VLAN support on bridges from FreeBSD 15.x onwards, impact when?

Started by Rene78, January 01, 2026, 01:28:04 PM

January 01, 2026, 01:28:04 PM Last Edit: January 01, 2026, 01:32:08 PM by Rene78 Reason: Add happy new year
Happy New Year!

Searching the forum for VLANs on bridges results in a lot of information and configurations (e.g. link, link, link) where the bottom line seems to be "bridge over VLANs" and not use (not possible in OPNsense config) VLANs on bridges.

Now I have been reading up on the matter and see that:
  • in FreeBSD 14.x man for IF_BRIDGE(4) there is no VLAN support (link)
  • in FreeBSD 15.x man for IF_BRIDGE(4) there is VLAN support (see quote below, link)

While I am aware that OPNsense is currently based on FreeBSD 14.3, I assume that OPNsense will move to 15.x at some point. This will offer VLAN support on bridges, judging by the FreeBSD documentation.

Is this VLAN support on bridges also moving into OPNsense? Couldn't find it on the forum, but when is OPNsense moving to FreeBSD 15.x/16.x?
Arguably, having VLAN support on bridges could make multi-NIC box configurations (such as my trusty Qotom) a little easier with IPTV VLANs, WLAN VLANs, IOT VLANs etc. on top of a multi-NIC LAN_bridge with a single WAN interface. ;-) 

From the FreeBSD 15.x man IF_BRIDGE(4)
Quote
VLAN SUPPORT
       The if_bridge driver has full support for virtual LANs (VLANs). The
       bridge implements independent VLAN learning, i.e. MAC addresses are
       learned on a per-VLAN basis, and the same MAC address may be learned on
       multiple interfaces on different VLANs. Incoming frames with an 802.1Q
       tag will be assigned to the appropriate VLAN.

       Traffic sent to or from the host is not assigned to a VLAN by default.
       To allow the host to communicate on a VLAN, configure a vlan(4)
       interface on the bridge and (if necessary) assign IP addresses there.

       By default no access control is enabled, so any interface may
       participate in any VLAN.

       VLAN filtering may be enabled on a bridge using the ifconfig(8)
       vlanfilter option. When VLAN filtering is enabled, an interface may
       only send and receive frames based on its configured VLAN access list.

       The interface's untagged VLAN ID may be configured using the
       ifconfig(8) untagged option. If an untagged VLAN ID is configured,
       incoming frames will be assigned to that VLAN, and the interface may
       receive outgoing untagged frames in that VLAN.

       The tagged VLAN access list may be configured using the tagged, +tagged
       and -tagged options to ifconfig(8). An interface may send and receive
       tagged frames for any VLAN in its access list.

       The bridge will automatically insert or remove 802.1q tags as needed,
       based on the interface configuration, when forwarding frames between
       interfaces. This tag processing is only done for interfaces with VLAN
       filtering enabled.
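
The filtering rules in the quoted if_bridge(4) text, modelled in Python as an added example (not part of the original post, and not FreeBSD or OPNsense code). The port layout, VLAN IDs 10 and 20 and all class and function names are assumptions made for illustration; untagged frames on an unfiltered bridge are modelled as VLAN 0.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Port:
    name: str
    untagged: Optional[int] = None             # "untagged" VLAN ID, if configured
    tagged: set = field(default_factory=set)   # "tagged" VLAN access list

class Bridge:
    def __init__(self, ports, vlanfilter):
        self.ports = {p.name: p for p in ports}
        self.vlanfilter = vlanfilter
        self.fdb = {}                          # (vlan, mac) -> port: per-VLAN learning

    def _ingress(self, port, tag):
        """VLAN a received frame is assigned to, or None if it is dropped."""
        if not self.vlanfilter:
            return tag if tag is not None else 0   # 0 = "no VLAN" (model assumption)
        if tag is None:
            return port.untagged               # no untagged VLAN configured -> drop
        return tag if tag in port.tagged else None

    def _egress(self, port, vlan, tag):
        """(allowed, tag on the wire) for sending a frame of `vlan` out of `port`."""
        if not self.vlanfilter:
            return True, tag                   # no access control, tag left as received
        if vlan == port.untagged:
            return True, None                  # bridge removes the tag
        return (vlan in port.tagged), vlan     # bridge inserts the tag

    def forward(self, in_name, src, dst, tag=None):
        """Return {egress port: 802.1Q tag or None}; an empty dict means dropped."""
        vlan = self._ingress(self.ports[in_name], tag)
        if vlan is None:
            return {}
        self.fdb[(vlan, src)] = in_name        # learn the source MAC in this VLAN only
        known = self.fdb.get((vlan, dst))
        targets = [known] if known else list(self.ports)   # unknown dst -> flood
        out = {}
        for name in targets:
            ok, wire_tag = self._egress(self.ports[name], vlan, tag)
            if ok and name != in_name:
                out[name] = wire_tag
        return out

def demo_ports():
    # Constructed layout: igc0 is a trunk, igc1 an IoT access port, igc2 a LAN access port.
    return [Port("igc0", tagged={10, 20}), Port("igc1", untagged=20), Port("igc2", untagged=10)]
```

With `vlanfilter` off, a frame tagged 10 that enters on the access port igc1 is flooded to every other member; with it on, the same frame is dropped at ingress and untagged traffic from igc1 stays in VLAN 20.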



Quote from: Rene78 on January 01, 2026, 01:28:04 PM
Searching the forum for VLANs on bridges results in a lot of information and configurations [...] where the bottom line seems to be "bridge over VLANs" and not use (not possible in OPNsense config) VLANs on bridges. [...]

Are you suggesting that it's not possible to assign a VLAN interface to a bridge? It works fine. I use four bridges with nine VLAN interfaces (interfaces on a 10-port switch, broken out as a port expander) assigned among them.

Currently you can bridge VLAN interfaces but not the other way round.

E.g. with FreeBSD 14:

igc0.1 - VLAN 1 on igc0
igc0.2 - VLAN 2 on igc0
igc1.1 - VLAN 1 on igc1
igc1.2 - VLAN 2 on igc1

bridge1 - members igc0.1, igc1.1
bridge2 - members igc0.2, igc2.2

This works well but is complicated and error prone to set up.

With FreeBSD 15:

bridge0 - members igc0, igc1

bridge0.1 - VLAN 1 on all bridge ports
bridge0.2 - VLAN 2 on all bridge ports


HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on January 01, 2026, 03:12:21 PM
Currently you can bridge VLAN interfaces but not the other way round.

E.g. with FreeBSD 14:

igc0.1 - VLAN 1 on igc0
igc0.2 - VLAN 2 on igc0
igc1.1 - VLAN 1 on igc1
igc1.2 - VLAN 2 on igc1

bridge1 - members igc0.1, igc1.1
bridge2 - members igc0.2, igc2.2

This works well but is complicated and error prone to set up.

With FreeBSD 15:

bridge0 - members igc0, igc1

bridge0.1 - VLAN 1 on all bridge ports
bridge0.2 - VLAN 2 on all bridge ports


HTH,
Patrick

Will this also be implemented in OPNsense? Not sure if all FreeBSD options are also implemented in OPNsense.

Quote from: Patrick M. Hausen on January 01, 2026, 03:12:21 PM
Currently you can bridge VLAN interfaces but not the other way round. [...]

Ah, I missed the intent. The original VLAN assignment scheme was not a limitation/inconvenience for me. The value added by the new scheme seems limited, as it only provides a more traditional bridge-like configuration with no (apparent) added functionality. Not that I can say much about that, as I treat my firewall like a bridge and my bridges like port expanders, but I could use either method with little modification. (I actually prefer the old method, as some of my equipment is only manageable from VLAN 1, so isolating it would be potentially inconvenient.)