Configure FreeBSD as switch?

[dsagra]

Hello all, I would like to bridge a few interfaces with a set up like:

em0: VLAN X untagged, Y tagged
em1: VLAN Z untagged, X tagged
em2: VLAN Y untagged, X tagged

to essentially turn my FreeBSD machine as a switch. I found older threads stating that you shouldn't be mixing "untagged" and "tagged" traffic in a plain bridge(4), but I wonder if there's a way to achieve this in Freebsd?
Thank you

 

[drhowarddrfine]

Yes you can--and many have done this--but it's software so it will be slower than a hardware switch.

 

[dsagra]

correct, ASICs would outperform a general purpose CPU for this task, I am aware of that, I wanted more to understand what's the recommended approach for this on FreeBSD: is it via some userland software? Thank you

 

[SirDice]

What exactly do you want to bridge? The VLANs on em1 and em2 shouldn't be much of a problem (you simply bridge the vlan(4) interfaces), but em0 might pose a problem.

 

[dsagra]

Exactly SirDice ! What I would like to achieve is create several bridges with a configuration like:

bridge0: em0, em1.X, em2.X
bridge1: em0.Y, em1, em2.Y
bridge2: em0.Z, em1.Z, em2

As you said, and it is what I also noticed, everything is fine if I only attach the vlan(4) interfaces, but as soon as I add the "main" interface to a bridge, it looks like packets/frames for that NIC are no longer forwarded, that's why I started the thread in the first place

 

[dino1]

It's some time in distant past I played with netgraph but I think it is possible to create such arrangement with ng_ether, ng_vlan and ng_bridge nodes, with ng_eiface if host connectivity for a bridge is desired.
Basically, use ng_ether nodes for physical interfaces, connect their lower hooks with downstream hooks of respective ng_vlan node. This connection carries both tagged and untagged frames. On the other side of the ng_vlan nodes, there are vlans hooks for tagged frames you are interested in and nomatch hooks carrying all untagged frames (and tagged for vlans not explicitly designed for other hooks, which we can ignore for now for simplicity). Then just use ng_bridge node with its linkN hooks and create bridges as desired. Add ng_eiface node (or, maybe, use ng_ether's upper node for this) where host connectivity is desired.
Please read all respective man pages for details, also look into /usr/share/examples/netgraph/ether.bridge file for an example how ng_bridge is created. Also, make sure you have alternate means to access the box where you are playing with netgraph, if you are not careful, it is easy to break network connectivity... it is really powerfull tool, which could be sometimes dangerous.