Re: vlan(4) and bridge(4) on same interface

From: Patrick M. Hausen <hausen_at_punkt.de>
Date: Wed, 30 Jul 2025 21:29:57 UTC

Hi!

> On 30.07.2025 at 23:20, Lexi Winter <ivy@freebsd.org> wrote:
> the situation i'm talking about is when you have a vlan(4) configured on
> an interface, and the underlying interface (not the vlan interface) is
> also in a bridge, for example:

But that configuration has always been illegal and known to fail
in weird ways. Just like putting a layer 3 address on a bridge member
interface.

So I still wonder what the problem seems to be. Update the documentation.
Make these particular constraints big boxes with a red exclamation mark
in the handbook.

You can still create arbitrary switch-equivalent network topologies
with these known constraints. You just need to

- not have a layer 3 address on a bridge member
- not have a VLAN on a bridge member
- use one bridge per VLAN if you want to turn your machine into a "switch"

> "ix0" has a vlan(4) configured on it and is also in a bridge: this is
> the configuration i want to prohibit.

But why of course. It was never supposed to work and getting a decent
error message is better than weird and hard to debug failure scenarios.

Fail early, fail hard.


I do get the diskless client scenario. Fine. That was probably overlooked
and we need a solution for that in tooling/rc/whatever.


What I do not get is the argument "I insist on creating bridges for VMs or
VNET jails on the fly". You cannot do that in VMware, or Proxmox, or any
product I know. You plan and create your vSwitches and port groups in
advance.

So on FreeBSD if you do not know if you ever want to attach a jail to a
physical or VLAN interface? Easy. Create a bridge for every interface
and use that bridge for layer 3 of the host. At least that is what we do.

What is lost with an extra bridge on every interface?

Kind regards,
Patrick
-- 
punkt.de GmbH
Patrick M. Hausen
.infrastructure

Sophienstr. 187
76185 Karlsruhe

Tel. +49 721 9109500

https://infrastructure.punkt.de
info@punkt.de

AG Mannheim 108285
Managing Directors: Daniel Lienert, Fabian Stein
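
The constraints listed in the message above (no layer 3 address on a bridge member, no VLAN on a bridge member) can be checked mechanically from `ifconfig` output. The script below is an added example, not part of the original mail or of FreeBSD; the function names, the output tags and the sample interface listing are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag the two bridge-member layouts the mail lists as unsupported.
# Function names and output tags are made up for this example.

# Constructed sample in FreeBSD ifconfig(8) layout, trimmed to the relevant lines.
sample_ifconfig() {
cat <<'EOF'
ix0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
ix1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
ix2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
vlan10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    vlan: 10 vlanproto: 802.1q vlanpcp: 0 parent interface: ix0
vlan20: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    vlan: 20 vlanproto: 802.1q vlanpcp: 0 parent interface: ix2
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    member: ix0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
    member: ix1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
bridge20: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255
    member: vlan20 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
EOF
}

# Reads ifconfig output on stdin and prints one line per violation, sorted.
# Skipping link-local inet6 (fe80::) addresses is an assumption of this example.
audit_bridge_members() {
    awk '
    /^[a-z]/ { cur = $1; sub(/:$/, "", cur); next }   # interface header line
    $1 == "member:" { bridge_of[$2] = cur }           # cur is the bridge here
    $1 == "inet" || ($1 == "inet6" && $2 !~ /^fe80:/) {
        if (!(cur in addr)) addr[cur] = $2            # remember first address
    }
    /parent interface:/ { parent[cur] = $NF }         # cur is a vlan(4) here
    END {
        for (m in bridge_of)
            if (m in addr)
                print "L3_ON_MEMBER", m, bridge_of[m], addr[m]
        for (v in parent)
            if (parent[v] in bridge_of)
                print "VLAN_ON_MEMBER", parent[v], bridge_of[parent[v]], v
    }' | sort
}

# On a FreeBSD host: ifconfig | audit_bridge_members
sample_ifconfig | audit_bridge_members
```

In the sample, `ix2`/`vlan20`/`bridge20` follow the layout the message recommends (VLAN as the bridge member, host address on the bridge) and produce no finding.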