evillerbob
just joined
Topic Author
Posts: 4
Joined: Fri Sep 16, 2022 2:23 am

CSS326-24G-2S+RM, 802.1ad, removing VLAN0

Fri Sep 16, 2022 3:13 am

VLANS and SwOS are not my usual territory so apologies if this seems a simple (or stupid!) question.

My PFSense gateway is failing to pick up a DHCP response when directly connected to a fibre ONT. The ISP have confirmed that it should be working, no MAC whitelisting needed.

On further investigation, they are using 802.1ad/QinQ with the service tag of vlan911. The inner customer tag is vlan0. PFSense (more specifically the version of FreeBSD they use) throws a wobbly over the use of vlan0 resulting in packets getting dropped and no DHCP response being received. This will eventually be fixed when they move to a newer version of FreeBSD but that could be some time.

One recommendation is to try using a switch between the ONT and PFSense to remove the vlan0 tag.

I have a CSS326-24G-2S+RM (running SwOS 2.13) with some spare ports that is conveniently right next to my PFSense gateway and the ONT.

I plan to use port isolation to create essentially a two-port switch just for this purpose. What I need to achieve is to have the vlan0 removed from the incoming packets. I guess this would be converting the 802.1ad/QinQ (with vlan911 and vlan0) to just an 802.1Q (with vlan 911), which matches what I have on the PFSense WAN connection.

Is this possible within SwOS or am I going about this completely the wrong way? I see the option to force a VLAN ID but I'm not clear how that would affect the 802.1ad packets?
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: CSS326-24G-2S+RM, 802.1ad, removing VLAN0

Fri Sep 16, 2022 12:12 pm

Typically switches/bridges only deal with outer-most VLAN tag. In your case that means switch will (say) remove the outer 802.1ad tag and leave inner 802.1q tag (with VID=0). Which means you'd need another switch that would strip the 802.1q tag (802.1q header with VID=0 is technically not a VLAN tag, it's a QoS tag). And another one to add the service tag again (you could re-use the first switch for that). At least with ROS there's another gotcha: bridge as a whole can only deal with one type of tags (either 802.1q or 802.1ad, but not both); however with ROS it's relatively easy ... one can stack bridges and make each do a part of the whole job.

Perhaps there's some other fancy way of stripping 802.1q tag (after frame is de-capsulated from 802.1ad that is) without involving CPU but I'm not aware of any.

I don't know if any of above is doable in SwOS, I've no experience with it.
 
evillerbob
just joined
Topic Author
Posts: 4
Joined: Fri Sep 16, 2022 2:23 am

Re: CSS326-24G-2S+RM, 802.1ad, removing VLAN0

Fri Sep 16, 2022 3:15 pm

Thank you for that.

So if I have the ONT into Port 1, then Port 2 out to the PFSense WAN, do I understand you correctly that the packet coming in to Port 1 would be 802.1ad (vlan 911/0) and the packet leaving Port 2 would be 802.1Q (vlan0)? If so, it seems like using the "force vlan id" option to change it to 911 (which is what the PFSense interface would use because the ISP is expecting to see that vlan) should solve the issue.

The other side to this that I'm trying to understand is the outbound traffic. If the PFSense is using 802.1Q vlan 911, wouldn't this also be stripped, or would the "force vlan id" also make sure these outbound packets were on the vlan the ISP is expecting?

I appreciate you said that you're not as familiar with SwOS so I'm mostly thinking out loud rather than expecting you to know the answer.

Usually I'd solve most things by trial-and-error tinkering with settings; in this case, that means bringing the internet down for each test so I'm trying to work out the right way "on paper" before giving it a go. What's annoying is that the usual advice seems to be "just stick any stupid cheap switch in between and the problem magically goes away." If I'm doing that I might as well leave the ISP router in place.
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: CSS326-24G-2S+RM, 802.1ad, removing VLAN0

Fri Sep 16, 2022 5:51 pm

I don't think it would work the way you're describing it. Remember that 802.1ad and 802.1q use different ether type (to make distinction). So service tag with VLAN ID 911 will have ether type 0x88a8 and inner customer tag with VLAN ID 0 will have ether type 0x8100. If switch strips the outer service tag, then PFsense will indeed see only the normal VLAN TAG with ID 0 (which it's allergic to as you write). If you'd make switch also replace VLAN ID=0 with VLAN ID=911, it would still be 802.1Q VLAN tag, not 802.1ad service tag. Not sure if PFsense would handle it fine or not.

The way back (from PFsense to WAN) is pretty simple. When configuring switch ports for VLANs, only configure one as tagged member of VLAN ID 911 (the upstream port) and the other port as untagged member of same VLAN (for connection towards PFsense). Switch will then automatically strip VLAN tag on egress and add VLAN tag on ingress for port connecting PFsense and keep tags for WAN port. A possible complication can be if PFsense doesn't include the 802.1q header (with VLAN ID set to 0 which it probably doesn't) but ISP's PPPoE server actually requires it. In this case switch would have to add it ...

If you don't need VLANs on this switch otherwise, you can probably configure switch to deal with service tags (ether type 0x88a8). If you are using switch with VLANs configured on other ports, then changing VLAN type probably won't work for the rest of connected gear.
 
evillerbob
just joined
Topic Author
Posts: 4
Joined: Fri Sep 16, 2022 2:23 am

Re: CSS326-24G-2S+RM, 802.1ad, removing VLAN0

Fri Sep 16, 2022 9:02 pm

The ISP uses straight DHCP, not PPPoE, which is one less complication thankfully.

Again, I'm thinking out loud here but very happy for any input or corrections.

I'm looking at this alongside the following SwOS example page:
https://wiki.mikrotik.com/wiki/SWOS/CSS326-VLAN-Example

Port 23 (to PFSense) would be the downstream port
Port 24 (to ONT) would be the upstream port

With the SwOS admin page in front of me, I'm looking at:
Port 23 and Port 24, isolated and only talking to each other (This is already set up with the ONT on port 24 and the ISP router's WAN on port 23; I was previously using this to "tap into" the connection and mirror packets to another port for wireshark)

Proposed settings

"VLAN" tab
Port 23: "VLAN Mode" = "enabled"
Port 23: "VLAN Receive" = "any"
Port 23: "Default VLAN ID" = "911"
Port 23: "Force VLAN ID" = unchecked

Port 24: "VLAN Mode" = "enabled"
Port 24: "VLAN Receive" = "any"
Port 24: "Default VLAN ID" = "911"
Port 24: "Force VLAN ID" = unchecked

"VLANs" tab
VLAN ID = "911"
"Port Isolation" = checked
"Learning" = checked
"Mirror" = unchecked
"Members" = checked {Port 23; Port 24}, unchecked {everything else}

PFSense WAN port set for vlan 911 with priority 0 (which is about the only clear instruction I have from the ISP on this point). I've not come across people configuring this as QinQ in routers, they seem to be using normal vlan. I couldn't configure it as QinQ anyway as I have to set the inner tag to a non-0 VLAN.

So, would I be right in thinking that:
  • Outbound 802.1Q traffic from PFSense with vlan 911 reaches port 23, the vlan is removed, the packet moves to port 24 which applies vlan 911 and sends it off to the ONT. This is 802.1Q so whether the ISP accepts it or not is up in the air.
  • Inbound 802.1ad traffic from the ONT with (s) vlan 911 (c) vlan 0 reaches port 24, the outer (s) vlan is removed, the packet moves to port 23 which applies vlan 911 and sends it to PFSense. By applying the vlan 911 we have replaced (?) the (c) vlan 0, meaning we have a 802.1Q packet that PFSense is happy to handle.

There comes a point where I'll just have to give it a go, I'm just trying to limit the amount of trial and error involved!
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: CSS326-24G-2S+RM, 802.1ad, removing VLAN0

Fri Sep 16, 2022 9:30 pm

I'm quite sceptical about your (wishful) thinking in the very last bullet. Even about the preceding bullet. It's not really clear how exactly switch chip deals with VLAN tags internally, it could well have all frames tagged and only strips tag on egress if needed and adds tag on ingress if ingress frame is tagless. In this case switch won't touch tags at all. And even if it did strip tags as you wrote in last bullet, it wouldn't replace remaining tag on egress but rather add it, again ending with frame with two VLAN headers.

So indeed try and see if/how it works. And report back.
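As an added illustration (not code from this thread, from MikroTik or from pfSense), here is a small Python model of the frame headers mkx describes: the ONT's frame with a 0x88a8 service tag (VID 911) over a 0x8100 customer tag (VID 0), what a switch that only handles the outermost tag leaves behind, and why a port that adds a tag on egress produces two headers rather than rewriting the remaining one. The MAC addresses and payload are constructed sample values; the tag encodings (TPID followed by a 16-bit TCI of PCP/DEI/VID) follow 802.1Q/802.1ad.

```python
import struct

ETH_P_8021Q = 0x8100   # 802.1Q customer tag (C-TAG) TPID
ETH_P_8021AD = 0x88A8  # 802.1ad service tag (S-TAG) TPID, i.e. QinQ
ETH_P_IPV4 = 0x0800

ONT_MAC = bytes.fromhex("02aabbcc0001")      # constructed sample address
PFSENSE_MAC = bytes.fromhex("02aabbcc0002")  # constructed sample address

def build_frame(dst, src, tags, ethertype, payload=b""):
    """Build a frame with zero or more VLAN tags; tags are (tpid, pcp, dei, vid), outermost first."""
    hdr = dst + src
    for tpid, pcp, dei, vid in tags:
        hdr += struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload

def parse_tags(frame):
    """Walk the tag stack after the MAC addresses; return (tags, inner_ethertype)."""
    off, tags = 12, []
    while off + 2 <= len(frame):
        tpid = struct.unpack_from("!H", frame, off)[0]
        if tpid not in (ETH_P_8021Q, ETH_P_8021AD):
            return tags, tpid
        if off + 4 > len(frame):
            break
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append((tpid, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4
    raise ValueError("truncated frame")

def strip_outer_tag(frame):
    """What a switch that only handles the outermost tag leaves on egress."""
    return frame[:12] + frame[16:] if parse_tags(frame)[0] else frame

def push_tag(frame, tpid, vid, pcp=0):
    """What a port that adds a tag does: it pushes a new outer tag, it does not rewrite one."""
    return frame[:12] + struct.pack("!HH", tpid, (pcp << 13) | vid) + frame[12:]

def is_priority_tagged(frame):
    """True when the outermost header is 802.1Q with VID 0: a QoS-only tag, not a VLAN."""
    tags, _ = parse_tags(frame)
    return bool(tags) and tags[0][0] == ETH_P_8021Q and tags[0][3] == 0

# Constructed frame as the ONT delivers it: S-TAG 911 (0x88a8) over C-TAG 0 (0x8100).
ISP_FRAME = build_frame(PFSENSE_MAC, ONT_MAC,
                        [(ETH_P_8021AD, 0, 0, 911), (ETH_P_8021Q, 0, 0, 0)],
                        ETH_P_IPV4, b"\x45" + b"\x00" * 19)
# What the pfSense WAN is configured for: one 802.1Q tag, VID 911, priority 0.
WANTED_FRAME = build_frame(PFSENSE_MAC, ONT_MAC, [(ETH_P_8021Q, 0, 0, 911)],
                           ETH_P_IPV4, b"\x45" + b"\x00" * 19)
```

Running `parse_tags` over frames captured on the mirror port is a quick way to confirm what the switch actually emits before committing the pfSense WAN to a setting.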
 
evillerbob
just joined
Topic Author
Posts: 4
Joined: Fri Sep 16, 2022 2:23 am

Re: CSS326-24G-2S+RM, 802.1ad, removing VLAN0

Fri Sep 16, 2022 10:24 pm

You were right to be skeptical!

Back to the drawing board. I'm just not sure if it's possible (but I don't know how) or if it's just not going to work at all.
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: CSS326-24G-2S+RM, 802.1ad, removing VLAN0

Sat Sep 17, 2022 12:11 am

I don't want to sound too negativistic ... but I doubt you can do what you're after with (pretty simplistic) SwOS device. It might be doable with ROS device with some innovative approach ... I guess. OTOH I don't want to discourage you, you might find a way, so by all means do keep thinking about it.
