Bridging two VLANs

awyeah · Sep 9, 2011

Hello,

I'm attempting to bridge two VLANs together. The packets are coming in tagged already.

Eventually this may be part of a larger project, but I'm just testing things for now.

The physical nic is lan0 - it's a renamed NIC that uses the nfe driver.
The bridge is bridge0.
The two VLANs are vlan103 and vlan104.

Here's the ifconfig output for each of them:

Code:

lan0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=82008<VLAN_MTU,WOL_MAGIC,LINKSTATE>
        ether 00:1b:b9:8b:ca:33
        inet 10.1.0.1 netmask 0xffffff00 broadcast 10.1.0.255
        inet6 fe80::21b:b9ff:fe8b:ca33%lan0 prefixlen 64 scopeid 0x2
        inet6 2001:470:7:d4e::3 prefixlen 64
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
        media: Ethernet autoselect (100baseTX <full-duplex,flowcontrol,rxpause,txpause>)
        status: active
bridge0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether d2:41:75:d6:ff:0d
        inet 10.1.3.1 netmask 0xffffff00 broadcast 10.1.3.255
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: vlan104 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 7 priority 128 path cost 55
        member: vlan103 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 6 priority 128 path cost 55
vlan103: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:1b:b9:8b:ca:33
        inet6 fe80::210:b5ff:fe0d:9c75%vlan103 prefixlen 64 scopeid 0x6
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
        media: Ethernet autoselect (100baseTX <full-duplex,flowcontrol,rxpause,txpause>)
        status: active
        vlan: 103 parent interface: lan0
vlan104: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:1b:b9:8b:ca:33
        inet6 fe80::210:b5ff:fe0d:9c75%vlan104 prefixlen 64 scopeid 0x7
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
        media: Ethernet autoselect (100baseTX <full-duplex,flowcontrol,rxpause,txpause>)
        status: active
        vlan: 104 parent interface: lan0

I have dhcpd set up to dole out addresses on 10.1.3.0/24. Clients actually receive addresses. Clients can ping the server (10.1.3.1), but the server cannot ping or connect to clients.

What's missing here?

awyeah · Sep 10, 2011

Update: If I add only one VLAN to the bridge, keeping the bridge assigned the 10.1.3.1 IP address, all clients on that VLAN work fine. As soon as I add the second VLAN to the bridge, everything starts to fail.

ecazamir · Sep 12, 2011

Why would anyone bridge two VLANs on the same physical interface? It should be much easier to use one VLAN instead of two for a specific set of physical ports, which currently uses two VLAN ids.
It doesn't make too much sense this kind of bridge.

awyeah · Sep 12, 2011

Because they're separate VLANs coming in from a single wireless access point with different SSIDs with different passphrases (and VLAN tags), so I don't have to use two access points. I need to rotate one of the passphrases frequently, and the devices need to be on different subnets with some firewall rules between them.

aragon · Sep 12, 2011

This seems like a bug to me...

awyeah · Sep 12, 2011

It does to me as well, but I wanted to make sure I was doing everything right before filing a PR. Unless anyone sees anything wrong with my configs, I'll go ahead and do that (unless one's in already)

ecazamir · Sep 13, 2011

awyeah said:
I need to rotate one of the passphrases frequently, and the devices need to be on different subnets with some firewall rules between them.

Since you use a bridge, the wireless clients aren't really 'on different subnets', I assume that a 'malicious wireless client' who knows the passphrase is able to configure an IP address manually. Maybe a strong firewall set will limit communication between the VLANs / subnets.

I also assume that using a RADIUS server and enabling WPA2-Enterprise will allow you to use different passphrases for each client, so you won't need to change any key 'for everyone', but only for specific clients.

awyeah · Sep 13, 2011

I don't know why I said 'different subnets' in this thread, my intention for this has been to have them on the *same* subnet as I want them in the same broadcast domain. This is a geek project on a home network. I want things like automatic discovery of network services to work, for printers and other devices, while keeping them on a different SSID and VLAN. I was originally trying to have them on separate subnets and I tried get multicast routing between subnets to work (which would solve that problem), but that ended up not going so well, I couldn't make mrouted work, and the pimdd port is marked BROKEN.

Because this is a home network, I'm not going to bother with WPA2-Enterprise and RADIUS.

And yes, I realize that it's no problem to manually set an IP address, I'm not at all concerned with that, I'm really just geeking out here.

I have an entirely separate SSID for non-trusted users (guests), on a different VLAN that has no access to the rest of the network, only the internet. That's my only actual security concern. The rest is just for fun.

ecazamir · Sep 14, 2011

awyeah said:
Clients can ping the server (10.1.3.1), but the server cannot ping or connect to clients.

If the clients can ping the server, then the routing tables should be fine.
Can you show how your firewall rules look like ?

You could use

Code:

arp -a

to check if the IP address you are trying to ping has a corresponding ethernet address learned

Code:

route -n get x.x.x.x

to check what interface and/or nexthop is used to send packets to ip address x.x.x.x

Code:

tcpdump -i lan0 vlan 103

to see all traffic on a specific VLAN (maybe looking for ARP requests/responses, if the requested IP address does not have a corresponding ARP entry)

Code:

tcpdump -i lan0 vlan 103 ether src aa:bb:cc:dd:ee:ff or ether dst aa:bb:cc:dd:ee:ff

to check the traffic coming and going to aa:bb:cc:dd:ee:ff.

Code:

tcpdump -i lan0 vlan 103 and \(src x.x.x.x or dst x.x.x.x\)

to check what traffic goes and comes from the ip address x.x.x.x

Don't forget to check firewall counters.