
Bug #12070 (open): VLAN0 for WAN DHCP

Added by Michael LaCroix 3 months ago. Updated about 1 month ago.

Status: New
Priority: Low
Assignee: -
Category: DHCP (IPv4)
Target version: -
Start date: 06/22/2021
Due date: -
% Done: 0%
Estimated time: -
Plus Target Version: -
Release Notes: Default
Affected Version: All
Affected Architecture: All

Description

Hello, I'm not sure if this should be a bug or feature request. Internet fiber providers in the USA and abroad tag their packets with VLAN 0 ID and pfSense is unable to negotiate an IP address from their DHCP servers. There are several third-party scripts out there that are being used to accommodate pfSense users who are using these services, like myself. But it would be so much better if pfSense could handle this itself without using such scripts. If a $30 router off a Walmart shelf can negotiate an IP address from these providers, pfSense should also be able to. Thanks


Files: dhcp_vlan0_pcap.png (18 KB), Marcos Mendoza, 07/13/2021 12:40 PM

#1 - Updated by Marcos Mendoza 3 months ago

This would likely have to be resolved in FreeBSD itself. More details on the issue here:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224961

There have been workarounds using netgraph; the most prominent is pfatt ( https://github.com/MonkWho/pfatt ), which can be adapted for VLAN0 specifically, e.g.:

#!/bin/sh
set -e

# LOCAL_IF: Device interface to use with netgraph
# UPSTREAM_MAC: MAC address of ISP router
# tap_ng0: Uses excluded interface name https://github.com/pfsense/pfsense/blob/8707550072636f852ed6755ed430174b307ab1e2/src/etc/inc/util.inc#L2401
LOCAL_IF='xx0'
UPSTREAM_MAC='xx:xx:xx:xx:xx:xx'
LOG=/var/log/vlan0bypass.log

getTimestamp(){
    echo `date "+%Y-%m-%d %H:%M:%S :: [vlan0bypass] ::"`
}

{
    echo "$(getTimestamp) LOCAL_IF: $LOCAL_IF" 
    echo "$(getTimestamp) UPSTREAM_MAC: $UPSTREAM_MAC" 

    echo -n "$(getTimestamp) attaching interfaces to ng_ether... " 
    /usr/local/bin/php -r "pfSense_ngctl_attach('.', '$LOCAL_IF');" 
    echo "OK!" 

    echo "$(getTimestamp) building netgraph nodes..." 

    # attach an ng_vlan node to the lower hook of the interface's ng_ether node
    echo -n "$(getTimestamp) creating ng_vlan node on $LOCAL_IF lower hook... " 
    /usr/sbin/ngctl mkpeer $LOCAL_IF: vlan lower downstream
    /usr/sbin/ngctl name $LOCAL_IF:lower vlan0
    echo "OK!" 

    # create the ng_eiface interface behind the vlan node, filter VLAN ID 0 to it,
    # and set its MAC to the one the ISP expects
    echo -n "$(getTimestamp) creating vlan node and interface... " 
    /usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether
    /usr/sbin/ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }'
    /usr/sbin/ngctl msg tap_ng0: set $UPSTREAM_MAC
    echo "OK!" 

    echo -n "$(getTimestamp) enabling $LOCAL_IF interface... " 
    /sbin/ifconfig $LOCAL_IF up
    echo "OK!" 

    echo -n "$(getTimestamp) enabling promiscuous mode on $LOCAL_IF... " 
    /sbin/ifconfig $LOCAL_IF promisc
    echo "OK!" 

    echo "$(getTimestamp) tap_ng0 should now be available to configure as WAN" 
    echo "$(getTimestamp) done!" 
} >> $LOG

More info here:
https://forum.netgate.com/topic/160592/how-to-get-pfsense-wan-to-accept-vlan-0

#2 - Updated by Jim Pingle about 1 month ago

  • Priority changed from High to Low

Anything that would potentially touch VLAN0 needs to be aware of potential security problems with it as well:

And likely more vendors to come as that is still being actively worked on by others.

Since FreeBSD and pfSense reject VLAN 0 by default, that is currently a non-issue, but if that is relaxed then we must ensure it is done in a safe manner.
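To make the VLAN 0 situation from #1 and the safe-handling concern from #2 concrete, here is an added example (not code from the bug report, pfSense or pfatt) that parses an Ethernet frame, reports an 802.1Q priority tag (VID 0) like the one the ISP puts on its DHCP replies, and strips exactly one such tag, refusing a frame that hides a second tag behind it. The sample frame is constructed inline; `ETHERTYPE_*` constants and the function names are this example's own.

```python
import struct

ETHERTYPE_8021Q = 0x8100  # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes) -> dict:
    """Return MACs, the 802.1Q tag fields (or None), inner ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "tag": None,
            "ethertype": etype, "payload": frame[14:]}
    if etype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, inner = struct.unpack("!HH", frame[14:18])
        # TCI layout: 3 bits PCP, 1 bit DEI, 12 bits VID
        info["tag"] = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        info["ethertype"] = inner
        info["payload"] = frame[18:]
    return info


def is_priority_tagged(frame: bytes) -> bool:
    """True when the frame carries an 802.1Q tag whose VID is 0 (priority tag only)."""
    tag = parse_frame(frame)["tag"]
    return tag is not None and tag["vid"] == 0


def strip_vlan0(frame: bytes) -> bytes:
    """Remove a single VID-0 tag, as the ng_vlan 'vlan=0' filter effectively does.

    Refuses untagged or non-zero-VID frames, and refuses a VID-0 tag that
    encapsulates another 802.1Q tag so untagging never exposes a nested tag."""
    info = parse_frame(frame)
    if info["tag"] is None or info["tag"]["vid"] != 0:
        raise ValueError("not a VLAN 0 frame")
    if info["ethertype"] == ETHERTYPE_8021Q:
        raise ValueError("nested 802.1Q tag behind the VLAN 0 tag; refusing to untag")
    return frame[:12] + struct.pack("!H", info["ethertype"]) + info["payload"]


# Constructed sample (not captured traffic): broadcast frame from a made-up MAC,
# priority-tagged with PCP 3 and VID 0, carrying a truncated IPv4 payload.
SAMPLE_VLAN0 = (bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
                + struct.pack("!HH", ETHERTYPE_8021Q, (3 << 13) | 0)
                + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45\x00" + b"\x00" * 18)
```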
