Q 17.7.12 vs 18.1 - VLAN in bridge working?

[epoch]

Hi there.
I was asked to setup a site to site bridge between 2 sites with identical networks. The router at each site is an APU2 running OPNsense 17.7.x.

I elected to use OpenVPN over an anonymous bridge in order to avoid the routing issue.
On 17.7.12, my remote clients were able to get a DHCP lease from the other side, but then they couldn't ping anybody except their neighbours on the switch.
I traced that down to my use of a VLAN over ibg1 as a bridge member. As soon as I used a VLAN-free opt1 (igb2) interface, my clients were ok.

I've found a rather old thread (15.7 ?) relating to issues using VLANs as bridge members.
I didn't test with 18.1, I would like to know if someone can confirm the issue still exists, and if there is a workaround?

Thanks!

[franco]

I can't remember reading about it in FreeBSD or here in the forum. That would mean the issue is still there, but could also be a configuration / switch issue. Best to double-check against FreeBSD bugs:

https://bugs.freebsd.org/bugzilla/


Cheers,
Franco

[epoch]

Hiya Franco,
Agreed those pesky PVIDs and tags can cause problems... I think I will check again but I'm pretty sure it's not a switch setup issue.
The thread I wanted to refer to is not so old in fact: https://forum.opnsense.org/index.php?topic=3753.msg13804#msg13804
Unlike the OP I did not take the time to tcpdump the traffic.
There isn't heaps of bridge/vlan bugs opened in FreeBSD, but I'm not sure my case relates to one.

Anyways, if I check again and find my switch setup was faulty, I will post an update here.
Thanks!

[muchacha_grande]

Hi epoch,

   I have a TAP VPN configured sinse 5 years ago. I created it on pfSense.
   Then I implemented VLANs in my network and the bridged LAN started to be VLAN 2.
   After that I implemented a TUN VPN and stopped using the bridged one.
   Then I migrated to OPNSense with the very same configuration.
   Today I tested the bridged VPN and I found it working allright.
   May be there is some mistake on your config.

   I remember that in some instance I had the same problem that you told.

   If you have some question about the config, just ask.

Cheers

[epoch]

I really think it's hosed.

Bridge 1 on IGB1, no VLAN: DHCP and ping works for clients (192.168.1.0/24)
+ add VLAN 20 on IGB1, give it an IP: DHCP and ping works for clients (192.168.5.0/24) -> switch config is ok.
- unconfigure IGB1.20
+ make IGB1.20 a member of Bridge 2, give the former IP config to Bridge 2: DHCP works for clients (192.168.5.0/24), clients can't ping or communicate with the router. Router can't ping client.

I ran a tcpdump and IGB1.20 does receive traffic. There is never a reply so I suppose the traffic vanishes past IGB1.20
Unlike linux it's not possible it seems to attach a VLAN ID to the bridge itself, so I couldn't try that.