15.0-RELEASE new bridge/VLAN structure - problem

Hello everyone!
I'm very enthusiastic about this new bridge concept in 15.0, so I've put it to use in my old configuration where I had a dedicated bridge for every cloned VLAN interface.
But it doesn't seem to work the way I expected.
In particular, this is part of my old config:
Code:
ifconfig bridge0 addm igb1.10 addm tap1
ifconfig bridge0 inet 192.168.0.1/27
Here, tap1 is used by a VM guest with its IP, 192.168.0.3/24, set by the guest OS (no VLAN ID set on it!!).
So this is "VLAN 10" then, because of igb0.10.
And to connect to it from LAN I use, say, em0.10 on a remote LAN host, with IP address set to, say, 192.168.0.7/24.
This works fine, the old way.

But when I try to use the NEW bridge approach, I don't seem to be able to connect to VLAN 10!!!
As documented, I go like this:
Code:
ifconfig bridge0 vlanfilter addm igb1 tagged 10
ifconfig bridge0 addm tap1 tagged 10
ifconfig bridge0.10 inet 192.168.0.1/24
This is a recommended way to do it: instead of creating igb1.10 I'm using bridge0.10.
I want thus to connect tap1 with igb1 on VLAN 10 and then be able to connect LAN hosts to that VLAN on igb1.

The problem is, I can't connect to VLAN 10 from a remote host, whatever notation I use on that host, old or new,
whether I use em0.10 or bridge0.10 + "ifconfig bridge0 vlanfilter addm em0 tagged 10".
The only thing that seems to work this way is: when I use VLAN 10 on tap1 inside my VM, then I can connect to the VM using IP 192.168.0.3/24 -- but only on localhost!!

I'll repeat it: if I use VLAN 10 on that "tagged 10" interface tap1 inside the VM guest (it happens to be OpenBSD, I use vlan0 device with "vnetid 10" on it), then I get connectivity to that VM through VLAN 10 -- but only on localhost.

So, my question is: how am I supposed to connect to that from LAN?
Now in the old style the word "tagged/untagged" isn't present at all. In the new one it is.
But how does that affect the concept of VLANs?
 
Now... the word "tagged" seems to be the game changer here. But if I use "untagged 10" in the syntax above,
then VLAN 10 exists only on localhost. And in order to connect to it from remote LAN host I don't need any VLAN 10 interface like igb0.10 or, for that matter, bridge0.10 as per new style.

BTW, on a remote host, even when I create a "tagged 10" bridge0.10, I can't connect to the "tagged 10" VLAN I'm talking about.
On the other hand, this new bridge0.10 works fine to connect to the "old-style" remote VLAN 10...
So, what am I missing with this whole concept??
 
Code:
ifconfig bridge0 vlanfilter addm igb1 tagged 10
ifconfig bridge0 addm tap1 tagged 10
ifconfig bridge0.10 inet 192.168.0.1/24
i don't think your configuration for tap1 is right (the rest looks fine).

based on your description of what you want to do, you should configure tap1 as an untagged interface; that means bridge will strip the VLAN tag before sending packets on that interface, and an incoming packet without a tag will have a tag added before processing. this is how you'd typically configure an interface for a non-vlan-aware VM guest.

if you make tap1 a tagged interface, then the VM has to send and receive tagged packets (e.g., using vlan(4) on FreeBSD), which is also fine, but it doesn't sound like that's what you want.

I'll repeat it: if I use VLAN 10 on that "tagged 10" interface tap1 inside the VM guest (it happens to be OpenBSD, I use vlan0 device with "vnetid 10" on it), then I get connectivity to that VM through VLAN 10 -- but only on localhost.
please show the output of the following:
  • 'ifconfig' on the FreeBSD host (the one with the bridge interface)
  • 'ifconfig -a' on the OpenBSD VM
  • the equivalent command on the remote machine (the one with the em0.10 interface)
note, i suggest switching tap1 to an untagged interface first, if that's the configuration you want to end up with.
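To make the tagged/untagged distinction in the reply above concrete, here is a small model of a VLAN-filtering bridge. It is an added example written for this thread, not code from the thread or from FreeBSD's if_bridge. The member table is constructed from the `ifconfig bridge0` output quoted later in the thread, and the forwarding rules are an assumed, simplified reading of bridge(4): an untagged frame joins the port's untagged VLAN, a tagged frame is accepted only if its VID is in the port's tagged list, and on egress a frame leaves untagged on a port whose untagged VLAN matches, tagged on a port that lists the VLAN as tagged, and is dropped elsewhere. Learning, STP and the bridge's own bridge0.N interfaces are ignored.

```python
"""Toy model of a VLAN-filtering bridge: which VLAN an incoming frame lands in
and how it leaves each member port (tagged or untagged).

Added example, not if_bridge source. Forwarding rules are an assumed,
simplified reading of bridge(4); see the lead-in for the exact assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Member lines constructed from the `ifconfig bridge0` output quoted in the thread.
BRIDGE_IFCONFIG = """\
    bridge flags=1<VLANFILTER>
    member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 10 priority 128 path cost 2000000 vlan protocol 802.1q untagged 3
    member: tap1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 11 priority 128 path cost 2000000 vlan protocol 802.1q untagged 10
    member: igb1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 2 priority 128 path cost 55 vlan protocol 802.1q untagged 3 tagged 10
    member: tap2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 12 priority 128 path cost 2000000 vlan protocol 802.1q untagged 2
    member: wlan1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 4 priority 128 path cost 22222 vlan protocol 802.1q untagged 2
    member: tap3 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 13 priority 128 path cost 2000000 vlan protocol 802.1q untagged 1
"""

@dataclass
class Port:
    name: str
    untagged: int | None = None                     # VLAN given to untagged ingress frames
    tagged: set[int] = field(default_factory=set)   # VLANs carried with an 802.1Q tag

def _vlan_list(spec: str) -> set[int]:
    """Expand an ifconfig VLAN list such as '10,20-22' into a set of IDs."""
    ids: set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def parse_members(text: str) -> dict[str, Port]:
    """Build Port objects from the 'member:' / 'port ...' line pairs of ifconfig output."""
    ports: dict[str, Port] = {}
    current: Port | None = None
    for line in text.splitlines():
        m = re.match(r"\s*member:\s+(\S+)", line)
        if m:
            current = Port(m.group(1))
            ports[current.name] = current
        elif current and "vlan protocol" in line:
            if m := re.search(r"\buntagged\s+(\d+)", line):
                current.untagged = int(m.group(1))
            # (?<!un) keeps 'untagged 3' from being misread as 'tagged 3'
            if m := re.search(r"(?<!un)tagged\s+([\d,-]+)", line):
                current.tagged = _vlan_list(m.group(1))
    return ports

def ingress_vlan(port: Port, vid: int | None) -> int | None:
    """VLAN an incoming frame is placed in, or None when the bridge drops it."""
    if vid is None:
        return port.untagged
    return vid if vid in port.tagged else None

def egress_tag(port: Port, vlan: int) -> tuple[bool, int | None]:
    """(forwarded?, tag on the wire) for a frame of `vlan` leaving `port`."""
    if port.untagged == vlan:
        return True, None
    if vlan in port.tagged:
        return True, vlan
    return False, None

def flood(ports: dict[str, Port], ingress: str, vid: int | None) -> dict[str, int | None]:
    """Where a broadcast frame entering `ingress` (with tag `vid`, or None for
    untagged) is delivered, mapped to the tag it carries on each egress port."""
    vlan = ingress_vlan(ports[ingress], vid)
    if vlan is None:
        return {}
    out: dict[str, int | None] = {}
    for name, port in ports.items():
        if name == ingress:
            continue
        forwarded, tag = egress_tag(port, vlan)
        if forwarded:
            out[name] = tag
    return out

PORTS = parse_members(BRIDGE_IFCONFIG)

if __name__ == "__main__":
    for ingress, vid in [("tap1", None), ("igb1", 10), ("igb1", None), ("tap1", 10)]:
        print(f"{ingress} vid={vid}: {flood(PORTS, ingress, vid)}")
```

Under these rules an untagged frame from tap1 ("untagged 10") leaves igb1 with tag 10, a tag-10 frame from igb1 reaches tap1 with the tag stripped, and an untagged frame from igb1 lands in VLAN 3 and only reaches tap0. The case `flood(PORTS, "tap1", 10)` returns an empty map: a guest that sends 802.1Q-tagged frames through a port configured as untagged-only gets nothing forwarded, which is the point made in the reply about choosing untagged for a non-VLAN-aware guest.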
 
Thanks for your reply!
Here is ifconfig output for the bridge machine:
Code:
bridge0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=10<VLAN_HWTAGGING>
    ether 58:9c:fc:10:5c:64
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    bridge flags=1<VLANFILTER>
    member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 10 priority 128 path cost 2000000 vlan protocol 802.1q untagged 3
    member: tap1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 11 priority 128 path cost 2000000 vlan protocol 802.1q untagged 10
    member: igb1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 2 priority 128 path cost 55 vlan protocol 802.1q untagged 3 tagged 10
    member: tap2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 12 priority 128 path cost 2000000 vlan protocol 802.1q untagged 2
    member: wlan1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 4 priority 128 path cost 22222 vlan protocol 802.1q untagged 2
    member: tap3 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 13 priority 128 path cost 2000000 vlan protocol 802.1q untagged 1
    groups: bridge
    nd6 options=9<PERFORMNUD,IFDISABLED>
This is for bridge0.10:
Code:
bridge0.10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1496
    options=0
    ether 58:9c:fc:10:5c:64
    inet 192.168.8.1 netmask 0xffffffe0 broadcast 192.168.8.31
    groups: vlan
    vlan: 10 vlanproto: 802.1q vlanpcp: 0 parent interface: bridge0
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
By the time you answered I'd already changed tap1 to "untagged" state. This way I got, indeed, the untagged traffic from the VM available on the host itself. Now this VM-related part is not a problem, I'm clear on this.
The problem is WHY I cannot connect to "tagged 10" from the LAN.
Here is my remote machine's ifconfig for igb1.10 (not em0.10 actually):
Code:
igb1.10: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=4600703<RXCSUM,TXCSUM,TSO4,TSO6,LRO,RXCSUM_IPV6,TXCSUM_IPV6,MEXTPG>
    ether 00:1b:21:96:0b:64
    inet 192.168.8.5 netmask 0xffffffe0 broadcast 192.168.8.31
    groups: vlan
    vlan: 10 vlanproto: 802.1q vlanpcp: 0 parent interface: igb1
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
Now whether or not the VM is available, the problem is I cannot ping 192.168.8.1, which is on the bridge0.10 on the remote machine, linked to the LAN igb1 interface.
 
please show the full ifconfig output on both systems, not just the bridge/igb interfaces. you can omit the VM guest interfaces if networking between the host and the guest is working correctly.
 
OK, this for the bridge machine:
Code:
igb0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500  options=4e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
    ether b4:2e:99:a8:bb:99
    inet XXX.XXX.XXX.XX netmask 0xfffff000 broadcast XXX.XXX.XXX.XXX
    media: Ethernet autoselect (100baseTX <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
igb1: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500    options=a520b9<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,HWSTATS>
    ether b4:2e:99:a8:bb:9a
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
wlan1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=0
    ether 04:54:53:03:c7:a9
    groups: wlan
    ssid XXXXX-yyy channel 52 (5260 MHz 11a ht/20) bssid 04:54:53:03:c7:a9
    regdomain 100 indoor ecm authmode WPA2/802.11i privacy MIXED
    deftxkey 2 AES-CCM 2:128-bit txpower 30 mcastrate 6 mgmtrate 6
    scanvalid 60 ampdulimit 64k ampdudensity 8 shortgi -uapsd wme burst
    dtimperiod 1 -dfs
    parent interface: ath0
    media: IEEE 802.11 Wireless Ethernet autoselect mode 11na <hostap>
    status: running
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
bridge0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=10<VLAN_HWTAGGING>
    ether 58:9c:fc:10:5c:64
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    bridge flags=1<VLANFILTER>
    member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 10 priority 128 path cost 2000000 vlan protocol 802.1q untagged 3
    member: tap1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 11 priority 128 path cost 2000000 vlan protocol 802.1q untagged 10
    member: igb1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 2 priority 128 path cost 55 vlan protocol 802.1q untagged 3 tagged 10
    member: tap2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 12 priority 128 path cost 2000000 vlan protocol 802.1q untagged 2
    member: wlan1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 4 priority 128 path cost 22222 vlan protocol 802.1q untagged 2
    member: tap3 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 13 priority 128 path cost 2000000 vlan protocol 802.1q untagged 1
    groups: bridge
    nd6 options=9<PERFORMNUD,IFDISABLED>
bridge0.1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1496
    options=0
    ether 58:9c:fc:10:5c:64
    inet 192.168.1.1 netmask 0xffffffe0 broadcast 192.168.1.31
    groups: vlan
    vlan: 1 vlanproto: 802.1q vlanpcp: 0 parent interface: bridge0
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
bridge0.2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1496
    options=0
    ether 58:9c:fc:10:5c:64
    inet 192.168.2.1 netmask 0xffffffe0 broadcast 192.168.2.31
    groups: vlan
    vlan: 2 vlanproto: 802.1q vlanpcp: 0 parent interface: bridge0
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
bridge0.3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1496
    options=0
    ether 58:9c:fc:10:5c:64
    inet 192.168.9.1 netmask 0xffffffe0 broadcast 192.168.9.31
    groups: vlan
    vlan: 3 vlanproto: 802.1q vlanpcp: 0 parent interface: bridge0
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
bridge0.10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1496
    options=0
    ether 58:9c:fc:10:5c:64
    inet 192.168.8.1 netmask 0xffffffe0 broadcast 192.168.8.31
    groups: vlan
    vlan: 10 vlanproto: 802.1q vlanpcp: 0 parent interface: bridge0
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
tap0: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=80000<LINKSTATE>
    ether 58:9c:fc:10:ad:63
    groups: tap
    media: Ethernet 1000baseT <full-duplex>
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    Opened by PID 2825
tap1: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=80000<LINKSTATE>
    ether 58:9c:fc:10:e3:a3
    groups: tap
    media: Ethernet 1000baseT <full-duplex>
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    Opened by PID 2825
tap2: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=80000<LINKSTATE>
    ether 58:9c:fc:10:1e:e9
    groups: tap
    media: Ethernet 1000baseT <full-duplex>
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    Opened by PID 2825
tap3: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=80000<LINKSTATE>
    ether 58:9c:fc:10:c9:2a
    groups: tap
    media: Ethernet 1000baseT <full-duplex>
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    Opened by PID 2825

And this for the remote FreeBSD machine:
Code:
igb0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
    ether 00:1b:21:96:0b:62
    media: Ethernet autoselect
    status: no carrier
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
igb1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=4e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
    ether 00:1b:21:96:0b:64
    inet 192.168.9.5 netmask 0xffffffe0 broadcast 192.168.9.31
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
re0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
    ether 00:e0:6b:68:03:4d
    media: Ethernet autoselect (none)
    status: no carrier
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
igb1.10: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=4600703<RXCSUM,TXCSUM,TSO4,TSO6,LRO,RXCSUM_IPV6,TXCSUM_IPV6,MEXTPG>
    ether 00:1b:21:96:0b:64
    inet 192.168.8.5 netmask 0xffffffe0 broadcast 192.168.8.31
    groups: vlan
    vlan: 10 vlanproto: 802.1q vlanpcp: 0 parent interface: igb1
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
tap0: flags=8803<UP,BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4080000<LINKSTATE,MEXTPG>
    ether 58:9c:fc:10:9b:11
    groups: tap
    media: Ethernet 1000baseT <full-duplex>
    status: no carrier
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
tap1: flags=8803<UP,BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4080000<LINKSTATE,MEXTPG>
    ether 58:9c:fc:10:e8:cf
    groups: tap
    media: Ethernet 1000baseT <full-duplex>
    status: no carrier
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
bridge0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=10<VLAN_HWTAGGING>
    ether 58:9c:fc:10:6d:e7
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 0 ifcost 0 port 0
    bridge flags=0<>
    groups: bridge
    nd6 options=9<PERFORMNUD,IFDISABLED>
virbr0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=10<VLAN_HWTAGGING>
    ether 52:54:00:f3:06:2f
    inet 192.168.122.1 netmask 0xffffff00 broadcast 192.168.122.255
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 4
    maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    bridge flags=0<>
    groups: bridge
    nd6 options=9<PERFORMNUD,IFDISABLED>
There's a lot of stuff here, but I'm only using igb1 -- currently connecting to the "untagged 3" VLAN on the bridge host. And igb1.10, which I'm trying to connect to "tagged 10", unsuccessfully.

The virbr0 is used by libvirtd as part of its installation and doesn't seem to affect the matter in question in any way I'd be aware of.
 
can the remote system (192.168.8.5) reach 192.168.8.1 on the vm host (i.e., networking between the two hosts is working, only networking to the vm isn't)?

if yes, please do the following:
  • start 'tcpdump -ni igb1 arp or icmp' on the vm host
  • start 'tcpdump -ni tap1 arp or icmp', also on the vm host
  • on the remote system, ping the IP address of the vm guest (not the host) and let it send a few packets
  • paste both tcpdump outputs here
also, what is the IP address of the vm guest?
 
No it can't. 192.168.8.1/27 is unreachable to the remote host, whether I use "non-vlan" igb1 or "vlan 10" igb1.10 for that network segment.

The remote system can only reach the VM host through 192.168.9.0/27, which is there linked to "untagged" VLAN 3 on bridge0.3. The remote machine uses simple igb1 (no vlan) for that -- see my remote host ifconfig. Which, as I understand from the paper, supports the idea that "untagged VLAN 3" only exists on the VM host itself.

Nor can I ping remote host 192.168.8.5 from the VM host.
 
I must also add that ALL tap interfaces on the VM host are used by that VM guest. It works as a firewall/router -- that's the idea.
And PF configuration there explicitly blocks traffic between 192.168.8.0/27 and 192.168.9.0/27. Since they're both supposed to be available from LAN by my remote host -- but as separate VLANs.

...So the VM guest receives
1) WAN traffic (from igb0 that's not part of bridge0 -- otherwise DHCP from ISP doesn't work on it)
2) WLAN traffic through wlan1 ("untagged 2"). And it doesn't work either because wlan1 cannot be authenticated in this new-style bridge configuration.
3) 2 VLANs to be used on my home LAN. This is for VLAN testing/learning purposes, my training setup.

So VM guest PF rules allow internet traffic to all those vlans but prohibit traffic between the last 2 vlans for understandable reasons.
And VM host PF solves the same problem by only doing NAT between WAN and incoming iface for VM:
Code:
nonroute = "{ 0.0.0.0/8, 20.20.20.0/24, 127.0.0.0/8, 172.16.0.0/12, 169.254.0.0/16, 192.0.2.0/24, 192.168.0.0/16, 224.0.0.0/3, 255.255.255.255 }"

icmp_types = "{ 0, 3, 8, 11, 12 }"

set optimization aggressive
set block-policy return
set skip on lo0
scrub in all fragment reassemble no-df max-mss 1440

### NAT for vlans etc ###
nat on bridge0.1 from ! bridge0.1:network to any -> (bridge0.1) ##used in VM as egress if
nat on igb0 from ! igb0:network to any -> (igb0) ##WAN interface receiving DHCP from ISP, not part of bridge0
anchor untagged

block drop in quick on igb0 from $nonroute to any
block in on igb0 all
pass in quick on { bridge0 bridge0.1 bridge0.2 bridge0.3 bridge0.10 igb1 tap0 tap1 tap2 tap3 wlan1 } all
pass out quick all
block all
 
And to complete the list of problems, VM host machine also runs DHCP server for VLAN where wlan1 is attached.
That's bridge0.2 (untagged 2) in the new-style setup. Address is assigned to bridge clone rather than wlan1 itself...
Well, it doesn't seem to work, nor does hostapd authentication for wlan1 in this configuration.

I already keep the ISP-facing igb0 out of that bridge. Doing the same for wlan1 solves the problem as well...
But I'm interested in making it all work in that new bridge concept :). Where ALL interfaces are part of that cover-all bridge, as seems to be the idea...
 
No it can't. 192.168.8.1/27 is unreachable to remote host, whether I use "non-vlan" igb1 or 'vlan 10" igb1.10 for that network segment.
okay, so we should fix that first, before worrying about the VM.

i notice you have a wlan(4) interface in the bridge. is any of this traffic going over that interface?

assuming not, please do this:
  • on the remote system (192.168.8.5), run 'tcpdump -vnei igb1 arp or icmp'
  • on the vm host (192.168.8.1), run 'tcpdump -vnei igb1 arp or icmp'
  • on the remote system, run 'ping 192.168.8.1' and let it run for 10 seconds or so
  • show the output of both tcpdumps here
is there any sort of network device (switch/bridge, ...) between the two systems, or are they directly connected?
 
is there any sort of network device (switch/bridge, ...) between the two systems, or are they directly connected?
Only a simple router, nothing else.
The output:
Code:
$ sudo tcpdump -vnei igb1 arp or icmp
tcpdump: listening on igb1, link-type EN10MB (Ethernet), snapshot length 262144 bytes

0 packets captured
118 packets received by filter
0 packets dropped by kernel
This is because igb1 has network 192.168.9.0/27, which I use to connect. That's "untagged 3" part of the bridge -- no problems there.
And of course, 'ping 192.168.8.1' says 'Host is down'.

BTW: since we're debugging the "tagged 10" configuration problems, I've set both igb1 and tap1 (members of bridge0 on the VM host) back to the 'tagged 10' state, because the VM guest has no problem with its "tagged 10" side: I've set the guest side address to VLAN 10 and now I can ping (or ssh to) the VM guest side (192.168.8.3) -- from the VM host only, 192.168.8.1.

BUT when I run that tcpdump command on igb1.10 on 192.168.8.5, I get this:
Code:
tcpdump: listening on igb1.10, link-type EN10MB (Ethernet), snapshot length 262144 bytes
00:47:55.763018 00:1b:21:96:0b:64 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.8.1 tell 192.168.8.5, length 28
00:47:56.763493 00:1b:21:96:0b:64 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.8.1 tell 192.168.8.5, length 28
00:47:57.783727 00:1b:21:96:0b:64 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.8.1 tell 192.168.8.5, length 28
00:47:58.785042 00:1b:21:96:0b:64 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.8.1 tell 192.168.8.5, length 28
00:47:59.826090 00:1b:21:96:0b:64 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.8.1 tell 192.168.8.5, length 28
00:48:00.856438 00:1b:21:96:0b:64 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.8.1 tell 192.168.8.5, length 28
00:48:01.904471 00:1b:21:96:0b:64 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.8.1 tell 192.168.8.5, length 28
^C
7 packets captured
7 packets received by filter
0 packets dropped by kernel
 
For the sake of experiment, I also tried from my laptop with OpenBSD installed which I also connected as VLAN 10 through that router I have on that LAN. Same as VM guest -- OpenBSD set "tagged 10" host tap1 interface to VLAN 10 on its side. No connection either.

So it seems, 'tagged 10' segment is only accessible on the host itself -- and from VM. But not on the LAN.

NOTE: with the 'old-style' vlan 10 configuration command 'ifconfig bridge1 addm igb1.10 addm tap1', that vlan 10 is NOT accessible to the VM if it uses VLAN 10 on its side. So I don't use it there for the old config (currently working).
 
Only a simple router, nothing else.
do you mean a bridge/switch? putting a router between two machines on the same subnet would be a very unusual configuration. it's fine if the device is capable of routing, as long as it's not trying to route between these two ports.
The output:
which is this output from - the remote host or the vm host?
This is because igb1 has network 192.168.9.0/27, which I use to connect. That's "untagged 3" part of the bridge -- no problems there.
no, this isn't expected. if you create a vlan subinterface igb1.10 on igb1, then send packets via igb1.10, tcpdump should show the tagged packets leaving the underlying interface, igb1. the same with receiving tagged packets. that's why i asked for tcpdump on the underlying interface, not the vlan subinterface.

can you please run both commands i asked for and show the output of both of them?
 
actually, it seems like tcpdump filters don't like the tagged packets. so please replace "arp or icmp" with "vlan 10" in both tcpdump commands.
 
Hi :)

1. The router is a basic non-programmable 8-port "home edition" router people use to create a small LAN on a single incoming NIC (gateway). No routing problems up to now.

Now the sudo tcpdump -vnei igb1 vlan 10 output on the VM host (192.168.8.1):
Code:
sudo tcpdump -vnei igb1 vlan 10
Password:
tcpdump: listening on igb1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
^C
0 packets captured
4297 packets received by filter
0 packets dropped by kernel
(ran for a while before I closed it)

And this one on the other end, 192.168.8.5 machine:
Code:
sudo tcpdump -vnei igb1 vlan 10
Password:
tcpdump: listening on igb1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
11:48:39.204884 00:1b:21:96:0b:64 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 10, p 0, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.8.1 tell 192.168.8.5, length 28
11:48:40.209299 00:1b:21:96:0b:64 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 10, p 0, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.8.1 tell 192.168.8.5, length 28
11:48:41.213052 00:1b:21:96:0b:64 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 10, p 0, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.8.1 tell 192.168.8.5, length 28
11:48:42.225037 00:1b:21:96:0b:64 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 10, p 0, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.8.1 tell 192.168.8.5, length 28
...
 
Now although you didn't ask it, I tried to ping 192.168.8.5 from 192.168.8.1. In this case I do have some result on BOTH machines.
[Edited]
This is on VM host, 192.168.8.1:
Code:
tcpdump: listening on igb1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
11:57:32.822185 58:9c:fc:10:5c:64 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 10, p 0, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.8.5 tell 192.168.8.1, length 28
11:57:33.829029 58:9c:fc:10:5c:64 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 10, p 0, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.8.5 tell 192.168.8.1, length 28
... etc

And this on 192.168.8.5, where there is also a reply:
Code:
sudo tcpdump -vnei igb1 vlan 10
Password:
tcpdump: listening on igb1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
11:57:32.822522 58:9c:fc:10:5c:64 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 10, p 0, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.8.5 tell 192.168.8.1, length 42
11:57:32.822554 00:1b:21:96:0b:64 > 58:9c:fc:10:5c:64, ethertype 802.1Q (0x8100), length 46: vlan 10, p 0, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Reply 192.168.8.5 is-at 00:1b:21:96:0b:64, length 28
11:57:33.829368 58:9c:fc:10:5c:64 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 10, p 0, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.8.5 tell 192.168.8.1, length 42
11:57:33.829395 00:1b:21:96:0b:64 > 58:9c:fc:10:5c:64, ethertype 802.1Q (0x8100), length 46: vlan 10, p 0, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Reply 192.168.8.5 is-at 00:1b:21:96:0b:64, length 28
11:57:34.832418 58:9c:fc:10:5c:64 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 10, p 0, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.8.5 tell 192.168.8.1, length 42
11:57:34.832437 00:1b:21:96:0b:64 > 58:9c:fc:10:5c:64, ethertype 802.1Q (0x8100), length 46: vlan 10, p 0, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Reply 192.168.8.5 is-at 00:1b:21:96:0b:64, length 28
11:57:35.837082 58:9c:fc:10:5c:64 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 10, p 0, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.8.5 tell 192.168.8.1, length 42
11:57:35.837114 00:1b:21:96:0b:64 > 58:9c:fc:10:5c:64, ethertype 802.1Q (0x8100), length 46: vlan 10, p 0, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Reply 192.168.8.5 is-at 00:1b:21:96:0b:64, length 28
...


Now I also tried to ping remote 192.168.8.5 from inside VM guest, 192.168.8.3, and receive this on the remote machine:
Code:
sudo tcpdump -vnei igb1 vlan 10
Password:
tcpdump: listening on igb1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
12:06:15.215253 00:a0:98:96:c6:30 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 10, p 3, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.8.5 tell 192.168.8.3, length 42
12:06:15.215290 00:1b:21:96:0b:64 > 00:a0:98:96:c6:30, ethertype 802.1Q (0x8100), length 46: vlan 10, p 0, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Reply 192.168.8.5 is-at 00:1b:21:96:0b:64, length 28
12:06:16.219853 00:a0:98:96:c6:30 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 10, p 3, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.8.5 tell 192.168.8.3, length 42
12:06:16.219883 00:1b:21:96:0b:64 > 00:a0:98:96:c6:30, ethertype 802.1Q (0x8100), length 46: vlan 10, p 0, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Reply 192.168.8.5 is-at 00:1b:21:96:0b:64, length 28
12:06:17.219582 00:a0:98:96:c6:30 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 10, p 3, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.8.5 tell 192.168.8.3, length 42

But nothing is received on the VM host or the guest.

And VM host shows only request and no reply:
Code:
Password:
tcpdump: listening on igb1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
12:32:11.408013 00:a0:98:96:c6:30 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 10, p 3, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.8.5 tell 192.168.8.3, length 28
12:32:12.410647 00:a0:98:96:c6:30 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 10, p 3, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.8.5 tell 192.168.8.3, length 28
12:32:13.410493 00:a0:98:96:c6:30 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 10, p 3, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.8.5 tell 192.168.8.3, length 28
...
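The captures above are most useful when read side by side: the remote host sees the host's ARP requests and answers them, while the VM host never sees the answers. As an added example (not code from the thread), here is a small parser for `tcpdump -vne` ARP lines that takes captures from two points on the same VLAN and reports unanswered requests per capture point and replies that were captured at one point but never arrived at the other. The sample captures are constructed from the tcpdump output quoted above; the capture-point names "vm-host" and "remote" are arbitrary labels.

```python
"""Parse tcpdump ARP lines captured at two points on a VLAN segment and report
where replies go missing. Added example, not from the thread; sample captures
are constructed from the tcpdump output quoted in the thread."""
from __future__ import annotations

import re
from dataclasses import dataclass

MACS_RE = re.compile(r"^\S+\s+([0-9a-f:]{17}) > ([0-9a-f:]{17}),")
VLAN_RE = re.compile(r"\bvlan (\d+),")
REQ_RE = re.compile(r"Request who-has (\S+) tell (\S+),")
REP_RE = re.compile(r"Reply (\S+) is-at ([0-9a-f:]{17}),")

@dataclass(frozen=True)
class ArpEvent:
    vid: int | None   # 802.1Q tag seen on the wire, None when the frame was untagged
    kind: str         # "request" or "reply"
    ip: str           # address being resolved (request) or announced (reply)
    src_mac: str
    dst_mac: str

def parse_line(line: str) -> ArpEvent | None:
    """One tcpdump -vne line -> ArpEvent, or None for banners, summaries and non-ARP frames."""
    macs = MACS_RE.match(line)
    if not macs or "ethertype ARP" not in line:
        return None
    vlan = VLAN_RE.search(line)
    vid = int(vlan.group(1)) if vlan else None
    if m := REQ_RE.search(line):
        return ArpEvent(vid, "request", m.group(1), *macs.groups())
    if m := REP_RE.search(line):
        return ArpEvent(vid, "reply", m.group(1), *macs.groups())
    return None

def parse_capture(text: str) -> list[ArpEvent]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]

def diagnose(captures: dict[str, str]) -> dict:
    """captures: capture-point name -> raw tcpdump text.
    'unanswered' maps each point to the (vid, ip) requests that got no reply there;
    'lost_replies' holds (seen_at, missing_at, vid, ip) for replies captured at one
    point but never at another, i.e. frames lost on the path between the two."""
    events = {name: parse_capture(text) for name, text in captures.items()}
    unanswered: dict[str, set] = {}
    replies: dict[str, set] = {}
    for name, evs in events.items():
        asked = {(e.vid, e.ip) for e in evs if e.kind == "request"}
        replies[name] = {(e.vid, e.ip) for e in evs if e.kind == "reply"}
        unanswered[name] = asked - replies[name]
    lost = {(a, b, vid, ip)
            for a in captures for b in captures if a != b
            for vid, ip in replies[a] - replies[b]}
    return {"unanswered": unanswered, "lost_replies": lost}

# Constructed sample captures: 'tcpdump -vnei igb1 vlan 10' on each end, as quoted in the thread.
VM_HOST_CAPTURE = """\
tcpdump: listening on igb1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
11:57:32.822185 58:9c:fc:10:5c:64 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 10, p 0, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.8.5 tell 192.168.8.1, length 28
11:57:33.829029 58:9c:fc:10:5c:64 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 10, p 0, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.8.5 tell 192.168.8.1, length 28
"""
REMOTE_CAPTURE = """\
11:57:32.822522 58:9c:fc:10:5c:64 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 10, p 0, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.8.5 tell 192.168.8.1, length 42
11:57:32.822554 00:1b:21:96:0b:64 > 58:9c:fc:10:5c:64, ethertype 802.1Q (0x8100), length 46: vlan 10, p 0, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Reply 192.168.8.5 is-at 00:1b:21:96:0b:64, length 28
"""
# An untagged ARP line, as seen when capturing on the vlan(4) sub-interface igb1.10 instead of igb1.
UNTAGGED_LINE = "00:47:55.763018 00:1b:21:96:0b:64 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.8.1 tell 192.168.8.5, length 28"

def run() -> dict:
    return diagnose({"vm-host": VM_HOST_CAPTURE, "remote": REMOTE_CAPTURE})

if __name__ == "__main__":
    result = run()
    for name, reqs in result["unanswered"].items():
        for vid, ip in sorted(reqs, key=str):
            print(f"{name}: ARP request for {ip} (vlan {vid}) never answered")
    for seen_at, missing_at, vid, ip in sorted(result["lost_replies"], key=str):
        print(f"reply for {ip} (vlan {vid}) captured on {seen_at} but never reached {missing_at}")
```

On the constructed captures the result is one unanswered request on the VM host side and one reply that was captured on the remote host but not on the VM host, which narrows the fault to the return path into the bridge port rather than to the guest. Capturing on the physical interface (igb1) rather than on a vlan(4) sub-interface is what makes the `vid` field meaningful: on igb1.10 the same frames show up already untagged, as the UNTAGGED_LINE sample illustrates.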
 