Re: OBSD 6.8 vlan communication issues

2020-11-12 Thread Jordan Geoghegan




On 11/11/20 3:06 PM, len zaifman wrote:
I am setting up a new system as a firewall using OpenBSD 6.8 current 
-uname -a

OpenBSD fw1.lfz.net 6.8 GENERIC.MP#175 amd64.

I have 3 vlans 70,77,79 on  the firewall using two em devices, em0 and 
em1, in an aggregation to serve these vlans.



There is a Unifi switch which has 2 ports (where em0,em1 are attached) 
set up to pass tagged vlans 70,77,79. The switch ip is 10.10.70.3.


I have a linux host setup on vlans 70,77,79 and at address 77 -
10.10.70.77, 10.10.77.77,10.10.79.77.



So far i cannot communicate over the vlans. Before I vlanned these 
subnets : ie only vlan 1 everywhere - communication worked fine.


So i do not believe there is a physical issue. The issues arose with 
the introduction of the vlans. Is there a configuration issue that 
anyone can spot?



Thank you for any help you can give.

Evidence:

ping on the firewall works locally

for n in 0 7 9 ; do ping -c 2 10.10.7${n}.1 ; done
PING 10.10.70.1 (10.10.70.1): 56 data bytes
64 bytes from 10.10.70.1: icmp_seq=0 ttl=255 time=0.037 ms
64 bytes from 10.10.70.1: icmp_seq=1 ttl=255 time=0.025 ms

--- 10.10.70.1 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.025/0.031/0.037/0.006 ms
PING 10.10.77.1 (10.10.77.1): 56 data bytes
64 bytes from 10.10.77.1: icmp_seq=0 ttl=255 time=0.038 ms
64 bytes from 10.10.77.1: icmp_seq=1 ttl=255 time=0.025 ms

--- 10.10.77.1 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.025/0.031/0.038/0.006 ms
PING 10.10.79.1 (10.10.79.1): 56 data bytes
64 bytes from 10.10.79.1: icmp_seq=0 ttl=255 time=0.038 ms
64 bytes from 10.10.79.1: icmp_seq=1 ttl=255 time=0.025 ms

--- 10.10.79.1 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.025/0.032/0.038/0.007 ms


ping to the switch does not work

ping -c 2 10.10.70.3
PING 10.10.70.3 (10.10.70.3): 56 data bytes

--- 10.10.70.3 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

ping to the linux host does not work.

ping -c 2 10.10.70.3
PING 10.10.70.3 (10.10.70.3): 56 data bytes

--- 10.10.70.3 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
[13:47:04] leonardz@fw1 etc>>for n in 0 7 9 ; do ping -c 2 
10.10.7${n}.77 ; done

PING 10.10.70.77 (10.10.70.77): 56 data bytes

--- 10.10.70.77 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
PING 10.10.77.77 (10.10.77.77): 56 data bytes

--- 10.10.77.77 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
PING 10.10.79.77 (10.10.79.77): 56 data bytes

--- 10.10.79.77 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

I did the tests both with pfctl -e (enabled) and pfctl -d (disabled). 
It made no difference



The setup is described below

Here is the setup:

= hostname.aggr0
debug
trunkport em0
trunkport em1
up
inet 10.10.70.1/24
alias  10.10.77.1/24
alias  10.10.79.1/24


= hostname.em0
up

= hostname.em1
up


= hostname.vlan70
parent aggr0 vnetid 70
10.10.70.0/24

= hostname.vlan77
parent aggr0 vnetid 77
10.10.77.0/24

= hostname.vlan79
parent aggr0 vnetid 79
10.10.79.0/24


Ifconfig -A shows the vlans are setup

= aggr0
aggr0: flags=8847 mtu 1500
    lladdr fe:e1:ba:d0:f4:8c
    index 6 priority 0 llprio 7
    trunk: trunkproto lacp
    trunk id: [(8000,fe:e1:ba:d0:f4:8c,0006,,),
         (8000,e0:63:da:8e:78:d7,03E8,,)]
        em0 lacp actor system pri 0x8000 mac fe:e1:ba:d0:f4:8c, key 
0x6, port pri 0x8000 number 0x1
        em0 lacp actor state 
activity,aggregation,sync,collecting,distributing
        em0 lacp partner system pri 0x8000 mac e0:63:da:8e:78:d7, key 
0x3e8, port pri 0x1 number 0x9
        em0 lacp partner state 
activity,aggregation,sync,collecting,distributing

        em0 port active,collecting,distributing
        em1 lacp actor system pri 0x8000 mac fe:e1:ba:d0:f4:8c, key 
0x6, port pri 0x8000 number 0x2
        em1 lacp actor state 
activity,aggregation,sync,collecting,distributing
        em1 lacp partner system pri 0x8000 mac e0:63:da:8e:78:d7, key 
0x3e8, port pri 0x1 number 0xa
        em1 lacp partner state 
activity,aggregation,sync,collecting,distributing

        em1 port active,collecting,distributing
    groups: aggr
    media: Ethernet autoselect
    status: active
    inet 10.10.70.1 netmask 0xff00 broadcast 10.10.70.255
    inet 10.10.77.1 netmask 0xff00 broadcast 10.10.77.255
    inet 10.10.79.1 netmask 0xff00 broadcast 10.10.79.255

= em0
em0: flags=8843 mtu 1500
    lladdr fe:e1:ba:d0:f4:8c
    index 1 priority 0 llprio 3
    trunk: trunkdev aggr0
    media: Ethernet autoselect (1000baseT full-duplex)
    status: active

= em1
em1: flags=8843 mtu 1500
    lladdr fe:e1:ba:d0:f4:8c
    index 

Re: OBSD 6.8 vlan communication issues

2020-11-12 Thread Tom Smyth
Hi Len
Jacob has a point re checking vlan setup first by setting the parent on the
vlans to the em0 or em1 interface first

when you validate your vlan config  on the switch
setup the aggr0 interface
what does unifi say about the LACP status / Aggregation status on the
switch UI ?

also can you confirm that you are not doing any DHCP stuff / DHCP guard /
dhcp snooping  in Unifi  Switch which might affect network connectivity if
you have a dhcp server running on OpenBSD Box





On Thu, 12 Nov 2020 at 02:50, len zaifman  wrote:

> Thanks Tom,Aaron: I did 2 things,
>
> 1 re IPs - all ips removed from aggr0 and 1 ip for each vlan
>
> ifconfig -A | grep -A 7 vlan7 | grep -E 'vlan7
> inet' ; ifconfig aggr0 | grep inet
> vlan70: flags=8843 mtu 1500
>  inet 10.10.70.1 netmask 0xff00 broadcast 10.10.70.255
> vlan77: flags=8843 mtu 1500
>  inet 10.10.77.1 netmask 0xff00 broadcast 10.10.77.255
> vlan79: flags=8843 mtu 1500
>  inet 10.10.79.1 netmask 0xff00 broadcast 10.10.79.255
>
>
> Still no luck
>
>
> 2 I went to switch and made vlan70 the native vlan, with vlan 77,79
> still tagged to see if that would help. Still no ping even to the switch
> which is on vlan 70.
>
> Now the switch is back to all 3 vlans are tagged, no native vlan.
>
>
> I am trying to see vlan tags when i ping 10.10.7x.1 with tcpdump -e but
> no luck. I assume loopback interface is being used when i ping locally
> on the firewall so that doesn't work.
>
>
> I will contact switch vendor to see if they can help. But for openbsd,
> does the config look okay now? All ips on the vlan, not the parent
> interface?
>
>
> PS to Aaron's question re: sysctl
>
> sysctl for ip forwarding is set
>
> net.inet.ip.forwarding=1
>
>
> On 2020-11-11 7:32 p.m., Tom Smyth wrote:
> > Hi Len,
> > Hi Remove the Ip addresses from the agg0 interfaces
> >
> > put the Ip addresses on the vlan interfaces only
> >
> > ie
> > mg  /etc/hostname.vlanxxx
> > up vnetid xxx
> > inet 10.10.xx.1/24
> >
> > if you need to route between the vlans make sure you enable forwarding in
> > the kernel with sysctl
> >
> > when you get it working make sure to post to the Misc List :)
> >
> >
> >
> > Hope this helps,
> >
> >
> >
> >
> >
> >
> > On Thu, 12 Nov 2020 at 00:18, len zaifman  wrote:
> >
> >> I am setting up a new system as a firewall using OpenBSD 6.8 current
> >> -uname -a
> >> OpenBSD fw1.lfz.net 6.8 GENERIC.MP#175 amd64.
> >>
> >> I have 3 vlans 70,77,79 on  the firewall using two em devices, em0 and
> >> em1, in an aggregation to serve these vlans.
> >>
> >>
> >> There is a Unifi switch which has 2 ports (where em0,em1 are attached)
> >> set up to pass tagged vlans 70,77,79. The switch ip is 10.10.70.3.
> >>
> >> I have a linux host setup on vlans 70,77,79 and at address 77 -
> >> 10.10.70.77, 10.10.77.77,10.10.79.77.
> >>
> >>
> >> So far i cannot communicate over the vlans. Before I vlanned these
> >> subnets : ie only vlan 1 everywhere - communication worked fine.
> >>
> >> So i do not believe there is a physical issue. The issues arose with the
> >> introduction of the vlans. Is there a configuration issue that anyone
> >> can spot?
> >>
> >>
> >> Thank you for any help you can give.
> >>
> >> Evidence:
> >>
> >> ping on the firewall works locally
> >>
> >> for n in 0 7 9 ; do ping -c 2 10.10.7${n}.1 ; done
> >> PING 10.10.70.1 (10.10.70.1): 56 data bytes
> >> 64 bytes from 10.10.70.1: icmp_seq=0 ttl=255 time=0.037 ms
> >> 64 bytes from 10.10.70.1: icmp_seq=1 ttl=255 time=0.025 ms
> >>
> >> --- 10.10.70.1 ping statistics ---
> >> 2 packets transmitted, 2 packets received, 0.0% packet loss
> >> round-trip min/avg/max/std-dev = 0.025/0.031/0.037/0.006 ms
> >> PING 10.10.77.1 (10.10.77.1): 56 data bytes
> >> 64 bytes from 10.10.77.1: icmp_seq=0 ttl=255 time=0.038 ms
> >> 64 bytes from 10.10.77.1: icmp_seq=1 ttl=255 time=0.025 ms
> >>
> >> --- 10.10.77.1 ping statistics ---
> >> 2 packets transmitted, 2 packets received, 0.0% packet loss
> >> round-trip min/avg/max/std-dev = 0.025/0.031/0.038/0.006 ms
> >> PING 10.10.79.1 (10.10.79.1): 56 data bytes
> >> 64 bytes from 10.10.79.1: icmp_seq=0 ttl=255 time=0.038 ms
> >> 64 bytes from 10.10.79.1: icmp_seq=1 ttl=255 time=0.025 ms
> >>
> >> --- 10.10.79.1 ping statistics ---
> >> 2 packets transmitted, 2 packets received, 0.0% packet loss
> >> round-trip min/avg/max/std-dev = 0.025/0.032/0.038/0.007 ms
> >>
> >>
> >> ping to the switch does not work
> >>
> >> ping -c 2 10.10.70.3
> >> PING 10.10.70.3 (10.10.70.3): 56 data bytes
> >>
> >> --- 10.10.70.3 ping statistics ---
> >> 2 packets transmitted, 0 packets received, 100.0% packet loss
> >>
> >> ping to the linux host does not work.
> >>
> >> ping -c 2 10.10.70.3
> >> PING 10.10.70.3 (10.10.70.3): 56 data bytes
> >>
> >> --- 10.10.70.3 ping statistics ---
> >> 2 packets transmitted, 0 packets received, 100.0% packet loss
> >> [13:47:04] leonardz@fw1 etc>>for n in 0 7 9 ; do ping -c 2
> >> 10.10.7${n}.77 ; done
> >> PING 10.10.70.77 (10.10.70.77): 56 data bytes

Re: OBSD 6.8 vlan communication issues

2020-11-11 Thread System Administrator
On 11 Nov 2020 at 20:48, len zaifman wrote:

> Thanks Tom,Aaron: I did 2 things,
>
> 1 re IPs - all ips removed from aggr0 and 1 ip for each vlan
>
> ifconfig -A | grep -A 7 vlan7 | grep -E 'vlan7
> inet' ; ifconfig aggr0 | grep inet
> vlan70: flags=8843 mtu 1500
>      inet 10.10.70.1 netmask 0xff00 broadcast 10.10.70.255
> vlan77: flags=8843 mtu 1500
>      inet 10.10.77.1 netmask 0xff00 broadcast 10.10.77.255
> vlan79: flags=8843 mtu 1500
>      inet 10.10.79.1 netmask 0xff00 broadcast 10.10.79.255
>
>
> Still no luck
>
>
> 2 I went to switch and made vlan70 the native vlan, with vlan 77,79
> still tagged to see if that would help. Still no ping even to the switch
> which is on vlan 70.
>
> Now the switch is back to all 3 vlans are tagged, no native vlan.
>
>
> I am trying to see vlan tags when i ping 10.10.7x.1 with tcpdump -e but
> no luck. I assume loopback interface is being used when i ping locally
> on the firewall so that doesn't work.
>
>
> I will contact switch vendor to see if they can help. But for openbsd,
> does the config look okay now? All ips on the vlan, not the parent
> interface?
>
>
> PS to Aaron's question re: sysctl
>
> sysctl for ip forwarding is set
>
> net.inet.ip.forwarding=1
>

Hi Len,

To narrow down the issue I would temporarily eliminate link aggregation
and focus on vlan tagging. Namely, recreate the setup with just one
physical link and all the tagged vlans to make sure that works. From
experience, getting link aggregation to work -- i.e. matching the
aggregation protocol -- between disparate devices can be rather tricky.

-Jacob.

>
> On 2020-11-11 7:32 p.m., Tom Smyth wrote:
> > Hi Len,
> > Hi Remove the Ip addresses from the agg0 interfaces
> >
> > put the Ip addresses on the vlan interfaces only
> >
> > ie
> > mg  /etc/hostname.vlanxxx
> > up vnetid xxx
> > inet 10.10.xx.1/24
> >
> > if you need to route between the vlans make sure you enable forwarding in
> > the kernel with sysctl
> >
> > when you get it working make sure to post to the Misc List :)
> >
> >
> >
> > Hope this helps,
> >
> >
> >
> >
> >
> >
> > On Thu, 12 Nov 2020 at 00:18, len zaifman  wrote:
> >
> >> I am setting up a new system as a firewall using OpenBSD 6.8 current
> >> -uname -a
> >> OpenBSD fw1.lfz.net 6.8 GENERIC.MP#175 amd64.
> >>
> >> I have 3 vlans 70,77,79 on  the firewall using two em devices, em0 and
> >> em1, in an aggregation to serve these vlans.
> >>
> >>
> >> There is a Unifi switch which has 2 ports (where em0,em1 are attached)
> >> set up to pass tagged vlans 70,77,79. The switch ip is 10.10.70.3.
> >>
> >> I have a linux host setup on vlans 70,77,79 and at address 77 -
> >> 10.10.70.77, 10.10.77.77,10.10.79.77.
> >>
> >>
> >> So far i cannot communicate over the vlans. Before I vlanned these
> >> subnets : ie only vlan 1 everywhere - communication worked fine.
> >>
> >> So i do not believe there is a physical issue. The issues arose with the
> >> introduction of the vlans. Is there a configuration issue that anyone
> >> can spot?
> >>
> >>
> >> Thank you for any help you can give.
> >>
> >> Evidence:
> >>
> >> ping on the firewall works locally
> >>
> >> for n in 0 7 9 ; do ping -c 2 10.10.7${n}.1 ; done
> >> PING 10.10.70.1 (10.10.70.1): 56 data bytes
> >> 64 bytes from 10.10.70.1: icmp_seq=0 ttl=255 time=0.037 ms
> >> 64 bytes from 10.10.70.1: icmp_seq=1 ttl=255 time=0.025 ms
> >>
> >> --- 10.10.70.1 ping statistics ---
> >> 2 packets transmitted, 2 packets received, 0.0% packet loss
> >> round-trip min/avg/max/std-dev = 0.025/0.031/0.037/0.006 ms
> >> PING 10.10.77.1 (10.10.77.1): 56 data bytes
> >> 64 bytes from 10.10.77.1: icmp_seq=0 ttl=255 time=0.038 ms
> >> 64 bytes from 10.10.77.1: icmp_seq=1 ttl=255 time=0.025 ms
> >>
> >> --- 10.10.77.1 ping statistics ---
> >> 2 packets transmitted, 2 packets received, 0.0% packet loss
> >> round-trip min/avg/max/std-dev = 0.025/0.031/0.038/0.006 ms
> >> PING 10.10.79.1 (10.10.79.1): 56 data bytes
> >> 64 bytes from 10.10.79.1: icmp_seq=0 ttl=255 time=0.038 ms
> >> 64 bytes from 10.10.79.1: icmp_seq=1 ttl=255 time=0.025 ms
> >>
> >> --- 10.10.79.1 ping statistics ---
> >> 2 packets transmitted, 2 packets received, 0.0% packet loss
> >> round-trip min/avg/max/std-dev = 0.025/0.032/0.038/0.007 ms
> >>
> >>
> >> ping to the switch does not work
> >>
> >> ping -c 2 10.10.70.3
> >> PING 10.10.70.3 (10.10.70.3): 56 data bytes
> >>
> >> --- 10.10.70.3 ping statistics ---
> >> 2 packets transmitted, 0 packets received, 100.0% packet loss
> >>
> >> ping to the linux host does not work.
> >>
> >> ping -c 2 10.10.70.3
> >> PING 10.10.70.3 (10.10.70.3): 56 data bytes
> >>
> >> --- 10.10.70.3 ping statistics ---
> >> 2 packets transmitted, 0 packets received, 100.0% packet loss
> >> [13:47:04] leonardz@fw1 etc>>for n in 0 7 9 ; do ping -c 2
> >> 10.10.7${n}.77 ; done
> >> PING 10.10.70.77 (10.10.70.77): 56 data bytes
> >>
> >> --- 10.10.70.77 ping statistics ---
> >> 2 packets transmitted, 0 packets received, 100.0% packet loss
> >> PING 

Re: OBSD 6.8 vlan communication issues

2020-11-11 Thread len zaifman

Thanks Tom,Aaron: I did 2 things,

1 re IPs - all ips removed from aggr0 and 1 ip for each vlan

ifconfig -A | grep -A 7 vlan7 | grep -E 'vlan7
inet' ; ifconfig aggr0 | grep inet
vlan70: flags=8843 mtu 1500
    inet 10.10.70.1 netmask 0xff00 broadcast 10.10.70.255
vlan77: flags=8843 mtu 1500
    inet 10.10.77.1 netmask 0xff00 broadcast 10.10.77.255
vlan79: flags=8843 mtu 1500
    inet 10.10.79.1 netmask 0xff00 broadcast 10.10.79.255


Still no luck


2 I went to switch and made vlan70 the native vlan, with vlan 77,79 
still tagged to see if that would help. Still no ping even to the switch 
which is on vlan 70.


Now the switch is back to all 3 vlans are tagged, no native vlan.


I am trying to see vlan tags when i ping 10.10.7x.1 with tcpdump -e but 
no luck. I assume loopback interface is being used when i ping locally 
on the firewall so that doesn't work.



I will contact switch vendor to see if they can help. But for openbsd, 
does the config look okay now? All ips on the vlan, not the parent 
interface?



PS to Aaron's question re: sysctl

sysctl for ip forwarding is set

net.inet.ip.forwarding=1


On 2020-11-11 7:32 p.m., Tom Smyth wrote:

Hi Len,
Hi Remove the Ip addresses from the agg0 interfaces

put the Ip addresses on the vlan interfaces only

ie
mg  /etc/hostname.vlanxxx
up vnetid xxx
inet 10.10.xx.1/24

if you need to route between the vlans make sure you enable forwarding in
the kernel with sysctl

when you get it working make sure to post to the Misc List :)



Hope this helps,






On Thu, 12 Nov 2020 at 00:18, len zaifman  wrote:


I am setting up a new system as a firewall using OpenBSD 6.8 current
-uname -a
OpenBSD fw1.lfz.net 6.8 GENERIC.MP#175 amd64.

I have 3 vlans 70,77,79 on  the firewall using two em devices, em0 and
em1, in an aggregation to serve these vlans.


There is a Unifi switch which has 2 ports (where em0,em1 are attached)
set up to pass tagged vlans 70,77,79. The switch ip is 10.10.70.3.

I have a linux host setup on vlans 70,77,79 and at address 77 -
10.10.70.77, 10.10.77.77,10.10.79.77.


So far i cannot communicate over the vlans. Before I vlanned these
subnets : ie only vlan 1 everywhere - communication worked fine.

So i do not believe there is a physical issue. The issues arose with the
introduction of the vlans. Is there a configuration issue that anyone
can spot?


Thank you for any help you can give.

Evidence:

ping on the firewall works locally

for n in 0 7 9 ; do ping -c 2 10.10.7${n}.1 ; done
PING 10.10.70.1 (10.10.70.1): 56 data bytes
64 bytes from 10.10.70.1: icmp_seq=0 ttl=255 time=0.037 ms
64 bytes from 10.10.70.1: icmp_seq=1 ttl=255 time=0.025 ms

--- 10.10.70.1 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.025/0.031/0.037/0.006 ms
PING 10.10.77.1 (10.10.77.1): 56 data bytes
64 bytes from 10.10.77.1: icmp_seq=0 ttl=255 time=0.038 ms
64 bytes from 10.10.77.1: icmp_seq=1 ttl=255 time=0.025 ms

--- 10.10.77.1 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.025/0.031/0.038/0.006 ms
PING 10.10.79.1 (10.10.79.1): 56 data bytes
64 bytes from 10.10.79.1: icmp_seq=0 ttl=255 time=0.038 ms
64 bytes from 10.10.79.1: icmp_seq=1 ttl=255 time=0.025 ms

--- 10.10.79.1 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.025/0.032/0.038/0.007 ms


ping to the switch does not work

ping -c 2 10.10.70.3
PING 10.10.70.3 (10.10.70.3): 56 data bytes

--- 10.10.70.3 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

ping to the linux host does not work.

ping -c 2 10.10.70.3
PING 10.10.70.3 (10.10.70.3): 56 data bytes

--- 10.10.70.3 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
[13:47:04] leonardz@fw1 etc>>for n in 0 7 9 ; do ping -c 2
10.10.7${n}.77 ; done
PING 10.10.70.77 (10.10.70.77): 56 data bytes

--- 10.10.70.77 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
PING 10.10.77.77 (10.10.77.77): 56 data bytes

--- 10.10.77.77 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
PING 10.10.79.77 (10.10.79.77): 56 data bytes

--- 10.10.79.77 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

I did the tests both with pfctl -e (enabled) and pfctl -d (disabled). It
made no difference


The setup is described below

Here is the setup:

= hostname.aggr0
debug
trunkport em0
trunkport em1
up
inet 10.10.70.1/24
alias  10.10.77.1/24
alias  10.10.79.1/24


= hostname.em0
up

= hostname.em1
up


= hostname.vlan70
parent aggr0 vnetid 70
10.10.70.0/24

= hostname.vlan77
parent aggr0 vnetid 77
10.10.77.0/24

= hostname.vlan79
parent aggr0 vnetid 79
10.10.79.0/24


Ifconfig -A shows the vlans are setup

= aggr0
aggr0: flags=8847 mtu 1500
  lladdr 

Re: OBSD 6.8 vlan communication issues

2020-11-11 Thread Aaron Mason
On Thu, Nov 12, 2020 at 11:35 AM Tom Smyth  wrote:
>
> Hi Len,
> Hi Remove the Ip addresses from the agg0 interfaces
>
> put the Ip addresses on the vlan interfaces only
>
> ie
> mg  /etc/hostname.vlanxxx
> up vnetid xxx
> inet 10.10.xx.1/24
>
> if you need to route between the vlans make sure you enable forwarding in
> the kernel with sysctl
>
> when you get it working make sure to post to the Misc List :)
>
>
>
> Hope this helps,
>
>
>
>
>
>
> On Thu, 12 Nov 2020 at 00:18, len zaifman  wrote:
>
> > I am setting up a new system as a firewall using OpenBSD 6.8 current
> > -uname -a
> > OpenBSD fw1.lfz.net 6.8 GENERIC.MP#175 amd64.
> >
> > I have 3 vlans 70,77,79 on  the firewall using two em devices, em0 and
> > em1, in an aggregation to serve these vlans.
> >
> >
> > There is a Unifi switch which has 2 ports (where em0,em1 are attached)
> > set up to pass tagged vlans 70,77,79. The switch ip is 10.10.70.3.
> >
> > I have a linux host setup on vlans 70,77,79 and at address 77 -
> > 10.10.70.77, 10.10.77.77,10.10.79.77.
> >
> >
> > So far i cannot communicate over the vlans. Before I vlanned these
> > subnets : ie only vlan 1 everywhere - communication worked fine.
> >
> > So i do not believe there is a physical issue. The issues arose with the
> > introduction of the vlans. Is there a configuration issue that anyone
> > can spot?
> >
> >
> > Thank you for any help you can give.
> >
> > Evidence:
> >
> > ping on the firewall works locally
> >
> > for n in 0 7 9 ; do ping -c 2 10.10.7${n}.1 ; done
> > PING 10.10.70.1 (10.10.70.1): 56 data bytes
> > 64 bytes from 10.10.70.1: icmp_seq=0 ttl=255 time=0.037 ms
> > 64 bytes from 10.10.70.1: icmp_seq=1 ttl=255 time=0.025 ms
> >
> > --- 10.10.70.1 ping statistics ---
> > 2 packets transmitted, 2 packets received, 0.0% packet loss
> > round-trip min/avg/max/std-dev = 0.025/0.031/0.037/0.006 ms
> > PING 10.10.77.1 (10.10.77.1): 56 data bytes
> > 64 bytes from 10.10.77.1: icmp_seq=0 ttl=255 time=0.038 ms
> > 64 bytes from 10.10.77.1: icmp_seq=1 ttl=255 time=0.025 ms
> >
> > --- 10.10.77.1 ping statistics ---
> > 2 packets transmitted, 2 packets received, 0.0% packet loss
> > round-trip min/avg/max/std-dev = 0.025/0.031/0.038/0.006 ms
> > PING 10.10.79.1 (10.10.79.1): 56 data bytes
> > 64 bytes from 10.10.79.1: icmp_seq=0 ttl=255 time=0.038 ms
> > 64 bytes from 10.10.79.1: icmp_seq=1 ttl=255 time=0.025 ms
> >
> > --- 10.10.79.1 ping statistics ---
> > 2 packets transmitted, 2 packets received, 0.0% packet loss
> > round-trip min/avg/max/std-dev = 0.025/0.032/0.038/0.007 ms
> >
> >
> > ping to the switch does not work
> >
> > ping -c 2 10.10.70.3
> > PING 10.10.70.3 (10.10.70.3): 56 data bytes
> >
> > --- 10.10.70.3 ping statistics ---
> > 2 packets transmitted, 0 packets received, 100.0% packet loss
> >
> > ping to the linux host does not work.
> >
> > ping -c 2 10.10.70.3
> > PING 10.10.70.3 (10.10.70.3): 56 data bytes
> >
> > --- 10.10.70.3 ping statistics ---
> > 2 packets transmitted, 0 packets received, 100.0% packet loss
> > [13:47:04] leonardz@fw1 etc>>for n in 0 7 9 ; do ping -c 2
> > 10.10.7${n}.77 ; done
> > PING 10.10.70.77 (10.10.70.77): 56 data bytes
> >
> > --- 10.10.70.77 ping statistics ---
> > 2 packets transmitted, 0 packets received, 100.0% packet loss
> > PING 10.10.77.77 (10.10.77.77): 56 data bytes
> >
> > --- 10.10.77.77 ping statistics ---
> > 2 packets transmitted, 0 packets received, 100.0% packet loss
> > PING 10.10.79.77 (10.10.79.77): 56 data bytes
> >
> > --- 10.10.79.77 ping statistics ---
> > 2 packets transmitted, 0 packets received, 100.0% packet loss
> >
> > I did the tests both with pfctl -e (enabled) and pfctl -d (disabled). It
> > made no difference
> >
> >
> > The setup is described below
> >
> > Here is the setup:
> >
> > = hostname.aggr0
> > debug
> > trunkport em0
> > trunkport em1
> > up
> > inet 10.10.70.1/24
> > alias  10.10.77.1/24
> > alias  10.10.79.1/24
> >
> >
> > = hostname.em0
> > up
> >
> > = hostname.em1
> > up
> >
> >
> > = hostname.vlan70
> > parent aggr0 vnetid 70
> > 10.10.70.0/24
> >
> > = hostname.vlan77
> > parent aggr0 vnetid 77
> > 10.10.77.0/24
> >
> > = hostname.vlan79
> > parent aggr0 vnetid 79
> > 10.10.79.0/24
> >
> >
> > Ifconfig -A shows the vlans are setup
> >
> > = aggr0
> > aggr0: flags=8847 mtu 1500
> >  lladdr fe:e1:ba:d0:f4:8c
> >  index 6 priority 0 llprio 7
> >  trunk: trunkproto lacp
> >  trunk id: [(8000,fe:e1:ba:d0:f4:8c,0006,,),
> >   (8000,e0:63:da:8e:78:d7,03E8,,)]
> >  em0 lacp actor system pri 0x8000 mac fe:e1:ba:d0:f4:8c, key
> > 0x6, port pri 0x8000 number 0x1
> >  em0 lacp actor state
> > activity,aggregation,sync,collecting,distributing
> >  em0 lacp partner system pri 0x8000 mac e0:63:da:8e:78:d7, key
> > 0x3e8, port pri 0x1 number 0x9
> >  em0 lacp partner state
> > activity,aggregation,sync,collecting,distributing
> >  em0 port 

Re: OBSD 6.8 vlan communication issues

2020-11-11 Thread Tom Smyth
Hi Len,
Hi Remove the Ip addresses from the agg0 interfaces

put the Ip addresses on the vlan interfaces only

ie
mg  /etc/hostname.vlanxxx
up vnetid xxx
inet 10.10.xx.1/24

if you need to route between the vlans make sure you enable forwarding in
the kernel with sysctl

when you get it working make sure to post to the Misc List :)



Hope this helps,






On Thu, 12 Nov 2020 at 00:18, len zaifman  wrote:

> I am setting up a new system as a firewall using OpenBSD 6.8 current
> -uname -a
> OpenBSD fw1.lfz.net 6.8 GENERIC.MP#175 amd64.
>
> I have 3 vlans 70,77,79 on  the firewall using two em devices, em0 and
> em1, in an aggregation to serve these vlans.
>
>
> There is a Unifi switch which has 2 ports (where em0,em1 are attached)
> set up to pass tagged vlans 70,77,79. The switch ip is 10.10.70.3.
>
> I have a linux host setup on vlans 70,77,79 and at address 77 -
> 10.10.70.77, 10.10.77.77,10.10.79.77.
>
>
> So far i cannot communicate over the vlans. Before I vlanned these
> subnets : ie only vlan 1 everywhere - communication worked fine.
>
> So i do not believe there is a physical issue. The issues arose with the
> introduction of the vlans. Is there a configuration issue that anyone
> can spot?
>
>
> Thank you for any help you can give.
>
> Evidence:
>
> ping on the firewall works locally
>
> for n in 0 7 9 ; do ping -c 2 10.10.7${n}.1 ; done
> PING 10.10.70.1 (10.10.70.1): 56 data bytes
> 64 bytes from 10.10.70.1: icmp_seq=0 ttl=255 time=0.037 ms
> 64 bytes from 10.10.70.1: icmp_seq=1 ttl=255 time=0.025 ms
>
> --- 10.10.70.1 ping statistics ---
> 2 packets transmitted, 2 packets received, 0.0% packet loss
> round-trip min/avg/max/std-dev = 0.025/0.031/0.037/0.006 ms
> PING 10.10.77.1 (10.10.77.1): 56 data bytes
> 64 bytes from 10.10.77.1: icmp_seq=0 ttl=255 time=0.038 ms
> 64 bytes from 10.10.77.1: icmp_seq=1 ttl=255 time=0.025 ms
>
> --- 10.10.77.1 ping statistics ---
> 2 packets transmitted, 2 packets received, 0.0% packet loss
> round-trip min/avg/max/std-dev = 0.025/0.031/0.038/0.006 ms
> PING 10.10.79.1 (10.10.79.1): 56 data bytes
> 64 bytes from 10.10.79.1: icmp_seq=0 ttl=255 time=0.038 ms
> 64 bytes from 10.10.79.1: icmp_seq=1 ttl=255 time=0.025 ms
>
> --- 10.10.79.1 ping statistics ---
> 2 packets transmitted, 2 packets received, 0.0% packet loss
> round-trip min/avg/max/std-dev = 0.025/0.032/0.038/0.007 ms
>
>
> ping to the switch does not work
>
> ping -c 2 10.10.70.3
> PING 10.10.70.3 (10.10.70.3): 56 data bytes
>
> --- 10.10.70.3 ping statistics ---
> 2 packets transmitted, 0 packets received, 100.0% packet loss
>
> ping to the linux host does not work.
>
> ping -c 2 10.10.70.3
> PING 10.10.70.3 (10.10.70.3): 56 data bytes
>
> --- 10.10.70.3 ping statistics ---
> 2 packets transmitted, 0 packets received, 100.0% packet loss
> [13:47:04] leonardz@fw1 etc>>for n in 0 7 9 ; do ping -c 2
> 10.10.7${n}.77 ; done
> PING 10.10.70.77 (10.10.70.77): 56 data bytes
>
> --- 10.10.70.77 ping statistics ---
> 2 packets transmitted, 0 packets received, 100.0% packet loss
> PING 10.10.77.77 (10.10.77.77): 56 data bytes
>
> --- 10.10.77.77 ping statistics ---
> 2 packets transmitted, 0 packets received, 100.0% packet loss
> PING 10.10.79.77 (10.10.79.77): 56 data bytes
>
> --- 10.10.79.77 ping statistics ---
> 2 packets transmitted, 0 packets received, 100.0% packet loss
>
> I did the tests both with pfctl -e (enabled) and pfctl -d (disabled). It
> made no difference
>
>
> The setup is described below
>
> Here is the setup:
>
> = hostname.aggr0
> debug
> trunkport em0
> trunkport em1
> up
> inet 10.10.70.1/24
> alias  10.10.77.1/24
> alias  10.10.79.1/24
>
>
> = hostname.em0
> up
>
> = hostname.em1
> up
>
>
> = hostname.vlan70
> parent aggr0 vnetid 70
> 10.10.70.0/24
>
> = hostname.vlan77
> parent aggr0 vnetid 77
> 10.10.77.0/24
>
> = hostname.vlan79
> parent aggr0 vnetid 79
> 10.10.79.0/24
>
>
> Ifconfig -A shows the vlans are setup
>
> = aggr0
> aggr0: flags=8847 mtu 1500
>  lladdr fe:e1:ba:d0:f4:8c
>  index 6 priority 0 llprio 7
>  trunk: trunkproto lacp
>  trunk id: [(8000,fe:e1:ba:d0:f4:8c,0006,,),
>   (8000,e0:63:da:8e:78:d7,03E8,,)]
>  em0 lacp actor system pri 0x8000 mac fe:e1:ba:d0:f4:8c, key
> 0x6, port pri 0x8000 number 0x1
>  em0 lacp actor state
> activity,aggregation,sync,collecting,distributing
>  em0 lacp partner system pri 0x8000 mac e0:63:da:8e:78:d7, key
> 0x3e8, port pri 0x1 number 0x9
>  em0 lacp partner state
> activity,aggregation,sync,collecting,distributing
>  em0 port active,collecting,distributing
>  em1 lacp actor system pri 0x8000 mac fe:e1:ba:d0:f4:8c, key
> 0x6, port pri 0x8000 number 0x2
>  em1 lacp actor state
> activity,aggregation,sync,collecting,distributing
>  em1 lacp partner system pri 0x8000 mac e0:63:da:8e:78:d7, key
> 0x3e8, port pri 0x1 number 0xa
>  em1 lacp partner state
> 
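
An added example, not part of any message in this thread: a POSIX shell lint for the hostname.if files discussed above. It flags IPv4 addresses left on the vlan parent, address lines not introduced by `inet`, and a subnet address used as the interface address. The function names and check labels are made up for illustration, and the sample files are constructed to mirror the files first posted and the layout suggested in the reply.

```shell
#!/bin/sh
# Added example: lint OpenBSD hostname.if files for a vlan-over-aggr setup.
# Prints one finding per line as "<file>: <check>: <detail>".

# first_cidr WORD...: print the first token shaped like A.B.C.D/LEN, else fail.
first_cidr() {
    for w in "$@"; do
        case $w in
        *[!0-9./]*) ;;    # contains characters an IPv4 CIDR never has
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) echo "$w"; return 0 ;;
        esac
    done
    return 1
}

# is_network_addr A.B.C.D/LEN: succeed when every host bit is zero.
is_network_addr() {
    addr=${1%/*}
    len=${1#*/}
    if [ "$len" -ge 31 ]; then return 1; fi   # /31, /32: no subnet address
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    [ $(( ip & ((1 << (32 - len)) - 1) )) -eq 0 ]
}

# count_addrs FILE: print how many lines of FILE assign an IPv4 address.
count_addrs() {
    n=0
    while read -r a b c x || [ -n "$a" ]; do
        if first_cidr "$a" "$b" "$c" >/dev/null; then n=$((n + 1)); fi
    done < "$1"
    echo "$n"
}

# lint_hostname_dir DIR: check every DIR/hostname.vlan* and its parent's file.
lint_hostname_dir() {
    dir=$1
    for f in "$dir"/hostname.vlan*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        parent=
        while read -r w1 w2 w3 rest || [ -n "$w1" ]; do
            case $w1 in
            parent) parent=$w2; continue ;;
            '#'*|'!'*) continue ;;            # comments and shell commands
            esac
            cidr=$(first_cidr "$w1" "$w2" "$w3") || continue
            case $w1 in
            inet|alias) ;;
            *) echo "$name: bare-address: $cidr is not introduced by inet" ;;
            esac
            if is_network_addr "$cidr"; then
                echo "$name: network-address: $cidr is the subnet, not a host"
            fi
        done < "$f"
        if [ -n "$parent" ] && [ -f "$dir/hostname.$parent" ]; then
            n=$(count_addrs "$dir/hostname.$parent")
            if [ "$n" -gt 0 ]; then
                echo "$name: parent-has-address: $parent holds $n untagged IPv4 address(es)"
            fi
        fi
    done
    return 0
}

# Constructed sample: the files as first posted in the thread.
write_thread_config() {
    printf '%s\n' debug 'trunkport em0' 'trunkport em1' up \
        'inet 10.10.70.1/24' 'alias  10.10.77.1/24' 'alias  10.10.79.1/24' \
        > "$1/hostname.aggr0"
    for id in 70 77 79; do
        printf '%s\n' "parent aggr0 vnetid $id" "10.10.$id.0/24" \
            > "$1/hostname.vlan$id"
    done
}

# Constructed sample: addresses only on the vlan interfaces, as the reply advises.
write_fixed_config() {
    printf '%s\n' 'trunkport em0' 'trunkport em1' up > "$1/hostname.aggr0"
    for id in 70 77 79; do
        printf '%s\n' "parent aggr0 vnetid $id" "inet 10.10.$id.1/24" up \
            > "$1/hostname.vlan$id"
    done
}

# Stand-alone demo on the constructed copy of the files first posted.
demo_dir=$(mktemp -d)
write_thread_config "$demo_dir"
lint_hostname_dir "$demo_dir"
rm -rf "$demo_dir"
```

The octet range is not validated, so the lint assumes well-formed dotted-quad addresses without leading zeros.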

Re: OBSD 6.8 vlan communication issues

2020-11-11 Thread Aaron Mason
Hi!

On Thu, Nov 12, 2020 at 11:09 AM len zaifman  wrote:
>
> I am setting up a new system as a firewall using OpenBSD 6.8 current
> -uname -a
> OpenBSD fw1.lfz.net 6.8 GENERIC.MP#175 amd64.
>
> I have 3 vlans 70,77,79 on  the firewall using two em devices, em0 and
> em1, in an aggregation to serve these vlans.
>
>
> There is a Unifi switch which has 2 ports (where em0,em1 are attached)
> set up to pass tagged vlans 70,77,79. The switch ip is 10.10.70.3.
>
> I have a linux host setup on vlans 70,77,79 and at address 77 -
> 10.10.70.77, 10.10.77.77,10.10.79.77.
>
>
> So far i cannot communicate over the vlans. Before I vlanned these
> subnets : ie only vlan 1 everywhere - communication worked fine.
>
> So i do not believe there is a physical issue. The issues arose with the
> introduction of the vlans. Is there a configuration issue that anyone
> can spot?
>
>
> Thank you for any help you can give.
>
> Evidence:
>
> ping on the firewall works locally
>
> for n in 0 7 9 ; do ping -c 2 10.10.7${n}.1 ; done
> PING 10.10.70.1 (10.10.70.1): 56 data bytes
> 64 bytes from 10.10.70.1: icmp_seq=0 ttl=255 time=0.037 ms
> 64 bytes from 10.10.70.1: icmp_seq=1 ttl=255 time=0.025 ms
>
> --- 10.10.70.1 ping statistics ---
> 2 packets transmitted, 2 packets received, 0.0% packet loss
> round-trip min/avg/max/std-dev = 0.025/0.031/0.037/0.006 ms
> PING 10.10.77.1 (10.10.77.1): 56 data bytes
> 64 bytes from 10.10.77.1: icmp_seq=0 ttl=255 time=0.038 ms
> 64 bytes from 10.10.77.1: icmp_seq=1 ttl=255 time=0.025 ms
>
> --- 10.10.77.1 ping statistics ---
> 2 packets transmitted, 2 packets received, 0.0% packet loss
> round-trip min/avg/max/std-dev = 0.025/0.031/0.038/0.006 ms
> PING 10.10.79.1 (10.10.79.1): 56 data bytes
> 64 bytes from 10.10.79.1: icmp_seq=0 ttl=255 time=0.038 ms
> 64 bytes from 10.10.79.1: icmp_seq=1 ttl=255 time=0.025 ms
>
> --- 10.10.79.1 ping statistics ---
> 2 packets transmitted, 2 packets received, 0.0% packet loss
> round-trip min/avg/max/std-dev = 0.025/0.032/0.038/0.007 ms
>
>
> ping to the switch does not work
>
> ping -c 2 10.10.70.3
> PING 10.10.70.3 (10.10.70.3): 56 data bytes
>
> --- 10.10.70.3 ping statistics ---
> 2 packets transmitted, 0 packets received, 100.0% packet loss
>
> ping to the linux host does not work.
>
> ping -c 2 10.10.70.3
> PING 10.10.70.3 (10.10.70.3): 56 data bytes
>
> --- 10.10.70.3 ping statistics ---
> 2 packets transmitted, 0 packets received, 100.0% packet loss
> [13:47:04] leonardz@fw1 etc>>for n in 0 7 9 ; do ping -c 2 10.10.7${n}.77 ; done
> PING 10.10.70.77 (10.10.70.77): 56 data bytes
>
> --- 10.10.70.77 ping statistics ---
> 2 packets transmitted, 0 packets received, 100.0% packet loss
> PING 10.10.77.77 (10.10.77.77): 56 data bytes
>
> --- 10.10.77.77 ping statistics ---
> 2 packets transmitted, 0 packets received, 100.0% packet loss
> PING 10.10.79.77 (10.10.79.77): 56 data bytes
>
> --- 10.10.79.77 ping statistics ---
> 2 packets transmitted, 0 packets received, 100.0% packet loss
>
> I did the tests both with pfctl -e (enabled) and pfctl -d (disabled). It
> made no difference
>
>
> The setup is described below
>
> Here is the setup:
>
> = hostname.aggr0
> debug
> trunkport em0
> trunkport em1
> up
> inet 10.10.70.1/24
> alias  10.10.77.1/24
> alias  10.10.79.1/24
>
>
> = hostname.em0
> up
>
> = hostname.em1
> up
>
>
> = hostname.vlan70
> parent aggr0 vnetid 70
> 10.10.70.0/24
>
> = hostname.vlan77
> parent aggr0 vnetid 77
> 10.10.77.0/24
>
> = hostname.vlan79
> parent aggr0 vnetid 79
> 10.10.79.0/24
>
>
> ifconfig -A shows the vlans are set up
>
> = aggr0
> aggr0: flags=8847 mtu 1500
>  lladdr fe:e1:ba:d0:f4:8c
>  index 6 priority 0 llprio 7
>  trunk: trunkproto lacp
>  trunk id: [(8000,fe:e1:ba:d0:f4:8c,0006,,),
>   (8000,e0:63:da:8e:78:d7,03E8,,)]
>  em0 lacp actor system pri 0x8000 mac fe:e1:ba:d0:f4:8c, key 0x6, port pri 0x8000 number 0x1
>  em0 lacp actor state activity,aggregation,sync,collecting,distributing
>  em0 lacp partner system pri 0x8000 mac e0:63:da:8e:78:d7, key 0x3e8, port pri 0x1 number 0x9
>  em0 lacp partner state activity,aggregation,sync,collecting,distributing
>  em0 port active,collecting,distributing
>  em1 lacp actor system pri 0x8000 mac fe:e1:ba:d0:f4:8c, key 0x6, port pri 0x8000 number 0x2
>  em1 lacp actor state activity,aggregation,sync,collecting,distributing
>  em1 lacp partner system pri 0x8000 mac e0:63:da:8e:78:d7, key 0x3e8, port pri 0x1 number 0xa
>  em1 lacp partner state activity,aggregation,sync,collecting,distributing
>  em1 port active,collecting,distributing
>  groups: aggr
>  media: Ethernet autoselect
>  status: active
>  inet 10.10.70.1 netmask 0xff00 broadcast 10.10.70.255
>  inet 10.10.77.1 netmask 0xff00 broadcast 10.10.77.255
>  inet 10.10.79.1 netmask 0xff00 broadcast 10.10.79.255
>

OBSD 6.8 vlan communication issues

2020-11-11 Thread len zaifman
I am setting up a new system as a firewall using OpenBSD 6.8 current 
-uname -a

OpenBSD fw1.lfz.net 6.8 GENERIC.MP#175 amd64.

I have 3 vlans 70,77,79 on  the firewall using two em devices, em0 and 
em1, in an aggregation to serve these vlans.



There is a Unifi switch which has 2 ports (where em0,em1 are attached) 
set up to pass tagged vlans 70,77,79. The switch ip is 10.10.70.3.


I have a Linux host set up on vlans 70,77,79 and at address 77 - 
10.10.70.77, 10.10.77.77,10.10.79.77.



So far I cannot communicate over the vlans. Before I vlanned these 
subnets : ie only vlan 1 everywhere - communication worked fine.


So I do not believe there is a physical issue. The issues arose with the 
introduction of the vlans. Is there a configuration issue that anyone 
can spot?



Thank you for any help you can give.

Evidence:

ping on the firewall works locally

for n in 0 7 9 ; do ping -c 2 10.10.7${n}.1 ; done
PING 10.10.70.1 (10.10.70.1): 56 data bytes
64 bytes from 10.10.70.1: icmp_seq=0 ttl=255 time=0.037 ms
64 bytes from 10.10.70.1: icmp_seq=1 ttl=255 time=0.025 ms

--- 10.10.70.1 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.025/0.031/0.037/0.006 ms
PING 10.10.77.1 (10.10.77.1): 56 data bytes
64 bytes from 10.10.77.1: icmp_seq=0 ttl=255 time=0.038 ms
64 bytes from 10.10.77.1: icmp_seq=1 ttl=255 time=0.025 ms

--- 10.10.77.1 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.025/0.031/0.038/0.006 ms
PING 10.10.79.1 (10.10.79.1): 56 data bytes
64 bytes from 10.10.79.1: icmp_seq=0 ttl=255 time=0.038 ms
64 bytes from 10.10.79.1: icmp_seq=1 ttl=255 time=0.025 ms

--- 10.10.79.1 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.025/0.032/0.038/0.007 ms


ping to the switch does not work

ping -c 2 10.10.70.3
PING 10.10.70.3 (10.10.70.3): 56 data bytes

--- 10.10.70.3 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

ping to the linux host does not work.

ping -c 2 10.10.70.3
PING 10.10.70.3 (10.10.70.3): 56 data bytes

--- 10.10.70.3 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
[13:47:04] leonardz@fw1 etc>>for n in 0 7 9 ; do ping -c 2 10.10.7${n}.77 ; done

PING 10.10.70.77 (10.10.70.77): 56 data bytes

--- 10.10.70.77 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
PING 10.10.77.77 (10.10.77.77): 56 data bytes

--- 10.10.77.77 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
PING 10.10.79.77 (10.10.79.77): 56 data bytes

--- 10.10.79.77 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

I did the tests both with pfctl -e (enabled) and pfctl -d (disabled). It 
made no difference



The setup is described below

Here is the setup:

= hostname.aggr0
debug
trunkport em0
trunkport em1
up
inet 10.10.70.1/24
alias  10.10.77.1/24
alias  10.10.79.1/24


= hostname.em0
up

= hostname.em1
up


= hostname.vlan70
parent aggr0 vnetid 70
10.10.70.0/24

= hostname.vlan77
parent aggr0 vnetid 77
10.10.77.0/24

= hostname.vlan79
parent aggr0 vnetid 79
10.10.79.0/24


ifconfig -A shows the vlans are set up

= aggr0
aggr0: flags=8847 mtu 1500
    lladdr fe:e1:ba:d0:f4:8c
    index 6 priority 0 llprio 7
    trunk: trunkproto lacp
    trunk id: [(8000,fe:e1:ba:d0:f4:8c,0006,,),
         (8000,e0:63:da:8e:78:d7,03E8,,)]
        em0 lacp actor system pri 0x8000 mac fe:e1:ba:d0:f4:8c, key 0x6, port pri 0x8000 number 0x1
        em0 lacp actor state activity,aggregation,sync,collecting,distributing
        em0 lacp partner system pri 0x8000 mac e0:63:da:8e:78:d7, key 0x3e8, port pri 0x1 number 0x9
        em0 lacp partner state activity,aggregation,sync,collecting,distributing
        em0 port active,collecting,distributing
        em1 lacp actor system pri 0x8000 mac fe:e1:ba:d0:f4:8c, key 0x6, port pri 0x8000 number 0x2
        em1 lacp actor state activity,aggregation,sync,collecting,distributing
        em1 lacp partner system pri 0x8000 mac e0:63:da:8e:78:d7, key 0x3e8, port pri 0x1 number 0xa
        em1 lacp partner state activity,aggregation,sync,collecting,distributing
        em1 port active,collecting,distributing
    groups: aggr
    media: Ethernet autoselect
    status: active
    inet 10.10.70.1 netmask 0xff00 broadcast 10.10.70.255
    inet 10.10.77.1 netmask 0xff00 broadcast 10.10.77.255
    inet 10.10.79.1 netmask 0xff00 broadcast 10.10.79.255

= em0
em0: flags=8843 mtu 1500
    lladdr fe:e1:ba:d0:f4:8c
    index 1 priority 0 llprio 3
    trunk: trunkdev aggr0
    media: Ethernet autoselect (1000baseT full-duplex)
    status: active

= em1
em1: flags=8843 mtu 1500
    lladdr fe:e1:ba:d0:f4:8c
    index 2 priority 0 llprio 3
    trunk: trunkdev