Hi,
I have a setup where my LAN is on a bridge on two physical 10Gbe interfaces because I need both a connection to my switch and one more computer (basically I want to use one 10Gbe interface like a switch port).
So far, this works fine.
However, since I also need a VLAN for a separated IoT network, I tried to establish a VLAN on the LAN bridge. I know how to do this for normal interfaces and it works fine for those.
However, I found that the resulting interface looks strange and does not work:
bridge0_vlan107: flags=8003<UP,BROADCAST,MULTICAST> metric 0 mtu 1500
	ether 00:00:00:00:00:00
	inet6 fe80::3eec:efff:fe6c:36da%bridge0_vlan107 prefixlen 64 tentative scopeid 0x11
	inet 192.168.107.2 netmask 0xffffff00 broadcast 192.168.107.255
	groups: vlan
	vlan: 0 vlanpcp: 0 parent interface: <none>
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
The IP works, the network does not:
# ping 192.168.107.2
PING 192.168.107.2 (192.168.107.2): 56 data bytes
64 bytes from 192.168.107.2: icmp_seq=0 ttl=64 time=0.103 ms
64 bytes from 192.168.107.2: icmp_seq=1 ttl=64 time=0.066 ms
^C
--- 192.168.107.2 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
# ping 192.168.107.1
PING 192.168.107.1 (192.168.107.1): 56 data bytes
ping: sendto: Network is down
ping: sendto: Network is down
^C
--- 192.168.107.1 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
Note that bridge0_vlan107 has a blank MAC (ether 00:00:00:00:00:00) and no VLAN (0). I think it should inherit the MAC from bridge0 (which seems synthetic, i.e. not one of the interface MACs). Even if I specify that MAC in the webui, it is still not set. I can set it from the command line, though.
To me it seems that both the MAC and the VLAN are not set correctly for VLANs on bridge interfaces. Is that a bug, or am I doing something wrong?
It works the other way round.
physical - lagg - vlan - bridge.
Thank you. I did not realize that you can assign IP addresses to a VLAN, leave the VLAN master interface unassigned and use that in a bridge. Somehow I got the impression that none of the devices in a bridge can have their IP assigned - which is true, but not for VLANs underneath it.
This way, I can also have the other interface complete without VLANs - as an "access" port, whereas the interface with VLANs is the trunk that connects to my switch.
Strange enough that my initial setup was possible via the GUI.
Even further - if you use bridging and there is an IP address and not only a layer 2 connect, the IP address must always go to the bridge, never one of the member interfaces.
It will work with IPv4 unicast if configured "wrong", but it will break for IPv6 and possibly IPv4 multicast, too.
That requirement is well documented:
https://docs.freebsd.org/en/books/handbook/advanced-networking/#network-bridging
Quote: "If the bridge host needs an IP address, set it on the bridge interface, not on the member interfaces."
Right, thinking about it I always had to bridge each VLAN individually on my Linux server.
This fact is somewhat hidden when you configure interfaces on a switch, where you just set an interface to "trunk" mode and define VLANs. As a matter of fact, there is an automatic "bridge" for each VLAN in a switch.
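The two failure states discussed in this thread (a VLAN interface with tag 0 and no parent, and an IP address on a bridge member) can be checked for from `ifconfig` output. The script below is an added example, not code from any poster; the function names are hypothetical, and the interface names ix0/ix1, the ix0.107 VLAN and the 192.168.1.1 address in the sample are constructed.

```shell
#!/bin/sh
# Added example. Reads FreeBSD `ifconfig` output on stdin and reports:
#   BROKEN_VLAN   a vlan interface with tag 0 or no parent (state from the first post)
#   IP_ON_MEMBER  a bridge member that carries an IPv4 address (handbook rule)
audit_ifconfig() {
    awk '
    /^[^ \t]/       { ifn = $1; sub(/:$/, "", ifn); order[++n] = ifn }
    $1 == "inet"    { inet[ifn] = $2 }
    $1 == "vlan:"   { isvlan[ifn] = 1; tag[ifn] = $2
                      if ($0 ~ /parent interface: <none>/) orphan[ifn] = 1 }
    $1 == "member:" { member[$2] = 1 }
    END {
        for (i = 1; i <= n; i++) {
            x = order[i]
            if (isvlan[x] && (orphan[x] || tag[x] + 0 == 0))
                print "BROKEN_VLAN " x " tag=" tag[x]
            if (member[x] && (x in inet))
                print "IP_ON_MEMBER " x " " inet[x]
        }
    }'
}

# Constructed sample: the bridge0_vlan107 stanza follows the first post,
# everything else (ix0, ix1, ix0.107, 192.168.1.1) is made up for the example.
sample_ifconfig() {
    cat <<'EOF'
ix0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
ix1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    member: ix0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
    member: ix1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
bridge0_vlan107: flags=8003<UP,BROADCAST,MULTICAST> metric 0 mtu 1500
    ether 00:00:00:00:00:00
    inet 192.168.107.2 netmask 0xffffff00 broadcast 192.168.107.255
    groups: vlan
    vlan: 0 vlanpcp: 0 parent interface: <none>
ix0.107: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    groups: vlan
    vlan: 107 vlanpcp: 0 parent interface: ix0
EOF
}

# On the firewall itself: ifconfig | audit_ifconfig
sample_ifconfig | audit_ifconfig
```

An IoT VLAN that silently ends up with tag 0 or no parent is not carrying tagged traffic at all, so a check like this is worth running after any change to the bridge or VLAN assignments.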