ipfw on vlans
Victor Gamov
vit at otcnet.ru
Fri Oct 26 19:06:37 UTC 2018
Hi All
I have some misunderstanding while configuring ipfw on VLAN-only interfaces.
My network looks like the following:
-- network switch Juniper EX-2200 with the port configured as follows:
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ vlan1201 vlan1202 vlan202 ];
                }
            }
        }
    }
    vlan1201 {
        vlan-id 1201;
    }
-- FreeBSD 11.1-STABLE (r328066) connected to the switch. vlan1201 on
FreeBSD is configured as:
    vlan1201: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=200001<RXCSUM,RXCSUM_IPV6>
            ether 00:1b:21:bc:a8:0a
            inet 10.200.200.161 netmask 0xfffffff0 broadcast 10.200.200.175
            nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
            media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active
            vlan: 1201 vlanpcp: 0 parent interface: igb2
            groups: vlan
-- igb2 is configured as:
    igb2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=6403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
            ether 00:1b:21:bc:a8:0a
            hwaddr 00:1b:21:bc:a8:0a
            nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
            media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active
I need to filter multicast received via vlan1201 and add the following rules:
20000 allow udp from any to 239.20.2.1 in via vlan1201
30000 deny ip from any to any via vlan1201
<some other rules not about vlan1201 nor igb2>
65000 deny ip from any to any
But no packets are received by rule 20000, and I need to add:
15000 allow ip from any to any via igb2
Here is my misunderstanding (or misconfiguration?): why do I need "allow via
igb2" when I receive IP traffic via VLANs only?
And why do my test ipfw rules log something like
Deny P:103 172.16.69.5 224.0.0.13 in via igb2
while I have no traffic on plain igb2, only on VLANs?
Thanks for any explanations.
--
CU
Victor Gamov
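As an added example (not part of the original post, and not ipfw's own tooling), here is a small sh/awk script that tallies ipfw log lines per interface, direction, action, protocol and destination, so the split between matches logged "via igb2" and "via vlan1201" is visible at a glance instead of being read off individual log lines. The log lines embedded in it are constructed to mimic the post's "Deny P:103 172.16.69.5 224.0.0.13 in via igb2" output; the hosts, ports, rule numbers and the hostname "fw" are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from ipfw itself: tally ipfw
# log lines per interface so it is visible how many matches land on the
# physical parent (igb2) versus the VLAN interface (vlan1201).
# The log lines below are constructed to mimic the post's
# "Deny P:103 172.16.69.5 224.0.0.13 in via igb2" output; hosts, ports,
# rule numbers and the hostname are assumptions.

SAMPLE_LOG='Oct 26 19:00:01 fw kernel: ipfw: 30000 Deny P:103 172.16.69.5 224.0.0.13 in via igb2
Oct 26 19:00:02 fw kernel: ipfw: 20000 Accept UDP 172.16.69.5:5000 239.20.2.1:5000 in via vlan1201
Oct 26 19:00:03 fw kernel: ipfw: 30000 Deny P:103 172.16.69.5 224.0.0.13 in via igb2
Oct 26 19:00:04 fw kernel: ipfw: 65000 Deny UDP 10.200.200.162:5000 239.20.2.1:5000 in via igb2'

# count_via IFACE: number of logged packets whose "via" interface is IFACE.
# Reads log lines on stdin.
count_via() {
    awk -v want="$1" '/ipfw:/ && $(NF-1) == "via" && $NF == want { n++ } END { print n + 0 }'
}

# summarize_ipfw_log: one line per (iface, direction, action, proto, dst)
# with its hit count, highest count first.  Ports are stripped from dst so
# flows to the same multicast group aggregate.  Reads log lines on stdin.
summarize_ipfw_log() {
    awk '
        /ipfw:/ {
            # Fields after the "ipfw:" token are:
            #   rule action proto src dst dir "via" iface
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            action = $(i + 2); proto = $(i + 3); dst = $(i + 5)
            dir = $(i + 6);    iface = $(i + 8)
            sub(/:[0-9]+$/, "", dst)
            key = iface " " dir " " action " " proto " " dst
            count[key]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Stand-alone run: summarize the constructed sample, then show the
# per-interface split.
printf '%s\n' "$SAMPLE_LOG" | summarize_ipfw_log
printf 'via igb2: %s  via vlan1201: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | count_via igb2)" \
    "$(printf '%s\n' "$SAMPLE_LOG" | count_via vlan1201)"
```

On a real host, replace the embedded sample with the live log (ipfw logs through the security facility, normally /var/log/security, so `grep 'ipfw:' /var/log/security | summarize_ipfw_log`). If hits keep landing on the parent interface, one setting worth checking is `sysctl net.link.ether.ipfw`: when it is 1, ipfw is also invoked at the Ethernet layer on the parent interface, where a tagged frame is matched "via igb2" before 802.1Q demultiplexing hands it to vlan1201, and the `layer2` keyword in ipfw(8) exists to restrict a rule to that pass.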
More information about the freebsd-ipfw mailing list