Bridging a vlan trunk with a gif tunnel?
Hauke Fath
hf at spg.tu-darmstadt.de
Sun Apr 1 14:44:39 UTC 2018
Hi,

I am trying to network a remote site with a main site through a bridged
gif tunnel, and it doesn't work for me. The if_bridge(4) man page
sounds deceptively easy. Browsing the web, what came up didn't help;
<https://lists.freebsd.org/pipermail/freebsd-net/2017-November/049278.html>
sounded vaguely related.

In the past, I have set up a similar link by tunneling ip over gif, but
routing turned out to be intricate, and I figured just bridging the
exclave with the main site would save me routing issues, plus I could
stick with the existing subnets.
The setup:

The main site runs a filtering router (freebsd 11, pf) to connect a
dozen subnets via vlans over an ix(4) trunk. The router serves dhcp to
several of those subnets. The trunk is bridged to the gif tunnel
interface:

cloned_interfaces="gif0 bridge0"
ifconfig_bridge0="addm ix0 addm gif0 up"
ifconfig_gif0="tunnel 130.83.aa.bb 130.83.cc.dd mtu 1500 up"
ifconfig_ix0="up"

The exclave bridge machine connects a trunk with three subnets over a
gif(4) tunnel:

cloned_interfaces="gif0 bridge0"
ifconfig_bridge0="addm em1 addm gif0 up"
ifconfig_gif0="tunnel 130.83.cc.dd 130.83.aa.bb mtu 1500 up"
ifconfig_em1="up"
Bridge sysctls on both machines:

# sysctl net.link.bridge
net.link.bridge.ipfw: 0
net.link.bridge.allow_llz_overlap: 0
net.link.bridge.inherit_mac: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 0
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_onlyip: 0
#

After finding and setting the above sysctls, the setup connects both
segments of each bridged vlan successfully, in that I can ping and
ssh-login from a machine on one segment to a machine on the other (or
rather, I could, until the latter machine's dhcp lease ran out, and I
am off-site). But there is no connection between the exclave segments
and the main-site router interfaces, neither for dhcp nor ip
connectivity.

So while an exclave machine is requesting an ip address through dhcp
(which the main router is expected to serve)

bridge0:
14:00:52.129710 d8:cb:8a:6e:74:29 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 380: vlan 7, p 0, ethertype IPv4, 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from d8:cb:8a:6e:74:29 (oui Unknown), length 334

at the same time the main router calls that machine to identify

ix0:
14:00:00.866778 a0:36:9f:25:62:d4 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 46: vlan 7, p 0, ethertype ARP, Request who-has Plaike.nt.e-technik.tu-darmstadt.de tell 130.83.228.62, length 28

In short, the main router vlan interfaces do not see traffic coming to
their trunk via gif and bridge, nor can they send traffic that way.

Is there a magic knob that I have overlooked that will enable this
connection, or what else could I be missing?

Cheerio,
hauke
--
The ASCII Ribbon Campaign Hauke Fath
() No HTML/RTF in email Institut für Nachrichtentechnik
/\ No Word docs in email TU Darmstadt
Respect for open standards Ruf +49-6151-16-21344
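As an added example, not part of Hauke's post and not a FreeBSD tool: a small sh script that reads the kind of `sysctl net.link.bridge` output and `ifconfig_bridge0` value quoted above and reports whether pf(4) on the "filtering router" still gets to inspect frames that enter the bridged VLANs through the gif member. The sysctl text and rc.conf value embedded here are constructed copies of what the post shows, so the script runs offline; the function names are my own, and on a live host you would feed it the real sysctl output and the value from /etc/rc.conf instead.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the bridge/pf
# interaction the message describes. The sysctl output and rc.conf value
# below are constructed copies of what the poster quoted, embedded so the
# script runs offline; on a live host use `sysctl net.link.bridge` and the
# ifconfig_bridge0 value from /etc/rc.conf instead.

SAMPLE_SYSCTL='net.link.bridge.ipfw: 0
net.link.bridge.allow_llz_overlap: 0
net.link.bridge.inherit_mac: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 0
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_onlyip: 0'

MAIN_BRIDGE_RC='addm ix0 addm gif0 up'

# bridge_sysctl NAME INPUT -> value of net.link.bridge.NAME found in INPUT
bridge_sysctl() {
    printf '%s\n' "$2" | awk -v key="net.link.bridge.$1:" '$1 == key { print $2 }'
}

# pf_sees_bridged_traffic INPUT -> where pf(4) gets to inspect frames that
# cross the bridge, per if_bridge(4): "bridge" (on bridgeN), "member" (on
# each member interface), "both", or "none" when both pfil knobs are 0.
pf_sees_bridged_traffic() {
    b=$(bridge_sysctl pfil_bridge "$1")
    m=$(bridge_sysctl pfil_member "$1")
    case "$b$m" in
        11) echo both ;;
        10) echo bridge ;;
        01) echo member ;;
        00) echo none ;;
        *)  echo unknown ;;
    esac
}

# bridge_members RC_VALUE -> interfaces named by "addm" in an
# ifconfig_bridgeN= value: "addm ix0 addm gif0 up" -> "ix0 gif0"
bridge_members() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "addm") printf "%s%s", (n++ ? " " : ""), $(i + 1)
        print ""
    }'
}

# unfiltered_tunnel_members RC_VALUE SYSCTL_INPUT -> gif members whose
# frames pf never inspects, one per line; empty when pf filters somewhere.
# gif(4) is plain IP-in-IP encapsulation with no authentication or
# encryption, so such a member puts the far end of the tunnel directly on
# the bridged segment with nothing in between.
unfiltered_tunnel_members() {
    [ "$(pf_sees_bridged_traffic "$2")" = none ] || return 0
    for ifn in $(bridge_members "$1"); do
        case "$ifn" in gif*) printf '%s\n' "$ifn" ;; esac
    done
}

# Stand-alone run: report on the main-site configuration quoted above.
printf 'bridge members: %s\n' "$(bridge_members "$MAIN_BRIDGE_RC")"
printf 'pf inspects bridged frames: %s\n' "$(pf_sees_bridged_traffic "$SAMPLE_SYSCTL")"
for ifn in $(unfiltered_tunnel_members "$MAIN_BRIDGE_RC" "$SAMPLE_SYSCTL"); do
    printf 'unfiltered tunnel member: %s\n' "$ifn"
done
```

The check worth keeping from this is the "none" result: with pfil_bridge and pfil_member both 0, which is what the quoted sysctls show, pf on the router never sees a frame that arrives over gif0, and the bridged VLANs are then reachable from whoever can send encapsulated packets to the tunnel's outer address. Setting pfil_bridge=1 puts pf back in the path on bridge0, pfil_member=1 puts it on ix0 and gif0 individually; either way the pf ruleset, not the bridge, decides what crosses.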