VNET, if_bridge, if_epair, vlans and bridged phy?
Kevin Bowling
kevin.bowling at kev009.com
Mon Mar 17 08:02:46 UTC 2014
On 3/16/2014 8:04 PM, Kevin Bowling wrote:
> I'm trying a somewhat elaborate VNET jails setup and for the most part
> it's working. I'm using if_epairs, one side that gets passed into the
> jail, and the other side that attaches to an if_bridge. The if_bridge
> has a member on a vlan interface. So far so good.
>
> cloned_interfaces="bridge0 bridge1 bridge2 vlan0 vlan1"
> ifconfig_ix0="inet <pub ip> netmask 255.255.255.240 up"
> ifconfig_vlan0="vlan 1010 vlandev ix0"
> ifconfig_vlan1="vlan 1011 vlandev ix0"
> ifconfig_bridge1="inet 10.10.10.55/24 addm vlan0 description vlan0"
> ifconfig_bridge2="inet 10.10.11.55/24 addm vlan1 description vlan1"
>
> The above works fine, the VNET jails are able to access the outside
> world and vice versa (NAT happens on a dedicated router, not this host).
>
> Now, if I instead do something like this to add the public IP to a bridge:
>
> ifconfig_ix0="up"
> ifconfig_vlan0="vlan 1010 vlandev ix0"
> ifconfig_vlan1="vlan 1011 vlandev ix0"
> ifconfig_bridge0="inet <pub ip> netmask 255.255.255.240 addm ix0 description ix0"
> ifconfig_bridge1="inet 10.10.10.55/24 addm vlan0 description vlan0"
> ifconfig_bridge2="inet 10.10.11.55/24 addm vlan1 description vlan1"
>
> A VNET jail on bridge0 in the public IP space works fine, but bridge1
> and bridge2 are no longer accessible from the outside, including the
> host interface like 10.10.10.55.
>
> Any ideas on what could be going wrong? Is there a way to use an
> untagged interface like this in addition to the tagged ones?
>
> Regards,
> Kevin

I'm able to work around this by setting the native VLAN on the switch to
a bogus value and using another tagged interface for the public IP (now
nothing uses the untagged interface).

I'm guessing it might be RSTP/MSTP related since STP does not happen on
the VLAN interfaces, but it does on the native port when added to a
bridge. When they're all VLANs, I don't think if_bridge will send any
BPDUs to the switch.

Regards,
Kevin
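
Added example (not part of the original message): of the two rc.conf variants quoted above, the one that fails is the one where ix0 is both the vlandev parent of vlan0/vlan1 and an addm member of bridge0. The sh/awk script below flags that overlap in rc.conf-style text; the function names are made up for illustration, and it reports the overlap only, not its cause.

```shell
#!/bin/sh
# Added example, not from the post. Reads rc.conf-style lines on stdin and
# prints every interface that is both a vlan parent ("vlandev X") and a
# bridge member ("addm X"). It reports the overlap only, not a cause.
shared_parents() {
    awk '
    /^ifconfig_/ {
        # Split on blanks, quotes and "=" so option words become tokens.
        n = split($0, w, /[ \t"=]+/)
        for (i = 1; i < n; i++) {
            if (w[i] == "vlandev") parent[w[i + 1]] = 1
            if (w[i] == "addm")    member[w[i + 1]] = 1
        }
    }
    END { for (p in parent) if (p in member) print p }
    ' | sort
}

# First configuration from the post (reported working).
working_conf() {
    cat <<'EOF'
ifconfig_ix0="inet <pub ip> netmask 255.255.255.240 up"
ifconfig_vlan0="vlan 1010 vlandev ix0"
ifconfig_vlan1="vlan 1011 vlandev ix0"
ifconfig_bridge1="inet 10.10.10.55/24 addm vlan0 description vlan0"
ifconfig_bridge2="inet 10.10.11.55/24 addm vlan1 description vlan1"
EOF
}

# Second configuration from the post (bridge1/bridge2 unreachable).
failing_conf() {
    cat <<'EOF'
ifconfig_ix0="up"
ifconfig_vlan0="vlan 1010 vlandev ix0"
ifconfig_vlan1="vlan 1011 vlandev ix0"
ifconfig_bridge0="inet <pub ip> netmask 255.255.255.240 addm ix0 description ix0"
ifconfig_bridge1="inet 10.10.10.55/24 addm vlan0 description vlan0"
ifconfig_bridge2="inet 10.10.11.55/24 addm vlan1 description vlan1"
EOF
}

echo "working: $(working_conf | shared_parents)"
echo "failing: $(failing_conf | shared_parents)"
```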