pfSense QinQ Configuration¶
QinQ, also known as IEEE 802.1ad or stacked VLANs, is a means of nesting VLAN tagged traffic inside of packets that are already VLAN tagged, or “double tagging” the traffic.
QinQ is used to move groups of VLANs over a single link containing one outer tag, as can be found on some ISP, Metro Ethernet, or datacenter links between locations. It can be a quick/easy way of trunking VLANs across locations without having a trunking-capable connection between the sites, provided the infrastructure between the locations does not strip tags from the packets.
Setting up QinQ interfaces on pfSense is fairly simple:
Navigate to Interfaces > (assign)
Click the QinQ tab
Click Add to add a new QinQ entry
Configure the QinQ entry as follows:
- Parent Interface
The interface that will carry the QinQ traffic.
- First level tag
The outer VLAN ID on the QinQ interface, or the VLAN ID given by the provider for the site-to-site link.
- Adds interface to QinQ interface groups
When checked, a new interface group will be created called QinQ that can be used to filter all of the QinQ subinterfaces at once.
When hundreds or potentially thousands of QinQ tags are present, this greatly reduces the amount of work needed to use the QinQ interfaces
Optional text for reference, used to identify the entry
Member VLAN IDs for QinQ tagging. These can be entered one per row by clicking Add Tag, or in ranges such as 100-150
Click Save to complete the interface
In the following example (Figure QinQ Basic Example), a QinQ interface is configured to carry tagged traffic for VLANs 10 and 20 across the link on igb3 with a first level tag of 2000.
In Figure QinQ List, this entry is shown on the QinQ tab summary list.
The automatic interface group, shown in Figure QinQ Interface Group, must not be manually edited. Because these interfaces are not assigned, it is not possible to make alterations to the group without breaking it. To re-create the group, delete it from this list and then edit and save the QinQ instance again to add it back.
Rules may be added to the QinQ tab under Firewall > Rules to pass traffic in both directions across the QinQ links.
From here, how the QinQ interfaces are used is mostly up to the needs of the network. Most likely, the resulting interfaces may be assigned and then configured in some way, or bridged to their local equivalent VLANs (e.g. bridge an assigned igb2_vlan10 to igb3_2000_10 and so on).
The QinQ configuration will be roughly the same on both ends of the setup. For example, if both sides use identical interface configurations, then traffic that leaves Site A out on igb3_2000_10 will go through VLAN 2000 on igb3, come out the other side on VLAN 2000 on igb3 at Site B, and then in igb3_2000_10 at Site B.