Trunking and VLANs

mrjoli021

Explorer
Joined
Dec 8, 2012
Messages
50
I am trying to migrate my pfSense firewall into a virtual machine inside TrueNAS SCALE. This particular firewall setup now has a trunk port connected to the switch, and then I can tag the VLAN inside pfSense. How would I do this in TrueNAS SCALE? I don't see an option for a Trunk/Tagged port. These are the options I see ("Bridge", "Link Aggregation" and "VLAN").

The other question I have is, when I create a VLAN it pulls an IP from DHCP. Is there a way to just do an L2 VLAN without L3? I don't want an IP on every VLAN interface I create. Is there a way to do this?
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
I don't see an option for a Trunk/Tagged port. These are the options I see ("Bridge", "Link Aggregation" and "VLAN").

That's because you're using crappy terminology. "Trunk" is incredibly poorly defined and can mean a variety of things including an LACP bundle; some people confuse it to mean a port that carries multiple VLANs, etc.

First you'll have to define what you mean by a "Trunk/Tagged port". A link aggregation is a bundle of multiple ethernets, often in LACP, that can provide bandwidth aggregation of multiple individual ethernet circuits. A VLAN interface is a virtual LAN interface, which requires a parent interface (can be a single ethernet interface or a link aggregation). The packets on the VLAN will be encapsulated and transmitted on the parent interface (and vice versa).

The other question I have is, when I create a VLAN it pulls an IP from DHCP. Is there a way to just do an L2 VLAN without L3? I don't want an IP on every VLAN interface I create. Is there a way to do this?

Don't assign an address to it, and do not enable "DHCP".
 

mrjoli021

Explorer
Joined
Dec 8, 2012
Messages
50
That's because you're using crappy terminology. "Trunk" is incredibly poorly defined and can mean a variety of things including an LACP bundle; some people confuse it to mean a port that carries multiple VLANs, etc.

First you'll have to define what you mean by a "Trunk/Tagged port". A link aggregation is a bundle of multiple ethernets, often in LACP, that can provide bandwidth aggregation of multiple individual ethernet circuits. A VLAN interface is a virtual LAN interface, which requires a parent interface (can be a single ethernet interface or a link aggregation). The packets on the VLAN will be encapsulated and transmitted on the parent interface (and vice versa).

Don't assign an address to it, and do not enable "DHCP".

When I say Trunk/Tagged port I am referring to a way that I can tag a VLAN and pass it through using 802.1Q encapsulation.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
I'm on the same page as you are and name an interface that carries tagged frames "trunk". Mainly because Cisco used the term at least since the early 90s.

Virtualising pfSense on TrueNAS - brave endeavour. I like it, because it's all FreeBSD. So let's look at the FreeBSD network architecture and its consequences.

FreeBSD supports VLANs all right. And bridge interfaces. These can serve as a sort of vSwitch for VMs and this is what is used in TrueNAS.

Unfortunately this vSwitch is not VLAN capable. That's important. You cannot have tagged frames, and VLAN subinterfaces, on a port that is a member of a bridge.

Bridges OTOH are the only way currently to connect virtual interfaces of VMs to the network.

So ...

You absolutely must create all VLAN interfaces on TrueNAS. And then create a bridge interface for each VLAN and place exactly one VLAN interface into the bridge as a member.

Then you create as many virtual interfaces as there are VLANs for your pfSense VM and assign each one to one of the bridge interfaces.

pfSense will see N vtnetX interfaces and not know about VLANs but why not? With VLANs in pfSense you would end up with N logical interfaces, too.

In an enterprise situation and possibly ESXi instead of TrueNAS as the hypervisor I would prefer PCIe passthrough and separate interfaces just for pfSense, but I am confident what I sketched will work.

HTH,
Patrick
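The layout Patrick describes (one 802.1Q subinterface per VLAN on the parent NIC, one bridge per VLAN with exactly that subinterface as its only member, one VM NIC per bridge) can be written down as plain iproute2 commands. The script below is an added example, not code from the thread or from TrueNAS; the parent NIC name eth0 and VLAN IDs 10, 20 and 30 are constructed for illustration. It defaults to a dry run that only prints the commands, which also makes the "L2 only" point visible: no address is assigned and no DHCP client is started on any VLAN or bridge interface, so the host never gets an IP on them and the firewall VM keeps all layer-3 configuration.

```shell
#!/bin/sh
# Added example (not from the thread): emit or run the iproute2 commands that
# build the per-VLAN-bridge layout on a Linux host such as TrueNAS SCALE:
#   parent NIC -> one 802.1Q subinterface per VLAN -> one bridge per VLAN
# Names (eth0, VLAN ids 10/20/30) are constructed for illustration.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (root).

: "${DRY_RUN:=1}"

# run CMD ARGS...: print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# vlan_bridge PARENT VID
# Creates PARENT.VID (tagged 802.1Q subinterface) and brVID (bridge) with the
# subinterface as its only member. Deliberately no "ip addr add" and no DHCP
# client: these interfaces stay pure layer-2 plumbing, the VM owns layer 3.
vlan_bridge() {
    parent=$1
    vid=$2
    run ip link add link "$parent" name "$parent.$vid" type vlan id "$vid"
    run ip link add "br$vid" type bridge
    run ip link set "$parent.$vid" master "br$vid"
    run ip link set "$parent.$vid" up
    run ip link set "br$vid" up
}

# build_all PARENT VID...
# Brings the parent up (no address on it either) and builds one VLAN/bridge
# pair per VID. Each VM NIC (vtnetX inside pfSense) is then attached to one
# brVID, so the VM sees one untagged interface per VLAN.
build_all() {
    parent=$1
    shift
    run ip link set "$parent" up
    for vid in "$@"; do
        vlan_bridge "$parent" "$vid"
    done
}

# Usage: three VLANs on eth0 -> br10, br20, br30 for three VM interfaces.
build_all eth0 10 20 30
```

Commands typed by hand like this do not survive a reboot on TrueNAS, which regenerates network configuration from its own database; the persistent way is to create the same VLAN and bridge objects in the Network section of the UI. The script is useful to see what that UI configures underneath and to check with `ip -d link show` that each bridge really has only its VLAN subinterface as a member and that no bridge or VLAN interface carries an address.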
 

mrjoli021

Explorer
Joined
Dec 8, 2012
Messages
50
I currently have this setup working now on ESXi. The trunk port on ESXi is just a VLAN with a tag of 4095. This makes that interface use 802.1Q and I can then create as many interfaces as I want inside pfSense and tag them. I will try the bridge option and see how that goes.
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
My bad - SCALE not CORE. OK. No idea if the Linux bridge can pass tagged frames.
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
Good answer though, even if not directly to the original question.
 