Re: vlan(4) and bridge(4) on same interface

Reply: Lexi Winter : "Re: vlan(4) and bridge(4) on same interface"
In reply to: Lexi Winter : "Re: vlan(4) and bridge(4) on same interface"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Bjoern A. Zeeb <bzeeb-lists_at_lists.zabbadoz.net>
Date: Wed, 30 Jul 2025 22:52:16 UTC

On Wed, 30 Jul 2025, Lexi Winter wrote:

> i think bridge is the right solution here, but with vlan filtering, you
> could do it this way instead:
>
> ifconfig bridge0 create vlanfilter addm dwc0 tagged dwc0 100-399

You are missing the inet6 on bridge0 or an "untagged" on dwc0 from my
original example as I also had a Host IP on that for untagged packets
which needs to become accessible again -- see questions below.

> ifconfig bridge0 addm epair0a untagged epair0a 100  # epair0b in a jail
> ifconfig bridge0 addm epair1a untagged epair1a 200  # epair1b in a jail
> ifconfig bridge0 addm epair2a untagged epair2a 300  # epair2b in a jail

I realised this is possible and I start to understand "untagged" a bit
more after I read through the code earlier.  nice :)

My initial understanding was that you use "untagged" to lift the
unttaged packets of a physical port into a vlan so you could configure
a vlan access interface on top of the bridge for the host IP.
I think this was all the examples I saw so far.
And that did not make sense to me and was one thing I wanted to
ask (see below).

So now my brain currently translates the ifconfig vlanfilter keyword
"untagged" into "access" to avoid confusion somehow.  I think being more
descriptive in the ifconfig man page will help here.

Am I correct that if I do want to leave the untagged packets of a trunk
connected to the bridge "untagged" I would still be able to configure
the host IP on bridge0 without any need for "untagged" if no vlanfilter
is in place?

But the moment vlanfilter is in place these untagged packets would be
dropped and I will always need a spare VLAN ID to sacrifice (even though
only internally to that bridge and not visible outside -- unless that
pvid matches the vlan ID on a differnt trunk connected to the bridge)
and need to use the 'untagged' keyword?  Or is it still possible to
directly configure the Host IP on bridge0 and leave untagged packets
as such?

/bz

-- 
Bjoern A. Zeeb                                                     r15:7