VLAN trunk: bridge on untagged interface breaks tagged traffic

I've just spent a while on some weird behaviour on a VLAN trunk interface. It was configured with two VLAN subinterfaces, each a member of a bridge, and the untagged interface also a bridge member. tcpdump was showing tagged frames being dropped somewhere in the stack, unicast behaving differently to multicast/broadcast, and tagged frames from the network arriving at the untagged interface.

Then I found this comment on Bugzilla:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=230996#c23

Aaron doesn't cite his sources for this statement, but I can confirm as soon as I unconfigured the bridge off the untagged interfaces, tagged traffic immediately behaved as expected.

I have quite specific requirements for this host, which I'd rather not change, but if no fix is available, I can work around it external to the FreeBSD host.

The rc.conf snippet is below. It'd be great to have any suggestions on known fixes, workarounds etc.

(The host has six igb interfaces and the intended application is a router/firewall role.)

TIA

Code:
root@test:~ # uname -a
FreeBSD test 13.0-RELEASE-p7 FreeBSD 13.0-RELEASE-p7 #0: Mon Jan 31 18:24:03 UTC 2022  \
root@amd64-builder.daemonology.net:/usr/obj/usr/src/amd64.amd64/sys/GENERIC  amd64
--
#
# /etc/rc.conf networking section
#
# Untagged = MGT (10.0.10.0/24)
# VLAN tag: 16 = DMZ (10.0.16.0/24)
# VLAN tag: 32 = LAN (10.0.32.0/24)
# VLAN tag: 48 = LAN2 (10.0.48.0/24)
#
# epair101: link to a Jail
#
# Create required interfaces
#
# BRIDGE0 CAUSES BREAKAGE
# cloned_interfaces="bridge0 bridge16 bridge32 bridge48 epair101 igb0.32 igb0.48 igb2.32 igb2.48 igb3.32 igb3.48 igb4.16 igb5.16"
cloned_interfaces="bridge16 bridge32 bridge48 epair101 igb0.32 igb0.48 igb2.32 igb2.48 igb3.32 igb3.48 igb4.16 igb5.16"
#
# igb0: VLAN trunk > LAN switch
#
ifconfig_igb0="up"
ifconfig_igb0_32="up"
ifconfig_igb0_48="up"
#
# igb1: WAN interface
#
ifconfig_igb1="192.168.1.2/24"
defaultrouter="192.168.1.1"
#
# igb2: VLAN trunk > Wifi AP
#
ifconfig_igb2="up"
ifconfig_igb2_32="up"
ifconfig_igb2_48="up"
#
# igb3: VLAN trunk > Wifi AP
#
ifconfig_igb3="up"
ifconfig_igb3_32="up"
ifconfig_igb3_48="up"
#
# igb4: VLAN trunk > server
#
ifconfig_igb4="up"
ifconfig_igb4_16="up"
#
# igb5: VLAN trunk > server
#
ifconfig_igb5="up"
ifconfig_igb5_16="up"
#
# BRIDGE0 CAUSES BREAKAGE
# ifconfig_bridge0="addm igb0 addm igb2 addm igb3 addm igb4 addm igb5 10.0.10.2/24 up"
ifconfig_bridge16="addm igb4.16 addm igb5.16 addm epair101b 10.0.16.2/24 up"
ifconfig_bridge32="addm igb0.32 addm igb2.32 addm igb3.32 10.0.32.2/24 up"
ifconfig_bridge48="addm igb0.48 addm igb2.48 addm igb3.48 10.0.48.2/24 up"
 
I'll work around it by moving the management traffic onto a VLAN.

In this config, fortunately I've no critical need to bridge untagged frames (STP etc.) but in other setups that might be more of an issue.
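
A check for the layout reported above, written as an added example and not taken from the original post: it flags any interface that is a bridge member while also being the parent of a VLAN subinterface. It assumes VLANs are declared as dotted names in `cloned_interfaces` and bridge members with `addm`, as in the rc.conf shown; the function names and the cut-down sample are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Reads rc.conf text on stdin and
# prints "<parent> <bridge>" for every interface that is added to a bridge
# while also being the parent of a dotted VLAN clone such as igb0.32.
trunk_bridge_conflicts() {
    awk '
        /^[ \t]*#/ { next }                      # ignore commented-out settings
        /^cloned_interfaces=/ {
            sub(/^[^=]*=/, ""); gsub(/"/, "")    # keep the value; fields re-split
            for (i = 1; i <= NF; i++) {
                d = index($i, ".")               # igb0.32 -> parent igb0
                if (d > 1) parent[substr($i, 1, d - 1)] = 1
            }
        }
        /^ifconfig_bridge[0-9]+=/ {
            br = $0; sub(/^ifconfig_/, "", br); sub(/=.*/, "", br)
            sub(/^[^=]*=/, ""); gsub(/"/, "")
            for (i = 1; i < NF; i++)             # the word after addm is a member
                if ($i == "addm") member[$(i + 1)] = br
        }
        END {
            for (m in member)
                if (m in parent) print m, member[m]
        }
    ' | sort
}

# Constructed sample: a cut-down version of the posted rc.conf with the
# bridge0 line enabled, i.e. the layout that broke tagged traffic.
sample_broken() {
    cat <<'EOF'
cloned_interfaces="bridge0 bridge32 igb0.32 igb2.32"
# ifconfig_bridge99="addm igb9"
ifconfig_igb0="up"
ifconfig_bridge0="addm igb0 addm igb2 10.0.10.2/24 up"
ifconfig_bridge32="addm igb0.32 addm igb2.32 10.0.32.2/24 up"
EOF
}

sample_broken | trunk_bridge_conflicts
```

On a host, feed it the live file with `trunk_bridge_conflicts < /etc/rc.conf`; empty output means no trunk parent is bridged.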
 