Re: vlan(4) and bridge(4) on same interface
Date: Wed, 30 Jul 2025 19:42:52 UTC

On Wed, 30 Jul 2025, Lexi Winter wrote:

> hello,
>
> currently we allow users to create a vlan and a bridge on the same
> interface, like this:
>
> % ifconfig ix0.100 create
> % ifconfig bridge0 create addm ix0
>
> i am aware that some people are using this in production, but because it
> doesn't work properly[0], i would like to forbid this configuration in
> 16.0, i.e. it would not be possible to add an interface to a bridge if
> vlans are present on that interface, and vice versa.

Sounds like a good plan.

Do you intend to make it a sysctl in 15 already so people can forbid it
upfront before migrating to 16, and in 16 before stable/16 just remove
it altogether?
Or if it is not too late for 15, simply have the sysctl disabled by
default in 15 and people can rescue themselves flipping it for the
lifetime of 15?

Given the other changes, I wonder if it would just make sense to get
all the cases/possible breakage sorted in one go that way?

> i am looking for feedback from people who are currently using this:

I do have setups which are highly fragile (you may notice I am good at
creating these silly things); I had conversations with kp@ about them
in the past.

    dwc0 inet6
    bridge0 addm dwc0 addm epair0a ; epair0b in another vnet with another 3 vlans on top
    vlan100 inet6 on dwc0
    vlan200 inet6 on dwc0

Normally I would have put the vlan interfaces into the vnet without
bridge but you cannot have the same vlan N twice on the same parent
interface. Hence the bridge in the middle.
Should really be three bridges and 3 epairs on 3 vlan interfaces in the
base for the vnet but ..

> - can you switch your untagged traffic to tagged instead and use a
> vlan(4) in a bridge? e.g.,
>
> % ifconfig ix0.100 create
> % ifconfig ix0.101 create
> % ifconfig bridge0 create addm ix0.101

Is this the same setup as above as we are no longer bridging the trunk
in addition to having a local access VLAN or do I have a different use
case in mind?

> - can you switch to a vlan filtering bridge instead? e.g.,
>
> % ifconfig bridge0 create addm ix0 vlanfilter tagged ix0 100,101
> % ifconfig bridge0.100 create
> % ifconfig bridge0.101 create

If I were to take my above setup, would the following do the job?
(syntax may be wrong)

    ifconfig bridge0 addm dwc0 [vlanfilter] untagged dwc0 4000 tagged dwc0 100,200,300,400
    ifconfig bridge0.4000 inet6 ... # that's the base address formerly on dwc0 for untagged on the wire
    ifconfig bridge0.100 inet6 ..
    ifconfig bridge0.200 inet6 ..
    ifconfig bridge0 addm epair0a [vlanfilter] tagged epair0a 100,300,400

Seems a lot cleaner and I know which problems will go away right away.

> if the answer to both these questions is no, it would be helpful if you
> could explain why.

The only problem I need to figure out is how to transition from a
netboot setup (address is on the physical interface) to something where
the address migrates to the bridge without losing the NFS root mount...
Has anyone found a solution for that already?

/bz

-- 
Bjoern A. Zeeb                                                     r15:7