Bridging w/Vlan Interfaces

Hi there,
I've been struggling to make a "basic" setup with two bridges on the LAN side of the router:

Bridge1: em1 + em2
Bridge0: VLAN500 on em1 + em3

As I create Bridge1, bridge0 stops forwarding traffic.

Any suggestion will be appreciated.

***
Configuration:
Code:
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:0f:9d:95:72:00
        inet 192.168.32.1 netmask 0xffffff00 broadcast 192.168.32.255
        nd6 options=1<PERFORMNUD>
        groups: bridge
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: em3 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 4 priority 128 path cost 55
        member: em1_vlan500 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 9 priority 128 path cost 20000

bridge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:0f:9d:95:72:01
        inet 172.16.0.1 netmask 0xffffff00 broadcast 172.16.0.255
        nd6 options=1<PERFORMNUD>
        groups: bridge
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 55
        member: em2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 3 priority 128 path cost 55
Firewall's Bridge Options:
Code:
net.link.bridge.ipfw: 0
net.link.bridge.allow_llz_overlap: 0
net.link.bridge.inherit_mac: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 0
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 0
 
Configure the switch port that em1 plugs into to use tagged vlans for everything (aka trunk mode), including vlan 1.

Then configure the two separate vlan1 and vlan500 interfaces.

Then add those vlan interfaces to the bridge interfaces.

rc.conf would look something like this (untested, going from memory, using backup files that haven't been used in several years, your mileage may vary, use at your own risk, yadda yadda):
Code:
ifconfig_em1="up"
ifconfig_em2="up"
ifconfig_em3="up"

cloned_interfaces="bridge0 bridge1"

vlans_em1="vlan1 vlan500"
create_args_vlan1="vlan 1"
create_args_vlan500="vlan 500"

ifconfig_bridge0="addm vlan1 addm em2 inet 172.16.0.1/24"
ifconfig_bridge1="addm vlan500 addm em3 inet 192.168.32.1/24"
 
Thanks for the reply.

Unfortunately it doesn't seem to work, in fact vlan1 on em1 seems not to be getting any traffic.

Should untagged traffic on em1 be received on em1_vlan1?


Config:
Code:
em1_vlan1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:30:18:3c:d0:a7
        inet6 fe80::230:18ff:fe3c:d0a7%em1_vlan1 prefixlen 64 scopeid 0xd
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 1 vlanpcp: 1 parent interface: em1
        groups: vlan
em1_vlan500: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:30:18:3c:d0:a7
        inet6 fe80::230:18ff:fe3c:d0a7%em1_vlan500 prefixlen 64 scopeid 0xe
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 500 vlanpcp: 0 parent interface: em1
        groups: vlan
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:a5:d5:95:59:00
        inet 172.16.10.1 netmask 0xffffff00 broadcast 172.16.10.255
        nd6 options=1<PERFORMNUD>
        groups: bridge
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: em2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 5 priority 128 path cost 2000000
        member: em1_vlan1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 13 priority 128 path cost 20000
bridge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:a5:d5:95:59:01
        inet 192.168.32.1 netmask 0xffffff00 broadcast 192.168.32.255
        nd6 options=1<PERFORMNUD>
        groups: bridge
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: em3 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 6 priority 128 path cost 55
        member: em1_vlan500 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 14 priority 128 path cost 20000
 
No, untagged packets will not be seen by the vlan1 interface. Only tagged packets. You need to configure the switch to tag vlan 1 on that port (and probably set the PVID for the port to 1 as well).
 
OK. Can you figure out a way to configure the trunk interface with a "default VLAN"?
 
I would not use VLAN1 at all. It is default everywhere and therefore not good to use from a security perspective. I always ban it on all ports in the switch.

I am rather new to FreeBSD, but found FreeBSD to be very good and intuitive to set up with VLANs and bridges. Now I use it as a fw with PF with several vlans, gifs etc. Lately I have also set up and tried bhyve with bridges and vlans. A new virtualisation server... I think I am in love with the OS after such a short time of usage :)

I can give you some switch config tips as well as FreeBSD net config tips if you explain better what you want to accomplish. Do you need untagged traffic at all in the switch? Why not just tagged traffic? In my FW I use an external 10G interface against the ISP and another 10G interface for all vlans at my site. What more can you give to make it easier to help?
 
In fact what I'm trying to set up is to skip the use of a switch by bridging interfaces on the FreeBSD box. The original question is how to get traffic being forwarded on two bridges such as:
Bridge0: em1 + em2
Bridge1: em1_vlan500 + em3

A setup without the untagged em1 works perfectly. But we do need em1 to be able to run lldp discovery.
Bridge0: em1_vlan200 + em2
Bridge1: em1_vlan500 + em3

Any suggestion will be appreciated
 
lldp runs at the link layer, and will work just fine with only tagged interfaces. No untagged interface required. Set it up like your second option and carry on. :)
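As an added example (not from the thread or from FreeBSD itself), the script below takes bridge member lists in the form "bridgeN:member member ...", flags the overlap from the first post (em1 used directly in bridge0 while em1_vlan500 sits in bridge1), and emits rc.conf lines for the tagged-only second option in the same format as the rc.conf reply above; it assumes VLAN interfaces follow the thread's <parent>_vlan<id> naming.

```shell
# Added example. Each argument is one bridge spec, "bridgeN:member member ...",
# e.g. "bridge1:em1_vlan500 em3". VLAN members are assumed to be named
# <parent>_vlan<id> as in the thread.

# Prints physical NICs that are both a direct bridge member and the parent of
# a VLAN member (em1 in the first post's layout); returns 1 if any are found.
check_bridge_overlap() {
    direct=" "; parents=" "; bad=" "
    for spec in "$@"; do
        for m in ${spec#*:}; do
            case "$m" in *_vlan[0-9]*) parents="$parents${m%%_vlan*} " ;;
                          *)            direct="$direct$m " ;; esac
        done
    done
    for p in $parents; do
        case "$direct" in *" $p "*)
            case "$bad" in *" $p "*) ;; *) bad="$bad$p " ;; esac ;;
        esac
    done
    echo $bad
    [ "$bad" = " " ]
}

# Emits rc.conf lines for a tagged-only layout: parents are only brought "up",
# VLAN children get create_args_<name>, and only VLAN children and the other
# NICs become bridge members (the format used in the rc.conf reply above).
gen_rcconf() {
    clones=""; pairs=""; seen=" "
    for spec in "$@"; do
        clones="$clones ${spec%%:*}"
        for m in ${spec#*:}; do
            case "$m" in *_vlan[0-9]*) pairs="$pairs ${m%%_vlan*}=$m" ;; esac
        done
    done
    for pr in $pairs; do
        p=${pr%%=*}
        case "$seen" in *" $p "*) continue ;; esac
        seen="$seen$p "; names=""
        for q in $pairs; do [ "${q%%=*}" = "$p" ] && names="$names ${q#*=}"; done
        echo "ifconfig_$p=\"up\""
        echo "vlans_$p=\"${names# }\""
        for n in $names; do echo "create_args_$n=\"vlan ${n##*_vlan}\""; done
    done
    echo "cloned_interfaces=\"${clones# }\""
    for spec in "$@"; do
        args=""
        for m in ${spec#*:}; do args="$args addm $m"; done
        echo "ifconfig_${spec%%:*}=\"${args# } up\""
    done
}
```

Run `check_bridge_overlap "bridge0:em1 em2" "bridge1:em1_vlan500 em3"` to see em1 reported, and `gen_rcconf "bridge0:em1_vlan200 em2" "bridge1:em1_vlan500 em3"` to print the rc.conf fragment for the second option.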
 