Hauke Fath
2018-04-01 14:42:09 UTC
Hi,
I am trying to network a remote site with a main site through a bridged
gif tunnel, and it doesn't work for me. The if_bridge(4) man page
sounds deceptively easy. Browsing the web, what came up didn't help;
<https://lists.freebsd.org/pipermail/freebsd-net/2017-November/049278.html>
sounded vaguely related.
In the past, I have set up a similar link by tunneling ip over gif, but
routing turned out to be intricate, and I figured just bridging the
exclave with the main site would save me routing issues, plus I could
stick with the existing subnets.
The setup:
The main site runs a filtering router (freebsd 11, pf) to connect a
dozen subnets via vlans over an ix(4) trunk. The router serves dhcp to
several of those subnets. The trunk is bridged to the gif tunnel
interface:
cloned_interfaces="gif0 bridge0"
ifconfig_bridge0="addm ix0 addm gif0 up"
ifconfig_gif0="tunnel 130.83.aa.bb 130.83.cc.dd mtu 1500 up"
ifconfig_ix0="up"
The exclave bridge machine connects a trunk with three subnets over a
gif(4) tunnel:
cloned_interfaces="gif0 bridge0"
ifconfig_bridge0="addm em1 addm gif0 up"
ifconfig_gif0="tunnel 130.83.cc.dd 130.83.aa.bb mtu 1500 up"
ifconfig_em1="up"
Bridge sysctls on both machines:
# sysctl net.link.bridge
net.link.bridge.ipfw: 0
net.link.bridge.allow_llz_overlap: 0
net.link.bridge.inherit_mac: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 0
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_onlyip: 0
#
After finding and setting the above sysctls, the setup connects both
segments of each bridged vlan successfully, in that I can ping and
ssh-login from a machine on one segment to a machine on the other (or
rather, I could, until the latter machine's dhcp lease ran out, and I
am off-site). But there is no connection between the exclave segments
and the main-site router interfaces, neither for dhcp nor ip
connectivity.
So while an exclave machine is requesting an ip address through dhcp
(which the main router is expected to serve)
bridge0:
14:00:52.129710 d8:cb:8a:6e:74:29 (oui Unknown) > Broadcast, ethertype
802.1Q (0x8100), length 380: vlan 7, p 0, ethertype IPv4,
0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from
d8:cb:8a:6e:74:29 (oui Unknown), length 334
at the same time the main router calls that machine to identify
ix0:
14:00:00.866778 a0:36:9f:25:62:d4 (oui Unknown) > Broadcast, ethertype
802.1Q (0x8100), length 46: vlan 7, p 0, ethertype ARP, Request who-has
Plaike.nt.e-technik.tu-darmstadt.de tell 130.83.228.62, length 28
In short, the main router vlan interfaces do not see traffic coming to
their trunk via gif and bridge, nor can they send traffic that way.
Is there a magic knob that I have overlooked that will enable this
connection, or what else could I be missing?
Cheerio,
hauke
I am trying to network a remote site with a main site through a bridged
gif tunnel, and it doesn't work for me. The if_bridge(4) man page
sounds deceptively easy. Browsing the web, what came up didn't help;
<https://lists.freebsd.org/pipermail/freebsd-net/2017-November/049278.html>
sounded vaguely related.
In the past, I have set up a similar link by tunneling ip over gif, but
routing turned out to be intricate, and I figured just bridging the
exclave with the main site would save me routing issues, plus I could
stick with the existing subnets.
The setup:
The main site runs a filtering router (freebsd 11, pf) to connect a
dozen subnets via vlans over an ix(4) trunk. The router serves dhcp to
several of those subnets. The trunk is bridged to the gif tunnel
interface:
cloned_interfaces="gif0 bridge0"
ifconfig_bridge0="addm ix0 addm gif0 up"
ifconfig_gif0="tunnel 130.83.aa.bb 130.83.cc.dd mtu 1500 up"
ifconfig_ix0="up"
The exclave bridge machine connects a trunk with three subnets over a
gif(4) tunnel:
cloned_interfaces="gif0 bridge0"
ifconfig_bridge0="addm em1 addm gif0 up"
ifconfig_gif0="tunnel 130.83.cc.dd 130.83.aa.bb mtu 1500 up"
ifconfig_em1="up"
Bridge sysctls on both machines:
# sysctl net.link.bridge
net.link.bridge.ipfw: 0
net.link.bridge.allow_llz_overlap: 0
net.link.bridge.inherit_mac: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 0
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_onlyip: 0
#
After finding and setting the above sysctls, the setup connects both
segments of each bridged vlan successfully, in that I can ping and
ssh-login from a machine on one segment to a machine on the other (or
rather, I could, until the latter machine's dhcp lease ran out, and I
am off-site). But there is no connection between the exclave segments
and the main-site router interfaces, neither for dhcp nor ip
connectivity.
So while an exclave machine is requesting an ip address through dhcp
(which the main router is expected to serve)
bridge0:
14:00:52.129710 d8:cb:8a:6e:74:29 (oui Unknown) > Broadcast, ethertype
802.1Q (0x8100), length 380: vlan 7, p 0, ethertype IPv4,
0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from
d8:cb:8a:6e:74:29 (oui Unknown), length 334
at the same time the main router calls that machine to identify
ix0:
14:00:00.866778 a0:36:9f:25:62:d4 (oui Unknown) > Broadcast, ethertype
802.1Q (0x8100), length 46: vlan 7, p 0, ethertype ARP, Request who-has
Plaike.nt.e-technik.tu-darmstadt.de tell 130.83.228.62, length 28
In short, the main router vlan interfaces do not see traffic coming to
their trunk via gif and bridge, nor can they send traffic that way.
Is there a magic knob that I have overlooked that will enable this
connection, or what else could I be missing?
Cheerio,
hauke
--
The ASCII Ribbon Campaign Hauke Fath
() No HTML/RTF in email Institut für Nachrichtentechnik
/\ No Word docs in email TU Darmstadt
Respect for open standards Ruf +49-6151-16-21344
The ASCII Ribbon Campaign Hauke Fath
() No HTML/RTF in email Institut für Nachrichtentechnik
/\ No Word docs in email TU Darmstadt
Respect for open standards Ruf +49-6151-16-21344