
Comments (11)

tman785 avatar tman785 commented on July 17, 2024

In some of these scripts I'm seeing, I don't see a filter for EAP traffic to not be tagged (unless I'm missing something). Seems to be several reports of it working correctly with all traffic tagged as vlan 0.

from pfatt.

christopher-bowman avatar christopher-bowman commented on July 17, 2024

I don't either but I was surprised to see at least one packet from the EAPoL protocol was not tagged. I think it was the initial broadcast on the MAC address used to start the interaction. At least that's my recollection from the working setup.


tman785 avatar tman785 commented on July 17, 2024


gonzopancho avatar gonzopancho commented on July 17, 2024

@christopher-bowman Netgate (the company that makes pfSense) has recently completed a lot of work incorporating Layer 2 functionality in pf. As part of this, we enabled two new pieces of functionality, 'dup-to' and 'bridge-to', that are designed with the idea of replacing the netgraph-based functionality of pfatt.

I'm wondering if you (and @tman785 is welcome of course, but IDK when OPNsense might adopt this work, and IDK if @MonkWho is even watching this repo at this point) are open to testing this (very new) functionality


tman785 avatar tman785 commented on July 17, 2024

@christopher-bowman Finally got around to getting non-tethered to work on 22.7.4. As for whether setting vlanpcp 0 works, I couldn't get past authorization. At some point maybe next week, I'll do a packet trace between the two methods.


tman785 avatar tman785 commented on July 17, 2024

@christopher-bowman I gave it a shot to look at the traffic. Vlan is set to 0 when we run ifconfig $ONT_IF vlanpcp 0.

But for some reason, after wpa_supplicant sends out the START command, we receive the "Request, Identity" from the ONT, but nothing occurs after. It's like wpa_supplicant isn't responding to the traffic.

As for the script, I used my actual working script and modified it to comment out anything referring to netgraph. One thing I also did was comment these out:

#  /sbin/ifconfig $ONT_IF up
#  /sbin/ifconfig $ONT_IF promisc -vlanhwtag -vlanhwfilter -vlanhwtso

I don't think we need the $ONT_IF in promiscuous mode.

Any ideas? I don't get how wpa_supplicant will start the process but not respond. Unless there's an issue w/ the script itself.


matthewpapa07 avatar matthewpapa07 commented on July 17, 2024

I am having similar issues with newer versions of OPNsense. I have seen it work on older versions though. I wonder what has changed and how to fix it. I am trying to set up a packet trace; I think a promiscuous listener 3rd party on a dumb switch should work, right?


tman785 avatar tman785 commented on July 17, 2024

> I am having similar issues with newer versions of OPNsense. I have seen it work on older versions though. I wonder what has changed and how to fix it. I am trying to set up a packet trace; I think a promiscuous listener 3rd party on a dumb switch should work, right?

Never heard of it working outside of netgraph - I didn't think FreeBSD officially supports vlan 0 and we're just using some workaround where setting the pcp value to 0 also sets the vlan to 0.

I did see one post do it on ESXi, but they had the adapter within the host tag everything as vlan 0.


bigjohns97 avatar bigjohns97 commented on July 17, 2024

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224961

Just to add some of my own notes here. I am a current user of the Intel 350 NIC and because of this have had troubles getting this to work on native pfSense. I have since moved to ESXi and, using the VLAN 0 option of the vswitch at the ESXi layer, have been able to bypass the need for NetGraph and its incompatibility with my native 12.x Intel driver.

During this, however, I purchased a UDMP SE from Ubiquiti and was able to get it to authenticate natively by using VLAN 0, but I had to set a QoS value of 1. I thought this was just a GUI limitation, but looking at the FreeBSD bug link above I wonder if setting the PCP to 1 would actually still set the VLAN to 0 and provide the desired result with respect to this traffic. Just judging from some of the responses in the thread linked above, it looks like PCP actually designates a priority and not a VLAN, but a side effect is that it sets the VLAN to 0 as a result.

Anyways it's something to try, hope it helps.


bigjohns97 avatar bigjohns97 commented on July 17, 2024

Some more information I found from here https://www.freebsd.org/cgi/man.cgi?ifconfig(8)

     vlanpcp priority_code_point
             Priority code point (PCP) is an 3-bit field which refers to the
             IEEE 802.1p class of service and maps to the frame priority
             level.

             Values in order of priority are: 1 (Background (lowest)), 0 (Best
             effort (default)), 2 (Excellent effort), 3 (Critical
             applications), 4 (Video, < 100ms latency and jitter), 5 (Voice, <
             10ms latency and jitter), 6 (Internetwork control), 7 (Network
             control (highest)).

Maybe try using a value higher than 1?

from pfatt.
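
For anyone comparing packet traces on the question debated in this thread (whether EAPOL frames leave untagged or priority-tagged, and how PCP relates to VLAN ID inside one 802.1Q tag), here is an added example that is not code from pfatt or from any commenter. It decodes the tag fields and the EAPOL message type of raw Ethernet frames; the sample frames, the source MAC address and the helper names `classify` and `build` are constructed for illustration.

```python
import struct

ETH_8021Q = 0x8100  # 802.1Q tag protocol identifier
ETH_EAPOL = 0x888E  # 802.1X (EAPOL) EtherType
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def classify(frame: bytes) -> dict:
    """Decode the 802.1Q tag (if any) and summarise the EAPOL payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    info = {"tagged": False, "pcp": None, "dei": None, "vid": None, "eapol": None}
    offset = 14
    if ethertype == ETH_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        # TCI layout: PCP (3 bits) | DEI (1 bit) | VLAN ID (12 bits)
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF)
        offset = 18
    info["ethertype"] = ethertype
    if ethertype == ETH_EAPOL and len(frame) >= offset + 4:
        ptype = frame[offset + 1]  # EAPOL header: version, type, length(2)
        label = EAPOL_TYPES.get(ptype, f"type {ptype}")
        if ptype == 0 and len(frame) >= offset + 8:
            code = frame[offset + 4]  # EAP header: code, id, length(2)
            label = "EAP " + EAP_CODES.get(code, f"code {code}")
            # Request/Response carry a method type byte; 1 means Identity
            if code in (1, 2) and len(frame) >= offset + 9 and frame[offset + 8] == 1:
                label += " Identity"
        info["eapol"] = label
    return info

def build(tci, eapol_body: bytes) -> bytes:
    """Constructed sample frame: PAE group destination, made-up source MAC."""
    hdr = bytes.fromhex("0180c2000003") + bytes.fromhex("020000000001")
    tag = b"" if tci is None else struct.pack("!HH", ETH_8021Q, tci)
    return hdr + tag + struct.pack("!H", ETH_EAPOL) + eapol_body

START = bytes([1, 1, 0, 0])                   # EAPOL-Start
REQ_ID = bytes([1, 0, 0, 5, 1, 7, 0, 5, 1])   # EAP Request, Identity
RESP_ID = bytes([1, 0, 0, 5, 2, 7, 0, 5, 1])  # EAP Response, Identity
# untagged; priority-tagged (PCP 0, VID 0); PCP 1 with VID still 0
SAMPLES = [build(None, START), build(0x0000, REQ_ID), build(1 << 13, RESP_ID)]

if __name__ == "__main__":
    for f in SAMPLES:
        print(classify(f))
```

The third sample shows that a non-zero PCP and a VLAN ID of 0 coexist in the same tag, since the two values occupy different bits of the TCI.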

bigjohns97 avatar bigjohns97 commented on July 17, 2024

wpa_supplicant was patched to allow this to work; not sure if anyone saw that announcement in the other threads.

