WAN DHCP6 VLAN Priority tagging

[marjohn56]

I am about to look at this as it's a requirement for Orange France users.

Now, there are three things, well probably more but at the moment only three come to mind. ;)

1. The addition of the priority setting to filter.lib.inc at line 294 this

'set-prio' => '2'

and I'm using the value 2 as an example (when implemented this will be selectable in the  GUI) it does show in rules.debug, but it has no effect, this leads us to 2.

1. I believe the lack of "net.link.vlan.mtag_pcp" => "1", from system.inc is the reason, I'm waiting on Kev to check this for me as he has a test unit with orange france settings. There are several other sysctl values that appear in p****** that are not in opnsense, perhaps this needs to be looked at. In this instance though, I am only looking at the vlan priority stuff.

3. Where to put this option - On the darkside I added it to the dhcp6c settings section, but I am not sure this is the correct location, perhaps the system->advanced.network.

Thoughts?

[franco]

Hmm, different question: do you want to prioritise DHCP6-only or the whole VLAN? Because there is a VLAN-priority setting as well.

[marjohn56]

DHCP6 only.

I'll bring Kev in here, he can describe the requirements much better than I can.

[franco]

3. Where to put this option - On the darkside I added it to the dhcp6c settings section, but I am not sure this is the correct location, perhaps the system->advanced.network.

It's the right place as we could have different priorities per outgoing interface.

[nivek1612]

Hi Franco

Orange France supply a FTTP service

The requirement is for the dhcp and dhcp6c request to have prio 6 but all other traffic priory 0.
Tagging the whole vlan means dhcp and dhcp6 request get an IP but flow is reduced massively

As dhclient uses raw sockets that has been solved via the modified client so we are done there
Dhcp6 however passes through the firewall and it should be possible to tag the packet but even when rules.debug has the correct value the priority is not honoured

We had this working on the darkside but I know they did quiet some work around vlans as things changed from freeBSD 10 to 11

[franco]

1. I believe the lack of "net.link.vlan.mtag_pcp" => "1", from system.inc is the reason, I'm waiting on Kev to check this for me as he has a test unit with orange france settings. There are several other sysctl values that appear in p****** that are not in opnsense, perhaps this needs to be looked at. In this instance though, I am only looking at the vlan priority stuff.

Ok so the "set prio 2" is written in the pf.conf indeed and:

# sysctl -a | grep mtag_pcp
net.link.vlan.mtag_pcp: 0

I don't know the impact of that sysctl, but flipping it for testing should be easy. :)

Edit: Code says this... but somehow we should try to figure out and set the sysctl without user interaction.

Code Select Expand


159 /*                                                                             
160  * For now, make preserving PCP via an mbuf tag optional, as it increases       
161  * per-packet memory allocations and frees.  In the future, it would be         
162  * preferable to reuse ether_vtag for this, or similar.                         
163  */     
 

[nivek1612]

I hand modified sytems.inc to add  "net.link.vlan.mtag_pcp" => "1"
I dont have the GITHIB skills :-)

But a wireshark trace is still showing the dhcp6 request with 0 as the priority

I can see in rules.debug that the changes Martin and I made to both systems.inc and filter.lib.inc seem to be creating the correct rule modification heres the modified rule.

pass out log quick on igb0_vlan832 proto udp from {any}  port {546} to {any}  port {547}  set prio 6 label "allow dhcpv6 client in WAN"

[marjohn56]

As dhclient uses raw sockets that has been solved via the modified client so we are done there
Dhcp6 however passes through the firewall and it should be possible to tag the packet but even when rules.debug has the correct value the priority is not honoured

Sorry Kev, it did not occur to before, but could we use the same VLAN  tagging we are applying to IPv6 to the dhcpv4 packets, thus making the use of a modified dhclient mute?

[nivek1612]

I dont think so but I may be wrong
But I believe 'raw sockets' don't pass through the firewall rules in the same way

[marjohn56]

no... its me having an idiot moment...  :-X

[marjohn56]

Well I've spent a couple of hours on this tonight, it appears it should work but it does not. In fact I cannot get anything to go over the VLAN!

I'll have another look in the morning if I get time

[franco]

Hmm, both the VLAN and the firewall priority settings were added in early 17.1.x by @djGrrr and this would mean it was written and tested on FreeBSD 11.0.

I'm fairly sure nothing changed since then, but just in case there is also a 11.1 test around.

https://forum.opnsense.org/index.php?topic=6257.0

[marjohn56]

I've got the VLAN's working now, it was some oddity with my APU device. I've switched now to a VM and i'm getting the VLANs OK, still cannot see why the set priority is not working on the dhcp6 packets, rules.debug shows its there, and here's the pfinfo. Can you see anything wrong there?

@49 pass out log quick on em0_vlan832 proto udp from any port = dhcpv6-client to any port = dhcpv6-server set ( prio 6 ) keep state label "allow dhcpv6 client in WAN"
  [ Evaluations: 6171      Packets: 17        Bytes: 1972        States: 1     ]
  [ Inserted: uid 0 pid 68116 State Creations: 11    ]

[franco]

Looks ok, no priority at all? Or is the priority tag being overwritten by the VLAN priority setup value?

[marjohn56]

Priority is being sent out as 0, I hadn't though that maybe the VLAN priority is overiding it.