From: Ronald Klop
To: net@freebsd.org
Date: Thu, 4 Sep 2025 13:00:41 +0200 (CEST)
Subject: (solved) Re: bridge new vlan and iftagged "none"
List-Archive: https://lists.freebsd.org/archives/freebsd-net

Ah, after looking into the config of my switch and seeing the nice "untagged 1" on all interfaces it dawned on me what the config should be.
I now have this bridge:
bridge0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=10<VLAN_HWTAGGING>
    ether 58:9c:fc:10:ea:3e
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    bridge flags=1<VLANFILTER>
    member: epair3a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 21 priority 128 path cost 2000 vlan protocol 802.1q untagged 3
    member: epair4a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 18 priority 128 path cost 2000 vlan protocol 802.1q untagged 1
    member: epair6a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 15 priority 128 path cost 2000 vlan protocol 802.1q untagged 3
    member: epair10a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 12 priority 128 path cost 2000 vlan protocol 802.1q untagged 3
    member: epair2a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 9 priority 128 path cost 2000 vlan protocol 802.1q untagged 3
    member: epair5a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 6 priority 128 path cost 2000 vlan protocol 802.1q untagged 3
    member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 4 priority 128 path cost 2000 vlan protocol 802.1q untagged 1
    member: genet0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 1 priority 128 path cost 55 vlan protocol 802.1q untagged 1 tagged 3
    groups: bridge
    nd6 options=9<PERFORMNUD,IFDISABLED>

And everything works as expected.

I realize that I can now configure this to send "tagged 1" traffic between genet0 and the switch and even further into my network. Would that have /any/ influence on performance?

Regards,
Ronald.

 

From: Ronald Klop <ronald-lists@klop.ws>
Date: Thursday, 4 September 2025 11:21
To: net@freebsd.org
Subject: bridge new vlan and iftagged "none"

Hi,

I'm trying out the new bridge vlan functionality.
I can't find a lot of examples of the new config options yet and I'm a bit confused.

I have this setup working:

genet0 <--> bridge0 <--> multiple epairs for jails

Some epairs will be in vlan 3 and some epairs are not in a vlan.
I have this working.
bridge0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=10<VLAN_HWTAGGING>
        ether 58:9c:fc:10:ea:3e
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        bridge flags=1<VLANFILTER>
        member: epair3a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                port 21 priority 128 path cost 2000 vlan protocol 802.1q untagged 3
        member: epair6a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                port 18 priority 128 path cost 2000 vlan protocol 802.1q untagged 3
        member: epair4a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                port 15 priority 128 path cost 2000 vlan protocol 802.1q
        member: epair2a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                port 12 priority 128 path cost 2000 vlan protocol 802.1q untagged 3
        member: epair10a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                port 9 priority 128 path cost 2000 vlan protocol 802.1q untagged 3
        member: epair5a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                port 6 priority 128 path cost 2000 vlan protocol 802.1q untagged 3
        member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                port 4 priority 128 path cost 2000 vlan protocol 802.1q
        member: genet0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                port 1 priority 128 path cost 55 vlan protocol 802.1q
        groups: bridge
        nd6 options=9<PERFORMNUD,IFDISABLED>

epair4a still receives all traffic, so also traffic for vlan 3.
My expectation was that I should be able to filter vlan traffic from epair4a by doing this.
ifconfig bridge0 vlanfilter
ifconfig bridge0 iftagged epair4a none
And somehow make it possible to have genet0 to transfer all traffic even with vlanfilter enabled.

I don't understand if this is possible and how. Any insights?

Regards,
Ronald.
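
An added example, not part of the original messages and not FreeBSD's own code: a small Python audit that parses `ifconfig bridge0` output like the listings above and groups bridge members by VLAN, so the segmentation between jails and the uplink can be reviewed at a glance. The sample text is constructed from the message's output; the member `epair9a` and the comma/range form of the `tagged` list are assumptions.

```python
import re

# Constructed sample, trimmed from the bridge0 output in the message above;
# epair9a is a hypothetical member with no VLAN assignment.
SAMPLE = """\
    bridge flags=1<VLANFILTER>
    member: epair3a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 21 priority 128 path cost 2000 vlan protocol 802.1q untagged 3
    member: epair4a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 18 priority 128 path cost 2000 vlan protocol 802.1q untagged 1
    member: epair9a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 30 priority 128 path cost 2000 vlan protocol 802.1q
    member: genet0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 1 priority 128 path cost 55 vlan protocol 802.1q untagged 1 tagged 3
"""
# A member line followed directly by its "port ..." line, as ifconfig prints them.
MEMBER = re.compile(r"member:\s+(\S+)[^\n]*\n\s*port\s+\d+([^\n]*)")

def expand(spec):
    """Expand '3' or '3,5-7' into VLAN IDs (list/range syntax is an assumption)."""
    pairs = (p.partition("-") for p in spec.split(","))
    return {v for lo, _, hi in pairs for v in range(int(lo), int(hi or lo) + 1)}

def parse_bridge(text):
    """Return (vlanfilter_enabled, {member: {"untagged": int|None, "tagged": set}})."""
    vlanfilter = bool(re.search(r"bridge flags=\w+<[^>]*\bVLANFILTER\b", text))
    members = {}
    for name, rest in MEMBER.findall(text):
        u = re.search(r"\buntagged\s+(\d+)", rest)
        t = re.search(r"\btagged\s+([\d,-]+)", rest)
        members[name] = {"untagged": int(u.group(1)) if u else None,
                         "tagged": expand(t.group(1)) if t else set()}
    return vlanfilter, members

def audit(text):
    """Group members by VLAN and list members that have no VLAN assignment."""
    vlanfilter, members = parse_bridge(text)
    by_vlan, unassigned = {}, []
    for name, cfg in members.items():
        vids = ([cfg["untagged"]] if cfg["untagged"] is not None else []) + sorted(cfg["tagged"])
        if not vids:
            unassigned.append(name)
        for vid in vids:
            mode = "untagged" if vid == cfg["untagged"] else "tagged"
            by_vlan.setdefault(vid, []).append((name, mode))
    return {"vlanfilter": vlanfilter, "by_vlan": by_vlan, "unassigned": unassigned}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On a live host the same function can be fed the text captured from `ifconfig bridge0`; members listed under `unassigned` are the ones to review first.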
 
