Odd VLAN behavior: VLAN 1 untagged, others tagged

Started by pfry, January 04, 2025, 05:31:09 AM

Config: ixl3 had 9 VLANs associated, connected to a 10-port switch with ports 1-9 each assigned a unique VLAN; port 10 assigned all, where 1 was untagged and the rest tagged. On the firewall, the various VLANs and main interface were each assigned to one of three bridges. The odd part: From the various switch ports I could obtain a DHCP IP appropriate to the associated bridge, but only VLAN 1 (port 1) would pass traffic (correctly). All traffic showed up on the firewall as entering the bridge to which the main ixl3 interface was assigned. When I removed ixl3 from its bridge, all of the others (the VLANs) worked.

So I tagged VLAN 1 on the aggregate port on the switch, added it and assigned it on the firewall, and now (after a reboot - the bridge was unhappy after reconfiguration and poking it didn't help, so I just rebooted the firewall) it all works. I recall potential issues with entrance interface assignment regarding bridges and packet filtering, but nothing regarding VLANs. Did I miss it?

I'd poke around a bit and perhaps reply to myself, but with the ready solution, I probably won't.

Why bridge rather than bond? Interfaces: Other Types: LAGG

I'm pretty sure you can't have an interface be a member of a bridge and also have VLAN subinterfaces at the same time. The only way you can mix the two is to build bridges with VLAN subinterfaces as members, but you can't do that for the untagged VLAN, as there is no subinterface for that.

What are you trying to accomplish with these bridges anyway? It seems rather convoluted...

Confirming what @dseven wrote: an interface that is a member of a bridge cannot carry VLAN tags in FreeBSD.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
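To make the constraint dseven and Patrick describe concrete, here is an added rc.conf(5) sketch for plain FreeBSD (not from the thread, and not how OPNsense stores its configuration) contrasting the original layout with the one that works. Only ixl3 and VLAN 1 come from the thread; VLAN IDs 10 and 20, the LAN ports igb0/igb1/igb2 and the addresses are constructed.

```shell
# Added example: FreeBSD rc.conf(5) for the two layouts discussed above.
# Constructed values: VLAN IDs 10 and 20, ports igb0/igb1/igb2, addresses.

# --- ORIGINAL LAYOUT (does not work) ---
# ixl3 itself is a bridge member AND carries VLAN subinterfaces. The bridge
# receives every frame arriving on ixl3, tagged or not, so ixl3.10/ixl3.20
# see nothing and all traffic shows up on bridge0 (as observed in the post).
#   vlans_ixl3="10 20"
#   ifconfig_bridge0="addm ixl3 addm igb0 up"      # untagged VLAN 1 via parent
#   ifconfig_bridge1="addm ixl3.10 addm igb1 up"
#   ifconfig_bridge2="addm ixl3.20 addm igb2 up"

# --- WORKING LAYOUT (the fix from the thread) ---
# Tag VLAN 1 on the switch trunk as well, so every bridge member on ixl3 is a
# VLAN subinterface and the parent interface is never a bridge member.
vlans_ixl3="1 10 20"          # creates ixl3.1, ixl3.10, ixl3.20
ifconfig_ixl3="up"
ifconfig_ixl3_1="up"
ifconfig_ixl3_10="up"
ifconfig_ixl3_20="up"

cloned_interfaces="bridge0 bridge1 bridge2"
ifconfig_bridge0="inet 192.168.1.1/24 addm ixl3.1 addm igb0 up"
ifconfig_bridge1="inet 192.168.10.1/24 addm ixl3.10 addm igb1 up"
ifconfig_bridge2="inet 192.168.20.1/24 addm ixl3.20 addm igb2 up"
```

The rule of thumb encoded here: a physical port either is a bridge member or is a VLAN parent, never both, which is why the untagged VLAN had to become a tagged one.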

Quote from: Patrick M. Hausen on January 04, 2025, 10:30:34 AM
Confirming what @dseven wrote: an interface that is a member of a bridge cannot carry VLAN tags in FreeBSD.

OK, a known issue. Interesting. Thanks.

Quote from: bartjsmit on January 04, 2025, 10:16:12 AM
Why bridge rather than bond? Interfaces: Other Types: LAGG

Not the problem I'm trying to solve. I'll throw in a post in General Discussion, but in short, I have a US consumer (-type "business" service) Internet link with static IPs, which (generally) means bridged service. My last real problem is the #$%^&! proxy ARP behavior of the provider equipment (ONT or upstream).

Quote from: pfry on January 04, 2025, 03:58:37 PM
Not the problem I'm trying to solve. I'll throw in a post in General Discussion, but in short, I have a US consumer (-type "business" service) Internet link with static IPs, which (generally) means bridged service. My last real problem is the #$%^&! proxy ARP behavior of the provider equipment (ONT or upstream).

...and I failed to answer the actual question, so replying to myself again. The trunk port and switch act as a port expander, nothing more, thus one VLAN per port. I run all traffic through the firewall for centralized management/control, and I can put the switch ports some distance from the firewall.