15.0-RELEASE new bridge/VLAN structure - problem

F

free-and-bsd

Hello everyone!
I'm very enthusiastic about this new bridge concept in 15.0, so I've put it to use of my old configuration where I had a dedicated bridge for every cloned VLAN interface.
But it doesn't seem to work the way I expected.
In particular, this is part of my old config:
Code: 
ifconfig bridge0 addm igb1.10 addm tap1
ifconfig bridge0 inet 192.168.0.1/27
Here, tap1 is used by a VM guest with IP set by the guest OS 192.168.0.3/24 (no VLAN ID set on it!!).
So this is "VLAN 10" then, because of igb0.10.
And to connect to it from LAN I use, say, em0.10 on a remote LAN host, with IP address set to, say, 192.168.0.7/24.
This works fine, the old way.

But when I try to use the NEW bridge approach, I don't seem to be able to connect to VLAN 10!!!
As documented, I go like this:
Code: 
ifconfig bridge0 vlanfilter addm igb1 tagged 10 \
ifconfig bridge0 addm tap1 tagged 10
ifconfig bridge0.10 inet 192.168.0.1/24
This is a recommended way to do it: instead of creating igb1.10 I'm using bridge0.10.
I want thus to connect tap1 with igb1 on VLAN 10 and then be able to connect LAN hosts to that VLAN on igb1.

The problems is, I can't connect to VLAN 10 from a remote host, whatever notation I use on that host, old or new.
Whether I use em0.10 or bridge0.10 + "ifconfig bridge0 vlanfilter addm em0 tagged 10"
The only thing that seems to work this way is, when I use VLAN 10 on tap1 inside my VM, then I can connect to VM using IP 192.168.0.3/24 -- but only on localhost!!

I'll repeat it: if I use VLAN 10 on that "tagged 10" interface tap1 inside the VM guest (it happens to be OpenBSD, I use vlan0 device with "vnetid 10" on it), then I get connectivity to that VM through VLAN 10 -- but only on localhost.

So, my question is: how am I supposed to connect to that from LAN?
Now in the old style the word "tagged/untagged" isn't present at all. In the new one it is.
But how does that effect the concept of VLANs?
 
Now... the word "tagged" seems to be the game changer here. But if I use "untagged 10" in the syntax above,
then VLAN 10 exists only on localhost. And in order to connect to it from remote LAN host I don't need any VLAN 10 interface like igb0.10 or, for that matter, bridge0.10 as per new style.

BTW, on a remote host, even when I create a 'tagged 10" bridge0.10, I can't connect to the "tagged 10" VLAN I'm talking about.
On the other hand, this new bridge0.10 works fine to connect to the "old-style" remote VLAN 10...
So, what am I missing with this whole concept??
 
free-and-bsd said:
Code: 
ifconfig bridge0 vlanfilter addm igb1 tagged 10 \
ifconfig bridge0 addm tap1 tagged 10
ifconfig bridge0.10 inet 192.168.0.1/24
Click to expand...
i don't think your configuration for tap1 is right (the rest looks fine).

based on your description of what you want to do, you should configure tap1 as an untagged interface; that means bridge will strip the VLAN tag before sending packets on that interface, and an incoming packet without a tag will have a tag added before processing. this is how you'd typically configure an interface for a non-vlan-aware VM guest.

if you make tap1 a tagged interface, then the VM has to send and receive tagged packets (e.g., using vlan(4) on FreeBSD), which is also fine, but it doesn't sound like that's what you want.

free-and-bsd said:
I'll repeat it: if I use VLAN 10 on that "tagged 10" interface tap1 inside the VM guest (it happens to be OpenBSD, I use vlan0 device with "vnetid 10" on it), then I get connectivity to that VM through VLAN 10 -- but only on localhost.
Click to expand...
please show the output of the following:
  • 'ifconfig' on the FreeBSD host (the one with the bridge interface)
  • 'ifconfig -a' on the OpenBSD VM
  • the equivalent command on the remote machine (the one with the em0.10 interface)
note, i suggest switching tap1 to an untagged interface first, if that's the configuration you want to end up with.
 
anguisette said:
i don't think your configuration for tap1 is right (the rest looks fine).

based on your description of what you want to do, you should configure tap1 as an untagged interface; that means bridge will strip the VLAN tag before sending packets on that interface, and an incoming packet without a tag will have a tag added before processing. this is how you'd typically configure an interface for a non-vlan-aware VM guest.

if you make tap1 a tagged interface, then the VM has to send and receive tagged packets (e.g., using vlan(4) on FreeBSD), which is also fine, but it doesn't sound like that's what you want.


please show the output of the following:
  • 'ifconfig' on the FreeBSD host (the one with the bridge interface)
  • 'ifconfig -a' on the OpenBSD VM
  • the equivalent command on the remote machine (the one with the em0.10 interface)
note, i suggest switching tap1 to an untagged interface first, if that's the configuration you want to end up with.
Click to expand...
Thanks for you reply!
Here is ifconfig output for the bridge machine:
Code: 
bridge0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=10<VLAN_HWTAGGING>
    ether 58:9c:fc:10:5c:64
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    bridge flags=1<VLANFILTER>
    member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 10 priority 128 path cost 2000000 vlan protocol 802.1q untagged 3
    member: tap1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 11 priority 128 path cost 2000000 vlan protocol 802.1q untagged 10
    member: igb1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 2 priority 128 path cost 55 vlan protocol 802.1q untagged 3 tagged 10
    member: tap2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 12 priority 128 path cost 2000000 vlan protocol 802.1q untagged 2
    member: wlan1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 4 priority 128 path cost 22222 vlan protocol 802.1q untagged 2
    member: tap3 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 13 priority 128 path cost 2000000 vlan protocol 802.1q untagged 1
    groups: bridge
    nd6 options=9<PERFORMNUD,IFDISABLED>
This is for bridge0.10:
Code: 
bridge0.10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1496
    options=0
    ether 58:9c:fc:10:5c:64
    inet 192.168.8.1 netmask 0xffffffe0 broadcast 192.168.8.31
    groups: vlan
    vlan: 10 vlanproto: 802.1q vlanpcp: 0 parent interface: bridge0
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
By the time you answered I'd already changed tap1 to "untagged" state. This way I got, indeed, the untagged traffic from the VM available on the host itself. Now this VM-related part is not a problem, I'm clear on this.
The problem is WHY I cannot connect to "tagged 10" from the LAN.
Here is my remote machine's ifconfig for igb1.10 (not em0.10 actually):
Code: 
igb1.10: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=4600703<RXCSUM,TXCSUM,TSO4,TSO6,LRO,RXCSUM_IPV6,TXCSUM_IPV6,MEXTPG>
    ether 00:1b:21:96:0b:64
    inet 192.168.8.5 netmask 0xffffffe0 broadcast 192.168.8.31
    groups: vlan
    vlan: 10 vlanproto: 802.1q vlanpcp: 0 parent interface: igb1
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
Now whether or not the VM is available, the problem is I cannot ping 192.168.8.1, which is on the bridge0.10 on the remote machine, linked to the LAN igb1 interface.
 
please show the full ifconfig output on both systems, not just the bridge/igb interfaces. you can omit the VM guest interfaces if networking between the host and the guest is working correctly.
 
OK, this for the bridge machine:
Code: 
igb0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500  options=4e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
    ether b4:2e:99:a8:bb:99
    inet XXX.XXX.XXX.XX netmask 0xfffff000 broadcast XXX.XXX.XXX.XXX
    media: Ethernet autoselect (100baseTX <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
igb1: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500    options=a520b9<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,HWSTATS>
    ether b4:2e:99:a8:bb:9a
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
wlan1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=0
    ether 04:54:53:03:c7:a9
    groups: wlan
    ssid XXXXX-yyy channel 52 (5260 MHz 11a ht/20) bssid 04:54:53:03:c7:a9
    regdomain 100 indoor ecm authmode WPA2/802.11i privacy MIXED
    deftxkey 2 AES-CCM 2:128-bit txpower 30 mcastrate 6 mgmtrate 6
    scanvalid 60 ampdulimit 64k ampdudensity 8 shortgi -uapsd wme burst
    dtimperiod 1 -dfs
    parent interface: ath0
    media: IEEE 802.11 Wireless Ethernet autoselect mode 11na <hostap>
    status: running
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
bridge0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=10<VLAN_HWTAGGING>
    ether 58:9c:fc:10:5c:64
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    bridge flags=1<VLANFILTER>
    member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 10 priority 128 path cost 2000000 vlan protocol 802.1q untagged 3
    member: tap1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 11 priority 128 path cost 2000000 vlan protocol 802.1q untagged 10
    member: igb1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 2 priority 128 path cost 55 vlan protocol 802.1q untagged 3 tagged 10
    member: tap2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 12 priority 128 path cost 2000000 vlan protocol 802.1q untagged 2
    member: wlan1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 4 priority 128 path cost 22222 vlan protocol 802.1q untagged 2
    member: tap3 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 13 priority 128 path cost 2000000 vlan protocol 802.1q untagged 1
    groups: bridge
    nd6 options=9<PERFORMNUD,IFDISABLED>
bridge0.1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1496
    options=0
    ether 58:9c:fc:10:5c:64
    inet 192.168.1.1 netmask 0xffffffe0 broadcast 192.168.1.31
    groups: vlan
    vlan: 1 vlanproto: 802.1q vlanpcp: 0 parent interface: bridge0
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
bridge0.2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1496
    options=0
    ether 58:9c:fc:10:5c:64
    inet 192.168.2.1 netmask 0xffffffe0 broadcast 192.168.2.31
    groups: vlan
    vlan: 2 vlanproto: 802.1q vlanpcp: 0 parent interface: bridge0
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
bridge0.3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1496
    options=0
    ether 58:9c:fc:10:5c:64
    inet 192.168.9.1 netmask 0xffffffe0 broadcast 192.168.9.31
    groups: vlan
    vlan: 3 vlanproto: 802.1q vlanpcp: 0 parent interface: bridge0
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
bridge0.10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1496
    options=0
    ether 58:9c:fc:10:5c:64
    inet 192.168.8.1 netmask 0xffffffe0 broadcast 192.168.8.31
    groups: vlan
    vlan: 10 vlanproto: 802.1q vlanpcp: 0 parent interface: bridge0
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
tap0: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=80000<LINKSTATE>
    ether 58:9c:fc:10:ad:63
    groups: tap
    media: Ethernet 1000baseT <full-duplex>
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    Opened by PID 2825
tap1: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=80000<LINKSTATE>
    ether 58:9c:fc:10:e3:a3
    groups: tap
    media: Ethernet 1000baseT <full-duplex>
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    Opened by PID 2825
tap2: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=80000<LINKSTATE>
    ether 58:9c:fc:10:1e:e9
    groups: tap
    media: Ethernet 1000baseT <full-duplex>
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    Opened by PID 2825
tap3: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=80000<LINKSTATE>
    ether 58:9c:fc:10:c9:2a
    groups: tap
    media: Ethernet 1000baseT <full-duplex>
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    Opened by PID 2825

And this for the remote FreeBSD machine:
Code: 
igb0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
    ether 00:1b:21:96:0b:62
    media: Ethernet autoselect
    status: no carrier
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
igb1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=4e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
    ether 00:1b:21:96:0b:64
    inet 192.168.9.5 netmask 0xffffffe0 broadcast 192.168.9.31
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
re0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
    ether 00:e0:6b:68:03:4d
    media: Ethernet autoselect (none)
    status: no carrier
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
igb1.10: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=4600703<RXCSUM,TXCSUM,TSO4,TSO6,LRO,RXCSUM_IPV6,TXCSUM_IPV6,MEXTPG>
    ether 00:1b:21:96:0b:64
    inet 192.168.8.5 netmask 0xffffffe0 broadcast 192.168.8.31
    groups: vlan
    vlan: 10 vlanproto: 802.1q vlanpcp: 0 parent interface: igb1
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
tap0: flags=8803<UP,BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4080000<LINKSTATE,MEXTPG>
    ether 58:9c:fc:10:9b:11
    groups: tap
    media: Ethernet 1000baseT <full-duplex>
    status: no carrier
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
tap1: flags=8803<UP,BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4080000<LINKSTATE,MEXTPG>
    ether 58:9c:fc:10:e8:cf
    groups: tap
    media: Ethernet 1000baseT <full-duplex>
    status: no carrier
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
bridge0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=10<VLAN_HWTAGGING>
    ether 58:9c:fc:10:6d:e7
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 0 ifcost 0 port 0
    bridge flags=0<>
    groups: bridge
    nd6 options=9<PERFORMNUD,IFDISABLED>
virbr0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=10<VLAN_HWTAGGING>
    ether 52:54:00:f3:06:2f
    inet 192.168.122.1 netmask 0xffffff00 broadcast 192.168.122.255
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 4
    maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    bridge flags=0<>
    groups: bridge
    nd6 options=9<PERFORMNUD,IFDISABLED>
There's a lot of stuff here, but I'm only using igb1 -- currently connecting to the "untagged 3" VLAN on the bridge host. And igb1.10 that I'm trying to connect to "tagged 10", unsuccessful.

The virbr0 is used by libvirtd as part of its installation and doesn't seem to affect the matter in question in any way I'd be aware of.
 
can the remote system (192.168.8.5) reach 192.168.8.1 on the vm host (i.e., networking between the two hosts is working, only networking to the vm isn't)?

if yes, please do the following:
  • start 'tcpdump -ni igb1 arp or icmp' on the vm host
  • start 'tcpdump -ni tap1 arp or icmp', also on the vm host
  • on the remote system, ping the IP address of the vm guest (not the host) and let it send a few packets
  • paste both tcpdump outputs here
also, what is the IP address of the vm guest?
 
You must log in or register to reply here.
Back
Top