
Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense Hangout July 2018

Slides for the July 2018 pfSense Hangout video



  1. Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4
     July 2018 Hangout
     Jim Pingle
  2. About this Hangout
     ● Netgate News
     ● Netgate Hardware with Integrated Switches
     ● Integrated Switch Capabilities
     ● Integrated Switch Limitations
     ● Switch Modes
     ● Default Switch Configuration
     ● Configuring the switch and pfSense to use discrete ports
     ● Other Example Configurations
  3. Netgate News
     ● 2.4.4 Release Highlights article
     ● pfSense Gold content will be free starting with 2.4.4-RELEASE
       – See the blog for details
       – AutoConfigBackup service is integrated into 2.4.4 and is free for all
       – The book will be free to access
       – Hangouts will be migrating to YouTube
       – Certified VMware appliance discontinued; you can still install from the ISO and install the tools, there is just no certification process run
     ● XG-7100 Desktop now available for preorder
     ● 2.4.4 will natively support the MinnowBoard Turbot Dual Ethernet we sell
       – Can run CE; not preinstalled, but it will install/run, and the HDMI issue has been resolved
     ● More new hardware coming very soon!
  4. Netgate Hardware with Integrated Switches
     ● XG-7100 1U and Desktop
       – Marvell 6000 Series
       – Switch has 8x 1Gbit/s ports plus 2x internal 2.5Gbit/s uplinks
     ● SG-3100
       – Marvell 6000 Series
       – Switch has 4x 1Gbit/s ports plus 1x internal 2.5Gbit/s uplink
     ● SG-1000
       – TI Common Platform Ethernet Switch
       – Two ports are on a switch, but primarily useful as LAN+WAN
       – This switch is handled differently than the 7100/3100 switches and won't be covered today
     ● More devices with switches coming soon!
  5. Integrated Switch Capabilities
     ● True switch: traffic between ports in the same group/VLAN is forwarded by the switch itself and never reaches the uplink, so pfSense (and its firewall rules) does not see it
     ● Can work in 802.1q mode or Port VLAN mode
     ● Ports can be configured in one or more groups to effectively have multiple switches or one large switch
     ● Ports can be configured as discrete ports, individually addressable/isolated as if they were separate physical ports
     ● Supports link aggregation between multiple ports (LAGG) in 2.4.4
     ● Switch port status shown in the Interfaces widget on the Dashboard
  6. Integrated Switch Limitations
     ● 128 VLAN tag limit in 802.1q mode on the switch
       – Port VLAN mode passes tags through untouched, so it can be used to trunk more than 128 VLANs to another switch if necessary
     ● Though individual port status can be tied to interface status on 2.4.4, it does not yet affect HA, so HA using switch ports is not ideal
       – This is still being actively worked on and may be resolved before 2.4.4-RELEASE
     ● Though the switch supports LAGG, the only supported LAGG mode at this time is Load Balance
       – No support for LACP
     ● Can't set speed/duplex on switch ports at this time
     ● Restoring a backup from another platform can be tricky due to the differences in interface layouts
       – We are working on ways to make this easier, including a switch configuration wizard
       – Workaround: pre-configure the switch and VLANs on the new hardware, take a backup, splice the switch/VLAN settings from that backup into the old backup from the old hardware, then adjust the interface assignments
  7. Switch Modes
     ● 802.1q Mode
       – Supports multiple VLANs (up to 128)
       – Can send tagged or untagged traffic on a port
       – Configurable PVID sets the VLAN ID assigned to untagged traffic arriving on a port
       – Through the use of VLANs, can effectively make isolated interfaces out of switch ports
       – Assign and use VLAN tagged interfaces for discrete ports, using the uplink as the VLAN parent
         ● lagg0 or ix2/ix3 on the 7100, mvneta1 on the 3100
     ● Port VLAN Mode
       – Retains VLAN tags, does not add or remove them
       – Untagged traffic from the uplink (pfSense) is sent untagged
       – Ports can be configured in groups, similar to separate switches/VLANs
       – Assign and use the uplink interface directly to talk to clients sharing a port group with the uplink
         ● lagg0 or ix2/ix3 on the 7100, mvneta1 on the 3100
  8. Default Switch Configuration
     ● XG-7100 1U/DT
       – 10 switch ports: 8 physical plus 2 uplink
       – Uplinks are 2.5Gbit/s ix2 & ix3, configured as lagg0 in pfSense and as LAGG 0 on the switch
       – Default mode is 802.1q
       – First port tied to VLAN 4090 and assigned as WAN
       – Remaining ports on VLAN 4091 and assigned as LAN
     ● SG-3100
       – 5 switch ports: 4 physical plus 1 uplink
       – Uplink is 2.5Gbit/s, mvneta1
       – Default mode is Port VLAN
       – Uplink assigned as the pfSense LAN by default
  9. Configuring Discrete Ports
     ● This assumes a default starting configuration and that all ports will be separate
     ● Do not perform this configuration from a port on the switch, you will lose connectivity!
       – On the 7100, configure and use OPT1 (ix0), OPT2 (ix1), or an add-in port
       – On the 3100, configure and use OPT1 (mvneta0) or WAN (in a lab setup)
     ● Before starting, you need a plan
       – Which VLANs to use? Which port for which VLAN?
       – These VLANs are internal to the switch
       – Packets leave the ports untagged, so clients do not need to know about the VLANs
       – If there are other VLANs on the network, these should be different and not conflict with them
     ● For example, on an SG-3100
       – VLAN 4081 = Port 1, VLAN 4082 = Port 2, VLAN 4083 = Port 3, VLAN 4084 = Port 4
     ● For the 7100, use 4081-4088 for ports 1-8
     ● These are only suggestions, change to suit your needs!
     ● Required tasks:
       – Configure the switch
       – Create VLAN tagged interfaces
       – Assign and configure the VLAN tagged interfaces
     ● The switch may be configured before or after the interfaces
  10. Discrete Ports – Switch Configuration
     ● Interfaces > Switches, VLANs tab
     ● Check Enable 802.1q VLAN mode, click Save
       – The SG-3100 must be changed, since it defaults to Port VLAN mode; the XG-7100 already defaults to 802.1q, but clear out its existing VLAN entries
     ● For each VLAN (4081, 4082, etc.) click +Add Tag
       – For this example, VLAN 4081 for Port 1
       – Enter the VLAN Tag for this VLAN (4081)
       – Set Member to the port number decided previously (Port 1)
       – For this member entry, Tagged should be unchecked, so the client on that port receives untagged frames
       – Add another member entry for the uplink port and check Tagged: port 5 on the 3100; ports 9 and 10 on the 7100
         ● This is what lets pfSense talk to that VLAN over the uplink
       – Repeat for each port that will be mapped to a VLAN
     ● Edit VLAN group 0 and remove the Member entries for ports that now have individual VLANs
     ● Switch to the Ports tab
     ● Click the PVID for each port and change it to the corresponding VLAN (e.g. Port 1, PVID 4081), repeat for each port
     ● Click Save
  11. Discrete Ports – VLAN Tags
     ● Interfaces > Assignments, VLANs tab
     ● For each VLAN…
       – Click + Add
       – Pick mvneta1 as the parent (SG-3100) or lagg0 (XG-7100)
       – Set the VLAN tag to the one picked earlier (e.g. 4081)
       – Click Save
       – Repeat for each other port (e.g. 4082, 4083, 4084)
  12. Discrete Ports – Interface Configuration
     ● Interfaces > Assignments
     ● Assign each VLAN as its own interface
     ● For each of these interfaces (OPT3, OPT4, etc.)
       – Interfaces > OPTx
       – Check Enable
       – Choose the Switch Port so the interface status follows the physical port's link state
       – Set an IP address (e.g. …)
       – Click Save, Apply Changes
     ● These can now be used like any other physical port
     ● You will have to set up DHCP, add firewall rules, and so on, the same as for any other interface
       – A newly assigned OPT interface starts with no rules, so nothing is passed in on it until you add some
     ● With each port on its own network, there is no need for the old "LAN"
       – It can be disabled, reassigned as one of these ports, etc.
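The planning step on slide 9 and the switch and VLAN steps on slides 10 and 11 can be checked before anything is clicked in the GUI. The script below is an added example, not code from the Hangout or from pfSense: it validates a port-to-VLAN plan against the constraints the slides state (front ports only, legal tags, one VLAN per port, no collision with VLANs already on the network) and renders the equivalent etherswitchcfg(8) commands and pfSense VLAN interface names for review. The command syntax follows the FreeBSD etherswitchcfg(8) manual page; the /dev/etherswitch0 device path and the VLAN-group numbering are assumptions. It only prints commands and touches no hardware.

```python
# Added example (not from the slides or pfSense): plan and render a
# discrete-ports switch layout for the SG-3100 / XG-7100.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Platform:
    name: str
    parent: str               # pfSense parent interface for the VLAN tags
    ports: Tuple[int, ...]    # front-panel switch ports a client plugs into
    uplinks: Tuple[int, ...]  # switch ports wired internally to pfSense


SG3100 = Platform("SG-3100", "mvneta1", (1, 2, 3, 4), (5,))
XG7100 = Platform("XG-7100", "lagg0", tuple(range(1, 9)), (9, 10))


def validate_plan(platform: Platform, port_vlans: Dict[int, int],
                  existing_vlans: Iterable[int] = ()) -> List[str]:
    """Return the problems with a port->VLAN plan; an empty list means it is usable.

    Checks the points slide 9 asks for: only front ports get a VLAN, the IDs are
    legal 802.1q tags, each port has its own VLAN, and none of the internal
    VLANs collides with a VLAN already used elsewhere on the network.
    """
    problems: List[str] = []
    used: Dict[int, int] = {}          # vlan -> first port that claimed it
    taken = set(existing_vlans)
    for port, vid in sorted(port_vlans.items()):
        if port not in platform.ports:
            problems.append(f"port {port} is not a front port on the {platform.name}")
        if not 1 <= vid <= 4094:
            problems.append(f"VLAN {vid} on port {port} is not a valid 802.1q tag")
        if vid in taken:
            problems.append(f"VLAN {vid} on port {port} is already in use on the network")
        if vid in used:
            problems.append(f"VLAN {vid} is mapped to both port {used[vid]} and port {port}")
        used.setdefault(vid, port)
    return problems


def switch_commands(platform: Platform, port_vlans: Dict[int, int],
                    dev: str = "/dev/etherswitch0") -> List[str]:
    """Render the switch side of slide 10 as etherswitchcfg(8) commands.

    Each VLAN group carries the client port untagged and every uplink tagged
    (the 't' suffix), and the port's PVID is set so untagged frames from the
    client land in its VLAN. Group 0 is left alone: prune it by hand, as the
    slide says, removing the ports that now have their own VLAN. The device
    path and the group numbering (starting at 1) are assumptions.
    """
    if validate_plan(platform, port_vlans):
        raise ValueError("plan is invalid; run validate_plan() first")
    tagged_uplinks = ",".join(f"{u}t" for u in platform.uplinks)
    cmds = [f"etherswitchcfg -f {dev} config vlan_mode DOT1Q"]
    for group, (port, vid) in enumerate(sorted(port_vlans.items()), start=1):
        cmds.append(f"etherswitchcfg -f {dev} vlangroup{group} vlan {vid} "
                    f"members {port},{tagged_uplinks}")
        cmds.append(f"etherswitchcfg -f {dev} port{port} pvid {vid}")
    return cmds


def vlan_interfaces(platform: Platform, port_vlans: Dict[int, int]) -> Dict[int, str]:
    """Map each switch port to the pfSense VLAN interface created on slide 11.

    pfSense names a VLAN interface <parent>.<tag>, so these are the devices
    you will see under Interfaces > Assignments once the tags exist.
    """
    return {port: f"{platform.parent}.{vid}" for port, vid in sorted(port_vlans.items())}


if __name__ == "__main__":
    plan = {1: 4081, 2: 4082, 3: 4083, 4: 4084}   # the SG-3100 example from slide 9
    for line in switch_commands(SG3100, plan):
        print(line)
    for port, ifname in vlan_interfaces(SG3100, plan).items():
        print(f"port {port} -> assign {ifname} as its own OPT interface")
```

Pass the VLAN IDs already in use on the rest of the network as `existing_vlans` (for the XG-7100 defaults that includes 4090 and 4091) so an internal VLAN never overlaps one that a downstream switch might be tagging.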
  13. Other Examples
     ● More documentation on the website
     ● Other common examples:
       – All ports on one switch, or discrete ports (already covered)
       – Mix of separate and discrete ports (similar to the 7100 default configuration)
       – Two isolated 4-port switches, each using one uplink (7100)
         ● In the docs above
       – Port isolation (clients can reach the uplink but not each other)
       – Many other common switch configuration scenarios, varies widely from customer to customer!
  14. Conclusion
     ● Questions?
     ● New Hangout format starting next month, details to come
     ● Ideas for hangout topics? Post on the forum, Reddit, etc.