Bridge interface on VLAN not working

Stefan Bethke stb at lassitu.de
Sun Jul 5 09:03:35 UTC 2020


On 04.07.2020 at 20:59, Ask Bjørn Hansen <ask at develooper.com> wrote:
> 
> Hi everyone,
> 
> I had this working for months until a reboot either got things started up in a different order or cleared what I set up by hand (it’s a snowflake test/development system at home) and did whatever I’d actually configured.
> 
> I have a single trunk’ed (em) interface to the switch. The main network is untagged, and I have various tagged networks as well.  I was using the tagged networks in bhyve virtual machines.
> 
> (Some?) traffic doesn’t pass from the bridged tap interfaces (or from the bridge itself) to the vlan interface (em0.8 for example).  tcpdump shows lots of packets coming from the “outside” and in, but for example if I do a ping from one of the tap interfaces then nothing shows up on the bridge interface (looking with tcpdump).
> 
> Another symptom is that if I move the “host IP” from the em0.8 interface to the bridge interface that’s including em0.8 then I can no longer communicate with that IP from the rest of the network.
> 
> In the output below I can ping 192.168.53.42 from another system on VLAN 53 (outside this box) and I can ping 192.168.53.42 from another system on the bridge, but I can’t ping between the system outside this box and the VM on the bridge.
> 
> I’ve disabled pf everywhere.
> 
> As I mentioned, some traffic crosses but it seems like arp requests get blocked somewhere?
> 
> I don’t think it’s the switch, because as long as I don’t use the bridge everything works fine. :-/
> 
> Any suggestions?  (or other debug output that’d be useful).

Which kernel version are you running?

I have a similar setup, but all my VLANs are tagged. I have an OpenVPN connection with a bridge, and originally was bridging the untagged interface over that. Since the untagged interface includes all the .1q frames as well, and I didn't want that traffic on the VPN connection, I changed my config to tagged only, and moved to bridging only the VLAN interfaces, but not the physical one. I've followed the advice in the man page and have configured IPv4 and IPv6 only on the bridge interface, not the member interfaces.

I have two more systems that also use a VLAN/bridge setup.

I'm using PF, but I have restricted it (from the defaults) to only work on the IP layer and on the configured interface, not the bridge members and not on bridged packets. In my setup, the bridge conceptually should behave like an external switch.

I'm running 12.1-STABLE amd64 GENERIC 1201518, and I have these interfaces (one example VLAN, I have 4 in total):
ix0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=e53fbb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
	ether d0:50:99:d8:da:83
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
vlan100: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=200401<RXCSUM,LRO,RXCSUM_IPV6>
	ether d0:50:99:d8:da:83
	groups: vlan
	vlan: 100 vlanpcp: 0 parent interface: ix0
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
	nd6 options=49<PERFORMNUD,IFDISABLED,NO_RADR>
br100: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	description: vm-br100
	ether 02:00:00:00:00:64
	inet 44.128.XXXX netmask 0xffffff00 broadcast 44.128.XXXX
	inet 44.128.XXXX netmask 0xffffffff broadcast 44.128.XXXX
	inet 44.128.XXXX netmask 0xffffffff broadcast 44.128.XXXX
	inet6 fe80::ff:fe00:64%br100 prefixlen 64 scopeid 0x10
	inet6 2a02:8108:XXXX:0:ff:fe00:64 prefixlen 64
	inet6 2a02:8108:XXXX::2 prefixlen 128
	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
	maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
	root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
	member: jous flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 30 priority 128 path cost 2000
	member: jouk flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 29 priority 128 path cost 2000
	member: tap2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 9 priority 128 path cost 2000000
	member: vlan100 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 12 priority 128 path cost 2000
	groups: bridge vm-switch viid-b8446@
	nd6 options=61<PERFORMNUD,AUTO_LINKLOCAL,NO_RADR>


--
Stefan Bethke <stb at lassitu.de>   Fon +49 151 14070811
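The two configuration points made in the reply above (bridge the VLAN interfaces rather than the physical trunk, and put the IPv4/IPv6 addresses on the bridge rather than on its members) can be checked mechanically against ifconfig(8) output. The script below is an added example, not code from the thread or from FreeBSD: it parses an `ifconfig -a` style dump of the layout shown above and reports a bridge that has both a VLAN interface and that VLAN's parent as members, and any member that carries a non-link-local address. The two sample dumps are constructed for the example (RFC 5737 / 3849 documentation addresses); on a real host you would pipe `ifconfig -a` into `audit_bridge_config`.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or the FreeBSD project.
# audit_bridge_config reads ifconfig(8) output on stdin and prints one line
# per finding. Exit status is 1 if anything was found, 0 otherwise, so it
# can be used from a post-boot sanity script.
audit_bridge_config() {
    awk '
    /^[A-Za-z0-9_.]+: / {                 # interface header: "ix0: flags=..."
        cur = $1; sub(/:$/, "", cur); next
    }
    cur == "" { next }
    $1 == "inet" { addr[cur] = addr[cur] " " $2 }
    # fe80:: link-locals are assigned automatically; they are not a finding
    $1 == "inet6" && $2 !~ /^fe80:/ { addr[cur] = addr[cur] " " $2 }
    $1 == "vlan:" {                        # "vlan: 100 vlanpcp: 0 parent interface: ix0"
        vlanid[cur] = $2
        for (i = 1; i <= NF; i++) if ($i == "interface:") parent[cur] = $(i + 1)
    }
    $1 == "member:" { isbridge[cur] = 1; members[cur] = members[cur] " " $2 " " }
    END {
        found = 0
        for (b in isbridge) {
            n = split(members[b], m, " ")
            for (i = 1; i <= n; i++) {
                if (m[i] in addr) {
                    printf "%s: member %s has address(es)%s; configure them on %s instead\n", b, m[i], addr[m[i]], b
                    found++
                }
                if ((m[i] in parent) && index(members[b], " " parent[m[i]] " ") > 0) {
                    printf "%s: %s (VLAN %s) and its parent %s are both members; tagged frames for VLAN %s enter the bridge twice\n", b, m[i], vlanid[m[i]], parent[m[i]], vlanid[m[i]]
                    found++
                }
            }
        }
        exit (found > 0)
    }'
}

# Constructed sample: physical trunk ix0 holds an address and is itself a
# bridge member next to its own VLAN child vlan100 (both findings fire).
SAMPLE_BAD='ix0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether d0:50:99:d8:da:83
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
vlan100: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether d0:50:99:d8:da:83
        vlan: 100 vlanpcp: 0 parent interface: ix0
br100: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:00:00:00:00:64
        member: tap2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 9 priority 128 path cost 2000000
        member: vlan100 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 12 priority 128 path cost 2000
        member: ix0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 2000'

# Constructed sample of the layout the reply describes: only vlan100 and the
# tap are members, and all addresses live on br100 (no findings).
SAMPLE_GOOD='ix0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether d0:50:99:d8:da:83
vlan100: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether d0:50:99:d8:da:83
        inet6 fe80::d250:99ff:fed8:da83%vlan100 prefixlen 64 scopeid 0x5
        vlan: 100 vlanpcp: 0 parent interface: ix0
br100: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:00:00:00:00:64
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
        inet6 fe80::ff:fe00:64%br100 prefixlen 64 scopeid 0x10
        inet6 2001:db8::1 prefixlen 64
        member: tap2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 9 priority 128 path cost 2000000
        member: vlan100 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 12 priority 128 path cost 2000'

# Demo run on the constructed samples (on a real host: ifconfig -a | audit_bridge_config)
printf '%s\n' "$SAMPLE_BAD" | audit_bridge_config || echo "-> bridge configuration needs attention"
printf '%s\n' "$SAMPLE_GOOD" | audit_bridge_config && echo "-> bridge configuration looks consistent"
```

The parser only keys on the `name: flags=`, `inet`, `inet6`, `vlan:` and `member:` lines, so extra output such as `groups:` or spanning-tree state is ignored. The reply's point about PF is the companion setting: on FreeBSD the `net.link.bridge.pfil_member` and `net.link.bridge.pfil_bridge` sysctls decide whether pf sees packets on member interfaces and on the bridge itself, and keeping filtering off the members (leaving only the addressed bridge interface) is what makes the bridge behave like an external switch as the reply describes.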
