2. About this Hangout
● Netgate News
● Netgate Hardware with Integrated Switches
● Integrated Switch Capabilities
● Integrated Switch Limitations
● Switch Modes
● Default Switch Configuration
● Configuring the switch and pfSense to use discrete ports
● Other Example Configurations
3. Netgate News
● 2.4.4 Release Highlights article
– https://www.netgate.com/blog/pfsense-software-version-2-4-4-release-highlights.html
● pfSense Gold content will be free starting with 2.4.4-RELEASE
– See the blog for details https://www.netgate.com/blog/pfsense-gold-free-starting-with-2-4-4.html
– AutoConfigBackup service integrated into 2.4.4 and is free for all
– Book will be free to access
– Hangouts will be migrating to YouTube
– Certified VMware appliance discontinued, but you can still install from ISO and install the tools, just no certification process run
● XG-7100 Desktop now available for Preorder
– https://www.netgate.com/blog/xg-7100-desktop-available-for-pre-order.html
● 2.4.4 will natively support the MinnowBoard Turbot Dual Ethernet we sell
– Can run CE; not preinstalled, but it will install/run, and the HDMI issue has been resolved
– https://www.netgate.com/blog/pfsense-2-2-4-on-minnowboard-turbot-dual-ethernet.html
● More new hardware coming very soon!
4. Netgate Hardware with Integrated Switches
● XG-7100 1U and Desktop
– Marvell 6000 Series
– Switch has 8x 1Gbit/s ports plus 2x internal 2.5Gbit/s uplinks
● SG-3100
– Marvell 6000 Series
– Switch has 4x 1Gbit/s ports plus 1x internal 2.5Gbit/s uplink
● SG-1000
– TI Common Platform Ethernet Switch
– Two ports are on a switch, but primarily useful as LAN+WAN
– This switch is handled differently than the 7100/3100 switches and won’t be covered today
● More devices with switches coming soon!
5. Integrated Switch Capabilities
● True switch in that traffic between ports in the same group/VLAN does not get processed by the uplink (pfSense)
● Can work in 802.1q mode or port VLAN mode
● Ports can be configured in one or more groups to effectively have multiple switches or one large switch
● Ports can be configured as discrete ports, individually addressable/isolated as if they were separate physical ports
● Supports link aggregation between multiple ports (LAGG) in 2.4.4
● Switch port status shown in the Interfaces widget on the Dashboard
6. Integrated Switch Limitations
● 128 VLAN tag limit in 802.1q mode on the switch
– Port VLAN mode passes tags, can be used to trunk >128 VLANs to another switch if necessary
● Though the individual port status can be tied to interface status on 2.4.4, it does not yet affect HA, so HA using switch ports is not ideal
– This is still being actively worked on and may be resolved before 2.4.4-RELEASE
● Though the switch supports LAGG, the only supported LAGG mode at this time is Load Balance – no support for LACP
● Can't set speed/duplex on switch ports at this time
● Restoring from another platform can be tricky due to the differences in interface layouts
– We are working on ways to make this easier, including a switch configuration wizard
– Pre-configure switch and VLANs, take backup, splice switch/VLAN settings from there into old backup from old hardware, adjust interfaces
7. Switch Modes
● 802.1q Mode
– Supports multiple VLANs (up to 128)
– Can send tagged or untagged traffic on a port
– Configurable PVID to set VLAN ID of arriving untagged traffic
– Through the use of VLANs, can effectively make isolated interfaces out of switch ports
– Assign and use VLAN tagged interfaces for discrete ports using the uplink as a VLAN parent
● lagg0 or ix2/ix3 on 7100, mvneta1 on 3100
● Port VLAN Mode
– Retains VLAN tags, does not add or remove them
– Untagged traffic from the uplink (pfSense) is sent untagged
– Ports can be configured in groups similar to separate switches/VLANs
– Assign and use the uplink interface directly to talk to clients sharing a port group with uplink
● lagg0 or ix2/ix3 on 7100, mvneta1 on 3100
8. Default Switch Configuration
● XG-7100 1U/DT
– 10 switch ports, 8 physical plus 2 uplink
– Uplinks are 2.5Gbit/s ix2 & ix3 configured as lagg0 in pfSense and as LAGG 0 on switch
– Default mode is 802.1q
– First port tied to VLAN 4090 and assigned as WAN
– Remaining ports on VLAN 4091 and assigned as LAN
● SG-3100
– 5 switch ports, 4 physical plus 1 uplink
– Uplink is 2.5Gbit/s, mvneta1
– Default mode is Port VLAN
– Uplink assigned as the pfSense LAN by default
9. Configuring Discrete Ports
● This assumes a default starting configuration and that all ports will be separate
● Do not perform this configuration from a port on the switch; you will lose connectivity!
– On 7100, configure and use OPT1 (ix0), OPT2 (ix1), or an add-in port
– On 3100, configure and use OPT1 (mvneta0) or WAN (in a lab setup)
● Before starting, you need a plan
– What VLANs to use? Which port for which VLAN?
– These VLANs are internal to the switch.
– Packets will be untagged so clients do not need to know VLANs
– If there are other VLANs on the network, these should be different/not conflict.
● For example on an SG-3100
– VLAN 4081 = Port 1, VLAN 4082 = Port 2, VLAN 4083 = Port 3, VLAN 4084 = Port 4
● For 7100, use 4081-4088 for ports 1-8
● These are only suggestions, change to suit your needs!
● Required tasks:
– Configure Switch
– Create VLAN tagged interfaces
– Assign and configure VLAN tagged interfaces
● The switch may be configured before or after the interfaces
10. Discrete Ports – Switch Configuration
● Interfaces > Switches, VLANs tab
● Check Enable 802.1q VLAN mode, click Save
– The SG-3100 needs to be changed from its default (Port VLAN mode); the XG-7100 defaults to 802.1q mode already (clear out its existing entries)
● For each VLAN (4081, 4082, etc) click +Add Tag – For this example, VLAN 4081 for Port 1
– Enter the VLAN Tag for this VLAN (4081)
– Set Member set to the port number decided previously (Port 1)
– For this member entry, Tagged should be unchecked
– Add another member entry for 5 and check Tagged (on 7100, add 9 and 10 as tagged)
● This is the uplink, so pfSense can talk to that VLAN
– Repeat for each port that will be mapped to a VLAN
● Edit VLAN group 0, remove Member entries for ports that now have individual VLANs
● Switch to the Ports tab
● Click the PVID and change to the corresponding VLAN (e.g. Port 1, PVID 4081), repeat for each port
● Click Save
11. Discrete Ports – VLAN Tags
● Interfaces > Assignments, VLANs tab
● For each VLAN…
– Click + Add
– Pick mvneta1 for the parent (SG-3100) or lagg0 (XG-7100)
– Set VLAN tag to the one picked earlier (e.g. 4081)
– Click Save
– Repeat for each other port (e.g. 4082, 4083, 4084)
12. Discrete Ports – Interface Configuration
● Interfaces > Assignments
● Assign each VLAN as its own interface
● For each of these interfaces (OPT3, OPT4, etc)
– Interfaces > OPTx
– Check Enable
– Choose Switch Port to monitor status
– Set an IP address (e.g. 192.168.81.1/24)
– Click Save, Apply Changes
● These now can be used like any other physical port
● You will have to set up DHCP, add firewall rules, and so on, the same as any other interface
● With each port on its own network, no need for the old “LAN”
– Can be disabled, reassigned as one of these ports, etc.
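As an added example (not pfSense or Netgate code), the following Python models the plan from the discrete-port steps above for either platform and checks it against the limits stated earlier (one VLAN per port, the 128-VLAN limit in 802.1q mode, no collision with VLANs already in use); the PLATFORMS table and the function name are assumptions for illustration.

```python
# Added example (not pfSense/Netgate code); data model and names are assumptions.
# Per-platform facts from the slides: physical switch ports, the switch port(s)
# the uplink occupies, and the pfSense parent interface for the VLAN tags.
PLATFORMS = {
    "SG-3100": {"ports": range(1, 5), "uplinks": (5,), "parent": "mvneta1"},
    "XG-7100": {"ports": range(1, 9), "uplinks": (9, 10), "parent": "lagg0"},
}
MAX_VLANS = 128  # 802.1q-mode tag limit on the integrated switch


def plan_discrete_ports(platform, port_to_vlan, existing_vlans=()):
    """Turn a {switch port: VLAN} map into the three pieces of configuration
    the slides walk through: switch VLAN entries (untagged member port plus
    tagged uplink), per-port PVIDs, and pfSense VLAN interfaces on the uplink
    parent. Raises ValueError when the plan breaks a rule stated above."""
    p = PLATFORMS[platform]
    vlans = list(port_to_vlan.values())
    if len(set(vlans)) != len(vlans):
        raise ValueError("each discrete port needs its own VLAN")
    if any(not 1 <= v <= 4094 for v in vlans):
        raise ValueError("VLAN tags must be in the range 1-4094")
    if set(vlans) & set(existing_vlans):
        raise ValueError("chosen VLANs must not collide with VLANs already in use")
    if len(set(vlans) | set(existing_vlans)) > MAX_VLANS:
        raise ValueError(f"switch supports at most {MAX_VLANS} VLANs in 802.1q mode")
    if any(port not in p["ports"] for port in port_to_vlan):
        raise ValueError(f"{platform} physical switch ports are {list(p['ports'])}")
    switch_vlans = [
        {"tag": vlan,
         # (port, tagged): the client port is untagged, the uplink(s) tagged
         "members": [(port, False)] + [(u, True) for u in p["uplinks"]]}
        for port, vlan in sorted(port_to_vlan.items())
    ]
    pvids = dict(sorted(port_to_vlan.items()))  # untagged ingress lands in its VLAN
    interfaces = [  # Interfaces > Assignments, VLANs tab: parent + tag
        {"parent": p["parent"], "tag": vlan, "vlanif": f"{p['parent']}.{vlan}"}
        for vlan in pvids.values()
    ]
    # Ports left out of the plan keep their existing VLAN group; the planned
    # ports still have to be removed from that group (the "edit group 0" step).
    unplanned = [port for port in p["ports"] if port not in port_to_vlan]
    return {"switch_vlans": switch_vlans, "pvids": pvids,
            "interfaces": interfaces, "unplanned_ports": unplanned}


if __name__ == "__main__":
    # Worked SG-3100 example from the slides: VLAN 4081 = Port 1 ... 4084 = Port 4
    plan = plan_discrete_ports("SG-3100", {1: 4081, 2: 4082, 3: 4083, 4: 4084})
    print(plan["pvids"], [i["vlanif"] for i in plan["interfaces"]])
```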
13. Other Examples
● More documentation on the website
– https://www.netgate.com/docs/pfsense/solutions/xg-7100/switch-overview.html
– https://www.netgate.com/docs/pfsense/solutions/sg-3100/switch-overview.html
● Other common examples:
– All ports on one switch, or discrete ports (already covered)
– Mix of separate and discrete ports (similar to 7100 default configuration)
– Two isolated 4-port switches, each using one uplink (7100)
● In docs above
– Port isolation (clients can reach uplink but not each other)
● https://forum.netgate.com/topic/125336/sg-3100-switch-configuration
– Many other common switch configuration scenarios; needs vary widely from customer to customer!
14. Conclusion
● Questions?
● New Hangout format starting next month, details to come
● Ideas for hangout topics? Post on forum, Reddit, etc