Management VLAN questions

ridertwixxen

Cadet
Joined
May 16, 2023
Messages
5
Heya, I have a (virtualised) TrueNAS Core running, which is currently connected via an "ordinary" LAN. I intended to add Management VLAN Capability, but the outcome is.... not as expected.

First of all I added a second NIC and connected it.
Adding a VLAN to a port and setting up a static IP for the VLAN works. I can then ping the VLAN, access it via trunk ports and so on - as expected.
Same goes when I just add a fixed IP to the NIC within the VLAN range and let the switch care for the tagging - equally good, equally working as expected.

What is not working is the following: As soon as I deactivate the connection to the ordinary LAN I lose network on both connections, not only on primary / LAN. How can I solve this issue? Having a Management VLAN does not seem to be a big issue, but for TrueNAS it seems kinda unsolved? At least I did not find any documentation or help, hence my topic here - the main issue is for sure the person writing this text... Any help would be highly appreciated!
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
for TrueNAS it seems kinda unsolved?

Of course it's not unsolved. You've done SOMETHING wrong, it just isn't clear what. Some of us run very complex networking setups with multiple vlans and multiple interfaces. It sounds to me like you might be losing your default gateway, which would naturally kill any traffic to networks that were not directly reachable. Try checking from the console if your default route is still there ("route -n get default") and if not, re-establish it. Please note that using DHCP for configuration would cause lots of weird and stupid problems as well.
 

ridertwixxen

Cadet
Joined
May 16, 2023
Messages
5
Yeah, I guessed that it is me, it is almost always me. That's why I wrote the last two sentences ;)
I do not use DHCP at all (just for clients over wifi in my network, like phones and stuff), so that won't be the issue. The route thingy seems a good go, let's give it a test:
With both interfaces attached:
Code:
root@truenas[~]# route -n get default
   route to: 0.0.0.0
destination: 0.0.0.0
       mask: 0.0.0.0
    gateway: 10.10.0.1
        fib: 0
  interface: ix0
      flags: <UP,GATEWAY,DONE,STATIC>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1500         1         0

With the "main" interface dropped off:
Code:
root@truenas[~]# route -n get default
   route to: 0.0.0.0
destination: 0.0.0.0
       mask: 0.0.0.0
    gateway: 10.10.0.1
        fib: 0
  interface: ix0
      flags: <UP,GATEWAY,DONE,STATIC>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1500         1         0

So no change at all :(
But the route is attached to the interface which is deactivated at the time of test, so at least that's why I have no network at all anymore - do you mean that with "not there anymore"? Sorry, nub at work over here, but I try and am willing to learn...

O, and btw: Hi and thx!
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
But the route is attached to the interface which is deactivated at the time of test, so at least that's why I have no network at all anymore - do you mean that with "not there anymore"? Sorry, nub at work over here, but I try and am willing to learn...

So if you are expecting packets to go to hosts that are not on a directly connected network, the gateway has to exist and be reachable. I would suggest enabling ping on a client and testing. You can manually move the default route with

# route delete default
# route add default 10.20.0.1

Assuming 10.20.0.1 is a valid gateway on one of your other networks and is reachable via ping from the NAS.
 

ridertwixxen

Cadet
Joined
May 16, 2023
Messages
5
Well, the gateway exists and is reachable from the VLAN. I just booted up a VM, put it into the VLAN via tagged port and pinged 10.10.0.1 - works without issue.
I don't want to change the default route, because this would also affect the "ordinary" LAN, over which the traffic will go. In this LAN my "main" Gateway/Router/Uplink to ISP is reachable from every VLAN, so an added Gateway in another network segment does seem to be redundant?
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
The "control plane" of TrueNAS and the services use one and the same network stack. It is difficult up to the point of impossible to separate the two. Specifically both use the same routing table.

The only things that can be separated are VNET jails and VMs because they come with their own IP stack. For TrueNAS even if you try to access the UI via a different (VLAN) interface, the resulting return packets will go to the global default gateway unless the system with the browser is directly connected to the VLAN in question. In the latter case it should work.

HTH,
Patrick
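
The single-routing-table behaviour described in the post above, as an added example that is not part of the original thread: a simplified model of how the reply path is chosen. The `ix0` interface and the 10.10.0.1 gateway come from the posted route output; the /24 masks, the `vlan10` interface name and the client addresses are assumptions.

```python
import ipaddress

# Constructed model of the NAS in the thread. ix0 and the 10.10.0.1 gateway
# are from the posted route output; the /24 masks, the vlan10 interface name
# and the client addresses are assumptions made for this example.
ROUTES = [
    # (destination prefix, next hop or None when directly connected, interface)
    ("10.10.0.0/24", None, "ix0"),
    ("10.10.10.0/24", None, "vlan10"),
    ("0.0.0.0/0", "10.10.0.1", "ix0"),
]


def reply_path(client_ip, up_interfaces, routes=ROUTES):
    """Return (interface, next_hop) used for a reply to client_ip, or None.

    There is one routing table for the UI and every service, so the reply
    follows the longest matching prefix no matter which interface the
    request arrived on.
    """
    addr = ipaddress.ip_address(client_ip)
    matches = [
        (ipaddress.ip_network(prefix), hop, ifname)
        for prefix, hop, ifname in routes
        if addr in ipaddress.ip_network(prefix)
    ]
    if not matches:
        return None
    net, hop, ifname = max(matches, key=lambda m: m[0].prefixlen)
    if ifname not in up_interfaces:
        return None  # the route is still listed, but nothing can leave through it
    return ifname, hop or client_ip


def show(title, up):
    print(title)
    for client in ("10.10.10.50", "10.10.0.50", "192.168.1.50"):
        print(f"  reply to {client:<13} -> {reply_path(client, up)}")


if __name__ == "__main__":
    show("both interfaces up", {"ix0", "vlan10"})
    show("ix0 deactivated", {"vlan10"})
```

In this model a client inside the management VLAN keeps working with `ix0` down, while a client that reaches the UI through a router does not, because its replies still follow the default route on `ix0`.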
 

ridertwixxen

Cadet
Joined
May 16, 2023
Messages
5
Thank you for clarification. This brings me unfortunately to the point "not possible", which is.... unfortunate. Ty for clarification, highly appreciated you two!
 

ridertwixxen

Cadet
Joined
May 16, 2023
Messages
5
I cannot edit my own posts yet (due to too few posts), so sorry for double posting.
I just switched the default gateway from 10.10.0.1 (lan) to 10.10.10.1 (vlan10), and as soon as I deactivate the lan connection I cannot reach the truenas anymore. This is strange, because it should still work, because the default gateway is within the network segment which is still connected - color me confused?
 