Stripping/attaching vlan tags as packets arrive/leave a physical port?

D

Deever

Hi folks!

Some switches allow tagging/untagging of packets as they are sent from/to a physical interface. With FreeBSD I'd to this like so:
Code: 
ifconfig em0 name physical
ifconfig bridge0 create name tagbridge
ifconfig epair0 create name cable0a
ifconfig epair0b name cable0b
ifconfig vlan0 create name lan0a
ifconfig vlan1 create name lan0b

ifconfig lan0a vlan 42 vlandev cable0a
ifconfig lan0b vlan 42 vlandev cable0b
ifconfig tagbridge addm physical addm lan0a

ifconfig physical up
ifconfig tagbridge up
ifconfig cable0a up
ifconfig cable0b up
ifconfig lan0a up
ifconfig lan0b up
While this should work (using lan0b as the iface to work with), it's very clumsy. Is there a better way to achieve this, maybe even with conditional tagging/untagging?

Greetings,
/dev
 
Last edited by a moderator:
What are you trying to do? What's the result you want?

What's connected to your cableb and lan0b? Nothing? VMs/jails? Another physical NIC?

Vlan tagging is easy to do with just ifconfig(8). Bridging that tagged interface into a VM/jail is a simple bridge command.
 
I'd like to add tags to packets as they come in on the interface and remove the tag from packets as they are sent out over the interface.
The idea is not to require connected boxes to use VLAN.
 
FreeBSD doesn't do that.

vlan tags of packets are compared to the vlan tag of the interface they come in, and only packets that match the settings of the overage are allowed (tags are checked on ingress).

vlan tags are added to packets as they leave an interface if a vlan tag is set on that interface (tags are added on egress).

In switch terms, FreeBSD supports access ports (untagged vlan only) and trunk ports (tagged vlans only).

There is no support for hybrid ports, nor a concept of a PVID (where an untagged packets has a vlan tag added based on the interface it came in on).

You might be able to fake it using one of the software/virtual switch setups (openvswitch, VALE, etc), but that would get overly complex very quickly. And even then, it probably won't work the way you want, or be overly slow.

A better solution is to get a managed switch and do all that on the switch where packets get processed in hardware.
 
You must log in or register to reply here.
Back
Top