Bridges on VLAN-tagged interfaces.
Eric Bautsch
eric.bautsch at pobox.com
Mon Mar 18 21:13:01 UTC 2019
Hi All.
OK, slight reset: I have no idea what I did wrong last time (I suspect something
to do with my rc.conf settings, more on that later), but what I can now do is this:
I can get my base interface re0 configured with an IP address and at the same
time have an re0.33 interface (on VLAN 33) inside a bridge (bridge0 in this
case), then configure an IP on bridge0 and get both (!) to ping.
I would have sworn I had tried this and it hadn't worked, but alas, it now does.
I think this is because I tested something slightly different last time and had
a bridge created on re0 via settings in rc.conf. If I do that, I can't seem to
get my networking to work after. But that's a problem for a different day...
The problem that still persists and that I need to fix (in order to be able to
use FreeBSD as my host for my VMs, which is where this is all going) is this:
I now have a bridge0 on re0.33 which works, great.
I now configure a bridge1 which contains re0 and put an IP on that bridge, and
hey presto, that IP pings, but the IP on bridge0 on VLAN 33 stops pinging.
It seems that at the point where I put re0 inside a bridge, the other bridge
doesn't get any IP traffic any more.
Funnily enough, if I configure a bridge0 on re0 and then plumb up an re0.33,
both of them ping, too.
But no matter what I do, a bridge on re0 prevents another bridge on any of the
vlan tagged interfaces from working.
Someone at some point told me that the untagged network on FreeBSD cannot really
be used if I also have tagged VLANs on the same hardware, but I hope that's not
true and that I need some magic incantation....
I was considering if I could somehow "clone" my re0 interface and put that clone
into my bridge, but I haven't been able to find a way of doing that. I also
tried to create an re0.0 in the hopes that that would signify untagged, but
FreeBSD doesn't allow this.
Any pointers greatly appreciated.
Thanks.
Eric
P.S. Yes, I appreciate that I can just present that untagged VLAN as a tagged
one and then my problems go away, but then I need to create a new VLAN to use
untagged, so that I can do network installations on that, which would need to
either be routed or have DNS, YP, etc. services on it as well as of course an
installation server, so that'd be a huge amount of work....
On 16/03/2019 20:09, Eric Bautsch wrote:
> Thanks, Harry.
>
> I'll hopefully get a chance to try this tomorrow.... I'll let the list know
> the outcome.
>
>
> Eric
>
>
> P.S. Sorry for the formatting, no idea why that got re-formatted on the list.....
>
>
>
> On 15/03/19 11:02, Harry Schmalzbauer wrote:
>> On 15.03.2019 at 11:21, Harry Schmalzbauer wrote:
>>> On 11.03.2019 at 11:48, Eric Bautsch wrote:
>>> …
>>>> ifconfig bridge create
>>>> ifconfig bridge1 addm re0.33
>>>>
>>>> If I now put an IP on that bridge instead of re0.33, it does not ping.
>>>>
>>>> If I do a broadcast ping from another host on that network thus (Solaris
>>>> system issuing the ping):
>>>> ping -sn 192.168.33.255
>>>>
>>>> I can see packets arriving if I |tcpdump -i re0.33| and if I |tcpdump -i
>>>> bridge1|
>>>> However, on neither interface do I see any pings coming in when I ping its
>>>> own address (in this case 192.168.33.20).
>>>
>>> IP stack processes them without passing it to the interface(s), so that's
>>> not unusual.
>>>
>>>
>>>> The Solaris system issuing the pings has learned the arp address of the
>>>> bridge though:
>>>> Code:
>>>>
>>>> root@gaspra # arp -an | grep 192.168.33.20
>>>> net1 192.168.33.20 255.255.255.255 02:a7:91:b6:3a:01
>>>>
>>>> If I |tcpdump -i bridge1|, I do get some packets, but not any echo requests:
>>>> Code:
>>>>
>>>> root@bianca # tcpdump -i bridge1
>>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>>> listening on bridge1, link-type EN10MB (Ethernet), capture size 262144 bytes
>>>> 11:05:26.081185 ARP, Request who-has 192.168.33.20 (Broadcast) tell juliet-punchin.swangage.co.uk, length 46
>>>> 11:05:26.081197 ARP, Reply 192.168.33.20 is-at 02:a7:91:b6:3a:01 (oui Unknown), length 28
>>>> 11:05:38.201079 IP6 fe80::7285:c2ff:fea6:583c > ff02::2: ICMP6, router solicitation, length 16
>>>> 11:06:04.079441 ARP, Request who-has 192.168.33.20 (Broadcast) tell juliet-punchin.swangage.co.uk, length 46
>>>> 11:06:04.079464 ARP, Reply 192.168.33.20 is-at 02:a7:91:b6:3a:01 (oui Unknown), length 28
>>>> 11:06:17.588644 ARP, Request who-has 192.168.33.20 (Broadcast) tell gaspra-punchin.swangage.co.uk, length 46
>>>> 11:06:17.588665 ARP, Reply 192.168.33.20 is-at 02:a7:91:b6:3a:01 (oui Unknown), length 28
>>>
>>> If I read it correctly, all you get are ethernet broadcast frames.
>>> (Hard) Reading next:
>>> …
>>>> root@bianca # ifconfig -a
>>>> re0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>>>     options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
>>>>     ether 80:ee:73:63:5c:48
>>>>     media: Ethernet autoselect (1000baseT <full-duplex,master>)
>>>>     status: active
>>>>     nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
>>>> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>>>>     options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
>>>>     inet6 ::1 prefixlen 128
>>>>     inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
>>>>     inet 127.0.0.1 netmask 0xff000000
>>>>     groups: lo
>>>>     nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
>>>> bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>>>     ether 02:a7:91:b6:3a:00
>>>>     inet 192.168.140.85 netmask 0xffffff00 broadcast 192.168.140.255
>>>>     id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
>>>>     maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
>>>>     root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
>>>>     member: re0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
>>>>             ifmaxaddr 0 port 1 priority 128 path cost 55
>>>>     groups: bridge
>>>>     nd6 options=9<PERFORMNUD,IFDISABLED>
>>>> re0.33: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>>>     options=80003<RXCSUM,TXCSUM,LINKSTATE>
>>>>     ether 80:ee:73:63:5c:48
>>>>     inet6 fe80::82ee:73ff:fe63:5c48%re0.33 prefixlen 64 scopeid 0x4
>>>>     groups: vlan
>>>>     vlan: 33 vlanpcp: 0 parent interface: re0
>>>>     media: Ethernet autoselect (1000baseT <full-duplex,master>)
>>>>     status: active
>>>>     nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
>>>> bridge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>>>     ether 02:a7:91:b6:3a:01
>>>>     inet 192.168.33.20 netmask 0xffffff00 broadcast 192.168.33.255
>>>>     id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
>>>>     maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
>>>>     root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
>>>>     member: re0.33 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
>>>>             ifmaxaddr 0 port 4 priority 128 path cost 20000
>>>>     groups: bridge
>>>>     nd6 options=9<PERFORMNUD,IFDISABLED>
>>>> root@bianca #
>>>
>>> Here you have a universally administered address (UAA) on the parent
>>> interface re0, which is the same for the vlan clone re0.33, and a locally
>>> administered address (LAA) on if_bridge(4), which was verified to be
>>> announced.
>>> In order to get through the MAC filter of the ethernet interface, re0.33
>>> must be in PROMISC mode.
>>> I remember having seen two different PROMISC interface status – never
>>> tracked it down. But issuing 'ifconfig re0.33 promisc' might result in a
>>> second PROMISC status report on re0.33 and a working setup...
>>
>> Should have read man page before posting, sorry. This is supposed to be done
>> by ifconfig(8)'s "addm" command.
>> But like mentioned, I can see PROMISC _two_ times in the interface status
>> line of ifconfig(8), after putting the interface manually in permanent
>> promisc mode (stable/12).
>>
>> Don't know how the filter of the parent interface is involved in the vlan
>> clone and I have no idea if "addm" respects it, in case it is involved.
>> Before code inspection, I'd try and put the parent re0 manually into
>> permanent promisc mode and see if you can see unicast frames afterwards.
>>
>> -Harry
>>
>>
--
____
/ . Eric A. Bautsch
/-- __ ___ ______________________________________
/ / / / /
(_____/____(___(__________________/ email: eric.bautsch at pobox.com
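
The quoted reply reasons that bridge1 answers ARP with a locally administered MAC that differs from the NIC's own address, so the member re0.33 (and possibly its parent re0) must be promiscuous to receive unicast frames for it. As an added example that is not part of the original thread, this Python script parses ifconfig output and reports that condition for every bridge member; the function names are hypothetical and the sample is abbreviated from the output quoted above.

```python
import re

# Abbreviated from the ifconfig -a output quoted in the thread (lo0, bridge0 omitted).
SAMPLE = """\
re0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 80:ee:73:63:5c:48
re0.33: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 80:ee:73:63:5c:48
\tvlan: 33 vlanpcp: 0 parent interface: re0
bridge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 02:a7:91:b6:3a:01
\tmember: re0.33 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
"""

def parse_ifconfig(text):
    """Split ifconfig output into {name: {flags, ether, parent, members}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\S+): flags=\w+<([^>]*)>", line)
        if head:  # an unindented "name: flags=..." line starts a new stanza
            cur = ifaces[head.group(1)] = {
                "flags": set(head.group(2).split(",")),
                "ether": None, "parent": None, "members": []}
        elif cur is not None:
            if m := re.search(r"\bether ([0-9a-f:]{17})", line):
                cur["ether"] = m.group(1)
            if m := re.search(r"parent interface: (\S+)", line):
                cur["parent"] = m.group(1)
            if m := re.match(r"\s+member: (\S+)", line):
                cur["members"].append(m.group(1))
    return ifaces

def is_laa(mac):
    """Locally administered addresses have bit 0x02 set in the first octet."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def promisc_report(ifaces):
    """Rows of (bridge, port, port MAC differs from bridge MAC, port is PROMISC)
    for each bridge member and, for a vlan member, its parent interface."""
    rows = []
    for bridge, info in ifaces.items():
        for member in info["members"]:
            parent = ifaces.get(member, {}).get("parent")
            for port in filter(None, (member, parent)):
                p = ifaces.get(port)
                if p:  # skip ports missing from the parsed output
                    rows.append((bridge, port, p["ether"] != info["ether"],
                                 "PROMISC" in p["flags"]))
    return rows

if __name__ == "__main__":
    for row in promisc_report(parse_ifconfig(SAMPLE)):
        print(row)
```

On the thread's output both re0.33 and re0 already report PROMISC, so a row with a differing MAC and PROMISC unset would be the case the reply is looking for.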