Date: Sun, 1 Apr 2018 16:42:09 +0200
From: Hauke Fath <hf@spg.tu-darmstadt.de>
To: freebsd-net@freebsd.org
Cc: Hauke Fath <hf@spg.tu-darmstadt.de>
Subject: Bridging a vlan trunk with a gif tunnel?
Message-ID: <20180401164209528151.6f554119@spg.tu-darmstadt.de>
Hi,

I am trying to network a remote site with a main site through a bridged gif tunnel, and it doesn't work for me. The if_bridge(4) man page sounds deceptively easy. Browsing the web, what came up didn't help; <https://lists.freebsd.org/pipermail/freebsd-net/2017-November/049278.html> sounded vaguely related.

In the past, I have set up a similar link by tunneling ip over gif, but routing turned out to be intricate, and I figured just bridging the exclave with the main site would save me routing issues, plus I could stick with the existing subnets.

The setup:

The main site runs a filtering router (freebsd 11, pf) to connect a dozen subnets via vlans over an ix(4) trunk. The router serves dhcp to several of those subnets. The trunk is bridged to the gif tunnel interface:

    cloned_interfaces="gif0 bridge0"
    ifconfig_bridge0="addm ix0 addm gif0 up"
    ifconfig_gif0="tunnel 130.83.aa.bb 130.83.cc.dd mtu 1500 up"
    ifconfig_ix0="up"

The exclave bridge machine connects a trunk with three subnets over a gif(4) tunnel:

    cloned_interfaces="gif0 bridge0"
    ifconfig_bridge0="addm em1 addm gif0 up"
    ifconfig_gif0="tunnel 130.83.cc.dd 130.83.aa.bb mtu 1500 up"
    ifconfig_em1="up"

Bridge sysctls on both machines:

    # sysctl net.link.bridge
    net.link.bridge.ipfw: 0
    net.link.bridge.allow_llz_overlap: 0
    net.link.bridge.inherit_mac: 0
    net.link.bridge.log_stp: 0
    net.link.bridge.pfil_local_phys: 0
    net.link.bridge.pfil_member: 0
    net.link.bridge.ipfw_arp: 0
    net.link.bridge.pfil_bridge: 0
    net.link.bridge.pfil_onlyip: 0
    #

After finding and setting the above sysctls, the setup connects both segments of each bridged vlan successfully, in that I can ping and ssh-login from a machine on one segment to a machine on the other (or rather, I could, until the latter machine's dhcp lease ran out, and I am off-site). But there is no connection between the exclave segments and the main-site router interfaces, neither for dhcp nor ip connectivity.
So while an exclave machine is requesting an ip address through dhcp (which the main router is expected to serve)

bridge0:

    14:00:52.129710 d8:cb:8a:6e:74:29 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 380: vlan 7, p 0, ethertype IPv4, 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from d8:cb:8a:6e:74:29 (oui Unknown), length 334

at the same time the main router calls that machine to identify

ix0:

    14:00:00.866778 a0:36:9f:25:62:d4 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 46: vlan 7, p 0, ethertype ARP, Request who-has Plaike.nt.e-technik.tu-darmstadt.de tell 130.83.228.62, length 28

In short, the main router vlan interfaces do not see traffic coming to their trunk via gif and bridge, nor can they send traffic that way.

Is there a magic knob that I have overlooked that will enable this connection, or what else could I be missing?

Cheerio,
hauke
-- 
     The ASCII Ribbon Campaign                  Hauke Fath
()     No HTML/RTF in email          Institut für Nachrichtentechnik
/\     No Word docs in email                   TU Darmstadt
     Respect for open standards            Ruf +49-6151-16-21344
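As an added diagnostic, not part of the original message: a small Python parser for the tcpdump -e lines quoted above. It tallies which (vlan, source MAC, ethertype) tuples were seen on each capture interface and reports those that never appear on the other, i.e. tagged frames the bridge did not carry between the two members. The sample captures are the two lines from the post; the interface names and the comparison direction are assumptions.

```python
import re

# Matches one tcpdump -e line for an 802.1Q-tagged frame, in the form
# tcpdump prints it ("ethertype 802.1Q (0x8100), length N: vlan V, p P,
# ethertype PROTO, ..."). Untagged frames and other output do not match.
TCPDUMP_VLAN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[0-9a-f:]{17}) \(oui [^)]*\) > (?P<dst>[^,]+), "
    r"ethertype 802\.1Q \(0x8100\), length \d+: vlan (?P<vlan>\d+), p \d+, "
    r"ethertype (?P<proto>\w+),"
)


def parse_frame(line):
    """Return (vlan, src_mac, ethertype) for a tagged frame, else None."""
    m = TCPDUMP_VLAN_RE.match(line)
    if not m:
        return None
    return (int(m.group("vlan")), m.group("src"), m.group("proto"))


def flows_by_interface(captures):
    """captures: {iface: [tcpdump lines]} -> {iface: set of flow tuples}."""
    return {
        iface: {f for f in map(parse_frame, lines) if f is not None}
        for iface, lines in captures.items()
    }


def missing_on(captures, from_iface, to_iface):
    """Flows seen on from_iface that never show up on to_iface, i.e. the
    bridge did not forward them between these two members."""
    seen = flows_by_interface(captures)
    return sorted(seen[from_iface] - seen[to_iface])


# Constructed sample: the two captures quoted in the post, one per interface.
SAMPLE = {
    "bridge0": [
        "14:00:52.129710 d8:cb:8a:6e:74:29 (oui Unknown) > Broadcast, "
        "ethertype 802.1Q (0x8100), length 380: vlan 7, p 0, ethertype IPv4, "
        "0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from "
        "d8:cb:8a:6e:74:29 (oui Unknown), length 334",
    ],
    "ix0": [
        "14:00:00.866778 a0:36:9f:25:62:d4 (oui Unknown) > Broadcast, "
        "ethertype 802.1Q (0x8100), length 46: vlan 7, p 0, ethertype ARP, "
        "Request who-has Plaike.nt.e-technik.tu-darmstadt.de tell "
        "130.83.228.62, length 28",
    ],
}

if __name__ == "__main__":
    for a, b in (("bridge0", "ix0"), ("ix0", "bridge0")):
        for vlan, src, proto in missing_on(SAMPLE, a, b):
            print(f"vlan {vlan} {proto} from {src}: seen on {a}, not on {b}")
```

Feed it longer captures taken at the same time on both members (one list per interface) to see which vlans or hosts are one-sided.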