From owner-freebsd-net@freebsd.org Sun Apr 1 14:44:39 2018
From: Hauke Fath <hf@spg.tu-darmstadt.de>
To: freebsd-net@freebsd.org
Cc: Hauke Fath
Date: Sun, 1 Apr 2018 16:42:09 +0200
Message-ID: <20180401164209528151.6f554119@spg.tu-darmstadt.de>
Subject: Bridging a vlan trunk with a gif tunnel?
Organization: TU Darmstadt
List-Id: Networking and TCP/IP with FreeBSD

Hi,

I am trying to network a remote site with a main site through a bridged gif tunnel, and it doesn't work for me. The if_bridge(4) man page sounds deceptively easy. Browsing the web, what came up didn't help; [link stripped] sounded vaguely related.

In the past, I have set up a similar link by tunneling ip over gif, but routing turned out to be intricate, and I figured just bridging the exclave with the main site would save me routing issues, plus I could stick with the existing subnets.

The setup:

The main site runs a filtering router (freebsd 11, pf) to connect a dozen subnets via vlans over an ix(4) trunk. The router serves dhcp to several of those subnets.
The trunk is bridged to the gif tunnel interface:

    cloned_interfaces="gif0 bridge0"
    ifconfig_bridge0="addm ix0 addm gif0 up"
    ifconfig_gif0="tunnel 130.83.aa.bb 130.83.cc.dd mtu 1500 up"
    ifconfig_ix0="up"

The exclave bridge machine connects a trunk with three subnets over a gif(4) tunnel:

    cloned_interfaces="gif0 bridge0"
    ifconfig_bridge0="addm em1 addm gif0 up"
    ifconfig_gif0="tunnel 130.83.cc.dd 130.83.aa.bb mtu 1500 up"
    ifconfig_em1="up"

Bridge sysctls on both machines:

    # sysctl net.link.bridge
    net.link.bridge.ipfw: 0
    net.link.bridge.allow_llz_overlap: 0
    net.link.bridge.inherit_mac: 0
    net.link.bridge.log_stp: 0
    net.link.bridge.pfil_local_phys: 0
    net.link.bridge.pfil_member: 0
    net.link.bridge.ipfw_arp: 0
    net.link.bridge.pfil_bridge: 0
    net.link.bridge.pfil_onlyip: 0
    #

After finding and setting the above sysctls, the setup connects both segments of each bridged vlan successfully, in that I can ping and ssh-login from a machine on one segment to a machine on the other (or rather, I could, until the latter machine's dhcp lease ran out, and I am off-site). But there is no connection between the exclave segments and the main-site router interfaces, neither for dhcp nor ip connectivity.
So while an exclave machine is requesting an ip address through dhcp (which the main router is expected to serve)

    bridge0:
    14:00:52.129710 d8:cb:8a:6e:74:29 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 380: vlan 7, p 0, ethertype IPv4, 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from d8:cb:8a:6e:74:29 (oui Unknown), length 334

at the same time the main router calls that machine to identify

    ix0:
    14:00:00.866778 a0:36:9f:25:62:d4 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 46: vlan 7, p 0, ethertype ARP, Request who-has Plaike.nt.e-technik.tu-darmstadt.de tell 130.83.228.62, length 28

In short, the main router vlan interfaces do not see traffic coming to their trunk via gif and bridge, nor can they send traffic that way.

Is there a magic knob that I have overlooked that will enable this connection, or what else could I be missing?

Cheerio,
hauke

-- 
     The ASCII Ribbon Campaign                    Hauke Fath
()   No HTML/RTF in email              Institut für Nachrichtentechnik
/\   No Word docs in email                       TU Darmstadt
     Respect for open standards                  Ruf +49-6151-16-21344
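An added example, not part of Hauke's post or of FreeBSD: when a bridge setup like the one above half-works, the useful question is on which member a given tagged frame stops appearing. The Python below parses `tcpdump -e` output captured on each interface, groups frames by (vlan, ethertype), and reports which interfaces did not see a flow, plus where DHCP requests and replies were observed. The interface names bridge0/ix0/gif0 and the line format are taken from the post; the two sample lines are the ones quoted above joined onto single lines, and the third (gif0) line is constructed to show the request also transiting the tunnel interface. The tool only reasons about what the captures contain; it does not diagnose the bridge.

```python
"""Locate where 802.1Q-tagged frames disappear in an if_bridge setup by
comparing `tcpdump -e` captures taken on each member interface.
Added example: interface names and the gif0 sample line are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Outer Ethernet header as `tcpdump -e` prints it, with or without OUI names.
HDR_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[0-9a-f:]{17}|Broadcast)(?: \(oui [^)]*\))?\s+>\s+"
    r"(?P<dst>[0-9a-f:]{17}|Broadcast)(?: \(oui [^)]*\))?,\s+"
    r"ethertype (?P<etype>\S+) \(0x[0-9a-f]+\), length (?P<len>\d+): (?P<rest>.*)$"
)
# 802.1Q tag that follows when the outer ethertype is 802.1Q.
TAG_RE = re.compile(r"^vlan (?P<vlan>\d+), p \d+, ethertype (?P<etype>[^,]+), (?P<rest>.*)$")


@dataclass(frozen=True)
class Frame:
    iface: str
    ts: str
    src: str
    dst: str
    vlan: Optional[int]      # None when the frame is untagged
    ethertype: str           # inner ethertype for tagged frames
    summary: str             # the remainder of the tcpdump line


def parse_line(iface: str, line: str) -> Optional[Frame]:
    """Parse one `tcpdump -e` line; return None for lines that do not match."""
    m = HDR_RE.match(line.strip())
    if not m:
        return None
    vlan, etype, rest = None, m["etype"], m["rest"]
    if etype == "802.1Q":
        t = TAG_RE.match(rest)
        if not t:
            return None
        vlan, etype, rest = int(t["vlan"]), t["etype"], t["rest"]
    return Frame(iface, m["ts"], m["src"], m["dst"], vlan, etype, rest)


def parse_capture(iface: str, text: str) -> list:
    return [f for f in (parse_line(iface, ln) for ln in text.splitlines()) if f]


def flow_visibility(captures: dict) -> dict:
    """Map (vlan, ethertype) -> set of interfaces on which that flow was seen."""
    seen = defaultdict(set)
    for iface, text in captures.items():
        for f in parse_capture(iface, text):
            seen[(f.vlan, f.ethertype)].add(iface)
    return dict(seen)


def missing_on(captures: dict) -> dict:
    """For each flow, the interfaces that did NOT see it. A tagged broadcast
    that a bridge forwards should show up on every member, so a non-empty
    list points at the hop where frames are being dropped."""
    all_ifaces = set(captures)
    return {flow: sorted(all_ifaces - ifs)
            for flow, ifs in flow_visibility(captures).items()
            if ifs != all_ifaces}


def dhcp_view(captures: dict):
    """Where BOOTP/DHCP requests (keyed by client MAC) and server replies
    were seen. Replies are often broadcast, so they are not attributed
    to a client; an empty reply set means no server ever answered."""
    requests, reply_ifaces = defaultdict(set), set()
    for iface, text in captures.items():
        for f in parse_capture(iface, text):
            if f.ethertype != "IPv4" or "BOOTP/DHCP" not in f.summary:
                continue
            m = re.search(r"Request from ([0-9a-f:]{17})", f.summary)
            if m:
                requests[m.group(1)].add(iface)
            elif ", Reply" in f.summary:
                reply_ifaces.add(iface)
    return dict(requests), reply_ifaces


# Constructed sample: the two lines quoted in the post, plus an assumed gif0 line.
SAMPLE = {
    "bridge0": "14:00:52.129710 d8:cb:8a:6e:74:29 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 380: vlan 7, p 0, ethertype IPv4, 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from d8:cb:8a:6e:74:29 (oui Unknown), length 334\n",
    "ix0": "14:00:00.866778 a0:36:9f:25:62:d4 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 46: vlan 7, p 0, ethertype ARP, Request who-has Plaike.nt.e-technik.tu-darmstadt.de tell 130.83.228.62, length 28\n",
    "gif0": "14:00:52.129900 d8:cb:8a:6e:74:29 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 380: vlan 7, p 0, ethertype IPv4, 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from d8:cb:8a:6e:74:29 (oui Unknown), length 334\n",
}

if __name__ == "__main__":
    for flow, absent in missing_on(SAMPLE).items():
        print("vlan %s %s not seen on: %s" % (flow[0], flow[1], ", ".join(absent)))
    reqs, reps = dhcp_view(SAMPLE)
    print("DHCP requests:", reqs, "replies seen on:", sorted(reps))
```

Run `tcpdump -e -n -i <iface>` on bridge0, ix0 and gif0 at the same time and feed each output to the tool under its interface name. In the sample, the vlan 7 DHCP request is seen on bridge0 and gif0 but never on ix0, while the router's vlan 7 ARP request is seen only on ix0, which is the asymmetry the post describes and narrows the search to the bridge-to-member path on the main router.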