Date: Fri, 29 Apr 2022 07:45:08 +0000
From: Benoit Chesneau <benoitc@enki-multimedia.eu>
To: "freebsd-net@FreeBSD.org" <freebsd-net@FreeBSD.org>
Subject: Re: issue with ng_vlan nomatch connected to the bridge
Message-ID: <zMe2JfLExuczF03sEZkLmiCi1GggVG_ijqz3VacZOGKLKxh_HpD85kbeGou42NruF2jMvSg1mGuLJc84YGGSn65jhgN4TYc7exW9ozI1aVE=@enki-multimedia.eu>
In-Reply-To: <WCMWeElRlitmBpR68L1E5-wTHGnQNMUx6ugOY-UW9qx3arF63kTS7g2P6Rzxyq1BiLZLu9DRbKylaHSvi9hBWjN-fuT35KD_KyXwq7Sx2BI=@enki-multimedia.eu>
References: <WCMWeElRlitmBpR68L1E5-wTHGnQNMUx6ugOY-UW9qx3arF63kTS7g2P6Rzxyq1BiLZLu9DRbKylaHSvi9hBWjN-fuT35KD_KyXwq7Sx2BI=@enki-multimedia.eu>

To quickly test, I created an interface added to the bridge that gets its IP from DHCP. The IP is correctly given by the DHCP server, but I can't ping from the same server (the router with the DHCP server) to this device.

```
# ngctl mkpeer public: eiface link2 ether
# dhclient ngeth1
DHCPDISCOVER on ngeth1 to 255.255.255.255 port 67 interval 7
DHCPOFFER from 192.168.1.1
DHCPREQUEST on ngeth1 to 255.255.255.255 port 67
DHCPACK from 192.168.1.1
bound to 192.168.1.37 -- renewal in 300 seconds.
# ifconfig ngeth1
ngeth1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=28<VLAN_MTU,JUMBO_MTU>
        ether 58:9c:fc:10:c6:73
        inet 192.168.1.60 netmask 0xffffff00 broadcast 192.168.1.255
        inet 192.168.1.37 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::5a9c:fcff:fe10:c673%ngeth1 prefixlen 64 scopeid 0xb
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
```

Benoît Chesneau, Enki Multimedia
—
t. +33608655490

Sent with [ProtonMail](https://protonmail.com/) secure email.

------- Original Message -------
On Friday, April 29th, 2022 at 09:17, Benoit Chesneau <benoitc@enki-multimedia.eu> wrote:

> I have an issue with the way the nomatch hook is working. I have linked the nomatch hook from a lan to a bridge but I can only get the native vlan in it. I can't even ping a new link added to this bridge. Maybe I am missing some connection?
>
> My goal is to be able to catch non-filtered vlans in an ng_bridge so I can use them (and pass newly created vlans) from a firewall vm in bhyve.
>
> Following the advice of a previous thread, I have created a vlan peer over the lagg0 created using ifconfig and 3 bridges, 2 connected to filtered vlans (102 and 200) and 1 to nomatch. This is summarised in the following diagram: https://imgur.com/a/aDfUQz6
>
> The configuration is the following:
>
> ```
> mkpeer lagg0: vlan lower downstream
> name lagg0:lower vlan0
> mkpeer vlan0: bridge 102 link0
> mkpeer vlan0: bridge 200 link0
> mkpeer vlan0: bridge nomatch link0
> msg vlan0: addfilter { vid=102 hook="102" }
> msg vlan0: addfilter { vid=200 hook="200" }
> name vlan0:102 bgpnet
> name vlan0:200 services
> name vlan0:nomatch public
> msg lagg0: setpromisc 1
> msg lagg0: setautosrc 0
> ```
>
> Should I connect the nomatch bridge to downstream or anything else? Why can't I ping the VM connected to that bridge while it can get its IP using DHCP?
>
> Any help is welcome :)
>
> Benoît
