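<p>pfSense bugtracker (<a class="external" href="https://redmine.pfsense.org/">https://redmine.pfsense.org/</a>), updated 2014-12-12T19:07:46Z</p>
<p>pfSense - Bug #4103: Xen xn NICs can't tag VLANs</p>
<p>Chris Buechler (cbuechler@gmail.com), 2014-12-12T19:07:46Z, <a class="external" href="https://redmine.pfsense.org/issues/4103?journal_id=16132">https://redmine.pfsense.org/issues/4103?journal_id=16132</a></p>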
<ul><li><strong>Subject</strong> changed from <i>VLAN tagging always possible</i> to <i>Xen xn NICs can't tag VLANs</i></li><li><strong>Category</strong> set to <i>Operating System</i></li><li><strong>Status</strong> changed from <i>New</i> to <i>Rejected</i></li></ul><p>They don't show up because they report themselves as not being VLAN-capable. Those who have forced their way around the fact that they don't show up have seen major issues. There are problems in xn NICs with VLAN tagging that need to be reported and fixed upstream.</p>
<p>Grischa Zengel, 2014-12-12T20:20:02Z, <a class="external" href="https://redmine.pfsense.org/issues/4103?journal_id=16133">https://redmine.pfsense.org/issues/4103?journal_id=16133</a></p>
<p>That's too lapidary.<br />Tagging is something which is handled by software and could be in hardware.<br />Without anything written I didn't believe.</p>
<p>Grischa Zengel, 2014-12-12T20:50:56Z, <a class="external" href="https://redmine.pfsense.org/issues/4103?journal_id=16134">https://redmine.pfsense.org/issues/4103?journal_id=16134</a></p>
<p>That's in the code:</p>
<pre>
is_jumbo_capable - Test if interface is jumbo frame capable. Useful for determining VLAN capability
</pre>
<p>But that's not the whole story. Tagging is always possible.<br />If your interface can't handle jumbo frames you have to reduce MTU and that's what FreeBSD does.</p>
<p>Chris Buechler (cbuechler@gmail.com), 2014-12-12T21:30:37Z, <a class="external" href="https://redmine.pfsense.org/issues/4103?journal_id=16135">https://redmine.pfsense.org/issues/4103?journal_id=16135</a></p>
<p>There are problems in VLAN tagging in that driver. That's outside of our control. Please replicate the problem on stock FreeBSD 10.1 and report upstream.</p>
<p>Grischa Zengel, 2014-12-13T05:48:31Z, <a class="external" href="https://redmine.pfsense.org/issues/4103?journal_id=16138">https://redmine.pfsense.org/issues/4103?journal_id=16138</a></p>
<ul></ul><p>In XN there couldn't be tagging problems, because it didn't know anything about tagging.<br />They will tell me that the problems are of the reduced MTU and that some protocols have problems with Path MTU Discovery. Mostly UDP based protocols if fragmentation is disabled.</p>
<p>So what should I report?</p>
<p>I still have the opinion that it should be possible to use tagging on interfaces with smaller MTU.</p>
<p>VLANMTU shows only the fact that an interface can have packet sizes greater than 1512 bytes.</p>
<p>Can you add a switch on Advanced/Interfaces which allows using tagging with a smaller MTU?</p>
<p><a class="external" href="http://en.wikipedia.org/wiki/Path_MTU_Discovery">http://en.wikipedia.org/wiki/Path_MTU_Discovery</a>:</p>
<pre>
Problems with PMTUD
Many network security devices block all ICMP messages for perceived security benefits,[6] including the errors that are necessary for the proper operation of PMTUD. This can result in connections that complete the TCP three-way handshake correctly, but then hang when data is transferred. This state is referred to as a black hole connection.[7]
Some implementations of PMTUD attempt to prevent this problem by inferring that large payload packets have been dropped due to MTU rather than because of link congestion. However, in order for the Transmission Control Protocol (TCP) to operate most efficiently, ICMP Unreachable messages (type 3) should be permitted. A robust method for PMTUD that relies on TCP or another protocol to probe the path with progressively larger packets has been standardized in RFC 4821.[8]
A workaround used by some routers is to change the maximum segment size (MSS) of all TCP connections passing through links with MTU lower than the Ethernet default of 1500. This is known as MSS clamping.[9]
</pre>
<p>Grischa Zengel, 2014-12-14T08:09:28Z, <a class="external" href="https://redmine.pfsense.org/issues/4103?journal_id=16145">https://redmine.pfsense.org/issues/4103?journal_id=16145</a></p>
<p>On Interfaces/VLAN is written:</p>
<pre>
Note:
Not all drivers/NICs support 802.1Q VLAN tagging properly. On cards that do not explicitly support it, VLAN tagging will still work, but the reduced MTU may cause problems. See the pfSense handbook for information on supported cards.
</pre>
<p>So this bug still exists (not only for xn).<br />It should be my decision if I use VLANs for unsupported NICs.</p>
<p>Eduardo Stelmaszczyk (emsspam@terra.com.br), 2015-05-08T08:27:09Z, <a class="external" href="https://redmine.pfsense.org/issues/4103?journal_id=18355">https://redmine.pfsense.org/issues/4103?journal_id=18355</a></p>
<p>Hello Chris,</p>
<p>I've read many reports about this issue and this one is the best by far. But I still think the problem deserves a bit more clarification. I'm not sure if we're discussing lack of a capability (in this case, VLANMTU) or a bug.</p>
<p>First, could you please provide a link to a report of any kind about the "major issues" encountered by people who "have forced their way around the fact that [the interfaces] don't show up [as VLAN-capable]"? Are these issues related to reduced MTU, as Grischa explained?</p>
<p>Also, you asked us to "please replicate the problem on stock FreeBSD 10.1 and report upstream." What "problem", exactly, are we talking about? VLAN tagging works with stock FreeBSD, unless you're mentioning a not so obvious bug. A FreeBSD developer tested it without problems (<a class="external" href="https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=195978">https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=195978</a>) and I tested it too, as did Grischa, without any apparent issues.</p>
<p>In a broader sense, what I don't understand is this: FreeBSD's own vlan creating tool doesn't check if the physical interface reports itself with a VLANMTU capability. Should pfSense do it? As Grischa mentioned, quoting the "vlan" manpage, "other Ethernet interfaces can run VLANs using software emulation in the vlan driver." So, is there really a problem here or is pfSense being too zealous about this?</p>
<p>To sum everything up: are you recommending that we don't use xn NICs with VLANs because of the lack of VLANMTU capability (that's what pfSense checks for, after all) or because of other problems? In the latter case, can you please provide some sources for this?</p>
<p>Thank you,</p>
<p>Eduardo</p>
<p>Michael Jephcote, 2015-07-13T05:26:57Z, <a class="external" href="https://redmine.pfsense.org/issues/4103?journal_id=19169">https://redmine.pfsense.org/issues/4103?journal_id=19169</a></p>
<p>FYI, manually adjusting the select box HTML using an inline edit from the browser allows you to create the VLAN on the correct interface. After doing this, VLANs work as expected, including DHCP addressing.</p>
<p>I think that pfSense shouldn't be restrictive here and should show all interfaces.</p>