5.4-stable, 802.1q vlans, ipfw, and bridging??

Viren Patel virenp at mail.utexas.edu
Fri Jul 15 16:13:57 GMT 2005


Hello. I am trying to set up a bridging firewall between
multiple 802.1q vlans. Vlans 1 and 2 are public and vlans
3 and 4 are private. Vlans 1 and 3 are to be bridged, as
are vlans 2 and 4. Router/switches are Cisco. My setup is
as follows:

Firewall:

PC with Intel Pro/1000 MT dual-port server adapter

Operating System:

FreeBSD 5.4-stable

Kernel config:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_FORWARD
options IPDIVERT
options IPSTEALTH
options BRIDGE
device  vlan

/etc/sysctl.conf:

net.link.ether.bridge.enable=1
net.link.ether.bridge.config=vlan1:1,vlan3:1,vlan2:2,vlan4:2
net.link.ether.bridge.ipfw=1

/etc/rc.conf:

network_interfaces="em0 em1 lo0"
ifconfig_em0="up promisc vlanhwtag"
ifconfig_em1="up promisc vlanhwtag"

cloned_interfaces="vlan1 vlan2 vlan3 vlan4"
ifconfig_vlan1="vlan 1 vlandev em0"
ifconfig_vlan2="vlan 2 vlandev em0"
ifconfig_vlan3="vlan 3 vlandev em1"
ifconfig_vlan4="vlan 4 vlandev em1"

ipfirewall_enable="YES"
ipfirewall_type="OPEN"
ipfirewall_quiet="NO"
ipfirewall_logging="YES"


Vlans 1 and 2 are trunked to em0 and vlans 3 and 4 are
trunked to em1.

The firewall does not seem to be functioning correctly. A
PC on a private vlan is not able to connect out. In the
open firewall configuration as above, I would expect all
traffic to be passed from private to public vlans and
vice versa.

Starting a steady ping on the private PC, then capturing
vlan traffic on the firewall via tcpdump shows arp
requests on the private vlan, and corresponding arp
requests on the public vlan, but no arp replies.

Sniffing the physical interfaces on the firewall shows the
802.1q frames.

Sniffing the public vlan via a third host, however, does
not show any arp traffic at all. So it seems the vlan
bridging is working on the firewall, however the packets
are not being put out on the parent interface of the
public vlan.

What am I doing wrong?

Viren
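The following is an added example, not part of the post above and not FreeBSD's own code: a small consistency check for the rc.conf and sysctl.conf fragments of a vlan-bridging setup like the one described. It reads the two files as key=value text, checks that every vlanN interface is cloned, has the `vlan <tag> vlandev <parent>` argument form that rc.network hands to ifconfig(8), and sits on a parent that is listed in network_interfaces and brought up; it then parses net.link.ether.bridge.config into clusters and flags a cluster whose members hang off the same trunk, since a transparent bridge between two trunks needs one member on each. The sample configs are constructed from the post (a second copy carries a space in place of the underscore in network_interfaces and a stray interface name in ifconfig_vlan1, to show what the check reports). Members of bridge.config without an explicit cluster id are reported rather than assigned a default, which is a conservative choice made here, not a statement about bridge(4)'s default.

```python
import re

# Constructed sample: the rc.conf fragment from the post, in the argument
# form that rc.network passes to ifconfig(8) for each cloned interface.
RC_CONF_OK = """
network_interfaces="em0 em1 lo0"
ifconfig_em0="up promisc vlanhwtag"
ifconfig_em1="up promisc vlanhwtag"
cloned_interfaces="vlan1 vlan2 vlan3 vlan4"
ifconfig_vlan1="vlan 1 vlandev em0"
ifconfig_vlan2="vlan 2 vlandev em0"
ifconfig_vlan3="vlan 3 vlandev em1"
ifconfig_vlan4="vlan 4 vlandev em1"
"""

# Constructed sample with two mistakes: a space instead of an underscore in
# network_interfaces, and a stray interface name repeated in ifconfig_vlan1.
RC_CONF_BAD = """
network interfaces="em0 em1 lo0"
ifconfig_em0="up promisc vlanhwtag"
ifconfig_em1="up promisc vlanhwtag"
cloned_interfaces="vlan1 vlan2 vlan3 vlan4"
ifconfig_vlan1="vlan1 vlan 1 vlandev em0"
ifconfig_vlan2="vlan 2 vlandev em0"
ifconfig_vlan3="vlan 3 vlandev em1"
ifconfig_vlan4="vlan 4 vlandev em1"
"""

# Constructed sample: the sysctl.conf fragment from the post.
SYSCTL_CONF = """
net.link.ether.bridge.enable=1
net.link.ether.bridge.config=vlan1:1,vlan3:1,vlan2:2,vlan4:2
net.link.ether.bridge.ipfw=1
"""

# The only ifconfig argument form accepted for a vlan interface here.
VLAN_ARGS = re.compile(r"^vlan\s+(\d+)\s+vlandev\s+(\S+)$")


def parse_kv(text):
    """Parse key=value lines (rc.conf / sysctl.conf style) into a dict,
    stripping surrounding double quotes from values."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition("=")
        out[key.strip()] = val.strip().strip('"')
    return out


def parse_bridge_config(spec):
    """'vlan1:1,vlan3:1,vlan2:2,vlan4:2' -> ({1: [...], 2: [...]}, [members
    without an explicit ':cluster' suffix])."""
    clusters, unclustered = {}, []
    for item in filter(None, spec.split(",")):
        iface, _, cid = item.partition(":")
        if not cid.isdigit():
            unclustered.append(iface)
            continue
        clusters.setdefault(int(cid), []).append(iface)
    return clusters, unclustered


def lint(rc, sysctl):
    """Return a list of problem strings; an empty list means consistent."""
    problems = []
    if sysctl.get("net.link.ether.bridge.enable") != "1":
        problems.append("net.link.ether.bridge.enable is not 1")
    physical = set(rc.get("network_interfaces", "").split())
    cloned = set(rc.get("cloned_interfaces", "").split())
    vlans = {}  # vlanN -> (tag, parent)
    for key, val in rc.items():
        if not key.startswith("ifconfig_vlan"):
            continue
        name = key[len("ifconfig_"):]
        m = VLAN_ARGS.match(val)
        if not m:
            problems.append(f"{key}: expected 'vlan <tag> vlandev <parent>', got {val!r}")
            continue
        tag, parent = int(m.group(1)), m.group(2)
        vlans[name] = (tag, parent)
        if name not in cloned:
            problems.append(f"{name}: configured but not listed in cloned_interfaces")
        if parent not in physical:
            problems.append(f"{name}: parent {parent} is not in network_interfaces")
        if "up" not in rc.get(f"ifconfig_{parent}", "").split():
            problems.append(f"{name}: parent {parent} is not brought up")
    clusters, unclustered = parse_bridge_config(
        sysctl.get("net.link.ether.bridge.config", ""))
    for iface in unclustered:
        problems.append(f"bridge member {iface} has no explicit cluster id")
    for cid, members in sorted(clusters.items()):
        if len(members) < 2:
            problems.append(f"bridge cluster {cid} has fewer than two members")
        for member in members:
            if member not in vlans:
                problems.append(f"bridge cluster {cid}: {member} has no ifconfig_ line")
        trunks = [vlans[m][1] for m in members if m in vlans]
        if len(set(trunks)) < len(trunks):
            problems.append(f"bridge cluster {cid}: two members share one trunk {trunks}")
    return problems


if __name__ == "__main__":
    for label, text in (("ok", RC_CONF_OK), ("bad", RC_CONF_BAD)):
        print(label, lint(parse_kv(text), parse_kv(SYSCTL_CONF)))
```

Running it on the first sample yields no problems; on the second it reports the malformed ifconfig_vlan1 line, the three remaining vlans whose parents cannot be found in network_interfaces, and cluster 1 missing its vlan1 member, which is the kind of cross-check worth doing before reaching for tcpdump.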



More information about the freebsd-net mailing list