Date:      Wed, 10 Sep 2025 10:07:22 +0200
From:      Andrea Venturoli <ml@netfence.it>
To:        freebsd-net@freebsd.org
Subject:   Help with bridge and new IP requirements
Message-ID:  <24b8c39e-b1a3-4cd3-accc-c86a03e21689@netfence.it>

Hello.

I've read that assigning an IP to bridged interfaces is deprecated and 
the configuration should be altered.

I've got a complicated setup, on a 14.3p1 box, involving LACP, bridges, 
VLANs, CARP, jails and ipfw.
Simplifying a bit, I have:
> cloned_interfaces="bridge0 lagg0 tap0 vlan1"
> ifconfig_em0="up"
> ifconfig_em1="up"
> ifconfig_lagg0="up laggproto lacp laggport em0 laggport em1"
> ifconfig_vlan1="inet 192.168.1.15 netmask 255.255.255.0 vlan 1 vlandev lagg0"
> ifconfig_bridge0="up addm vlan1"

If I understand correctly, I need to change this to:
> cloned_interfaces="bridge0 lagg0 tap0 vlan1"
> ifconfig_em0="up"
> ifconfig_em1="up"
> ifconfig_lagg0="up laggproto lacp laggport em0 laggport em1"
> ifconfig_vlan1="up vlan 1 vlandev lagg0"
> ifconfig_bridge0="inet 192.168.1.15 netmask 255.255.255.0 addm vlan1"
Is this correct?
AFAICT this works, except for ipfw.



I have:
> # sysctl -a|grep -E "bridge.*(pfil|ipfw)"
> net.link.bridge.ipfw: 0
> net.link.bridge.pfil_local_phys: 1
> net.link.bridge.pfil_member: 1
> net.link.bridge.ipfw_arp: 0
> net.link.bridge.pfil_bridge: 0
> net.link.bridge.pfil_onlyip: 1

So I'd expect I would need to use rules on the member interfaces (e.g. 
vlan1), as I've always done.
Yet I see packets are being blocked on bridge0. E.g.:
> kernel: ipfw: 1997 Deny ICMP:8.0 192.168.1.18 192.168.1.15 in via bridge0



Am I misunderstanding the meaning of net.link.bridge.pfil_member and 
net.link.bridge.pfil_bridge?
Or am I making any other mistake?
Should I just give up and use bridge0 in ipfw rules? (This, at first, 
seems a loss to me, but maybe I'm wrong).




  bye & Thanks
	av.


