VLANs over a Bridge interface

Started by pankaj, August 17, 2022, 05:05:14 AM

August 19, 2022, 03:52:57 PM #15 Last Edit: August 19, 2022, 04:17:01 PM by lecris
Unfortunately, that did not help. The hardware is an Intel Hunsn (can get specifics next week) if that matters in any way.

Edit: Also to confirm, it is OK that the VLAN and the interface have the same MAC address, right? Running the packet capture, it seems that from the bridge it goes to the appropriate VLAN interface, but nothing comes back (or goes through the other way).

@pmhausen, question: is the fact that I have multiple VLANs on other bridges relevant? I.e.:
- bridge1:
    - igb0
    - igb1
- bridge2:
    - igb0.vlan110
    - igb1.vlan110
- bridge3:
    - igb0.vlan20
    - igb1.vlan20

Is it possible that the tagged interface is simply going through bridge1 unimpeded, and when I put the IP on the interface it just takes the appropriate traffic on that interface, and it just sometimes loops back around from bridge3 to bridge1? I do often see in the firewall log traffic that should be on bridge2 being reported on bridge1.

Are there appropriate configurations to avoid this? Would using only VLANs (i.e. simply disabling bridge1 and related interfaces) fix such an issue?

As soon as the physical interface is a member of some bridge, you cannot have VLANs on that interface. I wrote that early in our conversation. Don't use the untagged interface when you want to use VLANs.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Demusman on August 17, 2022, 12:36:17 PM
Don't use the bridge, you'll regret it.
Post pictures of your switch vlan config.

Thanks, I solved it. I had to tag each VLAN on the port that I was using as the uplink between the two switches... it seems obvious now, but not sure how I missed it earlier :D

Quote from: pmhausen on August 19, 2022, 07:59:11 PM
As soon as the physical interface is a member of some bridge, you cannot have VLANs on that interface. I wrote that early in our conversation. Don't use the untagged interface when you want to use VLANs.

Thank you, that indeed solved my problem as well. Hopefully I can still get network boot to work over VLAN.

Is it possible to add a check so that this warning pops up when one tries to add a VLAN to a bridge where the untagged interface either has an IP or is in a bridge, or the other way around? This not working is not evident; e.g. in OpenWRT you can set up a switch interface with both untagged and tagged interfaces.
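A check of the kind asked for above, written as an added example for this thread rather than OPNsense's own code: it parses FreeBSD-style `ifconfig` output and flags every VLAN interface whose parent is an untagged member of a bridge (the layout pmhausen says cannot work) or carries an IP address of its own. The `ifconfig` text below is a constructed sample modelled on FreeBSD output, not a capture from the poster's box; the interface names mirror the ones in the thread.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on FreeBSD `ifconfig` output (NOT captured
# from the original poster's box). igb0/igb1 are untagged members of
# bridge1 while igb0.110/igb1.110 (parents igb0/igb1) sit in bridge2:
# exactly the combination the thread says does not work.
SAMPLE_IFCONFIG = """\
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:11:22:33:44:55
igb1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:11:22:33:44:56
igb0.110: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:11:22:33:44:55
\tgroups: vlan
\tvlan: 110 vlanproto: 802.1q vlanpcp: 0 parent interface: igb0
igb1.110: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:11:22:33:44:56
\tgroups: vlan
\tvlan: 110 vlanproto: 802.1q vlanpcp: 0 parent interface: igb1
bridge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
\tmember: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
\tmember: igb1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
bridge2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.168.110.1 netmask 0xffffff00 broadcast 192.168.110.255
\tmember: igb0.110 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
\tmember: igb1.110 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
"""

# The corrected layout from the thread: drop bridge1 (the untagged bridge)
# and keep only the tagged sub-interfaces bridged.
FIXED_IFCONFIG = (SAMPLE_IFCONFIG[:SAMPLE_IFCONFIG.index("bridge1:")]
                  + SAMPLE_IFCONFIG[SAMPLE_IFCONFIG.index("bridge2:"):])

IFACE_RE = re.compile(r"^(\S+): flags=")
VLAN_RE = re.compile(r"^\s+vlan: (\d+) .*parent interface: (\S+)")
MEMBER_RE = re.compile(r"^\s+member: (\S+)")
INET_RE = re.compile(r"^\s+inet6? (\S+)")


def parse_ifconfig(text):
    """Return (vlan_parent, bridge_members, addresses) from ifconfig text.

    vlan_parent: vlan iface -> (tag, parent iface)
    bridge_members: bridge iface -> [member ifaces]
    addresses: iface -> [inet/inet6 addresses]
    """
    vlan_parent = {}
    members = defaultdict(list)
    addrs = defaultdict(list)
    cur = None
    for line in text.splitlines():
        head = IFACE_RE.match(line)
        if head:
            cur = head.group(1)          # start of a new interface block
            continue
        if cur is None:
            continue
        if (m := VLAN_RE.match(line)):
            vlan_parent[cur] = (int(m.group(1)), m.group(2))
        elif (m := MEMBER_RE.match(line)):
            members[cur].append(m.group(1))
        elif (m := INET_RE.match(line)):
            addrs[cur].append(m.group(1))
    return vlan_parent, dict(members), dict(addrs)


def find_conflicts(text):
    """List VLAN interfaces whose parent is also used untagged.

    Two conditions are flagged, matching the warning requested in the
    thread: the parent is a member of some bridge, or the parent carries
    an IP address itself.
    """
    vlan_parent, members, addrs = parse_ifconfig(text)
    member_of = {iface: br for br, ifs in members.items() for iface in ifs}
    problems = []
    for vif, (tag, parent) in sorted(vlan_parent.items()):
        if parent in member_of:
            problems.append(
                f"{vif}: parent {parent} is an untagged member of "
                f"{member_of[parent]}; VLAN {tag} cannot be used on a bridged "
                f"parent interface")
        if parent in addrs:
            problems.append(
                f"{vif}: parent {parent} has address(es) "
                f"{', '.join(addrs[parent])}; untagged and tagged use of one "
                f"port mixed")
    return problems


if __name__ == "__main__":
    for label, text in (("broken", SAMPLE_IFCONFIG), ("fixed", FIXED_IFCONFIG)):
        found = find_conflicts(text)
        print(f"{label}: {len(found)} conflict(s)")
        for p in found:
            print("  -", p)
```

On a real box you would feed it `ifconfig` output (for example via `subprocess.run(["ifconfig"], capture_output=True, text=True).stdout`) before committing a bridge or VLAN change; the parser only looks at the `flags=`, `vlan:`, `member:` and `inet` lines, so extra output is ignored.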

August 20, 2022, 09:11:46 AM #20 Last Edit: August 20, 2022, 09:18:27 AM by pmhausen
That question goes deeper into the code than I can implement. But some more documentation on VLANs and bridging is definitely called for. Glad it's working now.

FreeBSD and OPNsense are simply not a switch; OpenWRT sometimes is, depending on the hardware. E.g. FreeBSD does not know port-assigned VLANs; actually it doesn't know VLANs at all, only tagged interfaces. So one has to get creative with the bridge interface. It's like Cisco router vs. Cisco switch.

General recommendation: use a fast enough trunk port, better yet LACP, to connect to a switch, and do everything else on the switch. So-called router-on-a-stick architecture.

Hey All,

Thanks for the good explanation Patrick.

Using this post+other material, I used a bridged setup to expose one of my VMs to the internet.

I wrote a blog post detailing my setup and I hope it helps other people =)

OPNsense - WAN Bridging for Public IP Addressing
https://blog.infoitech.co.uk/opnsense-wan-bridging-public-address/

Kind regards.

@markh0ppus Not sure why you would need a bridge for that. All you want to do is assign a public IPv4 address to a host in the OPNsense LAN, correct?

You can do that by e.g. enabling dynamic gateway policy on the LAN interface and creating a static route for the desired public IPv4 address (/32), pointing to the dynamic LAN "gateway" (just the interface, in fact). This also enables ARP for this IP address, despite it not being in the actual LAN subnet.

On the host itself, configure the interface with the public IPv4 address (/32). The gateway is the OPNsense LAN address.

You might also have to add a proxy ARP alias for said IPv4 address to the OPNsense WAN, depending on how your ISP routes the /29.

Cheers
Maurice