? I have the parent VLAN interface unassigned, as per the first few messages in this thread.
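As an added check (not code from the thread or from OPNsense), here is a small parser for the `tcpdump -e -nn` line format shown above. It flags router advertisements seen without an 802.1Q tag on a parent interface that should carry tagged frames only, and it can also list every untagged frame on such a link. The sample capture lines are constructed, with made-up MAC addresses.

```python
import re

# Constructed sample in `tcpdump -vvv -nn -e` format (not the thread's real capture):
# a tagged IPv4 DNS query, an untagged IPv6 RA, and a correctly tagged IPv6 RA.
SAMPLE_CAPTURE = """\
10:01:26.617384 00:11:22:33:44:53 > 64:11:22:33:44:49, ethertype 802.1Q (0x8100), length 104: vlan 30, p 0, ethertype IPv4 (0x0800), (tos 0x0, ttl 64, id 18058, offset 0, flags [none], proto UDP (17), length 86)
    192.168.130.101.59775 > 192.168.130.1.53: [udp sum ok] 7191+ [1au] AAAA? example.invalid. (58)
10:08:40.509014 64:11:22:33:44:47 > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 110: (hlim 255, next-header ICMPv6 (58) payload length: 56) fe80::6611:22ff:fe33:4447 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 56
    hop limit 64, Flags [none], pref medium, router lifetime 1800s, reachable time 0ms, retrans timer 0ms
10:08:41.000000 64:11:22:33:44:47 > 33:33:00:00:00:01, ethertype 802.1Q (0x8100), length 114: vlan 10, p 0, ethertype IPv6 (0x86dd), (hlim 255, next-header ICMPv6 (58) payload length: 56) fe80::6611:22ff:fe33:4447 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 56
"""

# A frame header line starts with a timestamp, then "src > dst, ethertype ...".
FRAME_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), "
    r"ethertype (?P<outer>[^,]+)"
)
# Only present when tcpdump -e saw an 802.1Q header on the frame.
VLAN_RE = re.compile(r"\bvlan (?P<vid>\d+),")


def parse_frames(text):
    """Return one dict per frame; indented continuation lines belong to the previous frame."""
    frames = []
    for line in text.splitlines():
        if line[:1].isspace():
            continue  # -v detail line (hop limit, options, ...), not a new frame
        m = FRAME_RE.match(line)
        if not m:
            continue
        tag = VLAN_RE.search(line)
        frames.append({
            "ts": m.group("ts"),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "vlan": int(tag.group("vid")) if tag else None,  # None == untagged
            "ipv6": "IPv6 (0x86dd)" in line,
            "ra": "router advertisement" in line,
        })
    return frames


def untagged_frames(text):
    """Every frame without an 802.1Q tag: on a tags-only trunk each one is a finding."""
    return [f for f in parse_frames(text) if f["vlan"] is None]


def untagged_router_advertisements(text):
    """Untagged RAs are the ones a switch can flood into every VLAN via its PVID."""
    return [f for f in untagged_frames(text) if f["ra"]]
```

Run it against the output of `tcpdump -vvv -nn -e -i igb2 ip6` saved to a file; a non-empty result from untagged_router_advertisements() means the router itself, not the switch, emitted the RA without a tag.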

I think I know... a little embarrassing, but I left the LAN interface (igb0) as native in OPNsense. I think I need to convert it to a VLAN also, with VLAN ID 1.

Yes.

I didn't have success even with tagging the LAN network and also changing the default VLAN from 1 to 2. I think Patrick's initial assessment that the switch has a bug is likely correct.

I found a UniFi Lite-16 for an OK price at a local store, so giving that a go now.

Thanks for the suggestions. Hopefully this thread saves someone considering the same model switch. FWIW, the firmware version on the Netgear is 1.0.1.4.