Messages - lecris

#1
General Discussion / Re: VLANs over a Bridge interface
August 20, 2022, 07:36:33 AM
Quote from: pmhausen on August 19, 2022, 07:59:11 PM
As soon as the physical interface is a member of some bridge, you cannot have VLANs on that interface. I wrote that early in our conversation. Don't use the untagged interface when you want to use VLANs.

Thank you, that indeed solved my problem as well. Hopefully I can still get network boot to work over vlan.

Is it possible to add a check so that, when one tries to add a vlan to a bridge where either the untagged interface has an IP or is in a bridge, or the other way around, this warning pops up? This not working is not evident; e.g. in OpenWRT you can set up a switch interface with both untagged and tagged interfaces.
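The check asked for above, as an added example (not OPNsense's or FreeBSD's own code): a small Python model of the two rules pmhausen states in this thread (a bridge member must not carry an IP address; a physical interface that is a bridge member cannot be a VLAN parent), run over the layouts described in posts #2, #7 and #9. The bridge name bridge0 is assumed; the interface names are the ones from the posts.

```python
# Added example (not OPNsense or FreeBSD code): a model of the two rules quoted
# in this thread, expressed as a configuration check. Interface names come from
# the posts; "bridge0" is an assumed name.
from dataclasses import dataclass, field


@dataclass
class NetConfig:
    vlans: dict = field(default_factory=dict)      # vlan iface -> parent physical iface
    bridges: dict = field(default_factory=dict)    # bridge name -> set of member ifaces
    addresses: dict = field(default_factory=dict)  # iface -> address assigned to it


def check_bridge_vlan_config(cfg: NetConfig) -> list:
    """Return one finding per rule violation; an empty list means the layout is allowed."""
    findings = []
    members = {m for ms in cfg.bridges.values() for m in ms}
    # Rule 1: a bridge member must not have an IP address (FreeBSD handbook, quoted in the thread).
    for iface in sorted(members & set(cfg.addresses)):
        findings.append(f"{iface}: bridge member must not have an IP address ({cfg.addresses[iface]})")
    # Rule 2: a physical interface that is a bridge member cannot also be the parent of VLANs.
    for vlan, parent in sorted(cfg.vlans.items()):
        if parent in members:
            bridge = next(b for b, ms in cfg.bridges.items() if parent in ms)
            findings.append(f"{vlan}: parent {parent} is already a member of {bridge}; "
                            "remove it from the bridge or drop the VLAN")
    return findings


# Constructed from post #2: untagged igb0/igb1 in bridge1 while VLANs on them sit in bridge2/bridge3.
POST2 = NetConfig(
    vlans={"igb0.vlan110": "igb0", "igb1.vlan110": "igb1", "igb0.vlan20": "igb0", "igb1.vlan20": "igb1"},
    bridges={"bridge1": {"igb0", "igb1"}, "bridge2": {"igb0.vlan110", "igb1.vlan110"},
             "bridge3": {"igb0.vlan20", "igb1.vlan20"}},
)
# Constructed from post #7: two tagged members, address on the bridge itself (the allowed layout).
POST7 = NetConfig(
    vlans={"eno1.vlan10": "eno1", "eno2.vlan10": "eno2"},
    bridges={"bridge0": {"eno1.vlan10", "eno2.vlan10"}},
    addresses={"bridge0": "192.168.1.1/24"},
)
# Constructed from post #9: address on one VLAN member instead of on the bridge.
POST9 = NetConfig(
    vlans={"eno1.vlan10": "eno1", "eno2.vlan10": "eno2"},
    bridges={"bridge0": {"eno1.vlan10", "eno2.vlan10"}},
    addresses={"eno1.vlan10": "192.168.1.1/24"},
)

if __name__ == "__main__":
    for name, cfg in (("post #2", POST2), ("post #7", POST7), ("post #9", POST9)):
        print(name, check_bridge_vlan_config(cfg) or ["ok"])
```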
#2
General Discussion / Re: VLANs over a Bridge interface
August 19, 2022, 05:54:30 PM
@pmhausen, question: is the fact that I have multiple vlans on other bridges relevant? I.e.:
- bridge1:
    - igb0
    - igb1
- bridge2:
    - igb0.vlan110
    - igb1.vlan110
- bridge3:
    - igb0.vlan20
    - igb1.vlan20

Is it possible that the tagged interface is simply going through bridge1 unimpeded, and when I put the ip on the interface it just takes the appropriate traffic on that interface, and it just sometimes loops back around from bridge3 to bridge1? I do often see in the firewall log traffic that should be on bridge2 being reported on bridge1.

Are there appropriate configurations to avoid this? Would using only vlans (i.e. simply disabling bridge1 and related interfaces) fix such an issue?
#3
General Discussion / Re: VLANs over a Bridge interface
August 19, 2022, 03:52:57 PM
Unfortunately, that did not help. The hardware is an Intel Hunsn (can get specifics next week) if that matters in any way.

Edit: Also to confirm, it is ok that the vlan and interface have the same mac addresses, right? Running the packet capture, it seems that from the bridge it goes to the appropriate vlan interface, but nothing comes back (or goes through the other way).
#4
General Discussion / Re: VLANs over a Bridge interface
August 19, 2022, 03:14:24 PM
Could you or any other dev confirm that with the latest opnsense, the vlan is not broken?

Indeed that is the case. Is there another tool for more simple icmp requests?

Two curious things: for some reason I am able to get a dhcp address on the machine, and when I do some actions like adding the vlan bridge to an untagged bridge or the reverse, then for a brief millisecond the ping goes through both ways.
#5
General Discussion / Re: VLANs over a Bridge interface
August 19, 2022, 02:53:07 PM
No, it is not virtualized. The last screen is a linux terminal of a host on the vlan, not sure what is cryptic about it. It shows I have the correct tag setup and an ip within the subnet, but it cannot ping the gateway. I have more screenshots, but there is a limit of 4 per post, so here are more.

Promiscuous mode was off on all, and I tried turning them all on, but still nothing. I don't know how to do mac spoofing, so any hints on that?
#6
General Discussion / Re: VLANs over a Bridge interface
August 19, 2022, 02:31:19 PM
To confirm that I am not going crazy, here are screenshots of what you said would be an appropriate configuration and how I can confirm there are no firewall issues.

As you can see there is no connection between the host on the vlan interface and the bridge interface static ip. Outside connection to that IP works fine, but from vlan to bridge does not work. vlan to vlan worked last time I checked, but I need to fix my configuration to confirm that again.
#7
General Discussion / Re: VLANs over a Bridge interface
August 19, 2022, 07:43:29 AM
Probably we are miscommunicating with each other here. Currently I know that this configuration works:
- eno1.vlan10 -> bridge
- eno2.vlan10 -> bridge
- no router ip, just as a switch (with appropriate firewall setting)

I suspect from your discussion that the following works too, but haven't confirmed:
- eno1.vlan10 -> bridge
- eno2.vlan20 -> bridge
- eno3 (untagged) -> bridge
- no router ip, just as a switch

But the issue that I encounter is in the following setup:
- eno1.vlan10 -> bridge
- eno2.vlan10 -> bridge
- router ip 192.168.1.1/24 on bridge interface
- communication between 192.168.1.2/24 on eno1.vlan10 and 192.168.1.3/24 on eno2.vlan10 works just fine
- communication between 192.168.1.2/24 on eno1.vlan10 and 192.168.1.1/24 on bridge does not work

You are implying that it should work without a problem, but maybe there are tunables not set. If you are referring to the steps in https://docs.opnsense.org/manual/how-tos/lan_bridge.html#step-six, I have already tried that with no success. My suspicion was that it couldn't communicate because 192.168.1.1/24 was not on the same vlan 10, but you are saying that all traffic coming into eno1.vlan10 gets untagged when it is passed to the bridge, right? In that case I don't understand why my setup there doesn't work.
#8
General Discussion / Re: VLANs over a Bridge interface
August 19, 2022, 03:26:28 AM
Quote from: pmhausen on August 18, 2022, 10:34:25 AM
You need to assign the IP address to the bridge interface and leave both VLAN interfaces without an IP address.
This is also a fundamental property of FreeBSD and documented in the FreeBSD handbook. A bridge member interface MUST NOT have an IP address.

Setting the ip address on the bridge interface is indeed the most intuitive, but if we do that the vlans cannot communicate with it. And what I am trying to get at is whether there is any way to fix that. Is that a bug? Why is that setup not feasible? Can't we get the network to be untagged from one port and tagged on the other?
#9
General Discussion / Re: VLANs over a Bridge interface
August 18, 2022, 09:58:38 AM
Are there any updates on making a vlan on the bridge?

Currently I have set up a bridge with 2 vlan interfaces that I want to allow to freely communicate with each other on the same vlan, and allow routing to the external network via the opnsense. To get this working I have one vlan interface with an ip while the other is empty.

Problem is that it often gets connectivity issues to the opnsense ip and back, while it can (mostly) communicate well between the vlan interfaces.

I would like to keep some form of gating between the two interfaces so that I do not allow all vlans to pass through to the other switch, so simply connecting the two switches is not a viable solution here. Ideally I would want the traffic on this bridge to be untagged when it goes from the vlan port to the bridge and re-tagged when it goes through the vlan.