Bug #7167
closed
Error creating higher VLAN ID on SG-1000
100%
Description
SG-1000 connected to an Apple Airport Extreme ac on the LAN interface.
Created a VLAN interface with tag 1003 and assigned an interface and DHCP server. Clients don't get an IP assigned by DHCP. Clients can't reach any network even if they are assigned an IP manually. The logs show the following error:
process: php-fpm
pid: 351/interfaces_vlan_edit.php: The command '/sbin/etherswitchcfg vlangroup1003 vlan 1003 members 0t,2t' returned exit code '64', the output was 'etherswitchcfg: vlangroup unit must be between 0 and 127'
Similar setup works with an SG-2440
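The failing command above uses the VLAN ID (1003) as the vlangroup unit, which etherswitchcfg limits to 0-127. The sketch below is an added illustration, not pfSense code and not necessarily how the snapshot fix works: it picks a free unit separately from the 802.1Q VLAN ID and checks the values before building the command line. The function names and the caller-supplied list of used units are assumptions.

```sh
#!/bin/sh
# Added illustration: keep the vlangroup unit (switch table slot) separate
# from the 802.1Q VLAN ID when building an etherswitchcfg command line.
VLANGROUP_MAX=127   # upper bound quoted in the etherswitchcfg error above
VLAN_ID_MAX=4094    # highest usable 802.1Q VLAN ID

# is_uint STRING: succeeds only for a non-empty run of decimal digits
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# next_free_unit "USED UNITS": prints the lowest unused unit in 0..127,
# fails when every slot is taken
next_free_unit() {
    unit=0
    while [ "$unit" -le "$VLANGROUP_MAX" ]; do
        case " $1 " in
            *" $unit "*) unit=$((unit + 1)) ;;
            *) echo "$unit"; return 0 ;;
        esac
    done
    return 1
}

# build_vlangroup_cmd VLAN_ID MEMBERS "USED UNITS": prints the command line
build_vlangroup_cmd() {
    vid=$1 members=$2 used=$3
    is_uint "$vid" && [ "$vid" -ge 1 ] && [ "$vid" -le "$VLAN_ID_MAX" ] ||
        { echo "VLAN ID must be between 1 and $VLAN_ID_MAX" >&2; return 64; }
    # Coarse allowlist based on the "0t,2t" form shown above: digits, 't', ','
    case "$members" in
        ''|*[!0-9t,]*) echo "invalid member list" >&2; return 64 ;;
    esac
    slot=$(next_free_unit "$used") ||
        { echo "no free vlangroup unit" >&2; return 1; }
    echo "/sbin/etherswitchcfg vlangroup${slot} vlan ${vid} members ${members}"
}

# Constructed sample: units 0 and 1 are already in use
build_vlangroup_cmd 1003 0t,2t "0 1"
```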
Updated by Jim Thompson almost 8 years ago
- Assignee set to Luiz Souza
- Target version set to 2.4.0
Updated by Luiz Souza almost 8 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Fixed in the latest snapshot.
Updated by Constantine Kormashev almost 8 years ago
I have updated to
FreeBSD pfSense.localdomain 11.0-RELEASE-p7 FreeBSD 11.0-RELEASE-p7 #0 b95dbdb097f(RELENG_2_4): Tue Feb 7 20:47:38 CST 2017 root@buildbot2.netgate.com:/xbuilder/pfsense-crossbuild/work/obj-ufw-armv6/arm.armv6/builder/factory/tmp/FreeBSD-src/sys/pfSense-uFW arm
I can create VLANs higher than 127, but there is no traffic from these VLAN interfaces. If I enable tcpdump on any of them, traffic is forwarded. I can see the MACs on the switch ports and egress ARP traffic, but it seems like all incoming traffic is not accepted.
12:31:22.454352 ARP, Request who-has 172.16.150.1 tell 172.16.150.102, length 46
12:31:22.454530 ARP, Reply 172.16.150.1 is-at 00:15:17:91:d8:60, length 46
12:31:23.510942 ARP, Request who-has 172.16.150.1 tell 172.16.150.102, length 46
12:31:23.511107 ARP, Reply 172.16.150.1 is-at 00:15:17:91:d8:60, length 46
12:31:24.547341 ARP, Request who-has 172.16.150.1 tell 172.16.150.102, length 46
12:31:24.547509 ARP, Reply 172.16.150.1 is-at 00:15:17:91:d8:60, length 46
12:31:25.233937 ARP, Request who-has 172.16.150.1 tell 172.16.150.102, length 46
12:31:25.234185 ARP, Reply 172.16.150.1 is-at 00:15:17:91:d8:60, length 46
12:31:26.171043 ARP, Request who-has 172.16.150.1 tell 172.16.150.102, length 46
12:31:26.171288 ARP, Reply 172.16.150.1 is-at 00:15:17:91:d8:60, length 46
12:31:27.233852 ARP, Request who-has 172.16.150.1 tell 172.16.150.102, length 46
172.16.150.102 is the VLAN interface and 172.16.150.1 is the GW in the same VLAN.
ifconfig
cpsw0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8000b<RXCSUM,TXCSUM,VLAN_MTU,LINKSTATE>
        ether 68:9e:19:9c:a7:ad
cpsw0_vlan1150: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 68:9e:19:9c:a7:ad

          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    689e.199c.a7ad    DYNAMIC     Fa0/33
1150    689e.199c.a7ad    DYNAMIC     Fa0/33
Updated by Phillip Davis almost 8 years ago
Just to be sure, did you put a firewall pass rule onto the interface that is the VLAN? It will need that in order to accept incoming traffic.
Updated by Constantine Kormashev almost 8 years ago
- File ufw_switch_ping.pcap added
- File ufw_side_ping.pcap added
- File ufw_side_dhcp.pcap added
- File ufw_dhcp.pcap added
It did not help.
OK. I restored the uFw settings to factory defaults, assigned VLAN 11 on cpsw0 and chose it as WAN.
I can see the DHCP server gave it an IP, but there is no IP on cpsw0_vlan11:
cpsw0_vlan11: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether *68:9e:19:9c:a7:ad*
        inet6 fe80::6a9e:19ff:fe9c:a7ad%cpsw0_vlan11 prefixlen 64 scopeid 0x8
        *inet 0.0.0.0 netmask 0xff000000 broadcast 255.255.255.255*
        groups: vlan
        vlan: 11 vlanpcp: 0 parent interface: cpsw0
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/            Lease expiration        Type
                Hardware address/
                User name
10.0.11.13      01 *689e199ca7ad*     Feb 09 2017 08:29 AM    Automatic
I have just rebooted and I see:
WAN (wan)       -> cpsw0         -> _??? Where is VLAN11 interface ???_
LAN (lan)       -> cpsw1         -> v4: 192.168.1.1/24
OPT1 (opt1)     -> cpsw0         ->
OPT2 (opt2)     -> cpsw0_vlan12  ->
Because before the reboot I saw:
*WAN (wan)      -> cpsw0_vlan11  ->*
LAN (lan)       -> cpsw1         -> v4: 192.168.1.1/24
OPT1 (opt1)     -> cpsw0         ->
OPT2 (opt2)     -> cpsw0_vlan12  ->
VLAN11 still exists:
cpsw0_vlan11: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 68:9e:19:9c:a7:ad
        inet6 fe80::6a9e:19ff:fe9c:a7ad%cpsw0_vlan11 prefixlen 64 scopeid 0x8
        groups: vlan
        vlan: 11 vlanpcp: 0 parent interface: cpsw0
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
But it does not exist in the interface list in the 'Set interface(s) IP address' menu:
Enter an option: 2
Available interfaces:
1 - WAN (cpsw0 - dhcp, dhcp6)
2 - LAN (cpsw1 - static)
3 - OPT1 (cpsw0)
4 - OPT2 (cpsw0_vlan12)
I reassigned the interfaces manually again:
The interfaces will be assigned as follows:
WAN  -> cpsw0_vlan11
LAN  -> cpsw1
OPT1 -> cpsw0
OPT2 -> cpsw0_vlan12
VLAN11 got an IP:
10.0.11.14 0168.9e19.9ca7.ad Feb 09 2017 08:46 AM Automatic
and the result is the same: there is no IP on the VLAN11 interface.
uFw does not process DHCP messages on VLAN11. I see only the DHCP Discover on the switch port that uFw is connected to.
I could not connect to uFw via the LAN port from a flat L2 net, but I can ping it, receive ARP and get answers on telnet to ports 22 or 80, and in the logs I can see:
1000000103,cpsw1,match,block,in,4,0x0,,64,6834,0,DF,6,tcp,60,192.168.1.16,192.168.1.1,38230,443,0,S,1723447793,,29200,,mss;sackOK;TS;nop;wscale
192.168.1.16 is the host I use to connect to LAN 192.168.1.1.
I reassigned the interfaces, deleted the VLANs and got a console lock: there is no response from the console until uFw is rebooted.
The pcap from uFw with the DHCP Discover was taken with tcpdump -p. There is no ingress traffic.
I manually disabled pf with pfctl -d and assigned an IP to cpsw0_vlan11 manually. It could ping its own IP 10.0.11.9 but not 10.0.11.1, which is in the same VLAN. I see the MAC in the proper VLAN. I see the ARP request from uFw for 10.0.11.1 and the ARP reply from 10.0.11.1, but it seems like it does not receive the replies; see the pcaps.
I destroyed all VLAN interfaces, connected to LAN via HTTP and made new ones on cpsw1. The picture is the same: after I manually assigned an IP on VLAN11 and added pass-all firewall rules, the result is the same. An interface without a VLAN can forward traffic and one with a VLAN cannot.
ping 10.0.11.1
PING 10.0.11.1 (10.0.11.1): 56 data bytes
ping: sendto: Host is down

arp -an
? (10.0.11.1) at (incomplete) on cpsw1_vlan11 expired [vlan]
? (10.0.11.9) at 68:9e:19:9c:a7:af on cpsw1_vlan11 permanent [vlan]

          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  11    689e.199c.a7af    DYNAMIC     Fa0/34 _<- does not work_
 192    689e.199c.a7af    DYNAMIC     Fa0/34 _<- works_

sh ip arp
Internet  10.0.11.1        -   0024.c4f0.5543  ARPA   Vlan11
Internet  10.0.11.9        5   689e.199c.a7af  ARPA   Vlan11
Internet  192.168.1.1      6   689e.199c.a7af  ARPA   Vlan192
Internet  192.168.1.16    41   000c.296b.89d6  ARPA   Vlan192
Internet  192.168.1.100    -   0024.c4f0.5544  ARPA   Vlan192
And it is not a problem with my switch, because I have just taken a 2440 and made VLAN11 on it and there is no problem: VLAN11 got DHCP and traffic is forwarded through the VLAN11 interface.
Updated by Luiz Souza almost 8 years ago
Constantine, I cannot reproduce these issues.
I can use VLANs on the LAN interface (but need to add the default pass rules as noted by Phillip).
After running the factory reset, setting a VLAN on the WAN interface and setting it to DHCP, it worked without any other changes.
The only difference is that I'm not using a switch; my SG-1000 is directly connected to other FreeBSD/pfSense devices (but this should really make no difference... it just can't...)
Updated by Netnewb net over 7 years ago
I've tested the new update and it worked as expected. A client connected to the Guest Wifi from the Airport Extreme worked on VLAN 1003 and was able to access the internet.