From: Jean Aumont
To: freebsd-gnats-submit@FreeBSD.org
Date: Wed, 3 Apr 2013 19:30:04 GMT
Message-Id: <201304031930.r33JU4SU084347@red.freebsd.org>
Subject: i386/177618: Bridge firewall with trunk ports and vlans
X-Send-Pr-Version: www-3.1
List-Id: I386-specific issues for FreeBSD

>Number:         177618
>Category:       i386
>Synopsis:       Bridge firewall with trunk ports and vlans
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-i386
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Apr 03 19:40:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Jean Aumont
>Release:        Version 8.2 (also 7.2)
>Organization:   Mediagrif
>Environment:
FreeBSD TestFW 8.2-Release FreeBSD 8.2-Release #0: Fri Mar 2 10.11:53 EST 2012 root@:/usr/obj/usr/src/sys/MDFKERNEL i386
>Description:
First, let me clarify that the kernel has been recompiled to support PF, CARP and ALTQ by adding the following options to the kernel config file:

    device pf
    device pflog
    device pfsync
    device carp
    options ALTQ
    options ALTQ_CBQ
    options ALTQ_RED
    options ALTQ_RIO
    options ALTQ_HFSC
    options ALTQ_PRIQ
    options ALTQ_NOPCC

I do not believe that those options have an impact on the problem, but just to be clear, I wanted to mention it.

The following can be replicated on FreeBSD 8.2 and 7.2.

Here is the problem. I have 2 Cisco switches, both of them carrying 2 VLANs: 10 and 50. Those 2 switches are connected to my FreeBSD firewall with a dot1q trunk port that carries those 2 VLANs. One switch is connected to the bge0 interface and the other switch is connected to the xl0 interface. I want to filter the traffic using FreeBSD as a bridge firewall without mixing VLAN 10 and 50, and be able to control the spanning tree priority.
The configuration I used in /etc/rc.conf is as follows:

    cloned_interfaces="vlan100 vlan101 vlan500 vlan501 bridge0 bridge1"
    ifconfig_bridge0="fwddelay 12 \
        maxage 16 \
        priority 4096 \
        addm vlan100 \
        addm vlan101 \
        stp vlan100 \
        stp vlan101 \
        -learn vlan100 \
        -learn vlan101 \
        up"
    ifconfig_bridge1="fwddelay 12 \
        maxage 16 \
        priority 45056 \
        addm vlan500 \
        addm vlan501 \
        stp vlan500 \
        stp vlan501 \
        -learn vlan500 \
        -learn vlan501 \
        up"
    ifconfig_vlan100="vlan 10 vlandev bge0 up"
    ifconfig_vlan101="vlan 10 vlandev xl0 up"
    ifconfig_vlan500="vlan 50 vlandev bge0 up"
    ifconfig_vlan501="vlan 50 vlandev xl0 up"
    ifconfig_bge0="up"
    ifconfig_xl0="up"

I tried to separate the traffic from VLAN 10 and 50 on bridge0 and bridge1 respectively by using intermediate vlans that are mapped to the trunk port. For VLAN 10, I used vlan100 from interface bge0 and vlan101 from xl0. For VLAN 50, I used vlan500 from interface bge0 and vlan501 from xl0.

The traffic is separated properly between VLAN 10 and 50, and using tcpdump on the bridges I could confirm that. The problem is that the bridge priority is not respected, even though the command "ifconfig bridge0" shows that the right value is set for the priority. Using tcpdump on bridge0 or bridge1, you can see STP traffic passing through the bridge. Also, both bridges do not acquire a bridge id; it is left at 00:00:00:00:00:00.

I also tried to create the bridge manually using shell commands; here are the results:

    ifconfig bridge0 create
    ifconfig bridge0 priority 4096
    ifconfig bridge0 addm vlan100
    ifconfig bridge0 addm vlam101
    ==> bridge0: error setting interface capability on vlan100
    ifconfig bridge0 stp vlan100
    ==> ifconfig: unable to set bridge flags: invalid argunment
    ifconfig bridge0 -learn vlan100
    ifconfig bridge0 -learn vlan101
    ifconfig bridge0 fwddelay 12
    ifconfig bridge0 maxage 16

As you can see, there were some errors. Am I using the right technique to accomplish what I want?

Thanks.
Jean Aumont
>How-To-Repeat:
Just use the configuration from the description.
>Fix:
Do not know
>Release-Note:
>Audit-Trail:
>Unformatted:
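As an added diagnostic (not part of the PR above), the following POSIX sh check reads `ifconfig bridgeN` output on stdin and flags the symptoms the report describes: a bridge id left at 00:00:00:00:00:00, a bridge priority that differs from the one configured, and member ports that never got the STP flag. The two sample outputs are constructed to mimic FreeBSD's `ifconfig` bridge format and are not captured from the reporter's machine.

```shell
#!/bin/sh
# Added diagnostic (not from the PR): check_bridge_stp takes the expected bridge
# priority as $1, reads `ifconfig bridgeN` output on stdin, prints one FAIL line per
# finding and exits 1 if anything is wrong, 0 if the bridge looks healthy.
check_bridge_stp() {
    awk -v want="$1" '
        # bridge line: "id 00:00:00:00:00:00 priority 4096 hellotime 2 fwddelay 12"
        $1 == "id" && $2 == "00:00:00:00:00:00" {
            print "FAIL: bridge id is all zeros, STP is not running"; bad++ }
        $1 == "id" && $4 != want {
            print "FAIL: bridge priority " $4 " != expected " want; bad++ }
        # member line: "member: vlan100 flags=3<LEARNING,DISCOVER>" has no STP flag
        $1 == "member:" && $3 !~ /STP/ {
            print "FAIL: member " $2 " has no STP flag"; bad++ }
        END { if (bad) exit 1; print "OK: id set, priority " want ", STP on all members" }
    '
}

# Constructed sample reproducing the reported symptom: zero id, members without STP.
SAMPLE_BAD='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:1b:2c:3d:4e:00
        id 00:00:00:00:00:00 priority 4096 hellotime 2 fwddelay 12
        maxage 16 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 4096 ifcost 0 port 0
        member: vlan101 flags=3<LEARNING,DISCOVER>
                ifmaxaddr 0 port 4 priority 128 path cost 55
        member: vlan100 flags=3<LEARNING,DISCOVER>
                ifmaxaddr 0 port 3 priority 128 path cost 55'

# Constructed sample of a healthy bridge: non-zero id, STP enabled on both members.
SAMPLE_GOOD='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:1b:2c:3d:4e:00
        id 00:11:22:33:44:55 priority 4096 hellotime 2 fwddelay 12
        maxage 16 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:11:22:33:44:55 priority 4096 ifcost 0 port 0
        member: vlan101 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 4 priority 128 path cost 55
        member: vlan100 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 3 priority 128 path cost 55'

# On a FreeBSD box the live check is:  ifconfig bridge0 | check_bridge_stp 4096
printf '%s\n' "$SAMPLE_BAD"  | check_bridge_stp 4096 || echo "bridge0 is NOT healthy"  # 3 FAIL lines
printf '%s\n' "$SAMPLE_GOOD" | check_bridge_stp 4096                                   # OK
```

Run it against each bridge after `service netif restart`; a zero id together with missing STP flags is exactly the state in which the configured priority has no effect, because the bridge never participates in the spanning tree.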