Re: OBSD 6.8 vlan communication issues
On 11/11/20 3:06 PM, len zaifman wrote:
> I am setting up a new system as a firewall using OpenBSD 6.8 current
> -uname -a
> OpenBSD fw1.lfz.net 6.8 GENERIC.MP#175 amd64.
>
> I have 3 vlans 70,77,79 on the firewall using two em devices, em0 and
> em1, in an aggregation to serve these vlans.
>
> There is a Unifi switch which has 2 ports (where em0,em1 are attached)
> set up to pass tagged vlans 70,77,79. The switch ip is 10.10.70.3.
>
> I have a linux host setup on vlans 70,77,79 and at address 77 -
> 10.10.70.77, 10.10.77.77,10.10.79.77.
>
> So far I cannot communicate over the vlans. Before I vlanned these
> subnets : ie only vlan 1 everywhere - communication worked fine.
>
> So I do not believe there is a physical issue. The issues arose with the
> introduction of the vlans. Is there a configuration issue that anyone
> can spot?
>
> Thank you for any help you can give.
>
> Evidence:
>
> ping on the firewall works locally
>
> for n in 0 7 9 ; do ping -c 2 10.10.7${n}.1 ; done
> PING 10.10.70.1 (10.10.70.1): 56 data bytes
> 64 bytes from 10.10.70.1: icmp_seq=0 ttl=255 time=0.037 ms
> 64 bytes from 10.10.70.1: icmp_seq=1 ttl=255 time=0.025 ms
>
> --- 10.10.70.1 ping statistics ---
> 2 packets transmitted, 2 packets received, 0.0% packet loss
> round-trip min/avg/max/std-dev = 0.025/0.031/0.037/0.006 ms
> PING 10.10.77.1 (10.10.77.1): 56 data bytes
> 64 bytes from 10.10.77.1: icmp_seq=0 ttl=255 time=0.038 ms
> 64 bytes from 10.10.77.1: icmp_seq=1 ttl=255 time=0.025 ms
>
> --- 10.10.77.1 ping statistics ---
> 2 packets transmitted, 2 packets received, 0.0% packet loss
> round-trip min/avg/max/std-dev = 0.025/0.031/0.038/0.006 ms
> PING 10.10.79.1 (10.10.79.1): 56 data bytes
> 64 bytes from 10.10.79.1: icmp_seq=0 ttl=255 time=0.038 ms
> 64 bytes from 10.10.79.1: icmp_seq=1 ttl=255 time=0.025 ms
>
> --- 10.10.79.1 ping statistics ---
> 2 packets transmitted, 2 packets received, 0.0% packet loss
> round-trip min/avg/max/std-dev = 0.025/0.032/0.038/0.007 ms
>
> ping to the switch does not work
>
> ping -c 2 10.10.70.3
> PING 10.10.70.3 (10.10.70.3): 56 data bytes
>
> --- 10.10.70.3 ping statistics ---
> 2 packets transmitted, 0 packets received, 100.0% packet loss
>
> ping to the linux host does not work.
>
> ping -c 2 10.10.70.3
> PING 10.10.70.3 (10.10.70.3): 56 data bytes
>
> --- 10.10.70.3 ping statistics ---
> 2 packets transmitted, 0 packets received, 100.0% packet loss
> [13:47:04] leonardz@fw1 etc>>for n in 0 7 9 ; do ping -c 2 10.10.7${n}.77 ; done
> PING 10.10.70.77 (10.10.70.77): 56 data bytes
>
> --- 10.10.70.77 ping statistics ---
> 2 packets transmitted, 0 packets received, 100.0% packet loss
> PING 10.10.77.77 (10.10.77.77): 56 data bytes
>
> --- 10.10.77.77 ping statistics ---
> 2 packets transmitted, 0 packets received, 100.0% packet loss
> PING 10.10.79.77 (10.10.79.77): 56 data bytes
>
> --- 10.10.79.77 ping statistics ---
> 2 packets transmitted, 0 packets received, 100.0% packet loss
>
> I did the tests both with pfctl -e (enabled) and pfctl -d (disabled). It
> made no difference
>
> The setup is described below
>
> Here is the setup:
>
> = hostname.aggr0
> debug
> trunkport em0
> trunkport em1
> up
> inet 10.10.70.1/24
> alias 10.10.77.1/24
> alias 10.10.79.1/24
>
> = hostname.em0
> up
>
> = hostname.em1
> up
>
> = hostname.vlan70
> parent aggr0 vnetid 70
> 10.10.70.0/24
>
> = hostname.vlan77
> parent aggr0 vnetid 77
> 10.10.77.0/24
>
> = hostname.vlan79
> parent aggr0 vnetid 79
> 10.10.79.0/24
>
> Ifconfig -A shows the vlans are set up
>
> = aggr0
> aggr0: flags=8847 mtu 1500
>         lladdr fe:e1:ba:d0:f4:8c
>         index 6 priority 0 llprio 7
>         trunk: trunkproto lacp
>                 trunk id: [(8000,fe:e1:ba:d0:f4:8c,0006,,),
>                  (8000,e0:63:da:8e:78:d7,03E8,,)]
>                 em0 lacp actor system pri 0x8000 mac fe:e1:ba:d0:f4:8c, key 0x6, port pri 0x8000 number 0x1
>                 em0 lacp actor state activity,aggregation,sync,collecting,distributing
>                 em0 lacp partner system pri 0x8000 mac e0:63:da:8e:78:d7, key 0x3e8, port pri 0x1 number 0x9
>                 em0 lacp partner state activity,aggregation,sync,collecting,distributing
>                 em0 port active,collecting,distributing
>                 em1 lacp actor system pri 0x8000 mac fe:e1:ba:d0:f4:8c, key 0x6, port pri 0x8000 number 0x2
>                 em1 lacp actor state activity,aggregation,sync,collecting,distributing
>                 em1 lacp partner system pri 0x8000 mac e0:63:da:8e:78:d7, key 0x3e8, port pri 0x1 number 0xa
>                 em1 lacp partner state activity,aggregation,sync,collecting,distributing
>                 em1 port active,collecting,distributing
>         groups: aggr
>         media: Ethernet autoselect
>         status: active
>         inet 10.10.70.1 netmask 0xff00 broadcast 10.10.70.255
>         inet 10.10.77.1 netmask 0xff00 broadcast 10.10.77.255
>         inet 10.10.79.1 netmask 0xff00 broadcast 10.10.79.255
>
> = em0
> em0: flags=8843 mtu 1500
>         lladdr fe:e1:ba:d0:f4:8c
>         index 1 priority 0 llprio 3
>         trunk: trunkdev aggr0
>         media: Ethernet autoselect (1000baseT full-duplex)
>         status: active
>
> = em1
> em1: flags=8843 mtu 1500
>         lladdr fe:e1:ba:d0:f4:8c
>         index 2
Re: OBSD 6.8 vlan communication issues
Hi Len,

Jacob has a point re checking the vlan setup first, by setting the parent on
the vlans to the em0 or em1 interface. When you have validated your vlan
config on the switch, set up the aggr0 interface.

What does Unifi say about the LACP status / aggregation status in the switch UI?

Also, can you confirm that you are not doing any DHCP stuff / DHCP guard /
DHCP snooping on the Unifi switch which might affect network connectivity if
you have a DHCP server running on the OpenBSD box?

On Thu, 12 Nov 2020 at 02:50, len zaifman wrote:
> Thanks Tom,Aaron: I did 2 things,
>
> 1 re IPs - all ips removed from aggr0 and 1 ip for each vlan
>
> ifconfig -A | grep -A 7 vlan7 | grep -E 'vlan7|inet' ; ifconfig aggr0 | grep inet
> vlan70: flags=8843 mtu 1500
>         inet 10.10.70.1 netmask 0xff00 broadcast 10.10.70.255
> vlan77: flags=8843 mtu 1500
>         inet 10.10.77.1 netmask 0xff00 broadcast 10.10.77.255
> vlan79: flags=8843 mtu 1500
>         inet 10.10.79.1 netmask 0xff00 broadcast 10.10.79.255
>
> Still no luck
>
> 2 I went to switch and made vlan70 the native vlan, with vlan 77,79
> still tagged to see if that would help. Still no ping even to the switch
> which is on vlan 70.
>
> Now the switch is back to all 3 vlans are tagged, no native vlan.
>
> I am trying to see vlan tags when I ping 10.10.7x.1 with tcpdump -e but
> no luck. I assume loopback interface is being used when I ping locally
> on the firewall so that doesn't work.
>
> I will contact switch vendor to see if they can help. But for openbsd,
> does the config look okay now? All ips on the vlan, not the parent
> interface?
>
> PS to Aaron's question re: sysctl
>
> sysctl for ip forwarding is set
>
> net.inet.ip.forwarding=1
>
> On 2020-11-11 7:32 p.m., Tom Smyth wrote:
> > Hi Len,
> > Hi Remove the IP addresses from the aggr0 interfaces
> >
> > put the IP addresses on the vlan interfaces only
> >
> > ie
> > mg /etc/hostname.vlanxxx
> > up vnetid xxx
> > inet 10.10.xx.1/24
> >
> > if you need to route between the vlans make sure you enable forwarding in
> > the kernel with sysctl
> >
> > when you get it working make sure to post to the Misc List :)
> >
> > Hope this helps,
> >
> > On Thu, 12 Nov 2020 at 00:18, len zaifman wrote:
> >> [...]
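Tom asks what the switch reports about LACP; the firewall side's report is already in the thread, in the `ifconfig aggr0` output Len posted. The script below is an added example, not code from the thread or from OpenBSD: it parses that output (embedded as a constructed copy of the lines quoted on this page) and states whether each trunk port is bundled on both ends, and it runs the same check over a second, made-up sample in which the switch never brings the second port into the bundle. The regexes and the fault in the second sample are assumptions for the illustration.

```python
"""Read LACP state out of OpenBSD `ifconfig aggrN` output and judge the bundle.

Added example, not from the thread. A port carries traffic only when both the
actor (OpenBSD) and the partner (switch) report sync,collecting,distributing,
and the ports only form one LAG if the partner answers with the same system
MAC and key on every member.
"""
import re
from typing import Dict, List

# Constructed copy of the trunk section of `ifconfig aggr0` quoted in the thread.
SAMPLE_OK = """\
aggr0: flags=8847 mtu 1500
        lladdr fe:e1:ba:d0:f4:8c
        trunk: trunkproto lacp
                em0 lacp actor system pri 0x8000 mac fe:e1:ba:d0:f4:8c, key 0x6, port pri 0x8000 number 0x1
                em0 lacp actor state activity,aggregation,sync,collecting,distributing
                em0 lacp partner system pri 0x8000 mac e0:63:da:8e:78:d7, key 0x3e8, port pri 0x1 number 0x9
                em0 lacp partner state activity,aggregation,sync,collecting,distributing
                em0 port active,collecting,distributing
                em1 lacp actor system pri 0x8000 mac fe:e1:ba:d0:f4:8c, key 0x6, port pri 0x8000 number 0x2
                em1 lacp actor state activity,aggregation,sync,collecting,distributing
                em1 lacp partner system pri 0x8000 mac e0:63:da:8e:78:d7, key 0x3e8, port pri 0x1 number 0xa
                em1 lacp partner state activity,aggregation,sync,collecting,distributing
                em1 port active,collecting,distributing
        status: active
"""

# Made-up fault (not from the thread): on em1 the switch answers with a
# different key and never reaches sync, so em1 is outside the bundle.
SAMPLE_BAD = SAMPLE_OK.replace(
    "mac e0:63:da:8e:78:d7, key 0x3e8, port pri 0x1 number 0xa",
    "mac e0:63:da:8e:78:d7, key 0x3e9, port pri 0x1 number 0xa",
).replace(
    "em1 lacp partner state activity,aggregation,sync,collecting,distributing",
    "em1 lacp partner state activity,aggregation",
).replace("em1 port active,collecting,distributing", "em1 port active")

BUNDLED = {"sync", "collecting", "distributing"}
SYS_RE = re.compile(r"^(\S+) lacp (actor|partner) system pri \S+ mac (\S+), key (\S+), port pri \S+ number (\S+)$")
STATE_RE = re.compile(r"^(\S+) lacp (actor|partner) state (\S+)$")
PORT_RE = re.compile(r"^(\S+) port (\S+)$")


def parse_lacp(text: str) -> Dict[str, dict]:
    """Map each trunk port to its actor/partner identity and LACP state sets."""
    ports: Dict[str, dict] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := SYS_RE.match(line):
            port, role, mac, key, num = m.groups()
            entry = ports.setdefault(port, {}).setdefault(role, {"state": set()})
            entry.update(mac=mac, key=key, number=num)
        elif m := STATE_RE.match(line):
            port, role, state = m.groups()
            ports.setdefault(port, {}).setdefault(role, {})["state"] = set(state.split(","))
        elif m := PORT_RE.match(line):
            port, state = m.groups()
            ports.setdefault(port, {})["port"] = set(state.split(","))
    return ports


def assess(ports: Dict[str, dict]) -> List[str]:
    """Problems that would stop the aggregate carrying traffic; empty means healthy."""
    problems: List[str] = []
    for name, p in sorted(ports.items()):
        for role in ("actor", "partner"):
            missing = BUNDLED - p.get(role, {}).get("state", set())
            if missing:
                problems.append(f"{name}: {role} state lacks {','.join(sorted(missing))}")
        if not {"collecting", "distributing"} <= p.get("port", set()):
            problems.append(f"{name}: port is not collecting/distributing")
    partners = {(p["partner"].get("mac"), p["partner"].get("key")) for p in ports.values() if "partner" in p}
    if len(partners) > 1:
        problems.append("ports see different partner system/key pairs, so the peer is not "
                        "bundling them into one LAG: " + ", ".join(f"{m}/{k}" for m, k in sorted(partners)))
    return problems


if __name__ == "__main__":
    for label, sample in (("posted output", SAMPLE_OK), ("made-up fault", SAMPLE_BAD)):
        issues = assess(parse_lacp(sample))
        print(f"{label}: {'bundle healthy' if not issues else 'bundle degraded'}")
        for issue in issues:
            print("  -", issue)
```

On the posted output the check comes back clean on both ends, which is consistent with the LAG itself being up while tagged frames still do not get through.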
Re: OBSD 6.8 vlan communication issues
On 11 Nov 2020 at 20:48, len zaifman wrote:
> Thanks Tom,Aaron: I did 2 things,
>
> 1 re IPs - all ips removed from aggr0 and 1 ip for each vlan
>
> ifconfig -A | grep -A 7 vlan7 | grep -E 'vlan7|inet' ; ifconfig aggr0 | grep inet
> vlan70: flags=8843 mtu 1500
>         inet 10.10.70.1 netmask 0xff00 broadcast 10.10.70.255
> vlan77: flags=8843 mtu 1500
>         inet 10.10.77.1 netmask 0xff00 broadcast 10.10.77.255
> vlan79: flags=8843 mtu 1500
>         inet 10.10.79.1 netmask 0xff00 broadcast 10.10.79.255
>
> Still no luck
>
> 2 I went to switch and made vlan70 the native vlan, with vlan 77,79
> still tagged to see if that would help. Still no ping even to the switch
> which is on vlan 70.
>
> Now the switch is back to all 3 vlans are tagged, no native vlan.
>
> I am trying to see vlan tags when I ping 10.10.7x.1 with tcpdump -e but
> no luck. I assume loopback interface is being used when I ping locally
> on the firewall so that doesn't work.
>
> I will contact switch vendor to see if they can help. But for openbsd,
> does the config look okay now? All ips on the vlan, not the parent
> interface?
>
> PS to Aaron's question re: sysctl
>
> sysctl for ip forwarding is set
>
> net.inet.ip.forwarding=1
>

Hi Len,

To narrow down the issue I would temporarily eliminate link aggregation and
focus on vlan tagging. Namely, recreate the setup with just one physical link
and all the tagged vlans to make sure that works.

From experience, getting link aggregation to work -- i.e. matching the
aggregation protocol -- between disparate devices can be rather tricky.

-Jacob.

>
> On 2020-11-11 7:32 p.m., Tom Smyth wrote:
> > Hi Len,
> > Hi Remove the IP addresses from the aggr0 interfaces
> >
> > put the IP addresses on the vlan interfaces only
> >
> > ie
> > mg /etc/hostname.vlanxxx
> > up vnetid xxx
> > inet 10.10.xx.1/24
> >
> > if you need to route between the vlans make sure you enable forwarding in
> > the kernel with sysctl
> >
> > when you get it working make sure to post to the Misc List :)
> >
> > Hope this helps,
> >
> > On Thu, 12 Nov 2020 at 00:18, len zaifman wrote:
> >> [...]
Re: OBSD 6.8 vlan communication issues
Thanks Tom,Aaron: I did 2 things,

1 re IPs - all ips removed from aggr0 and 1 ip for each vlan

ifconfig -A | grep -A 7 vlan7 | grep -E 'vlan7|inet' ; ifconfig aggr0 | grep inet
vlan70: flags=8843 mtu 1500
        inet 10.10.70.1 netmask 0xff00 broadcast 10.10.70.255
vlan77: flags=8843 mtu 1500
        inet 10.10.77.1 netmask 0xff00 broadcast 10.10.77.255
vlan79: flags=8843 mtu 1500
        inet 10.10.79.1 netmask 0xff00 broadcast 10.10.79.255

Still no luck

2 I went to switch and made vlan70 the native vlan, with vlan 77,79
still tagged to see if that would help. Still no ping even to the switch
which is on vlan 70.

Now the switch is back to all 3 vlans are tagged, no native vlan.

I am trying to see vlan tags when I ping 10.10.7x.1 with tcpdump -e but
no luck. I assume loopback interface is being used when I ping locally
on the firewall so that doesn't work.

I will contact switch vendor to see if they can help. But for openbsd,
does the config look okay now? All ips on the vlan, not the parent
interface?

PS to Aaron's question re: sysctl

sysctl for ip forwarding is set

net.inet.ip.forwarding=1

On 2020-11-11 7:32 p.m., Tom Smyth wrote:
> Hi Len,
> Hi Remove the IP addresses from the aggr0 interfaces
>
> put the IP addresses on the vlan interfaces only
>
> ie
> mg /etc/hostname.vlanxxx
> up vnetid xxx
> inet 10.10.xx.1/24
>
> if you need to route between the vlans make sure you enable forwarding in
> the kernel with sysctl
>
> when you get it working make sure to post to the Misc List :)
>
> Hope this helps,
>
> On Thu, 12 Nov 2020 at 00:18, len zaifman wrote:
> > [...]
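Len's question (does the config look okay now, with every address on a vlan interface and none on the parent?) and Tom's advice can be turned into a mechanical check. The script below is an added example, not code from the thread or from OpenBSD: it reads the six hostname.* files from the original post (embedded as constructed sample text), flags the addresses on the aggr parent and the bare network-address line on each vlan child, and prints the files rewritten the way Tom suggested. The checks, the choice of host octet 1 for the rewrite, and the assumption that a vlan child is any file with a `parent` line are the example's own.

```python
"""Check OpenBSD hostname.if(5) files for a tagged-vlan-on-aggr layout.

Added example (not from the thread, not OpenBSD code). Flags:
  * an address on the parent in the same subnet as a vlan child, so the
    kernel has an untagged route into a subnet that should be tagged;
  * a bare "a.b.c.0/24" line on a vlan child: no "inet" keyword and a host
    part of zero, i.e. the network address rather than the firewall's own.
corrected() rewrites the files as Tom suggested: addresses on the vlan
interfaces only, parent left address-less. Host octet 1 is an assumption.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: the hostname.* files as posted in the thread.
SAMPLE_FILES: Dict[str, str] = {
    "aggr0": "debug\ntrunkport em0\ntrunkport em1\nup\n"
             "inet 10.10.70.1/24\nalias 10.10.77.1/24\nalias 10.10.79.1/24\n",
    "em0": "up\n",
    "em1": "up\n",
    "vlan70": "parent aggr0 vnetid 70\n10.10.70.0/24\n",
    "vlan77": "parent aggr0 vnetid 77\n10.10.77.0/24\n",
    "vlan79": "parent aggr0 vnetid 79\n10.10.79.0/24\n",
}

CIDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\b")


def addresses_in(body: str) -> List[Tuple[str, ipaddress.IPv4Interface]]:
    """(keyword, address) per IPv4 CIDR line; keyword is 'inet', 'alias' or ''."""
    found = []
    for line in body.splitlines():
        m = CIDR_RE.search(line)
        if not m:
            continue
        first = line.split()[0]
        found.append((first if first in ("inet", "alias") else "", ipaddress.ip_interface(m.group(1))))
    return found


def parent_of(body: str) -> str:
    """Interface named on a 'parent X' line, or '' when the file has none."""
    for line in body.splitlines():
        words = line.split()
        if "parent" in words:
            return words[words.index("parent") + 1]
    return ""


def check(files: Dict[str, str]) -> List[str]:
    """Human-readable problems; an empty list means the layout looks sane."""
    problems: List[str] = []
    children = {name: parent_of(body) for name, body in files.items() if parent_of(body)}
    # Subnets addressed directly on interfaces that serve as a vlan parent.
    parent_nets = {p: {a.network for _, a in addresses_in(files.get(p, ""))} for p in set(children.values())}
    for name, parent in children.items():
        for kw, addr in addresses_in(files[name]):
            if kw == "":
                problems.append(f"{name}: '{addr}' has no inet keyword")
            if addr.ip == addr.network.network_address:
                problems.append(f"{name}: {addr.ip} is the network address, not a host address")
            if addr.network in parent_nets[parent]:
                problems.append(f"{name}: parent {parent} also has an address in {addr.network}; "
                                "traffic for that subnet can leave the parent untagged")
    return problems


def corrected(files: Dict[str, str], host_octet: int = 1) -> Dict[str, str]:
    """Drop inet/alias lines from vlan parents; give each child 'inet <net>.<host_octet>/<len>'."""
    parents = {parent_of(b) for b in files.values() if parent_of(b)}
    out: Dict[str, str] = {}
    for name, body in files.items():
        lines = [l for l in body.splitlines() if l.strip()]
        if parent_of(body):
            kept = [l for l in lines if not CIDR_RE.search(l)]
            for _, addr in addresses_in(body):
                kept.append(f"inet {addr.network.network_address + host_octet}/{addr.network.prefixlen}")
            out[name] = "\n".join(kept) + "\n"
        elif name in parents:
            out[name] = "\n".join(l for l in lines if l.split()[0] not in ("inet", "alias")) + "\n"
        else:
            out[name] = body
    return out


if __name__ == "__main__":
    for msg in check(SAMPLE_FILES):
        print("BAD ", msg)
    fixed = corrected(SAMPLE_FILES)
    for name, body in fixed.items():
        print(f"= hostname.{name}\n{body}")
```

hostname.if(5) hands lines it does not recognise straight to ifconfig, so a bare CIDR line is accepted rather than rejected, which is why a checker has to look for it explicitly; the corrected vlan files carry `parent aggr0 vnetid NN` followed by `inet 10.10.NN.1/24`, and hostname.aggr0 keeps only its trunkport and up lines.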
Re: OBSD 6.8 vlan communication issues
On Thu, Nov 12, 2020 at 11:35 AM Tom Smyth wrote:
>
> Hi Len,
> Hi Remove the IP addresses from the aggr0 interfaces
>
> put the IP addresses on the vlan interfaces only
>
> ie
> mg /etc/hostname.vlanxxx
> up vnetid xxx
> inet 10.10.xx.1/24
>
> if you need to route between the vlans make sure you enable forwarding in
> the kernel with sysctl
>
> when you get it working make sure to post to the Misc List :)
>
> Hope this helps,
>
> On Thu, 12 Nov 2020 at 00:18, len zaifman wrote:
> > [...]
Re: OBSD 6.8 vlan communication issues
Hi Len,
Hi Remove the IP addresses from the aggr0 interfaces

put the IP addresses on the vlan interfaces only

ie
mg /etc/hostname.vlanxxx
up vnetid xxx
inet 10.10.xx.1/24

if you need to route between the vlans make sure you enable forwarding in
the kernel with sysctl

when you get it working make sure to post to the Misc List :)

Hope this helps,

On Thu, 12 Nov 2020 at 00:18, len zaifman wrote:
> [...]
Re: OBSD 6.8 vlan communication issues
Hi!

On Thu, Nov 12, 2020 at 11:09 AM len zaifman wrote:
>
> [...]
OBSD 6.8 vlan communication issues
I am setting up a new system as a firewall using OpenBSD 6.8 current
-uname -a
OpenBSD fw1.lfz.net 6.8 GENERIC.MP#175 amd64.

I have 3 vlans 70,77,79 on the firewall using two em devices, em0 and
em1, in an aggregation to serve these vlans.

There is a Unifi switch which has 2 ports (where em0,em1 are attached)
set up to pass tagged vlans 70,77,79. The switch ip is 10.10.70.3.

I have a linux host setup on vlans 70,77,79 and at address 77 -
10.10.70.77, 10.10.77.77, 10.10.79.77.

So far I cannot communicate over the vlans. Before I vlanned these
subnets, i.e. only vlan 1 everywhere, communication worked fine.

So I do not believe there is a physical issue. The issues arose with the
introduction of the vlans. Is there a configuration issue that anyone
can spot?

Thank you for any help you can give.

Evidence:

ping on the firewall works locally

for n in 0 7 9 ; do ping -c 2 10.10.7${n}.1 ; done
PING 10.10.70.1 (10.10.70.1): 56 data bytes
64 bytes from 10.10.70.1: icmp_seq=0 ttl=255 time=0.037 ms
64 bytes from 10.10.70.1: icmp_seq=1 ttl=255 time=0.025 ms

--- 10.10.70.1 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.025/0.031/0.037/0.006 ms
PING 10.10.77.1 (10.10.77.1): 56 data bytes
64 bytes from 10.10.77.1: icmp_seq=0 ttl=255 time=0.038 ms
64 bytes from 10.10.77.1: icmp_seq=1 ttl=255 time=0.025 ms

--- 10.10.77.1 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.025/0.031/0.038/0.006 ms
PING 10.10.79.1 (10.10.79.1): 56 data bytes
64 bytes from 10.10.79.1: icmp_seq=0 ttl=255 time=0.038 ms
64 bytes from 10.10.79.1: icmp_seq=1 ttl=255 time=0.025 ms

--- 10.10.79.1 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.025/0.032/0.038/0.007 ms

ping to the switch does not work

ping -c 2 10.10.70.3
PING 10.10.70.3 (10.10.70.3): 56 data bytes

--- 10.10.70.3 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

ping to the linux host does not work.

ping -c 2 10.10.70.3
PING 10.10.70.3 (10.10.70.3): 56 data bytes

--- 10.10.70.3 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
[13:47:04] leonardz@fw1 etc>>for n in 0 7 9 ; do ping -c 2 10.10.7${n}.77 ; done
PING 10.10.70.77 (10.10.70.77): 56 data bytes

--- 10.10.70.77 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
PING 10.10.77.77 (10.10.77.77): 56 data bytes

--- 10.10.77.77 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
PING 10.10.79.77 (10.10.79.77): 56 data bytes

--- 10.10.79.77 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

I did the tests both with pfctl -e (enabled) and pfctl -d (disabled). It
made no difference.

The setup is described below

Here is the setup:

= hostname.aggr0
debug
trunkport em0
trunkport em1
up
inet 10.10.70.1/24
alias 10.10.77.1/24
alias 10.10.79.1/24

= hostname.em0
up

= hostname.em1
up

= hostname.vlan70
parent aggr0 vnetid 70
10.10.70.0/24

= hostname.vlan77
parent aggr0 vnetid 77
10.10.77.0/24

= hostname.vlan79
parent aggr0 vnetid 79
10.10.79.0/24

Ifconfig -A shows the vlans are setup

= aggr0
aggr0: flags=8847 mtu 1500
        lladdr fe:e1:ba:d0:f4:8c
        index 6 priority 0 llprio 7
        trunk: trunkproto lacp
        trunk id: [(8000,fe:e1:ba:d0:f4:8c,0006,,), (8000,e0:63:da:8e:78:d7,03E8,,)]
        em0 lacp actor system pri 0x8000 mac fe:e1:ba:d0:f4:8c, key 0x6, port pri 0x8000 number 0x1
        em0 lacp actor state activity,aggregation,sync,collecting,distributing
        em0 lacp partner system pri 0x8000 mac e0:63:da:8e:78:d7, key 0x3e8, port pri 0x1 number 0x9
        em0 lacp partner state activity,aggregation,sync,collecting,distributing
        em0 port active,collecting,distributing
        em1 lacp actor system pri 0x8000 mac fe:e1:ba:d0:f4:8c, key 0x6, port pri 0x8000 number 0x2
        em1 lacp actor state activity,aggregation,sync,collecting,distributing
        em1 lacp partner system pri 0x8000 mac e0:63:da:8e:78:d7, key 0x3e8, port pri 0x1 number 0xa
        em1 lacp partner state activity,aggregation,sync,collecting,distributing
        em1 port active,collecting,distributing
        groups: aggr
        media: Ethernet autoselect
        status: active
        inet 10.10.70.1 netmask 0xff00 broadcast 10.10.70.255
        inet 10.10.77.1 netmask 0xff00 broadcast 10.10.77.255
        inet 10.10.79.1 netmask 0xff00 broadcast 10.10.79.255

= em0
em0: flags=8843 mtu 1500
        lladdr fe:e1:ba:d0:f4:8c
        index 1 priority 0 llprio 3
        trunk: trunkdev aggr0
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active

= em1
em1: flags=8843 mtu 1500
        lladdr fe:e1:ba:d0:f4:8c
        index 2 priority 0 llprio 3
        trunk: trunkdev agg
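The hostname.if(5) files in the post put the addresses on aggr0 while the vlan70/77/79 files name it as parent and carry only a bare subnet. As an added example that is not from this thread, the shell check below flags that pattern in a directory of hostname.* files; it runs against a constructed copy of the posted aggr0/vlan70 files and against a corrected layout in which the vlan interfaces carry the addresses and the parent stays unnumbered, as vlan(4) describes. audit_vlan_config and make_samples are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the thread: audit hostname.if(5) files for the
# layout the post shows, where the addresses sit on the aggr(4) parent while
# each vlan(4) file names it as parent but carries no inet line of its own.
# Usage: audit_vlan_config /etc   (exit status 1 when a problem is reported)

audit_vlan_config() {
    dir=$1; rc=0
    for f in "$dir"/hostname.vlan*; do
        [ -e "$f" ] || continue
        vlan=${f##*/hostname.}
        parent=$(awk '$1 == "parent" { print $2; exit }' "$f")
        # The vlan interface is where the subnet address belongs.
        if ! grep -Eq '^[[:space:]]*(inet|inet6)[[:space:]]' "$f"; then
            echo "$vlan: no inet/inet6 line; the address belongs on the vlan"
            rc=1
        fi
        # The parent should stay unnumbered: traffic sourced from its own
        # addresses leaves untagged and is not placed in the tagged vlans.
        if [ -n "$parent" ] && [ -r "$dir/hostname.$parent" ] &&
           grep -Eq '^[[:space:]]*(inet|inet6|alias)[[:space:]]' "$dir/hostname.$parent"; then
            echo "$vlan: parent $parent carries addresses of its own"
            rc=1
        fi
    done
    return $rc
}

# Constructed samples: a copy of the posted aggr0/vlan70 files and a corrected
# layout (parent unnumbered, vlan numbered), written to a scratch directory.
make_samples() {
    base=$(mktemp -d)
    mkdir "$base/asposted" "$base/fixed"
    printf 'trunkport em0\ntrunkport em1\nup\ninet 10.10.70.1/24\nalias 10.10.77.1/24\n' \
        > "$base/asposted/hostname.aggr0"
    printf 'parent aggr0 vnetid 70\n10.10.70.0/24\n' > "$base/asposted/hostname.vlan70"
    printf 'trunkport em0\ntrunkport em1\nup\n' > "$base/fixed/hostname.aggr0"
    printf 'parent aggr0 vnetid 70\ninet 10.10.70.1/24\n' > "$base/fixed/hostname.vlan70"
    echo "$base"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_samples)
    audit_vlan_config "$d/asposted" || echo "as posted: problems found"
    audit_vlan_config "$d/fixed" && echo "fixed layout: ok"
fi
```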